In this episode of the podcast (#190), sponsored by LastPass, Larry Cashdollar of Akamai joins us to talk about how finding his first CVE vulnerability, more than 20 years ago, nearly got him fired. Also: Katie Petrillo of LastPass joins us to talk about how some of the security adjustments we’ve made for COVID might not go away any time soon.
When the so-called Zerologon vulnerability in Microsoft Netlogon surfaced in late September word went out far and wide to patch the 10 out of 10 critical software hole. That job was made considerably easier by a number: 2020-1472, the unique Id assigned to the hole under the Common Vulnerabilities and Exposures – or CVE- system.
Created by MITRE more than 20 years ago, CVE acts as a kind of registry for software holes, providing a unique identifier, a criticality rating as well as other critical information about all manner of software vulnerabilities. Today, it is a pillar of the information security world. But it wasn’t always that way.
20 Years and 300 CVEs Later…
With another Cybersecurity Awareness month upon us, we decided to roll back the clock and talk about what life was like before the creation of the CVE system. To guide us, we reached out to Larry Cashdollar, a Senior Security Response Engineer at Akamai into the studio to talk. Larry is a veteran bug hunter with more than 300 CVEs to his name. In celebration of cybersecurity awareness month, Larry talked to me about the first CVE he received way back in 1998 for a hole in a Silicon Graphics Onyx/2 – and how discovering it almost got him fired. He also talks about what life was like before the creation of the CVE system and some of the adventures he’s had on the road to recording some of the 300 CVEs.
The New New Normal
Six months into a pandemic that most of us thought might last six weeks, its time to stop asking when things will return to normal and time to start asking what the new normal will look like when the COVID virus is finally beaten.
Among the changes to consider are the shifts in the workplace that were expected to be temporary, but are starting to look awfully permanent. Chief among them, the shift to “work from home” and remote work that that has millions of Americans connecting to the office from their dining room tables or home offices.
The pandemic has sent a surge of business to companies like LogMeIn, which makes remote access and security tools for remote workers. But is the shift to remote work temporary or permanent? What aspects of our Pandemic normal are likely to survive the eventual retreat of the COVID 19 virus?
In our second segment, we sat down with Katie Petrillo of LastPass and LogMeIn to answer some of those questions and talk about how the shift to remote work is also changing the security- and privacy equation for companies.
(*) Disclosure: This podcast was sponsored by LastPass, a LogMeIn brand. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Episode 190 Transcript
PAUL: This episode of The Security Ledger podcast is sponsored by LastPass for more than 47,000 businesses of all sizes. LastPass reduces friction for employees while increasing control and visibility for IT with an access solution that’s easy to manage and effortless to use. From single sign-on and password management to adaptive authentication, LastPass gives superior control to IT and frictionless access to users. Check it out at lastpass.com.
[MUSIC] Welcome to The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this episode of the podcast, Episode 190…
KATIE: A lot of companies weren’t ready. They were not ready for all of their employees to be working remotely on the dime.
PAUL: Six months into a pandemic that most of us thought might last six weeks, it’s time to stop asking when things will return to normal and time to start asking what the new normal will look like when the covid virus is finally beaten. In our second segment, Katie Petrillo of LastPass and LogMeIn joins us to talk about how remote work and better remote worker security will figure in to the post-covid world. But first, when the so-called Zerologon vulnerability in Microsoft’s Netlogon surfaced in late September, word went out far and wide to patch the 10/10 critical software hole. The job of getting that word out was made considerably easier by a number; 2020-1472, the unique identifier assigned to the security hole under the Common Vulnerabilities and Exposures or CVE system.
CVE is a kind of White Pages cert for software holes, proving a unique identifier, a criticality rating, as well as other critical information about all manner of software vulnerabilities. Today, it is a pillar of the information security world but it wasn’t always that way. To talk about what life was like before the creation of the CVE system twenty-one years ago, we invited Larry Cashdollar, a senior security response engineer at Akamai into the studio to talk. Larry’s a veteran bug hunter with more than 300 CVEs to his name. In celebration of Cyber Security Awareness Month, Larry talked to me about his first CVE and how discovering it almost got him fired.
LARRY: Larry Cashdollar. I’m a security incident response engineer at Akamai Technologies.
PAUL: Larry, welcome back to The Security Ledger Podcast.
PAUL: We’re here talking today first of all because it’s October and it’s Cyber Security Awareness Month, and also just to look back on some of the changes and evolutions in the space, and one of which is the development of the CVEs or Common Vulnerabilities and Exposures as a tracking system for vulnerabilities. You’ve been doing this long enough, Larry, that you actually remember a time when there were no CVEs. So, talk about what the world was like before we had CVEs to track software vulnerabilities.
LARRY: Sure. I started in this industry it was 1994. Around that time I was working for a small security consulting company out of Southern Maine and that company, we did penetration testing, we did ñ we built firewalls, we set up companies with internet access, small companies in Southern Maine, and we would handle patching of systems and whatnot. Back then, it was a specific vulnerability for a specific software package. You didn’t really know which vulnerability it was if there was more than one. If you had, say, two buffer overflows in Sendmail, you wouldn’t ñ didn’t really know which patch might be applied to your version of Sendmail because it wasn’t really ñ it didn’t have a specific, unique way to determine which patch was for which vulnerability.
