On Episode 64 of The Edge of Innovation, we’re talking with entrepreneur Greg Arnette, about new business technology and archiving for perpetuity.
On Episode 61 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about whether cybersecurity is getting better or worse.
CVE: Common Vulnerability Enumeration
The Watering Hole
You Can’t Detect What You Don’t Know To Look For
Programs and Operating Systems Adriel Uses
Dealing With Data
Is Computer Security Getting Better or Worse?
What is a Honey Pot?
Internet Security: Ten Years From Now
There’s No Excuse
Data With a Long Lifetime
Why Europe is Doing Credit Right
What To Do If You Have Been Compromised
How to Tell If Penetration Services are Genuine
Paul: So now I recently read about a CVE. And just for our audience, CVE stands for…
Adriel: It’s the Common Vulnerability Enumeration, I think it is.
Paul: Something like that. So it was a vulnerability that if you browse to a certain website, to a website with a certain browser, and it loads an ad, your machine is infected. Can you explain? How does that work? And we’ll go through this probably…we’ll unwrap the onion a couple of times on this. How does that work? So I use Chrome and obviously, we think it’s secure today, but six weeks ago, we thought the same thing. And they fixed things in the past six weeks. So what happens? I go to a website. It opens up a news site. What happens? Tell me.
Adriel: So, this goes back into the helper application world. So, let’s use Flash as an example. Flash is a great example because Flash is always being exploited. In fact, our own company is notorious for having sold a Flash exploit. It made the news a while ago. But, Flash is used a lot for ads or videos or things like that on news websites or other websites, or at least it used to be. It’s a way of almost playing movies. Or playing ads and things like that.
Well, you can take Flash and you can embed specialized payloads into Flash. And then the Flash players themselves were vulnerable to these payloads. And when they would load the payload, the payload would exploit a vulnerability in the player, and then give whoever an attacker was — or whatever the end thing was — full access to your system. So in the case of malware, when the system is exploited, rather than give command and control of your computer system to some third party, the malware would be uploaded into the system, and it would do whatever it was going to do. So if it was ransomware, it would encrypt your system. Then maybe propagate it upwards, other directions. So really it’s taking advantage of helper applications.
Any time you browse the web, your browser is the main application that sometimes contains its own vulnerabilities that can be exploited. There are lots of other helper applications that come in. There’s different movie players, there are different content renderers. There are all kinds of things you can plug into a web browser or that you can use in a browser and any one of those things does have vulnerabilities and can be exploited.
So when you browse websites, when you look at anything online, you’re effectively trusting that source to have content that’s safe.
Paul: Okay, but now aren’t you also trusting their ad networks?
Adriel: You are trusting their ad networks, but more importantly, you’re trusting them. The ad networks are less likely… Well, they’re less likely to cause problems for you, than the systems themselves, usually.
Adriel: Yeah, I think so. I mean, from a theoretical perspective, I suppose anything could be a problem. But, I mean, if you look at…Are you familiar with the term watering hole?
Paul: Not from a computer point of view. I mean, from a wild gazelle point of view, yes.
Adriel: Yeah. Right. Exactly. So, in a safari, you have a watering hole. The animals, they all go to get their water, and they drink from this watering hole. And it’s the one place where the lion won’t eat the gazelle, and all these things are great and happy.
Now imagine some guy comes by with a bio agent that’s designed to wipe out these animals, and he puts it into the water hole. And these animals drink, and then they go back to their herd. And unbeknownst to them, spread this infection and then all of a sudden, their prides and their herds and all that just drop dead. That’s because of a poisoned watering hole.
So a watering hole attack is when you take a website, a common website or a news location or an ad network or anything like that, and you infect it with malware. The people who go and visit that website are then compromised or infected by the malware that exists in that website. If the malware is designed, as we would be at Netragard, if it’s designed properly, then what will end up happening is when that person takes their infected computer to another network, it will notify the controller, the person in charge, whoever deployed the malware, that they’re on a new network, and it will give them access to that network too.
So just like the infected animals that spread their infection to the rest of the herd, the infected computer will spread their infection to the rest of the computers in the network that it connects to. So it’s a watering hole.
This attack has been around… Boy, this type of attack has been around, since probably 2000, 2003, just never really heard about it until, I think it was called the Aurora incident, the Aurora something. It was when Google was targeted by the Chinese with a watering hole attack. And since then watering hole attacks have been happening. I can’t remember any off the top of my head or recall any on the top of my head that were as large-scale as that. That was just one example. I mean, there are, of course, you know… We have the ransomware attacks today that are happening. Bad Rabbit or whatever that was. They’re continuously going. But I don’t remember anything quite the scale of what was going on with Google, only because Google, of course, is massive.
Paul: They are a big target.
Adriel: Yeah. And so they have a lot of viewers. The bigger the watering hole, the more people that feed from it, the greater the impact.
Paul: So now if I’m just a general citizen sitting at my computer, why is it that Google doesn’t catch the fact that their site is infected or CNN or whatever? How come they’re not smarter than me?
