BOSTON – It’s always risky for geeks to give advice to geeks, but when security experts who have worked with organizations ranging from Facebook to DARPA to the FBI are the ones giving advice, it’s worth listening.
Two such experts are Nick DePetrillo, principal security researcher for Trail of Bits; and Andre McGregor, a former FBI agent who is now director of security for Tanium. McGregor has the added cachet of being a technical consultant for “Mr. Robot,” the USA Network series that delves deeply into the hacker world.
DePetrillo and McGregor discussed the ins and outs of cybersecurity and the concerns raised by the rise of connected devices (a.k.a. the Internet of Things) today in Boston during the annual meeting of the American Association for the Advancement of Science. Here are five takeaways from their talk:
iPhone vs. Android? The security of mobile devices is a big deal, going back to the FBI’s laborious but ultimately successful effort to hack into a terror suspect’s iPhone. Which phone is safest? DePetrillo favors the iPhone, primarily because Apple is more vigilant about software updates and support. He said Android phones tended to be more hit-or-miss, particularly as they age.
“The only Android phone I would buy is the phone that Google puts out,” DePetrillo said, because Google has the most interest in keeping its phones updated.
Whither Flash? In recent years, Adobe Flash Player has been the focus of continuing cybersecurity concerns. Just this week, Adobe released an updated version of the multimedia player “to address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”
The concerns are among the reasons why Apple hasn’t supported Flash for a long time. So why is the platform still around? DePetrillo said it’s because Google’s advertising network relied on Flash. (That’s changing, however.)
McGregor mused that the software’s security quirks might come in handy for a “Mr. Robot” plot twist. “I’m going to put Flash in some capacity into Season 3,” he said.
Which types of websites are least secure when it comes to malware? Porn sites are the No. 1 threat, right? McGregor says that’s wrong. “It’s video-game cheats,” he said. McGregor speculated that teenage gamers might be less circumspect about downloading software that contains malware, and might be using their parents’ older computers as well. On his list of risky destinations on the Web, celebrity gossip websites are No. 2, followed by porn as No. 3.
Is the Internet of Things safe? Last October’s massive denial-of-service attack ended up being traced to battalions of Chinese-made webcams, which hinted at how the age of connected home devices could provide an opening for hackers. Things could get worse on the Internet of Things, or IoT. “You don’t want your oven hacked and have the heating element turned on while you’re on vacation,” DePetrillo said.
If you’re buying IoT devices that serve a critical function – for example, an appliance that you can switch on using Siri or Alexa – DePetrillo advises going with the brand that meshes with your network. Look for the label that says “Apple HomeKit Compatible” or “Alexa Smart Home.”
It’d be great to have an organization like Underwriters Laboratories to certify that connected devices are safe and secure. Unfortunately, “we don’t have a UL for IoT,” DePetrillo noted.
Check your phone at the border? Both experts are concerned about the move by U.S. Customs and Border Protection to demand smartphone and social-media passwords from travelers. “All the security and all the encryption is no match for your desire to get into this country to see your loved ones,” DePetrillo said.
They said U.S. intelligence agencies and companies such as Facebook already have enough information about travelers to separate the good guys from the bad hombres at the border. “We know how to fight terrorism,” said Danny Rogers, co-founder and CEO of Terbium Labs. “The way to do it is to let the intelligence community do its job.”
If you’re deeply concerned about cybersecurity while you’re traveling, Wired provides tips for keeping your digital privacy intact – tips that would probably earn the “Mr. Robot” seal of approval.