That’s when they might already come up with a CVE which was great for folks like me who were looking to track vulnerabilities that we were patching for our customers. Instead of somebody asking me hey, do you ñ did you guys patch for this vulnerability that impacts, oh, let’s say Apache? It’s like yeah, let me check and see what version we have and what version we built for your system. Then it was so much easier to have them say hey, we patched for CVE 2000-OO45 and it was much, much easier to track things [00:05:00] after that, so it was a really nice thing to ñ nice tool to have.
PAUL: Yeah, so, I mean, CVEs is kind of like the difference between having a name for somebody versus describing how they look. Like, the guy with the brown hair and the ñ he’s 6’1.
LARRY: Exactly. That’s a great analogy.
PAUL: Yeah. So, you wrote a blog post this week and talked about your first CVE which you were assigned in May of 1999, and at that point you were working as an administrator, contract administrator at Bath Iron Works up in Maine, obviously a huge defense contractor. Talk just a little bit about that first CVE you received and the kind of story behind it ’cause it’s really interesting.
LARRY: I had left the small consulting company in Maine ñ I think it was 1998 or ’99, and I had joined Computer Sciences Corporation. As you mentioned, that was contracted by Bath Iron Works. Now, Bath Iron Works is a large shipyard in coastal Maine and Bath, and they had a lot of computers, a lot of computer systems there. My group was ñ I was joining the UNIX Group. We managed ñ I think it was close to or over 3,000 UNIX systems and these systems ranged from AIX to IRX to ñ we had HPUX, we had ñ I think there was a couple of SCO systems out there. There was a large playground for someone like me to explore systems and just learn more about different flavors of UNIX. I can’t remember if it was the ñ what day it was after I started; my manager decided to take me a tour because Bath Iron Works has a pretty big campus and they have buildings that are spread out at different locations.
He decided to take me to one of their new labs where they had built this SGI lab where they had all of these SGI systems. You know, the purple indigo machines. This was their CAD lab that they were generating these 3D models of zones on the ships. I think at the time they were working on a new submarine program and this was part of that. He sat down at one of the consoles and he said, some day when you prove your worth, I’ll give you a login on this SGI machine. I’m like, okay. I knew, being into security then, that all SGI boxes had an LP account with no password. The line printer account had a valid shell, no password, and you could just walk up to any ñ at the time, IRX-6 system and type LP and hit Enter. If it hadn’t been secured properly, it logged in.
I walked up to one of the IRX systems, I typed LP, hit Enter, and I logged in. I said thanks, I don’t need a login. My manager spun around in his chair and he looked at me and said, how did you do that? I said well, you know, IRX LP doesn’t have a password. This is default IRX right out of the box. He looked at me and he said, will you do security for us? I said, I was hoping you’d say that. So, I became the little ñ I guess hacker kid for the group. Cut to the point, we had this SGI Onyx. An SGI Onyx is this ñ it was an Onyx2; it was this refrigerator-sized computer system by SGI. It had its own data center, it was locked away, it had a…
PAUL: You got a picture of it on your blog post, actually. It’s quite a piece of hardware.
LARRY: Yeah, yeah. I think they were retailing $250,000, $500,000 depending on how they were configured. This thing was like, the Holy Grail of computer systems at our facility that I was working out of. There was only one or two UNIX administrators. There were UNIX administrators Level 3. I was a Level 1 so I didn’t have access to it. These administrators would always henpeck my team and I about not having access to the Onyx. Oh, some day we’ll ñ maybe you’ll get an account on the Onyx. Maybe you’ll get a login on there or you’ll get the root ñ you’ll get a root access. I’ve got root to the Onyx. It was a thing we’d hear now and then. The key code to the door was protected, you know. Nobody knew it except these guys.
If you needed something from the data center, they would get it for you. You couldn’t go in there. They wouldn’t give you the key code. It was this big protected thing and I thought, I really want to have access to the Onyx to show these guys that they’re not that special. I’m like well, how can I get access to this Onyx? I’m like well, I could look at another system that has the same operating system as the Onyx. I know I can log-in as LP; I know they haven’t secured it, so how do I get root on the system? It was an SGI desktop that was ñ I remember it was in my closet or it must have been running. Maybe it was one of the machines I had set up in the lab that I had [00:10:00] access to. I’m like, I’m gonna just explore this thing and look for vulnerabilities that can get me root that are ñ nobody knows about.
Back then, people were looking to attack the servers or systems and once you logged into a server, you have to elevate your privileges and then wipe your access to the system. That was the big thing that guys would do when they ñ folks would do when they would log into a ñ hack into a system. So, I figured first thing I should look at is setuid root binaries. Now, a setuid root binary is the binary that when you run it as a normal user, it executes with administrative or root permissions. With that, if I could get that binary to somehow manipulate files on the system, I could eventually ñ possibly get myself root privileges. I saw this little ñ this small binary; I think it was only 50K in size called MidiKeys. I thought to myself, what’s MidiKeys? This little keyboard pops up on my screen and you can click it with a mouse and it plays these…
LARRY: …little Midi Files or ñ yeah, exactly. I was playing with this MidiKeys program and I thought to myself well, if this thing’s setuid root, why, and what can I do with it? It says it can open files and save files. If I want to save my Midi File, I can save it. Can I open up a file that I don’t own? Can I save to a file I don’t own, like one owned by root, like sc password? So, I open up sc password, change my password on it to another ñ or my UID on it to 0 to make my Larry account 0, save it, and it saves. I successfully edited the sc password file. I’m like, this is my way into the Onyx2. I thought to myself, I’ll log into the Onyx2, I’ll edit the password file, get myself root, and tell the guys and just log-out and point a finger at them and say, I hacked into your machine. So, I log into the Onyx2.