Adriel: Yeah. You can’t detect what you don’t know to look for. A weird example. Imagine we somehow encounter extraterrestrials and they come in. “We come in peace.” Shoot to kill. They think they’re friendly. We think they’re friendly. Everything is going great. Meanwhile, they’re offloading masses of weapons, and we don’t recognize the weapons as weapons because we have no idea what they are. Right? And they begin to attack us with these weapons, but they’re not like anything we’ve ever seen before. So we have no idea we’re being attacked. And then all of a sudden, people just start dropping dead, and it takes us a while to begin to realize, we’ve been attacked.
Hackers are the aliens. We build weapons that nobody else has seen before. And we attack people in ways that they absolutely don’t expect and in ways that the security industry doesn’t expect. We come up with new things. And so you really can’t defend against the unknown, which kind of goes full circle, and that’s why this whole “I protect you against zero-day things” is ridiculous because zero days are unknown vulnerabilities you can’t defend.
Paul: So it’s all marketing is what you’re saying is…
Adriel: Exactly. That’s exactly right.
Paul: Now what kind of computer do you use? Do you use a PC with Windows or Mac or what?
Adriel: I use a Mac. But within the Mac, I use a hypervisor and I run about four or five different operating systems within that. So I use the virtual machines. Within containers is my real machines.
Paul: Which hypervisor do you use?
Adriel: Right now it’s VMware Fusion.
Paul: Okay. So you’re using VMware Fusion which allows you to run virtual machines, as they’re generally called. Are those sacrificial virtual machines, or are they secure?
Adriel: One of them is secure, but it can still be sacrificed if that makes any sense. I take snapshots regularly. So if I’m doing something, and I think anything bizarre happens, I just revert back to the snapshot that I know was good.
Paul: Okay. So this is a good line of discussion. So you have several VMs and you use those. Now in those VMs, do you have any antivirus, antimalware, any software on them that helps you stay secure?
Adriel: Yeah. Only in one of them, in the Mac VM, within the Mac. On my Mac within a Mac, yeah. I use Bitdefender and Hands Off! I use Bitdefender because it is proven to be one of the most effective pieces of antivirus software out there. When we do our own zero-day development, Bitdefender oftentimes will pick up our exploits or our tools and we’ll be able to say, “Hey, well okay. We have to adjust this because Bitdefender just found it.” Others just don’t seem to do it quite as well.
And then Hands Off! is sort of like Little Snitch, only it’s a bit more advanced. It’s a bit more advanced than Little Snitch. Hands Off! allows me to control what files are accessed, what ports are being connected to, what hosts are being connected to. So if I decide that I want to browse to XYZ.com, Hands Off! is going to say, “Hey, do you want to allow this connection? Do you want to allow this access to this file?” And I have to explicitly allow everything.
And it’s nice because if I actually brought us to a malicious site and I hit a Flash exploit or whatever it might be, when that exploit begins to work, I will see that my system is trying to access files and do things that it shouldn’t normally do. And I’ll say, “Hey, wait a second. Why are you doing all of this stuff? Something just happened. Let me revert back.” So I can catch it, even if I don’t know exactly what’s going on.
Paul: So it sounds like you have to be a little bit smart.
Adriel: Yeah. You do. You have to be vigilant. Absolutely.
Paul: And know what you’re looking at. So if the ordinary user was faced with Hands Off!, they might not know how to respond.
Adriel: Yeah, it’s not trivial, unfortunately.
Paul: So what are the other operating systems you run in these VMs and, and why?
Adriel: So BSD and Linux. BSD just because I like it. There’s not a lot of people that are targeting BSD. I like the port system a lot. And Linux because Kali is great for penetration testing and doing research, and a lot of tools run on it. I run Ubuntu, but I do that largely for administrative reasons because it has some cool functions and features that will help you manage other servers that are similar or systems that are similar.
Paul: And do you run Windows at all?
Adriel: I don’t. I mean, I do have a Windows VM, but I use that specifically for signing malware. So we have a code signing certificate and we sign all the malware that we push out, which is interesting. So I use Windows specifically for signing malware.
Paul: So how do you deal with your data?
Adriel: What kind of data?
Paul: Well, I mean, you’re doing work. You’re a productive member of society. You probably have a bank account. You probably have photos. You have business files, an agreement with a client, a contract here and there, etc. Where are those? Are they on the machine? Are they in a VM? Are they somewhere else? Are they on a flash drive?
Adriel: No. So everything that we have is stored in our data center that is related to the business. And it’s stored in different ways. If something is highly sensitive, it’s stored on an encrypted disk, and it’s also PGP encrypted. And there are only three people that can decrypt those files. If it’s medium sensitivity, then it’s stored in the system with an encrypted file system or it’s stored in a system with an encrypted file system within an encrypted database.
The idea of encryption, though, on end points like that, kind of promotes a false sense of security also. If you were to walk into our data center, and you were to lift one of our machines, the drive would be encrypted, and you wouldn’t know the passphrase to unlock the drive, so of course, it wouldn’t be useful. But if you’re a hacker, and you were to hack one of these systems, the contents are already decrypted because the system is running, and you’re going to gain access to the system and its respective data.
