ESET on the Radio

Why Businesses and Consumers Alike Need To Take Computer Data Breaches Very Seriously.

Complete Transcript of Interview – Randy Abrams - ESET
Let's Talk Computers Radio Talk Show
Host Alan Ashendorf
June 18 2011

Alan: It seems that almost every week now, we're hearing about another major computer data breach. Still, there is a large percentage of consumers that don't even give this a second thought. But, if you're one of the victims that has your credit card or financial information compromised, this is like a burglary. This could be a life-changing event.

So today on Let's Talk Computers, we are continuing our discussion of why computer data breaches affect all of us, and not just businesses. It's our pleasure to have as our guest, again, Randy Abrams, Director of Technical Education with ESET. Welcome back to Let's Talk Computers, Randy.

Randy: Thanks, Alan. It's great to be back.

Alan: Well, these major data breaches like we're seeing in the news today – they are not just affecting business anymore. There is a deeper threat than just exposing our financial information.

But, Randy, where does the fault lie for these data breaches? Should we be angry at the companies that allow this to happen or should all of our anger be directed to those who did the actual data breach?

Randy: Being angry, without taking action is self-defeating. Definitely do things like e-mailing Epsilon and demand to be taken off the list; e-mail your congressperson; and demand accountability, and demand legislation that allows you to get taken off lists that you don't want to be on.

There's a lot to be done in terms of enhancing privacy and part of it is for the United States to finally come around to realizing that customer data belongs to the customer. Currently that isn't how our laws work – it is how they should work.

Alan: Even if that worked in the United States, we can't have other countries enforce that. Once you go onto the Web, you really don't know where you are going, because you could be in California; you could be in New York; or you could be on the other side of the world in China or Korea, or "you name it" and not even know it. In a lot of places, the web site is just a landing zone.

Randy: Right, but most of Europe has better data privacy laws than the United States has. And just because you can't control everything doesn't mean that you don't try to control some things.

Alan: Well, let's look at it from the standpoint of a business. You said that all it takes is just one person at a company, and the larger the company, the more chances are that something is going to get by.

I like your analogy, "It's like playing a game of soccer." All it takes is one ball to score in the goal, doesn't it?

Randy: Right, and the more shots in the goal, odds are that one is going to get through.

Alan: But, how should companies look at this? Companies are going to have to sit down and use this as an eye-opener experience and say, "Oh, man, this could have been us! We really need to go back and look at what we're doing and how vulnerable our equipment is - both on the inside of the Internet - what they call an "Intranet" and outside, as far as how customers connect to us," because we're so connected now, aren't we?

Randy: The problem is that a lot of companies are looking at how vulnerable their equipment was, but the vulnerability is their employees and they aren't investing in training their employees to be resilient against phishing attacks. So, that's a big part of it - focusing the training of their employees, not just phishing.

Alan: We get e-mail here all the time to "Mary and to Ralph and to Larry" and they seem to go down the list from A to Z and when we start seeing that, we know that somebody is just trying to phish. They just threw a line out there in the water and hopefully somebody with that name is going to bite.

However, here, we are going to see somebody that's going to target, directly because they have the e-mail address; they have the name that goes behind the e-mail address and they can make some very official looking e-mails to us, can't they?

Randy: I'm not just talking about phishing! I'm talking about this is very valuable marketing information. If I want to sell your name as a qualified e-mail lead, I can then say, "Okay, I know this person stays at Hilton Hotel. This person banks with Citibank; this person shops at Best Buy; this person shops here and this person does business here." I've then got your lifestyle.

I can then say that this customer fits your demographic and I can sell you a list of e-mail names of people who fit your demographic. So, we're not even talking about phishing. This is extremely valuable information for lead-generation.

There's not any evidence I've seen yet that indicates that actually phishing was the objective of obtaining all of these e-mail addresses. There are a lot of other really valuable uses for this information that could have motivated the attack. An insider definitely could have pulled this off, too.

Alan: You've got to really put some "smarts" on the problem and as you always say, "You have to have defense-in-depth," because if you don't have layers of defenses, just the first breach and you're gone or the first level and you're gone is not the way for a business to operate, is it?

Randy: No, it's not. Even security expert companies, like RSA have gotten breached, too.

One of the things, both with the RSA breach and the Epsilon breach, is they obviously had some intrusion detection in place, because they caught the breach, and according to Epsilon it was like 2% of their lists that were compromised, so evidently they stopped the attack before it got as widespread as it could have.

Alan: That's what we hear. But being in business ourselves, we know that nobody is going to air their dirty laundry unless they absolutely are forced to do so. What you see in the news is like the tip of the iceberg, because most companies, if they really would reveal how vulnerable they are or how close they actually came to spilling the beans, they would go out of business. All of this is like a public relations nightmare.

For companies like Epsilon that are behind the scenes – that's fine. But when you have companies like Best Buy and Brookstone and all the rest, people would go, "If my information gets out I'm not going to shop at these companies!"

Randy: You'd be surprised. The popularity of Facebook says that a very small percentage of people actually care about privacy. This kind of breach is not going to make a blip for Best Buy or Chase or Citibank or Disney or any of these companies. The fact of the matter is only a handful of people actually care about privacy and this really is not going to make a blip.