I forward an X Window back to myself with the MidiKeys program, launch the MidiKeys app, edit sc password to change my user ID to 0, giving myself root access, save it, and then log-in as Larry, and I’m root. I’m like oh, cool, I’m root on the Onyx. I’m sitting there and I’m like well, I should change the password because it’s a blank password and that’s bad, so I go to ñ I type the password file and I hit Ctrl + D, thinking wait, I’m ñ I can’t change the password for Larry 0 or Larry ’cause I’m UID 0, so I’m actually changing the password for root. I hit Ctrl + D, Ctrl + D thinking I was gonna back myself out of the password program. IRX saved the password as Ctrl + D, so I inadvertently changed the password for root on the Onyx2 to Ctrl + D. At this point I realized “Oh, crud. I screwed up.” I thought to myself, I just changed the sys administrator’s password on the Onyx without telling anyone.
PAUL: It’s like that sinking feeling in your belly, right? Like, ugh.
LARRY: Yeah, I just felt this sort of sense of dread, like shoot. Me being a person of small stature; I’m 5’6. At the time, I was probably 120 pounds. I asked my friend Donovan who’s 6’3 or whatever; he’s a big guy. I’m like Donovan, can you go tell Dave, the sysadmin, that I hacked into the Onyx and changed the root password to Ctrl + D? Donovan’s like sure, I’ll go tell him. Donovan comes back like, I don’t know, twenty minutes or a half-hour later and he’s like dude ñ he’s like, they are so pissed at you. I’m like, why? He’s like, you changed the password right when they were logging in doing a demo for the US Navy. He’s like, there was an admiral in there, there was a bunch of senior management in there and they were all about to get a demo of the Onyx doing a rotation in 3D of the zone on one of the ships. He’s like, they couldn’t log-in so they had to scrub the demo. I’m like, oh my god. I’m like, holy cow. He’s like, they are mad at you. I’m like, that’s it.
I’m like, I’m gonna get fired. I’m done. At the time, this was a great job. I was making so much more money than my previous job and I was nervous. Like, I’m gonna have to go home and tell my wife that I just got fired. I’m like, alright, I don’t have much stuff here. I’m just gonna have to clean out my desk of what little things I have. An hour goes by and I’m sitting in my ñ on my ñ at my cubicle and my manager comes over. He says, hey. He’s like, we gotta go talk, you and I, with my manager. I’m like, okay. I’m like, here it comes. The cardboard box; get ready to get my pink slip. I walk into my boss’ manager’s office and I see a SANS Security poster on the wall. I thought to myself, this guy knows about security. He’s like, a security guy. I thought maybe he’ll sympathize with me. He’s like, have a seat. I sit down and he’s like, look; he’s like, [00:15:00] I really appreciate what you’re doing here. He’s like, I know what you’ve been doing with your security stuff.
But he’s like, from now on, I need you to tell the sys administrators what you’re doing and when. He’s like, you can’t just go and break into systems. There could be something happening like what happened today. He’s like, I’m gonna need a report from you on what systems you’re targeting, when you’re planning to target them, and then who you contacted about targeting them so that ñ and then they have to tell me it’s okay for you to try and get into those systems. I’m like, okay. I’m like, great. I just legitimize what I’m doing. I now have a process so I can ñ I have some authority now. I can say hey, look, I want to do a penetration test on your system. I’m gonna notify my manager and his manager and you can set up a time with me when you’ll let me take a look at the system’s security. It gave me sort of a ñ some sort of authority that I had now, not that I was some kid playing on the network.
PAUL: It worked out for you, Larry. It was like…
LARRY: It did.
PAUL: It did. What was the process back then for getting the actual CVE assigned once you had discovered the vulnerability?
LARRY: Back then when you found something, you’d drop an e-mail to Bugtraq. At least in my case, I didn’t notify SGI. I didn’t even know how to notify SGI. We didn’t have the social media and connections that we did back then. I wasn’t some old greybeard that was working at Sun Microsystems that had a buddy at SGI that I could just e-mail. I was just some twenty-two-year-old punk that broke into a system and didn’t ñ knew we found this new vulnerability but didn’t know who to talk to, so I pretty much sent it out to Bugtraq which had thousands of guys on it just like me or way, way, way smarter than me that could say oh yeah, I’ve been a sysadmin for twenty years, and they have a buddy at SGI or actually even SGI would be listening to Bugtraq.
You just dropped your zero-day on Bugtraq with as much documentation as possible, with ñ at least in my case, I tried to make it well-documented with a proof-of-concept so other folks could test it. Then the folks on the list usually vetted your work. There were guys that would pile on and say hey, this works for me; I’m running IRX 6.3 , the setuid root bin binary has the bitset on it and I tested it, and Larry’s right. There were guys that sort of took my vulnerability and then just made it more efficient and then confirmed it. Then eventually SGI had issued a patch.