Likewise, encrypted databases, everybody always talks about them. “Oh, let’s use encrypted databases. They’re great.”
Well, if you hack a system with an encrypted database, the key exists somewhere because the database users, the people that are responsible for using that system, they have to have a way of decrypting the data. Right? And we have yet to find an instance where we breached a network, encountered the encrypted database, and couldn’t find a way to decrypt it. So really, encryption is not going to protect. It’s going to slow things down. The best way to encrypt something and protect is with something like PGP. But again, that’s not trivial. You know, I mean, PGP and managing that kind of…I mean, you lose your keys, you’re screwed.
Paul: Right. What do you do with your photos, your personal stuff?
Adriel: That goes into that Mac VM that I have that’s protected by Little Snitch and Bitdefender. And I, I just have those there.
Paul: Do you back them up?
Adriel: Yeah. I back them up.
Paul: How do you do back up?
Adriel: I back them up to the cloud. I dump them to the cloud. The iCloud. You just make sure that nothing is sensitive. That’s all. Nothing is compromising or sensitive.
Paul: Right. Okay.
Adriel: So, yeah. That’s the best way. I mean, anything that could ever be compromising or sensitive or somehow used to harm my family or harm myself, I just don’t put on computers. I try to make sure that that stuff you do stays in memory or is on paper in a vault or it just doesn’t exist.
Paul: Right. Well, it’s interesting. I’ve had, being a computer person, everybody asks you to solve their computer problems, and the number of people I’ve seen become infected, I’m like, “I don’t know. How did you get infected?” And it almost always comes down to they didn’t know what they were doing. They didn’t realize that doing this was going to do this. And, there’s really no way to give them that level of scrutiny that things that you and I might do, certainly you more than I would just say, “Wait a minute. That doesn’t seem right.” And they don’t perceive it. They don’t even see it.
I just saw a good example of the WPA Crack hack where they got in the middle and basically redirected somebody to a non-SSL site and captured their username and password. And that’s a good, for me, that really makes it plain that, yeah, we really shouldn’t have any non-SSL sites. And that would have fixed that problem.
Paul: So what is your prognosis? Is computer security getting better, getting worse?
Adriel: No, it’s getting convoluted unnecessarily so, and it’s getting complex. And more and more difficult to understand because of the security market. Good security should follow the KISS rule. Right? Keep It Simple, Stupid.
The reason why our customers keep coming back to us, for example, is because we Keep It Simple, Stupid. We look at very efficient solutions. We don’t focus on bloatware because of security fatigue, which apparently is a new thing that people are talking about. We focus on effectiveness. The solutions that exist today are really pretty. And they look really cool.
And maybe they are catching a really high volume of attacks. The problem is, is they’re also catching a lot of non-attacks. And so somebody sitting down and staring at a screen with stuff scrolling by all the time is going to get worn out pretty quickly. Right? And so the interface of the person or the data that’s presented to the person is ineffective. And so the whole solution becomes ineffective.
Your network intrusion prevention systems, they make a lot of sense. But the part that’s not being considered there is the person that has to sit there and churn through all of that data every single day. You just can’t do it. Right?
So the security industry is chock full of solutions, which you really don’t call solutions. They’re chock full of distracted new technologies, distracted technologies like this and these technologies are continually being marketed, pushed by other businesses. And in the end, if you follow it at all, it has to do with money. Everybody wants to make their money. The breaches that are happening today are also beneficial to the security industry because these breaches mean people are going to come and look for more technology, more services, more solutions.
In all reality, people don’t need to do a lot to be secure. And in all reality, people should not be focusing on breach prevention. They should be to a degree. But the real thing they should be looking at is preventing a damaging breach. It’s impossible to prevent the breach. Someday, somehow, somebody is going to breach your network. But if you can detect that breach when it happens, before it becomes damaging, you can prevent the damage, and you can prevent yourself from ever making the news. That’s how you protect networks.
And the way that you detect a breach, right after it happens, is with things like internal honey pots and solutions that can pick up on lateral movement.
Paul: Well, so explain that to me.
Adriel: So a hacker breaks into a network…
Paul: You mentioned that. And so explain that to me. I’m a small business. I make semiconductors. I’ve got 50 employees. What is an internal honey pot?
Adriel: Well, actually, so we sell these now. It’s something that we’ve started manufacturing and selling and developing — whatever you want to call it — probably about a year ago because of their effectiveness. So what it is, it’s a computer system that does absolutely nothing except to sit there and look like other computer systems. You deploy these fake computer systems in different parts of the network, depending on how threats are likely to enter your network and move through your network. And they’re tempting.
So a hacker breaks into an infrastructure, and a hacker begins to probe the network. The very act of probing the network when it contacts one of these systems, these honey pots, is going to set off an alarm. That honey pot is going to say, “Hey, user Joe just connected to me.” Now there’s absolutely no reason for any legitimate user to ever connect to a honey pot because they do nothing. Right? So any time anybody connects to a honey pot, by default, it’s illegitimate. So there is no false positive. There is no continuous streams of data like you’re going to see with other solutions. A hacker breaks in, hacker probes network, hacker trips two or three of these things. System admin will get an alert within seconds likely of a hacker breaching a network, maybe within minutes of a hacker breaching a network.
