Worried about email spoofing and data hacking of your websites? In Episode #5 of the Digital Cowboys, Cameron Francis and Mark Cohane from SecurityShift.com discuss email hacking, application whitelisting, relying on hosting companies and the risk-based approach to information technology security. Tune in to learn more about cyber security for your business.
- Risk Based Approach to IT Security – 00:04:01:26
- Have an understanding of your business – 00:08:08:07
- Hosting for small to medium businesses – 00:14:27:07
- Backing up websites – 00:15:47:10
- Email security – 00:18:00:05
- Application Whitelisting – 00:45:22:18
- How do you know if your site’s down – 00:59:59:24
- Should business owners rely on the hosting companies – 01:02:30:25
Digital Cowboys Episode #4 | Cyber Security Safeguards For Your Business
Just first establish where your assets are, what you care about, how much they’re
worth, and then that actually guides your investment in security. You don’t want
to spend $100,000 protecting an asset that’s only worth $200,000.
So ladies and gentlemen, login to your CMS, whatever it is, make sure that the
CMS version’s up to date so it’s the latest version of WordPress, it’s the latest
version of Magento, it’s the latest version of Joomla, and make sure that all of
That’s a big thing that people often miss out because people automatically go in
their minds to all the hackers are out there to get me, but information security is
about more than that. It’s about the stability of your business.
Digital Cowboys episode four. We discuss everything digital marketing and
growth hacking for small businesses,
that competitive edge, then saddle up because Cameron Francis and Sam
Roshan are about to drop some value bombs.
Hey everybody, this is Cameron Francis and this is episode four of the Digital
Cowboys. Super excited today. It’s Saturday. I’m in my office. It’s actually a
beautiful day waiting for the football to start, and I’m joined with Mark Culhane.
Now, Mark is the CTO and CISO at Security Shift. Security Shift is a
IT operations, InfoSec auditing, whole bunch of nerd stuff. Mark has a track
record of success at organizations and major projects, including the Department
of Defense, [ARS 00:01:41] Registry, Compuware, and AssetOwl. He has fulfilled
a range of roles like the Head of IT, Information Security Officer, Onsite
Consultant, and Systems Administrator. He’s presented on topics like
information security, management systems, and attack vectors and DNS at
conferences, including the Australian Internet Governance Forum. I was lucky
enough to be his celebrant at his wedding and have spent some time overseas
running amok. He’s probably the smartest guy I know and someone you can
liken to Sheldon from the Big Bang Theory. Ladies and gentlemen, Mark
Hey, Mark, how are you doing?
Hey. Good, thank you.
Get close to that microphone there, buddy.
There we go, there we go.
What’s going on?
Not much. Just relaxing here in the office, in the lovely eTraffic office.
What’s the biggest news that’s happened to you in the last three, four months?
So it’s been a busy three or four months, actually. Myself and a business partner
actually founded Security Shift about four months ago so we did that through a
couple of acquisitions and a couple of key clients that we have. I also, actually,
had my first baby, a baby boy, yes.
What’s his name?
His name’s Maxwell.
No, Maxwell not Maximus.
Sorry, that’s Maxwell. Middle name?
Sorry. So his name’s Maxwell Keanu.
Culhane. That’s really nice. How come you’ve never told me his middle name?
Because you’ve never asked.
Because that exact reason. You’ve gotta tell me where Keanu came from. Is it
It’s actually an Indonesian name. My wife’s Indonesian and Kiano is an
Indonesian name, which represents good luck and good fortune.
So Keanu Reeves, is he Indonesian?
No, it’s a different spelling. It’s Kiano, like piano with a K.
Okay. Are there any lines above any letters?
No, they don’t have that-
No, they don’t do that?
Okay cool. I actually wanted to get you here today because you, as I was saying
in the intro that you know a lot about security, right? And I think that there’s a
little bit of a gap for typical business owners on how to safeguard and keep their
web assets safe. Yeah, first thing I wanted to go through would be what would
you advise, from a security point of view, for typical businesses?