PAUL: It still can be hard for independent researchers to know who to approach or who to talk to. Not every company out there has a real clear ñ as Katie Moussouris will call it ñ a front door approach.
LARRY: I probably get ñ maybe once a month or twice a month I get someone who reaches out to me over Twitter and says hey Larry, I’m a researcher and I’ve been having trouble getting this vendor to respond. Could you help me get a CVE number assigned? I don’t really know what the process is. What do I do? Where do I go? Then I sort of guide them through the process. I’m like well, you can go to ñ MITRE has a website, cveform.mitre.org that you can request a CVE for. The process is way more streamlined now.
PAUL: You’ve been assigned more than 300 CVEs in your time as a security researcher. I’m sure you’ve discovered a lot more vulnerabilities but you’ve registered more than 300 CVEs. Give us some of the highlights or lowlights depending on how you look at it.
LARRY: There was one that I really liked back in 2000. I was working at a small consulting company in Southern California. Again, I had chased the dot-com bubble out there and I was a consultant. They knew that I liked ñ I was into security ’cause I told them. The director of the company said hey Larry, would you mind; we’re looking to buy this software that will evaluate our logs on our web server. Now back then, everything was about how many hits you got to your website. If you wanted some venture capitalist to come in and give you money, one of the first things they would ask was well, how much traffic does your website get? A lot of these companies were really paying attention to their web server logs. The company I was working for was no exception. They asked me to evaluate this ñ some log-assessing ñ assessment software and one of the products I had looked at was Sawmill which is this great product that at the time I think was developed by one guy.
It was great; you could point it at your Apache logs and it would tell you from where somebody came in the world from your web server, their geolocation, pretty much how long they stayed on each page and which pages they moved to. It was a great little piece of software. I’m like, I’m gonna try this and I’ll [00:20:00] install it on one of my lab systems with a web server on it and just examine it. I installed it and I noticed that it listened on port ñ I think it was 8987. It had this administrative interface. I’m like oh, this is kinda nice. You can log-in with your web browser. I noticed in the URL, the get-request field that actually had a parameter pointing at the log file. I’m like well, what if I put a ../ in there? Can I get it to pull other files off of the disc as an unauthenticated user? So, I put in ../../ sc password and lo and behold, the first line of sc password popped up in my browser and it said, Error: Parse error. I’m like oh, I can actually read sc password with this thing as an unauthenticated user.
Then I started looking locally at the actual software and I noticed it had created this admin.db file. I’m like, what’s this? I opened it up and it had what looked like ñ it wasn’t a crypt hash; it was some other type of cipher of what looked like a password. I noticed the cipher was the same length as the password I had stuck in there. I’m like, that’s interesting. It’s not a crypt hash, it’s not an mcrypt or bcrypt or anything like that. I started tinkering with it. I’m like well, I’m gonna clear my password out and I’ll put a password in as ‘a’. So, I stuck the password in as ‘a’. I looked in the admin.db file and it had a capital Z. I’m like, that’s interesting. So, then I put in a ‘b’ just as my password and it had a capital ñ or a lowercase c in the file. I’m like so, ‘a’ is a capital Z and ‘b’ is a lowercase c. Then I typed in ‘abcd’ and I got capital Z, lowercase c, lowercase r, capital M, 1. Then I’m like, is this thing doing a substitution cipher?
PAUL: Transposition, yeah.
LARRY: I went to the binary. I typed strings on the binary and it literally spit out the array that it was using to translate the alphabet to his substitution cipher. Now, this is 2000. I wrote a little C program on my PalmPilot IIIxe that you could stick the password in and it would ñ or the encrypted password encrypted in quotes, and then it would spit out the clear text. What I ended up doing was ñ this was 2000; I was dumb. Don’t do this stuff. This is one of the learning things that I did; I lucked out again. I logged into the Sawmill’s ñ their demo site. I got on their demo site and I specified sc password on their site, grabbed the root login for their server, and then I also grabbed the admin.db file from their server for Sawmill. I decrypted the admin.db file with my little PalmPilot program that I think the password was ‘wookie’, logged into the Sawmill administrative interface as admin where I could execute commands as root and do things like that, and then I told the guy who ran the website about it.
I’m like hey, I just found these two vulnerabilities in Sawmill and hacked into your website. Here’s the program I wrote, here’s the cipher text that you guys were using, or the substitution cipher text you’re using. You might want to fix this. Now, that was really risky and dumb. I mean, he could have jumped down my throat, he could have ñ I don’t know. He could have gotten me fired. I could have gotten in so much trouble. Instead, he was like hey man, nice hacking. He’s like, that’s really cool. Here’s a free software license. I’m gonna fix these vulnerabilities right now and look for other vulnerabilities. Thanks so much for telling me. So, I went back to my manager and says yeah, I like this software; I got you guys a free license because I found some bugs in it. Here you go. Maybe you could just buy me lunch one day. They were so grateful. They were like, thank you so much. You saved us money ’cause it was a startup. Yeah, so that was one of my favorites that I ñ I’ll never do anything like that again, but it was…
PAUL: Yeah, I was gonna say, that ñ you definitely can’t count on that type of generous response.