If that admin responds to those alarms and in quick time, that admin can likely kick that intruder out of the network before any damage is ever caused. They can say, “Hey, my web server just started scanning my network. That should never happen. Let me go and kill the connection, and let me go put up a temporary site, or let me revert back to a backup and just see what will happen.” But this was a breach. It was a breach that doesn’t matter because sensitive information was never captured.
Meanwhile, what’s going on is the inverse of this. People are focusing on breaches, and this is why I say the industry is convoluted. People are focusing on breach prevention. We hear this all the time. It’s an impossible task. But they’re not focusing on post-breach detection. And so what ends up happening is they suffer a breach, and the hacker sits there and says, “Okay. Was that detected?” It’s almost never detected. I mean, I can’t think of the last time that we were detected breaking into a network. So hacker says, “Okay. Were we detected? The answer is no. Great. Now let’s just spread like wildfire throughout the network because nobody has any post-breach detection capabilities.” And it’s true.
Paul: Right. I see.
Adriel: So there’s this gap. Mind the gap. There’s a gap that exists, and that’s what we’re exploiting. The security industry as a whole is upside down, and the solutions that it’s providing are also upside down. Rather than providing you with a solution that says, “Hey, you’re being hacked and it’s real. Do something about it,” they’re providing you with solutions that say, a million times a day, “You might be getting hacked here.”
Adriel: So, it doesn’t work.
Adriel: So is it getting better, is it getting worse? I think the threats are evolving. I think some of the technology is evolving. I think software vendors like Microsoft are definitely evolving. They’re doing a much better job, and they have a part to do with good security. I think a lot of the other software vendors, especially the ones who build the applications that are used by Microsoft need to really catch up and start taking security seriously. But I think that rather than being something that could be a fairly simple type of thing, I think it’s become a big convoluted mess. And I think that convoluted mess is making it hard for normal, everyday people to be able to really understand where to go, what to do.
Paul: Sure. So alright. Let’s take the crystal ball out here. Ten years from now, is it going to be better or worse?
Adriel: Oh, boy. I don’t know. If we keep on allowing bureaucrats to dictate the direction of the industry and if we keep on allowing entrepreneurs that are financially motivated rather than technically motivated to dictate the direction, as long as it’s being directed by really policies and money, it’s going to continue to get worse.
Paul: So that sounds like it’s going to get worse.
Adriel: Yes, that’s exactly right. And so inevitably, I think that that’s the case.
Paul: Do you think that there’s some period or some event or inflection point that we’ll reach where we just have to do something differently?
Adriel: I think we’ve already passed that point.
Paul: Okay. That’s fair.
Adriel: Yeah, there’s no reason why businesses should be suffering breaches the way they have, the Equifax breach in my opinion along with Target, and the multiple breaches of Sony and Hannaford and Ashley Madison, these stand out because these were the ones that were particularly silly. And these breaches shouldn’t have happened. Knowing what I know about how these businesses operate, the reasons why these breaches most likely happened is that either the CEO or some senior level executive didn’t do their job properly and didn’t pay attention to what they were supposed to be paying attention to or didn’t give security people enough of a budget or there was a political reason. Or they believed that they were doing their job properly and they were listening to the advice of bona fide experts when in fact they were just being fed Kool-Aid and they were given a false sense of security.
Paul: So with the Equifax – I’ll say it – it was just industrial strength stupidity on their part. It wasn’t clever. They drove with their door open and their seatbelt off.
Adriel: Yeah, with a big neon sign that said, “Hey come take it.” Yeah that’s exactly right.
Paul: It’s almost like manslaughter if not murder. It’s manslaughter.
So just briefly talk about the Equifax thing. A lot of people don’t understand what actually happened. I’m not really concerned with the details of the technical of thing.
So I recently attended a conference by Frank Abagnale. I don’t know if you know who he is? “Catch Me If You Can?” There was a movie about him. And he works for the FBI. And when he was arrested, he was in prison and the FBI came to him and said if you work for the rest of your prison term for us we’ll let you get out of prison and he’s been working with them now for 45 years. He made the point, the distinction that is obvious again, when I say it, that what hackers are interested in, is data that has a long lifetime. Your name, your address, your eye color, your social security number. He said credit cards are great for people to steal, there’s zero liability for users. So he made the example, for my kids, I had them get a credit card when they went off to college, and I said to them I’ll pay it off every month, don’t spend – you can spend what you want to spend, but I’m actually going to be paying for things through that. So, when they got out of college they had a great credit rating. His point, was he said there’s no risk with a credit card, if someone steals it, they give you a new one. But with your social security number, they don’t give you a new one and Equifax lost 150 million people’s social security numbers.
Paul: And it’s not just a number like I could say 1,2,3,4,5,6,7,8,9, that’s a social security number of someone but that’s not the point. The point is that they, Equifax wrote it down on a piece of paper and said, “Oh this is Bob Smith and he lives at 123 Main Street and oh by the way he has this car and this house.” I don’t see a way to recover from that.