Yeah, so the place that I always start, especially small to medium businesses
businesses is a
ending bucket of money that you can spend, and there has to be a point where
you say, “All right. I’m not gonna spend that money because I’m not gonna get a
return on investment.”
So the place that I always start, especially for small to medium businesses, is
first, establish where your assets are, what you care about, how much they’re
worth, and then that actually guides your investment in security. You don’t want
to spend $100,000 protecting an asset that’s only worth $200,000.
Sorry, when you say assets, we’re talking purely online, right?
We’re talking about any
your website. It can be your emails and your calendar and your contacts. It can
even be stuff like your brand. You might say, “If we get our website hacked,
that’s not actually gonna influence our revenue because we don’t really get
revenue from the site, but we know that a lot of our customers visit the site and
if we get hacked, then that’s gonna damage our brand value.” And you can infer
some type of financial impact from something like that.
So you would look at your assets and you basically gotta work out what’s the
value to you?
Exactly and it’s not like a perfect science. For example, brand value, it’s always
difficult to pin down to a specific thing, but you can use that as a guide for, all
right, I understand that this is something that we care about to an extent of, say,
$100,000 a year or $10,000 a year or maybe it’s something that’s really not that
material. Maybe it’s only worth $200 to you or something.
That’s really interesting. If I’m a business and I ask myself, “Okay. If my website
shut down and I don’t have it anymore, what impact does that have on my
That’s the question?
That’s the question. That’s exactly what you need to answer.
Because that is how you decide how much money are you gonna spend on
Never thought of it that way. That’s really interesting. Okay, so like, for example,
if my website shut down, I’d reckon that it would have a very minimal impact, to
be honest. I’d just build up a new one.
Exactly. Exactly. So that would mean that you would not want to spend so much
money on protecting that asset, but you might say that if we’re unable to
communicate via phone, so if that phone system goes down, then that might be
something that you want to protect more. When I’m talking about protection,
it’s not just oh, the hackers are out to get us.
Information security is about confidentiality and integrity, so that’s about
preventing people from hacking stuff or preventing people from accessing data
that should be confidential, but the other big one is availability. You can say that
we want to provide information security for our phone system, and that may
not be that important that it’s confidential or it has integrity of its information.
It may be about we need our phones to be up and available and if something
happens, we need a plan for how to get them back online as soon as possible.
Yeah, so that’s a big thing that people often miss out because people sort of
automatically go with their minds to ‘oh, the hackers are out there to get me’,
but information security is about more than that. It’s about the stability of your
Very good. Very good. I can’t believe we’ve never actually spoken about this
Yeah, well, it’s not exactly the most entertaining of topics.
But it’s important though, right?
Okay so, let’s go with our website security. I’ve calculated that if it was to go
down, then the cost, to me, is going to be X, so what would you invest into?
Exactly. So that’s where you generally need some expertise. Like, it would be,
for most small businesses that don’t have an experienced IT department or
Information Security Specialist, then once you’ve decided that, you want to
figure out what the best value for money protections are. To use, I guess, a
stuff that costs the least and provides the highest level of protection.
So for example, having a redundant web server. For example, having SSL
encryption on your site.
Okay. Step one. What should someone do?
It’s hard to say, specifically for a person … You really need to have an
understanding of the business and of what they’re doing. Like I said, you want to
start with the
steps, one, two, and three. For example, most businesses’ email and website are
generally important online assets, and the reason why we start there is because
online assets are open to attack by everyone. It’s not like your mailbox
downstairs where someone actually has to physically come and access it.
Anyone from all over the world can hit your emails and can hit your online
applications. Just doing some basic security on those things is generally
Let’s put it from a practical point of view. Okay, so I want to secure my web,
hosting and my emails. Where do I go? What do I do? What do I look for?
So, generally, you’ll engage someone or a company to say, “Can you have a look
at what we’ve currently got?” And then they’ll do a basic check, a basic scan.
They might login and-
What are they gonna scan? What are they gonna check? So what are the
questions? Yeah, you know what I mean? What are they gonna be asking?
The big thing, generally, is patching. If you’re running an old version of a web
server or an old version of WordPress or old version of WordPress plugins and
stuff like that, they’re generally vulnerable to automated attacks. So when
you’re looking at someone that’s trying to attack you, there’s different layers.