LARRY: Yeah, no, you can’t.
PAUL: So, today, obviously the population of software-driven things has grown exponentially since the late 90s and CVEs have kind of adapted. One of the changes is some specific CVEs just ran, for example, industrial control systems and some of those types of systems. Talk just a little bit about how the basic numbering identification system has adapted to the times.
LARRY: MITRE now has ñ they have different tiers or sections for ñ they have an open-source numbering system and they have a closed-source system. Then there [00:25:00] are many, many companies now that they’re their own certified numbering authority. Companies like Microsoft and Oracle can assign their own CVE IDs. With all of the Internet of Things now, there’s gonna be so many more vulnerabilities ’cause there’s so much more software out there. Twenty years ago, it wasn’t anywhere near as spread out as it is now. Now there’s just so many IoT devices. I just literally installed a smart outlet so that I can control the power going into one of my routers because I ñ sometimes I have to reset this router ’cause it’s flaky. This thing, I Nmapped it, of course, and it has ñ for some reason, it has the ñ an IRC port open on it. The IRC Internet Relay Chat daemon, that port number is listening on this device. It’s got some sort of service running on the IRC port and there’s billions of these devices. You have this enormous network of things now or Internet of Things now, and those things have software and that software is ñ could have a vulnerability, so you’ve ñ things have just expanded greatly since twenty years ago.
PAUL: For sure. I think one of the things that struck me about your story from Bath Iron Works, Silicon Graphics was kind of how back in the 90s there just wasn’t the same awareness of security vulnerabilities. But it strikes me that with many of these embedded devices, and that story you just told right now is a great example, these IoT devices, it’s kind of like back to the battle days where there just isn’t that much thought given to hardening these devices before you’re pushing them out into homes and businesses. It’s kind of the assumption of oh, people just won’t know to look.
LARRY: Right. In the 90s it was ñ companies would just send things out that worked. If you want your system to ñ you get a new Sun box and you want to telnet into it, they’re gonna have telnet running by default. Of course, they’re gonna have Echo and CharGEN and FTP and all that stuff running too, but they just wanted things to work right right out of the box back then. Not that you had to, yeah, configure your system from a secure point to a usable point; it was configure your system from a usable point to a secure point. Now, I think the IoT manufacturers are going through that same ñ I guess growth spurt where they got all these IoT cameras, their DVRs, all these things. Those things, they work out of the box, but they’re not secure out of the box. What they’re ñ I believe they’re working towards now is making things secure out of the box that also work, so we’re seeing improvements there. Not that it’s all completely fixed, but at least I think they’re trying to improve.
PAUL: Two questions; one is is the CVE system such as it is going to scale to meet the demands of the IoT where, again, billions of devices and tens of thousands of types of devices ñ or are we gonna need something different to handle that surge and how do we get these companies making these devices which are not by-and-large software companies in their DNA to plug into something like CVE and really be part of the community?
LARRY: I think I’d have to ask someone from the CVE program at MITRE if they think it would scale. I think it will scale as long as MITRE can keep adding more digits to the CVE numbering format.
PAUL: Easy enough to do.
LARRY: Yeah, and then I would imagine companies are gonna have to track their own vulnerabilities by becoming their own certified numbering authority and just identifying things that they fixed. This, I think, would be something for consumers to look at when they buy a product; is this company actually concerned about security? Do they have a security program to work on the security of the software that’s running on their products? I think that will be something that will push vendors to do the right thing by way of their consumers, that the consumers ask for it.
Which is the next thing I was gonna say, is that I think it comes down to us, the people who are buying things, to say I’m not gonna buy this product because I’m looking at the website documentation and it doesn’t seem like these guys have security in mind. They have people in their comment section saying my camera was hacked and somebody was talking over my ñ to my baby and I kept asking the ñ sending e-mails to the support at this manufacturer or this vendor and they never answered me. I think reviews like that [00:30:00] will be things that’ll push these manufacturers to make things more secure, if people stop buying products that they know ñ or you’re just gonna buy it and then you’re never gonna hear from the manufacturer again if there’s a patch or a new firmware update that leaves your baby camera open to attack or hijack or what have you.
PAUL: Of a generous response.
LARRY: Yeah, no, you can’t.
PAUL: Larry Cashdollar, thank you so much for coming onto Security Ledger Podcast and talking to us about your history with CVEs.
LARRY: Thank you.
PAUL: Larry, happy Cyber Security Awareness Month.
PAUL: Larry Cashdollar is a senior security response engineer at the firm Akamai. You’re listening to the Security Ledger Podcast sponsored by LastPass.
Up next, as the pandemic drags on, changes to the workplace that were expected to be temporary are starting to look awfully permanent. Chief among them, the shift to work from home and telecommuting that has millions of Americans connecting to the office from their dining room tables or home offices. The pandemic has sent a surge of business to companies like LogMeIn which makes remote access and security tools for workers and companies, but it is a shift to remote ñ 3, 2, 1, but is the shift to remote work temporary or permanent? What aspects of our pandemic normal are likely to survive the eventual retreat of the covid-19 virus? In this next segment, we invited Katie Petrillo of LastPass and LogMeIn back into The Security Ledger studios. Katie and I try to answer some of the questions about how the shift to remote work is changing the office maybe for good, and how cyber-security factors into the remote work equation for companies.