Adriel: You can’t. There’s no way. And it’s not the kind of thing where we’re going to begin seeing the impact of it until several years go by. But if you think about the information that Equifax has, how many banks and how many healthcare providers and how many wealth management firms use that exact same information to authenticate you and forget your password.
Paul: Right. What was the first car you owned and of the five addresses which one have you lived at.
Adriel: Right and this information, I’d be surprised, if it wasn’t at some point used for some major heists. You can clean people out with this information if you do it carefully and thoughtfully and spend some time doing it. Of course, you have social security fraud and all kinds of other things that could be happening in the future. People die and you take their identities. The scale of what this could do is significant and what is almost laughable, and really ridiculous about the whole thing is that you look at Europe and they don’t have a credit bureau. Europeans have credit cards but they don’t have credit bureaus like Equifax. They don’t need this person’s place, this business, to maintain all this history. They have different ways of doing things. I know this because my business partner came over here from Europe, bought a house here not too long ago with his wife and all that. The whole process, you don’t have any credit yet I can still do all this stuff in Europe. Why do I need to have this thing called credit over here? So it’s interesting.
Paul: Interesting. Given all of this data is out there and all these financing companies have to continue to do business, doesn’t it almost become their problem now? Because how are they going to, they can’t just say well we’re not going to lend to you because your identity was released on the internet? Well if they stop lending to everyone they stop making money.
Adriel: Yeah, well honestly, I think we should follow suit with what most of Europe is doing. Getting rid of these credit agencies and I think we should go into a more modernized way of tracking and verifying credit. From the little that I understand, I believe that what happens that if you take a credit card in Europe and if you don’t pay off that card there’s a way of communicating to other credit card companies, without a credit score, that there’s this debt that exists. The level of information that Equifax has is too much. They have way too much information.
Paul: It’s criminal, it seems like! It’s centralized.
Adriel: Yeah and they don’t need that level of information to know that you are a good buyer and really, they don’t need to know that Paul or Adriel – They don’t need to know their name, they just need to know credit card score and some kind of unique identifier. That’s all they need yet, because they are using this antiquated system and because they are collecting information and because they make most of their money by reselling our information without us really being aware of it to god knows who, they have that and they’ve put us all at risk! And now here they are. So yeah, those companies should be done away with and that we should have a more modernized way of doing this.
Paul: Do you have any suggestions somebody who was potentially compromised? What should they do?
Adriel: Freeze your credit. Call Equifax, call TransUnion, call Experian, and pay the 15 dollars or whatever it is to freeze it. And quite frankly, Equifax should be doing that for free. They shouldn’t be charging you to freeze your credit, but do that. Because if you freeze your credit it will at least help to prevent people from taking loans out and things out in your name because it won’t be possible to pull your credit history. Doesn’t mean you’re safe though because people can still use that information to access resources that belong to you, financial things like wealth management, retirement funds, whatever, you can still use that and if you get in, there’s no reason why you can transfer out and steal money that way. It’s unfortunate.
Paul: So things are worse. We’ve passed the inflection point. Things are not necessarily getting any better. We still want to use the internet. Be careful of what you share because it could be used against you. Boy it sounds like, it doesn’t sound too positive here. I guess one of the things is through your services companies can be a lot more secure. So that’s a positive thing.
Adriel: It is but you have to be careful even with that. When you purchase penetration services, you have to make sure that you’re purchasing genuine services that produce a realistic level of threat and not services that give you a squirt gun test. The analogy is that penetration tests are the equivalent of testing body armor with a squirt gun. And there are ways to do it and we actually published a white paper that was published on Forbes, that was picked up by Forbes, and the article was “This Year Why Not Take Data Security Seriously” and if you google that, you’ll find a white paper that we published and it really gives you non biased key points on how to identify a genuine penetration testing, and how to differentiate between the people that are going to be selling snake oil. One of the most important differentiators there is that the snake oil vendors will sell based on the number of IP addresses or the number of web applications that you have. It’s called count-based pricing. And if you have ten IPs, like I said initially, and you bill five hundred dollars per IP address, that’s all great and good, you’re going to have a five hundred dollar price tag but what happens if zero of those IPs are providing any services. You just spent five grand on zero seconds worth of work.
Adriel: Likewise, what happens if each one is offering 40 man hours worth of service. Well no pen tester is going to be working for 12 dollars and 50 cents an hour so any vendor that uses count-based pricing as part of their pricing methodology, you can rest assured that you’re going to be getting that squirt gun test. There’s a lot you can do and it’s a lot of stuff you have to cut through to understand before you can get to the good stuff.
Paul: Is there anything you’d like to cover that we haven’t talked about?
Adriel: No, I think this was pretty thorough. There’s a lot of stuff!
Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. You’re based in Boston right?
Paul: But I know you work internationally and are pretty well known. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links that will be in our show notes, that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and of course a link to Netragard as well, and ways to contact Adriel.
So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.
Adriel: My pleasure, any time.
Paul: Thank you Adriel.