And the vast, vast, vast majority of attacks are guys, not like really organized
guys, they’re guys that are just doing online scans across huge ranges of the
Internet, not looking for you in particular, they’re just looking for a WordPress
That hasn’t been updated.
Yeah, exactly. That is just the most basic level of security is saying that I don’t
want to be the most vulnerable person on the Internet because you’re gonna be
the first one to be attacked.
So, ladies and gentlemen, login to your CMS, whatever it is, make sure that the
CMS version is up to date so it’s the latest version of WordPress, it’s the latest
version of Magento, it’s the latest version of Joomla, and make sure that all of
your plugins are updated as well. Before we actually had someone managing
our server itself, we had a couple of accounts that actually got hacked. When we
actually did the analysis and how they got hacked, it was through these bloody
Yeah and it’s not something to be embarrassed or ashamed about. I’ve worked
at really advanced IT companies that do really serious and technical IT
operations, but stuff like your websites and your blogs, they’re not in the
forefront of your mind, depending on what you do. It is really easy to not patch
them if you don’t have it automated. And having things automated is also
difficult because, for example, if you’re a WordPress user, sometimes updating
WordPress breaks your site.
It always breaks your site, all right, especially if you have a lot … Try not to have
too many plugins. Every time it’s updated, something always breaks. It’s just the
way it is and when you do that, you’ve gotta spend and pay money to actually
get the website back to what it actually is.
One of the things that we do is we take a backup of the site, update the CMS
version, update all the plugins, then we just check the site to see what needs to
Yeah exactly. Again, with information security, a lot of people focus on these
technical wizardry and all of the cool black magic stuff, but a lot of the best
value comes from just having some simple processes, like what you said. The
simple processes are every week or every month we do patching. When we do
patching, we take a backup, we deploy it, we do this test. This test covers those
things. And just doing that basic process stuff, it’s boring and it’s not sexy, but
that’s the sort of thing that really doesn’t cost a lot of money. It costs a little bit
of time, but that provides a massive increase in your protection. That means
that you’re no longer the primary target for those guys doing random scanning
around the Internet.
Now that we do that, knock on wood and you know, all of that stuff, we haven’t
been attacked and really that’s it. You just check it. Just update it. That’s it.
Exactly and that’s the point where it comes to, again, a
would argue if you’re doing that, yes, you’re gonna be much more protected,
but if, for example, China or Russia or an intelligence agency comes along and
tries to attack you or really advanced attacker targets you specifically, you’re
still gonna get-
Don’t skip it. Why would China attack Billy Bob’s Plumber?
Exactly. So why would they bother spending the money on protecting against an
advanced system threat when they’re not gonna be a target for it. I think that’s
a big problem in the security industry is that it’s not really a differentiation
between a small to medium enterprise that doesn’t need to worry about those
threats, and then a big enterprise that’s got thousands of people that does
Okay. There needs to be some kind of tiering and I guess this is something that
… Right now, we’re probably gonna be touching tier one, if that’s what you want
to call it, whatever’s the entry level. Update your CMS. And I know that
everyone has a host or they all have a web development company, don’t rely on
them. You should not be relying on a company that has no say in your business.
That’s your responsibility, as the business owner.
The other thing to be aware of is that in general, the
companies, that offer fantastic prices, if they’re getting, let’s say, $50, $100, or
$200 a month-
You’re kidding yourself, mate. It’s $9 a month.
You know what I mean?
How are they going to make money if they have to have a system admin look at
your site. The system admin, even for an hour, is gonna cost them, what, $400 in
ongoing costs and all that sort of stuff. $400 an hour for a $9 a month client. It
just doesn’t make sense.
What would you recommend for hosting for small to medium?
So, again, it depends how important the asset is to you. If it is your primary
source of income, then the hosting provider, yes and no, it does matter, but the
fact that what you need is someone either internal to your organization or
external just providing that high level of expertise, making sure that they
actually apply those processes, and being able to understand … So, for example,
if you do a scan of the website and the server and there’s vulnerabilities that
come up, most people are not going to be able to say, “I know what this
vulnerability means. I know that this cipher is insecure because of x, y, z.” It’s
not realistic for a small to medium business to have people like that. In general,
it’s a good idea to get a company like, for example, Security Shift does that.