KATIE: Katie Petrillo, senior manager, LastPass product marketing for LogMeIn.
PAUL: Katie, welcome back to Security Ledger Podcast.
KATIE: Thank you for having me.
PAUL: We’re speaking now kind of ñ end part of September. It’s been around nine months now that our world got turned upside down by the covid virus. I want to check back in with you because LogMeIn LastPass is one of those companies that was really right in the cross-hairs of when covid hit as everybody shifted to remote work. Obviously, LogMeIn’s been doing this for years and it’s obviously been a growing trend for years, but covid just put everything into overdrive. I thought it would be great to check back in with you, Katie, and sort of see how the world looks nine months into this pandemic from the perspective from where you’re sitting there at LogMeIn and LastPass.
KATIE: Yeah, absolutely. It’s been an ñ very interesting nine months to say, and I feel like we’ve been on this roller coaster now for that period of time and who knows? Is there an end in sight? Not sure. But I think, as you mentioned, LogMeIn as a company has really been ñ we’ve been doing work from anywhere, work from home support for as long as we can remember. The first time LogMeIn originated was with remote access and the need to be able to connect to a computer in Budapest that was across town. They have the Buda and the pest, the two sides of the town, and the computer was on one side and the person was on the other and he needed to connect it, and so it’s like, that concept just all of a sudden became extremely relevant in March when everybody was working at home on a dime. We’ve evolved since then. Everyone I think is really settled in to being from home. We all have our computers, we’re set up, we kind of are getting into a little bit more of a rhythm and a routine.
That’s been interesting. I think one of the things that’s changed or we’re seeing is at the beginning it was like okay, this is gonna be for a couple of weeks, maybe a month or so. What we’re now seeing is that it’s gonna last. This is not going to be short-term. Our CEO actually shared a stat with us a couple of weeks ago saying that by the end of ñ nine months ago there was a survey that was how many employees you expect to be working remotely by the end of 2021. That number was single digits. Now that number is around a third of employees. You can already see how this shift for remote work is something that happens occasionally to like, this is going to be part of our daily, weekly life. I think that’s been the biggest shift, is that just how pervasive and longer-term this is actually gonna be.
PAUL: I mean, if we were to look at this whole work from home pie as it were, what are the pros and cons? What does LastPass and LogMeIn see as the main advantages companies gain by having more of their workers or even all of their workers remote? Then on the flip side, what are some of the drawbacks or things organizations need to be on the lookout for?
KATIE: Yeah, [00:35:00] there are two sides to the coin. I think at this point, especially for someone ñ what we’re seeing here at LogMeIn is we’ve ñ people can work from home. They can be very productive and I think there are definitely benefits that the employees and this is ñ employees across the world are seeing. I think the interesting thing to think about or the caveat when you think about benefits; we have to think about current state versus normal state. Obviously right now we’re in the middle of a pandemic, but if we think about when kids are back in school and in daycare and socializing outside of your pod and you have this more of a normal life, I think that’s when we can start to think about those benefits, that there’s a lot there.
We did a survey actually earlier in the year just with knowledge workers, asking them about what the benefits were, what they’ve ñ how they felt about working remotely. The three things that rose to the top of that were about time, so saving their time, obviously think about commuting, but also productivity. There’s no hallway conversations. Of course, that has downsides as well, but you are really able to focus on your work. The other thing is about saving on costs; again where commuting comes in, food expenses. Then I think the third is really around just spending more time with friends and family. All three of these, they all come together. But I think ultimately what it means is there’s just a higher level of satisfaction overall that we’re seeing that comes as a benefit of being able to work from home.
PAUL: Yeah, I mean, before the pandemic, particularly after school was back in session in the fall, the morning commute ñ I live pretty close to the center of my town and we’ve got this crazy intersection that people ñ we’re a cut-through town that people use to get into Boston. In the morning rush hour, you’d see cars backed up forty or fifty cars from this intersection right past my house just sitting there idling and people kinda slowly losing their mind, you know? That’s just gone. There’s just no ñ I was just thinking about my daughter’s first day back to high school the other day. Ordinarily, it would just be a crazy traffic day ’cause of the buses and everything else and it was just like, nothing. You’re like, wow. Obviously, there’s a huge economic impact of this virus that has not been positive, but you do think about the productivity gains that organizations get just from not having their workers stuck in bumper-to-bumper traffic getting into the office.
KATIE: There’s the traffic and yes, the time you spent there, but you mentioned it; the frustration. You don’t have that frustration of like oh, this commute was terrible and you get to work and you’re already frustrated, or having a terrible commute home and then being in a bad mood when you get home to your family.
PAUL: Yeah. Your blood pressure’s gone through the roof.
PAUL: Out of sorts.
KATIE: Yeah, I feel like that’s something that is gone. I’ve said this a couple times; it’s like, the rushing around, that’s completely gone. I really, honestly don’t miss it. I think the other piece of it though is there are definitely downsides, as I mentioned, the security risks.
PAUL: Yeah, let’s talk about them. Yeah.