Today on the Edge of Innovation, we are talking with Enza Lilley, a doula from “A Mommy’s Friend Doula Service” about her experiences as a Doula and small business owner on the North Shore of Boston.
“A Mommy’s Friend” – Searching for a Doula
What’s in a Name
Doula-ing From a Technology Point of View
WannaCry, Petya and Ransomware – Why Protecting your Website is Important
Why Small Businesses Need to Back Up Data Too
Be Proactive With Data Backups
Paul: Well hi! I’m here today with Enza Lilley.
Paul: She’s headquartered, or really works geographically out of the North Shore of Massachusetts into Boston and she helps moms bring new people into the world.
You are obviously geographically located, you know, so you basically go a certain geography. How far do you go from here?
Enza: Usually within 30 miles.
Paul: So we’re on the North Shore of Boston. So will you go into Boston?
Enza: I will go into Boston. I do charge a little bit more to go into Boston, but I do. And sometimes you can find me in New Hampshire. I have done Catholic Medical Center there and Exeter. Not very often.
Paul: Right. So do you think about it from a point of view of the hospital or the birthing center? Is that sort of the anchor points for you?
Enza: Yes, yes.
Paul: So if somebody called you from Lexington, are you immediately thinking, “Well, what hospital is in Lexington?” Is that how you think about it?
Enza: That’s how I think about it.
Paul: Interesting. Do you do marketing?
Enza: Very little. My website speaks volumes. I occasionally will put my card up in coffee shops. I have done the baby bash, the annual Danvers Baby Bash, which I’ll do again this year. But that’s really all I do in marketing.
Paul: Interesting. That’s cool. Are you fairly busy? I mean, it sounds like you’re booked.
Enza: Oh, I’m very booked.
Paul: So I guess what we’re saying is if you’re going to have a baby or thinking about having a baby, call Enza first.
Enza: Don’t wait. Don’t wait till you’re 36 weeks pregnant to call for either me or any doula. I’m already pretty much booked until the end of September.
Paul: Wow. So what would happen if somebody came to you and said, “I really want to hire you.” Obviously, they’re doing it a little late. You refer them to somebody maybe?
Enza: If I’m really crazy, I’ll take them on. But most of the time, yes, I have a couple of other doulas that I will refer them out to.
Paul: Okay. So now are there professional organizations for doulas?
Enza: There are.
Paul: And are you a member of those?
Enza: I am currently not a member.
Paul: But then if you want to search for a doula, what do you do? We’ve talked about your website, and what’s the URL for it?
Enza: It’s www.AMommysFriend.com.
Paul: Okay. And it’s m-o-m-m—
Enza: —y-s… Yes.
Paul: Okay. A mommy’s friend. Okay. Not m-o-m-m-i-e-s apostrophe, hyphen, dash. So AMommysFriend.com. What’s with the name, just in that it encompasses that, or where’d that come from?
Enza: So, years ago, I was trying to come up with a name for my business and I was asking around, and trying to come up with different things. And a client of mine said, “I really don’t care what you call yourself, but to me, you’ll always be a mommy’s friend.” And I thought, I like that because I do become their friend. I think it describes me. I’m loyal. I am dependable, committed. I’m a friend.
Paul: Yeah. That’s cool. So, what if you’re looking for a doula, alright, you can go to AMommysFriend. What happens when you search for a doula. I mean, is it a commercial business? Or is it individuals like you? Because I imagine you have a choice if there are. I can go and get a doctor. I can go to a hospital, or I can go to a single practice, or maybe, three doctors that work together. Is that the same in the doula world?
Enza: So there are some bigger corporations that you have them… You have a corporate, like a specific corporation who will have doulas and lactation consultants, and it’s kind of like a one-stop shop. There are a few of those in the area. But mostly, we’re just self-employed. We’re one-man doula. How do you say that? One doula?
Paul: One-doula doulas.
Enza: One-doula doulas.
Paul: Doing doulas. Do— do…
Enza: Doula doulas.
Paul: So let’s talk about your business a little bit from a technology point of view. We helped you with your website and again, you made it very easy because you’ve got a great personality. You’ve got a great story to tell. You’ve got very engaged visitors. So, you know, you go to Amazon, and it’s like, “Well, do I want to buy that, or do I want to buy that?” And it’s very easy for you to passively just click off of that and go somewhere else.
When you’re considering a relationship with somebody that’s going to be there at your birth, it’s like, well that’s a little more intense. So, that’s a huge benefit to your website is that when you have that very motivated buyer or person engaged, we can present data to them, and they’re going to enough consume it. One of the most difficult things on the web right now is sort of our attention deficit disorder. You know, we always want the fastest things. Twitter is 140 characters. We want it all summarized, and we want to be able to think we’ve got it and go on. That’s not how people are wired to be, a million miles wide, and a millimeter thick. We’re wired like I think you’re discovering, and the value you offer is the depth of relationship.
And so, it’s key that a website communicates that.