We’ll do cursory scans of the sites and then we’ll just make sure that there’s
nothing glaring. It’s not gonna provide you with 100% protection. It’s just gonna
get you off that bottom rung of vulnerability.
And again, it’s got to do with risk, right? If you don’t have a level two, three,
four, five risk, then why pay for that protection?
Very good. Okay, so that’s from the website point of view. What about …
actually, no, let’s stay on that. Do you think that a business owner should be
backing up their own website and if also they’d be paying someone, that should
be a service that they should be getting?
Again, it depends on the expertise of the person. It depends whether they have
an IT department.
They don’t and they don’t have expertise. Let’s go null and null for both.
Then, yes. You need to figure out how to get a backup of your site because
there’s just an unending list of people that lose their sites, whether it’s through
malicious activities, whether it’s through the hosting company having a
so many ways that you can lose assets online and you just need to have
How often, would you say, do it?
Well, the key is to automate it. You shouldn’t have to do it. You should be able
to get it in a place where I know that my site and my assets are getting backed
up every day and not only are they getting backed up, I know that they can be
restored easily and I know how they’re restored. There’s no point in taking
backups if you don’t know how to restore them, right? It is a little bit more
complicated than just, “I’m just gonna make sure that these files are all kept on
this disk.” It has to be also, if we do lose our site, how do we get it back up
online? How long does it take? Is that acceptable for us? How much lost data do
we have? If we lose all of the audience from the day, is that okay or not? There’s
a lot of finer grain detail when you start looking into it, but at a minimum, yes,
you need to have the backup.
I’m just gonna login to our CMS now. We actually have a plugin on our site that
does automatically backup the site and we set the frequency. So I want it
backed up every week at this time and then I want that backup to be stored,
that version, for the next three months, and then they start to-
Yeah, over … what is the word?
Yeah, overwriting it. That’s enough for me because I mean, shit, if you are not
monitoring after three months that your website, there’s a mistake on there,
then it doesn’t mean a lot to you.
Yes, exactly. Exactly.
Okay cool. So let’s jump to emails.
Yeah, so email is one of the really, really interesting protocols that got created at
the very beginnings of the Internet.
Can I tell you my issue with emails?
We started off … I forget where we started. We’ve got Google Apps, right? And
I’ve got a Mac. So I logged in my emails through the Mac Mail, the issue is being
able to get back my emails, my archives. That’s a problem. I just can’t. So what I
do now … I’ve gone back to Gmail. Gmail has an absolutely disgusting search bar
for previous … It is terrible. I couldn’t do that. I need to have my emails stored,
you know? Just for my own security. So what I’ve done now is every single
email, whether it’s through inbox, sent, junk, trash, whatever it is, every single
one of them’s archived. It’s just in my … I’ve got 34,200 emails in-
That’s quite a lot of emails.
But it’s all there. I know that if I need something that’s been sent or if someone
sent something to me that’s in my junk folder, it’s in that bad boy right there. At
some point, I’m gonna run out of space. I’ll let Future Cameron worry about that.
That’s Future Cameron’s problem.
But what do you reckon about emails? What should one do?
So definitely, in terms of storing and backing up, if you’ve got a requirement like
that, in general the Cloud service providers like Office 365 and Gmail, they’ve
come a long way and they’re pretty good services now.
But the interesting stuff about email is how
people believe it more than they should. For example, right now I could write a
little script and send you an email from [email protected] So you’re
gonna receive the email to your inbox and you’re gonna see that it’s from
[email protected] I’m gonna say, “Hey Cameron, I need you to transfer
a thousand bucks to this account because we’ve got a lot or something.” It’s
amazing how many people assume that when an email comes into their inbox, if
it says it’s from [email protected], that it’s from you guys.
You just clicked this here. What I’ve done here is I’ve, this is an email from
BuzzSumo. You click there and it actually has the email. Are you saying in that
it’ll have accounts?