KATIE: Yeah, which obviously, this is something that here at LastPass, we’ve been paying attention to cyber-attacks. That’s the business of what we do, but the unfortunate thing is as hackers have seen the ñ people are spending ñ and this is individuals as well as business workers ñ are spending more time online, that there’s been more of an opportunity for attacks. Ransomware attacks are up, phishing is up, and I think that’s really presenting a lot of challenges for organizations when ñ especially, you think about IT; all of their employees, they’re like, they’re out of reach, you know? How do you make sure that they are secure? When cyber-crime is quadrupled, it’s something that becomes a much more challenging thing to be able to address.
But I think that’s one of the pieces that that’s where people are ñ and companies are starting to focus on now. We did a survey recently and we were asking about just how you would address your strategy with remote work. It was basically 100% of them that said that they really ñ the security strategy is where they needed to make the shifts which is ñ kinda tells us a little bit and says that a lot of companies weren’t ready. They were not ready for all of their employees to be working remotely on a dime. I mean, that totally makes sense, but I think that’s one of ñ definitely one of the open threats that continues to be a challenge.
PAUL: Yeah, I mean, none of the phishing ñ malicious e-mail attachments, none of those are new. Covid didn’t bring any of those to the surface. They’ve always been there. I guess the problem, the challenge from the standpoint of an employer is your ìcorporate network perimeterî, quote unquote, is now basically hundreds [00:40:00] or thousands depending on how many employees you have working remotely. Home networks, right, with teenagers on there with their devices and a mixture of the DVR and the iPad and everything else is all kinda thrown in there together, and you’ve got somebody who’s connecting into your corporate network from that. That becomes a very tricky security problem and a management monitoring problem. Yeah, yeah.
KATIE: Yeah, and I think that’s where the ñ that security strategy really comes into play. If we think about things like just having a simple authentication factor on your work tools, meaning 2FA, MFA, a biometric that will ñ an employee has to verify before being able to get into a machine or an application, that just really gives that extra layer of security that ñ and a lot of companies didn’t have that set up or at least set up as broadly as they wanted it to be. I think that’s where they’re starting to take some of those strides to add authentication into their employees’ day-to-day work life.
PAUL: Yeah, I mean, it’s a small thing and it doesn’t solve all of your problems, but I’m always amazed at how much just doing something like having two-factor authentication in one form or another reduces your risk, right? How many problems it short-circuits. For companies that again are kind of wrestling with this problem; we’ve got all these employees at home, we’re worried about their exposure to cyber-risk and cyber-threats, what are you recommending that they do to address this?
KATIE: I’d say there’s two sides to this. One is focus; your employees, what can you encourage them to do and then what can you do as a business thinking about your IT team? If we start with those employees, those ñ just your individuals, I think a lot of it comes down to awareness which we’re talking about this. You mentioned this is the end ñ we’re at the end of September getting into October which is Cyber Security Awareness Month which is a huge, huge month for security because ñ and I’ve already been seeing a lot of e-mails and reminders from brands that I follow and I’m subscribed to giving out advice and I think the advice is very similar across the board. It’s really about paying attention.
I mentioned don’t click on suspicious links, making sure you’re always using those strong passwords. You mentioned account takeover; the first step to that is don’t use ‘password123’ as your password. We can’t say this enough. Putting those strong passwords on, also then adding the 2FA so you have that second layer of protection. I think that’s really, really important, and then keeping your software updated. If your computer is asking you to update something, make sure you’re doing it just so anything outdated can potentially allow any sort of threats in and you don’t want that, so make sure things are updated. The other one is really around ñ I mentioned paying attention but not just to links, but also where is your data online?
Is there an opportunity for you to sign up for a monitoring service where you’re able to monitor your e-mail or certain personal pieces of information that could be found on the dark web or be part of a breach? This is something that LastPass just announced for ñ we’re ñ now offer that for our password management tool, but it’s just something that’s nice because now anytime that your e-mail is found on the dark web, I receive an e-mail about it and I ñ alert, so I’m aware. You know you can go ñ and you can go change your password. It’s not hard. It’s really just ñ again, it’s about awareness and just paying attention to that.
PAUL: Okay, so that’s individuals. Now what about employers?
KATIE: Yeah, I think on the employee side it comes back to this kind of security strategy or putting together and making sure you are putting together a strategy to secure the access and authentication of your users. Know your ecosystem of your employees that are out there, the devices that they’re on, and the applications that they’re using so that you can then put together a plan to be able to secure all of those. Ultimately altogether, this is really your IAM or your identity strategy. Like I mentioned earlier, the multi-factor authentication is a big piece of that, so adding ñ really being able to verify your employee is who they say they are when they’re going in to access whether it’s their ñ even open into ñ open their machine, open their e-mail, open that PO system or financial system that they need to be using.
PAUL: Katie Petrillo, talk to us a little bit; we’re kind of in the middle of this. It’s like you’re in the middle of the fog and you’re trying to see what’s beyond the fog [00:45:00] with this pandemic. Like you said, we all thought it was gonna be, I don’t know, a few weeks or something and it’s ñ now it’s seven months or eight months and we’re looking ahead and we know it’s gonna end eventually, but I wouldn’t want to have to put a date on when. I don’t think you would, either. What do you think is going to endure from this huge, unplanned experiment in remote work? As we come out of covid and go into the post-covid world where hopefully things are a lot more normal and maybe more people do go back to work, what do you think is going to remain and just become an enduring part of 21st century business culture as a result of all this stuff we’ve gone through?