Paul: Now you have heard, rightfully so, that there’s all these malware out there. These particular ones we’re talking about are WannaCry and Petya. So there’s these ransomwares out there, malware, specifically a ransomware called WannaCry and Petya. There’s many others as well. If you go to a website. You click on something. It might be an image or whatever it is or a link, and the process of doing that installs a piece of malicious software on your computer. And this is why it’s very important to have up-to-date antivirus and antimalware because hopefully your antivirus and antimalware will detect that and stop it.
The problem is there’s these things called zero-day exploits, which come out right now. It’s the zero day. So the virus company hasn’t had a chance to write the block for it. And so that’s what we’re seeing is a few weeks ago, we had WannaCry, which was an exploit based on some research and some weaponization that the NSA did. They created software that allowed them to infiltrate computers. WikiLeaks leaked that information and the details of how to create that, and it turned out it was an unpatched hole in a Microsoft operating system. Microsoft was very frustrated with the NSA because if they had told them about it, they would have patched it. But the NSA is in a spy game, so they don’t want to close the door. You know, it’s like you left the window open in your basement, and nobody knows about it. It’s not that obvious, but that’s effectively what it is. And so the NSA could crawl in through that window and do anything they wanted in the house.
And so WannaCry made this available to the world at large. Microsoft immediately patched it. But the problem is how does that patch get installed. Not everybody puts their patches on. Not everybody is concerned about the hygiene of their computer because it’s just out of sight, out of mind. They don’t know.
And what happened is a lot of people got bitten by WannaCry. Now WannaCry was written in such a way that if it got into your basement, it could use all the secret tunnels to all the other basements in town. Okay? It could literally connect to another computer connected to your Wi-Fi or to your LAN and infect that computer. And then on and on and on.
Well, so what? It infected it. Well, what they did was, there’s this whole thing going on now called ransomware where I go into your data, and I encrypt it and hold it hostage, that you cannot decrypt it. So it’s scrambled with a secret decoder ring that they haven’t given you. Then they pop up a message, and they say, “Oh, by the way, we’ve just encrypted all your data. And if you want to get it back, you have to pay us.” Now, 10 years ago, if you said, “How am I going to pay you? Because if I give you my credit card… First of all, I don’t want to give my credit card to a thief.” And if I send you a check, I’m sending it to somebody, and they go, and I’ll go to arrest them.
Well the appearance of Bitcoin, which is a somewhat anonymous way to transfer value, transfer finance, money, has come out. So now I can pay something to somebody by sending it to an address, and I can’t know where it goes after that. I can, but it’s very difficult to track down how it actually gets in the pocket of the criminal.
And so Bitcoin has done some really cool stuff. But it’s also enabled criminals to be able to extort money and not be explicitly caught, you know. Because you have the movie where you’ve got a hostage situation — bring me the bag of money — somebody has to physically pick up that money, that cash, and we can have a helicopter watching them, and then follow them to where they’re going. So that now has been mitigated by Bitcoin. I can’t put a helicopter up there watching where the money is going. And so it’s made ransomware a really attractive way to do things. So, the Petya Virus, which is fascinating, uses the exact same threat vector that the WannaCry used. Well, wait a minute. WannaCry came out a month ago or two months ago. Why didn’t the people patch it? Well, why didn’t they?
I don’t know why, you know, and so it’s sort of like, I come to your house, and I say, “Hey, your basement window is open in the back.”
And you say, “Oh, my gosh. That’s right.”
You know, and then I go to your neighbor’s. “Your basement window is open in the back.”
You lock yours. And you’re going to call the guy over to come over and fix the glass and fix it. Your neighbor didn’t do anything. So now there’s another exploit. We killed WannaCry, another exact same exploit with actually some more stuff added on. And it goes in and infects your neighbor’s basement.
Enza: So what you’re really saying is that everyone is susceptible to this. It’s not just targeted towards large corporations or large businesses.
Paul: Right. Yeah. There was some news reports where they were talking about this morning, Merck was targeted. They may have been targeted. There is a way to target things and try to do that and try to exploit a target. But most of it is just happening by circumstance, just propagation, just happening. People go places. Something bad happens. And the bad thing happens because they didn’t put all the protections in place.
Enza: So for us small business owners, my fellow doulas… So we just have to make sure that our security updates are where they need to be.
Paul: Well, that’s one thing. But the real important part here is you need to have a backup of your data. And now, different people understand or hear the word backup and interpret it differently. A backup does not mean a hard disk connected to your computer with a copy of your files on it. It’s technically not a backup. It is a second copy. But the issue is with WannaCry or, Petya, it will encrypt those files as well, because it’s connected. So in order for a backup to be a backup, it has to be separate and disconnected.
So if you’re going to make a copy of it — let’s put it in the simplest terms — you buy an external hard drive. You copy all of the files over to it. You disconnect that hard drive and put it in a bank vault. That is technically a backup because if the place where the computer is ceases to exist, oh, no big deal. I have my backup. Whereas, if it’s right next to your computer, and there’s a fire, the backup just burned up. So it’s not just a semantic argument about the word but really what is a true backup. No, that’s a copy of your files. A backup is a little bit more. So you say, “Well, wait a minute. It’s a real hassle to do that, take that disk, and move it to the bank every week or every day.” Uh, and yeah. It is. And that’s why most people don’t do good backups.