Alan: Anybody that has watched Science Fiction knows who the "Borg" is and this is almost like the Borg. Every time you attack the Borg, they are going to adapt and then you can't use that attack anymore, because now they are blocking it. Malware writers are the same way. They are learning as they go and each attack seems to get more sophisticated and stronger and seems to look more legitimate and so where's it going?

Randy: It's going where it's been going for thousands of years. This is just crime. We haven't stopped crime in the past several thousand years. The Internet and computers are "tools" and nothing more than tools that criminals are using!

So if you look at the history of crime, the good guys will come up with a defense and the bad guys will come up with a workaround. The good guys will find a way to defend against that and then the bad guys will find a new attack method.

With computers and the Internet it's just another tool – nothing more, nothing less. It's another tool that criminals use. And criminals adapt. It's what they do; it's what they've done for thousands of years. It's really overthinking it to think that this is anything more than criminals using tools to commit crimes!

Alan: I know in 1969, when I was going through GM Training School, General Motors was making this major announcement that they were going to stop car thieves because they were coming out with this steering wheel lock, where the ignition system and the housing was actually built into the steering wheel and nobody was going to be able to get past that.

However, all it took was five minutes after it was announced and all these new cars came rolling off the assembly line, where with a hatch hammer, available at any body shop – all they had to do was screw it into that little lock; pop it; stick a screwdriver into it and it worked better than the old way!

Randy: Anyone that says that they've got the silver bullet is either hallucinating or lying!

Alan: These bad guys that are writing this malware software are not like little kids that used to sit in the back room and say, "Oh, let's see, I want to see how noticeable I can be in the world. I want to make a statement!" This is big business and when I say big business, I'm talking about billions of dollars, which are put into trying to get through companies' security, isn't it?

Randy: Right, and these are professional programmers, professional hackers who are working for criminal organizations. These people are on a payroll and are making good money to hack in; write good custom software to get past security software. Yes, it is definitely an organized criminal operation.

Alan: What are we looking at as far as the cost of ESET Smart Security and ESET NOD32 software?

Randy: That can depend on how many computers you are buying it for and how long you are buying it for. For one PC a one-year subscription is $59.99. If you buy a two-year license then it's $89.99, which saves you 25%. There are other discounts, like for two PCs; the one-year license is $69.99, where one PC is $59.99. Again, there is like a 25% discount going with two years.

For the ESET Smart NOD32, which is just the basic anti-malware; anti-spyware; anti-adware; anti-virus; anti-trojan; anti-rootkit – the malware protection – the one-year license is $39.99 for one PC. It's $59.99 for two PCs. For one PC a two-year license is $58.99.

You can go to http://www.eset.com and look at the products and there is a breakdown. You can contact ESET if you are a corporation using more than four PCs to find out volume pricing for your corporate needs.

Alan: And you have different flavors, that are not just for PCs, don't you?

Randy: Exactly. We make protection for not only Windows, but also for Mac. For a long, long time we've had ESET NOD32 for Linux machines. We also provide protection for Exchange Servers.

ESET also has mobile malware protection. We don't currently support the iPhone or the Android, but we cover Windows Mobile and Symbian devices. If you haven't looked recently at our product offering, take a look at http://www.eset.com. We've got a nice range of products there.

Alan: And you also have Trialware. These are full-featured Trialware. You don't strip them down and "Try it and if you see that it's taken a virus out then you pay me for it." These are full-featured Trialware, aren't they?

Randy: Exactly. It's the full product with, essentially, a 30-day license. Anything that our regular product can do your demo product can do – because it is our regular product! And then if at the end of 30 days you decide that you want to purchase a license you don't download new software. You get the license key and use the same software you downloaded, because it's fully functional. It's just like having a 30-day license so that you can evaluate the software and try it and see if it's what you like.

Alan: And during those 30 days, you get full updates and sometimes you send out updates daily to make sure that we're protected, don't you?

Randy: Usually there are at least a few updates a day, so it's pretty rare that a day goes by that doesn't have at least one update, and generally there are two to four, sometimes more. It depends on what's happening. Trial software gets updated just like the regular software because it is the regular software. It's just a time-limited trial.

Alan: You mentioned that education is the key. And I know on your Website you have all types of White Papers, talking about viruses and the different ways that they can infect your computer system. You also have copies of all of the transcripts that we have done together!

Randy: These are excellent resources that people can use to educate themselves and learn more. We also have the blog and just recently I started a series about Adobe Flash, because a lot of people don't understand that Adobe Flash can seriously compromise your privacy. If you go out to our blog, you can also learn a lot more about a variety of different threats and how to deal with them.

Alan: And if I want to find out more information, what Website should I visit?

Randy: Come visit http://www.eset.com and also, for educational purposes, check out http://www.securingourecity.com. This is an effort that ESET and several companies, private and public, are providing simply to provide education.

When you go to the http://www.securingourecity.com Website, you are not going to get product pitches; there's no link to buy here – it's pure education!

Alan: Well, Randy, it looks like we've run out of time. I look forward to having you back on Let's Talk Computers real soon.

Randy: Well, thank you, Alan. It's been a pleasure to be here today.