Yeah, you can completely spoof an email. Email is completely insecure.
I don’t believe you. Are you kidding me?
I’ve got a script right here. I can do it for you.
Will it take long?
I’ll figure it out
If you can multitask, I’d be … so what, ladies and gentlemen, he’s gonna do, he’s
gonna send me an email from … This is kinda scary now. You get this from the
government, saying you’ve gotta pay tax, or the bank, log in, and then it would
be a firewall or something that you go to a different site, you put in your details-
Yeah or even just like, so the big thing that’s happening, amazingly regularly, at
the moment, is corporations are losing money because people are spoofing
emails from the CEO and they’re sending it to accounts and saying, “Ah I’m in
Japan or I’m in the Philippines or whatever, I need you to wire this money
immediately.” If it’s a large organization and people never talk to the CEO and
they know his name and they know that’s his email account, they’re just wiring
the money and it’s amazing how often it’s happening.
Yeah, but see. For me, like I would be a victim of this, right? My safeguard, when
you get those emails from the Commonwealth Bank or you get those emails
from government, when you do click there and you see it’s from like
This is where I always look. If you can actually get it so it appears the email is
[email protected], that’s really scary.
There are a bunch of controls that you can actually do to prevent that from
being able to be done, but it’s very rare, well it’s not very rare, but it’s very rare
for a small to medium business to implement those controls because-
When you’re saying controls, is this like a common sense, one, two, three step
kind of pattern? So like if I see an email from accounts, the first thing I’m gonna
do is I’m gonna give a call to Carla, ask her, “Did you send this?”
So that’s an excellent one and that comes back to the not sexy process stuff.
That is a control that would … if you had a policy at your organization that said,
“No one can transfer money to anyone without phone verification,” that would
stop the problem.
Okay, so everyone, implement that today and I’m not joking. That’s gonna be
done. The fact that … I want you to prove it. I want you to send. Again, Mark’s
gonna be sending me an email saying, “Hey can you transfer some money from
accounts,” but that’s now a protocol. If money needs to be transferred, there
needs to be phone verification and is that enough of a safeguard?
Yeah, so when you say enough of a safeguard, like there’s a bunch of other
intricacies to it that could mess that up, but that’s gonna cover so much of it
that, for something that’s free and you can implement right away, yeah.
I mean, it’s a phone call. No one’s that busy. It’s a phone call, or even a text, like
“Relax. Not an email.” Can you spoof a text?
Yes, of course you can spoof a text.
How do you spoof texts?
These protocols are not implemented to have authentication of senders.
Okay, no texting for verification of money transfers. Wow. You’re opening my
eyes here, Mr. Culhane. That’s excellent. All right, so we’re looking at … Okay,
keep going through email protocol because this is fascinating.
So email stuff, as you mentioned, the phone call is a great process, way to
protect against that. There are other automated ways. So automated ways are
always a little bit better because that means that you don’t have to do anything.
There’s stuff like SPF records, Sender Policy Framework, so that’s like a DNS
entry where you specify which servers can send emails on behalf of your
domain, but again, if you’re going down to a small to medium business and you
go, “Can you just implement a SPF record on your DNS.” They’re gonna-
I don’t even know what you just said. They’re gonna look at you like the way I’m
looking at you. Whole bunch of letters there, man.
Yeah, so there comes a point where it’s worth it for an organization to not just
say, “All right. We’ll be aware of this and we’ll make the phone call.” Where it
becomes worth it to say, “We’re gonna get a little bit of help and get someone
in that can do that extra level of automation and that extra level of assurance.”
I think what it would come down to, again, guys, is when you’re talking initially
about the threat, like what is the risk for your business, right? The bigger the
business is, the bigger the risk are. The more money you can transfer, the more
levels there are to the CEO, to the person, to the accounts team. I mean, from
my point of view, and for businesses of similar sizes, then that phone
verification, I mean, really just implement it, right?
Yeah, yeah. Let me touch on the topic of how much large organizations spend
on security. If you look at the Australian Big Four banks and the US banks, they
spend literally billions of dollars on information security. It’s insane how much
Do you have any data on it?