So now, given the speed of the Internet that we have in our homes and businesses, we can do online backup. So online backup’s great. Because what it can do is back up everything by the moment. So you go and type a letter in, and the minute you save it, it’s being backed up. But that’s still not good enough because I go and type a letter. I save it. I get the ransomware. It encrypts that file and backs up the file to the cloud. It’s encrypted on the cloud.
A key point of backup in the cloud is that you have to have multiple versions. And most of them offer that. We recommend Backblaze almost universally. So with Backblaze, you go to the web interface, you can say, “Okay, letter to Paul.” I can bring that up and it said, “Oh, you have a version from this day and a version from that day.” So the one on Thursday is when I got hit with the ransomware. That’s encrypted. But if I go back to the Wednesday version, it’s not encrypted. So at most, you lose a day’s worth of work. Or even not even that because it’s doing it continuously. So you should lose almost no work.
So all of that, all of those words, is the key is to have good backups that are up to date. You can feel great about saying I have an external hard drive, and I put it on the shelf next to my computer. That’s sort of a backup. As long as it’s disconnected it becomes a backup. My problem with that is that if there’s a fire, you don’t have that protection. So when you say, “Well, okay, I have an office. My computer is there, and then I’ll bring the disk home.” That’s a true backup. You know. But then you sort of forget. You’re busy. You’re running out. “Oh, I forgot to do the backup.” You really don’t want backups that are dependent on humans. You want to make sure that they’re just happening.
Enza: So what if you have been attacked by this ransomware?
Paul: You have to pay for it usually.
Enza: There’s no other way to get around it.
Paul: No. There have been ransomwares that people have figured out how to decrypt. Okay, so it is possible to do that. So for this particular ransomware, you have to send a certain amount of Bitcoin, a number that it indicates, a Bitcoin and a wallet to a certain email address which is no longer working. So if you’ve got encrypted, right now you’re in a no-man’s land because you can’t get your data back because the people were taking the money, their email address got shut down. So how do you get to the people that have the key to unlock your data?
So it is so much easier just to be proactive about this stuff. I mean Backblaze for individual users, it’s $50 a year. It backs up unlimited amount of data. In businesses, we use that for all of our business clients for every user in the business has Backblaze on their machine. We also back up servers and all that kind of stuff. But there’s been too many cases where people are supposed to store things on the server and they don’t. And it’s the important spreadsheet or correspondence that they happen to have on their computer. And it’s now gone.
We’ve never been bitten by any of our clients getting ransomware or malware in that way, which hopefully will remain the case because we’re pretty diligent about patches. But, if there’s other people listening to us out there, you’ve gotta have a good backup. And I can’t sing the praises of Backblaze high enough. They’re just great. There’s other ones — Carbonite, Mozy… I’ve found that Backblaze just works so well.
Enza: So placing something on Google Drive is…
Paul: Well it depends. If you have Google Drive and you have the Google Drive app installed, that will encrypt it. It will encrypt everything on Google Drive. Because, if you notice, you just… When you save something on Google Drive, you don’t browse to a website. You go to that folder and just drop something in. Same thing with OneDrive, the same thing with DropBox and Box.com. All of those have the ability to sync to your computer. And if you’re using that sync, you go get the ransomware, it will encrypt everything there, and then push it up.
Now some of them — DropBox and, I think, Box — has versions. So you could go back. But I don’t know about Google Drive, if it has versions for everything. So that’s something to be concerned with. But even that, there is this assumption by people that, “Oh, I’m storing it in the cloud. I don’t need backup.”
That is not true. There hasn’t been that many catastrophes with online storage, but there could be. And they are not offering redundant, resilient storage as a general part of that. There will be the day when, “Oh, we’ve lost this and… sorry.” And we’ll point out in our contract where, “See? It says we weren’t guaranteeing it.” So it’s really incumbent upon you as a computer user to make your own backups.
So have I scared you?
Enza: I just need to go home and make sure that all of my security updates are…
Paul: Put a bag over your head. Right?
Enza: I need to make sure I’m patched.
Paul: That’s right. Do that. Have the doula do that.
Enza: Doula do.
Paul: Doula do. Dudly do the right. Sorry.
Paul: So we’ve been talking with Enza Lilley of A Mommy’s Friend doula…What’s the actual title? A Mommy’s Friend, period?
Enza: Mommy’s Friend Doula Service.
Paul: Doula service. Okay. And, she’s headquartered, or really, works geographically out of the North Shore, Massachusetts into Boston. And she helps moms bring new people into the world. Is that fair?
Enza: That’s fair. Thank you for having me.
Paul: Absolutely. It’s been a pleasure, and look for her, her book, and you were recently in Voyager Boston?
Enza: Yes. Boston Voyager.
Paul: Boston Voyager. Yes.
Enza: Boston Voyager online magazine.
Paul: Okay. Cool. So if you want to get some insight into that and your website is aMommysFriend.com.
Paul: M-o-m-m-y-s friend.
Paul: Okay. Well, thank you.
Enza: Thank you.