KATIE: Yeah, you just mentioned or we were ñ the security versus convenience trade-offs and I think up until this point, we’ve really ñ we’ve been talking about it as just that; trade-offs. It’s hard to have one and have the other. Doing both is a challenge and this is something here ñ at LogMeIn, at LastPass, this is a story we tell a lot and it is something that is possible. I think what probably ñ this situation, this pandemic forcing everyone home really quickly and being able to work directly ñ not needing to go into the office has forced this issue and I think what’s happened is really proving that you can have a secure work environment that is also productive. I think it’s not gonna be about being ñ there being trade-offs anymore. It’s really going to be something that is ñ can happen collectively together.
Like I mentioned, you don’t have to ñ you can have your employees having this one-click access to their e-mail or their project management system, but ñ and have them authenticate and have them get in really quickly and have them enjoy the experience. Also, you have that peace of mind and control over the access that they’re getting. I think that’s something that is different because I think that’s ñ it’s interesting, the amount of companies that don’t necessarily ñ didn’t think that way previously and are now working in that way or starting to think in that way. I think that’s gonna be potentially one of the biggest things that will come from this which is ñ we’re happy to see that and I think that’s something, like I said, we’ve been talking about for a long time and it’s actually coming to be true.
PAUL: Yeah, it’s kind of the necessities of mother of invention phenomenon, right? All these organizations that maybe were inclined to dip their toe into some of these things and be super-cautious and have a very long time horizon have really been forced to embrace them and adopt them very rapidly. While that was kind of painful, it also has dividends, I think, down the road for them. It opens doors and opens eyes to some of the different ways that maybe you can do business and conduct business.
KATIE: Yeah. Some of these things that they may have been ñ it might have been ñ it’s funny how much of a power the employee has or how many of our customers or folks that we talk to that say I can’t do this, I can’t add this into my employees’ workflow because they’ll be frustrated by it or this will cause friction even though it is something that is in the best interest of the organization whether that is something like single sign-on or a multi-factor. It certainly is a ñ very traditionally a best practice. They’re hesitant because of the employee backlash. I think covid is a situation where it’s like all of a sudden these are things that we have to be doing because you’re not outside of the quote, unquote ìfour walls of the officeî. It will be something that will endure, as you mentioned, beyond ñ once we’re doing it for a month, eighteen months, or twelve to eighteen months, it’s not gonna go away and employees will be used to it, so I think that is potentially one of the biggest benefits that we could see.
PAUL: It’s like wearing masks, right?
KATIE: Yeah. Yeah, actually. Yeah.
PAUL: The United States; not a mask-wearing country, generally. Now everybody wears masks and nobody really thinks about it that much. Maybe that’ll be the case with strong passwords, too.
KATIE: They’re coming in style.
PAUL: Everybody kind of blew it off but maybe in a year from now we’ll all just be having strong, unique passwords for all of our different accounts and nobody will think twice about it.
KATIE: We would be very happy if that were to be the case.
PAUL: It’s an adjustment. It’s definitely learning [00:50:00] a new skill and learning ñ I mean, I ñ ’cause I evangelize with people all the time about this and I think ñ and I’m sure you guys have noticed this ñ what’s hard for people is letting go of the idea that they need to know all their passwords, that this is information that they need to keep in their head and being like well, if you’re keeping it in your head, almost by definition, it’s not very secure.
KATIE: Right. Yeah, the control there…
PAUL: You’re much better off ñ yeah, I would ñ trusting technology to help you do this task, right? That can be a big leap into the void for people into the unknown.
KATIE: Absolutely. People don’t want to give up that control. It’s interesting though because they ñ their password that they’re remembering is something that is really easy and they’re ñ [MUSIC] think that they’re protecting it and meanwhile, they don’t want ñ the real, true way to protect it would be to make it something that is completely random and put it somewhere that they don’t actually have to remember it. It’s just this interesting psychology behind it. But I think ultimately it comes down to a lack of understanding, unfortunately, of just what the different options and what these different methods actually are and what the outcomes are or potential risks.
PAUL: Kind of confusing people of ideas like oh, you know, if you’re using this formula where it’s the initials of the website plus some other static value, that’s not really random or secure, you know? Kind of disabusing this notion that the thing that you do that you kind of think makes a random password, it’s not really random.
KATIE: That is not random to any sort of a brute-force hacker. They will figure that out.
PAUL: That’s just not gonna work. Katie Petrillo of LastPass and LogMeIn, thank you so much for coming on and speaking to us again on The Security Ledger Podcast.
KATIE: Thank you very much for having me. It was a delight.
PAUL: Katie Petrillo is the manager of LastPass product marketing at LogMeIn. You’ve been listening to The Security Ledger Podcast sponsored by LastPass. For more than 47,000 businesses of all sizes, LastPass reduces friction for employees while increasing control and visibility for IT with an access solution that’s easy to manage and effortless to use. From single sign-on and password management to adaptive authentication, LastPass gives superior control to IT and frictionless access to users. Check it out at lastpass.com.
Transcription by: www.leahtranscribes.com