I’m looking it up. According to Gartner, worldwide spending on information security
has reached $75.4 billion in 2015. They’re spending a lot of money on it.
Wow, so that’s why you chose this industry, huh? Not bad. It’s not bad. And the
digital marketing industry comes in. Well played, sir. So you know how we’re
talking about storing and saving emails, I want some data around that and some
steps around that, and other things that someone running a small to medium
business, up to 100 employees, from one employee, what are some of the
things [crosstalk 00:26:30] just the basic email.
So basic email, of course, storing and backing up the emails.
See, you know how I’m telling you I’ve archived 35,000? I’m not doing that with
every one, right? I really should be, especially if they’re sending emails through
to clients, then I really should be.
One of the great things about the big Cloud service providers like your
Office365s and your Gmail is you’re basically getting unlimited, well not
unlimited storage, but more storage than you could ever need at a price that is
insanely good. It’s actually really simple to set up basic email routing that will
mean that every email that comes in and out of your organization will be stored
in an archive account where it’s something that you can go and look at and you
can go and review and restore if required.
That is, of course, meaning that you’re still trusting that Google and Microsoft
are not going to lose your data. Honestly, for a small to medium business, I think
that’s pretty reasonable. Microsoft and Google have not, to my knowledge, had
any major data loss of clients in the past five years. I think for most
organizations, it’s completely reasonable just to depend on your Cloud services
provider to provide that level of assurance.
If you want to take that extra step, then there’s plenty of tools available to go in
and pull those emails down to somewhere offline. When I say offline, the key
point of that is one of the biggest risks of how you’re gonna lose emails is
through accidental or bad user deletion. For example, if you accidentally delete
your emails or if you’ve got someone in your organization who’s got access to all
those emails, all those email accounts, who accidentally or maliciously deletes
them. Having an offline backup means that you can only send data to it. You
can’t go in and delete data from it. So there’s a lot of services provide that.
Any recommend … We’ll put it in the show notes. What do you recommend?
Best recommendation for small to medium businesses is Amazon’s Glacier
Service. So basically what that is is you can send unlimited data to the Glacier
Service, which is like a bunch of tapes and hard disks and you just send data to it
and it’s almost free to send data to it, it’s like a matter of cents, and then the
only time you really pay for it is when you go, “All right. We’ve had a major
problem. I need to go and retrieve that data.” You have to go through a series of
I’m gonna look it up. How do you spell it?
It’s Glacier, as in like the melting glaciers.
If I type in Glacier-
AWS, all right. I’m gonna put this in the show notes and most likely gonna
purchase it, but yeah, sorry, continue.
Okay. We were talking about … I think we’ve covered backing up emails.
But is there anything else that someone should look for because this is actually,
from my point of view and security and all of that stuff, if someone in my
organization sends an email, I’m liable for the contents in that email, right? It’s
important that I need to have … But then there’s also confidentiality. I can’t just
look up my employee’s emails.
Well, yeah. It depends on your information security policies and your employee
agreements. So, in general, most corporations will have a part in their employee
agreement that allow them, for a specific reason, to go and look at any email
that’s been sent or received to it.
For a reason. It’s like how a policeman can frisk someone if they feel that they’re
Yes, except that this is generally contract and lawyer terms for, basically,
whenever we want. It’s pretty general, but the law strictly says-
Etraffickers, I’m not checking your emails, don’t worry.
Okay, Glacier, checking emails, backing them all up, is there anything else that
someone should … Okay, what about the disclaimer in the email?
Yeah, that is just-
A bunch of bullshit.
I knew it. I don’t have it in mine. What does that mean?
Yeah it’s completely unenforceable. What it means, if you don’t have it in your
email, is that if someone reads your email and is trying to be really formal and
thinks that important then maybe they’ll be like, “Oh, well you’re not a
professional,” but really there’s no legal value to having those.
All it does, it takes up real estate. From a marketing standpoint, use that space
to show accreditations and more links.
I can’t believe it’s lasted so long actually. You know, we’ve got it in our emails.
Do you really? That’s so funny. See, I don’t have it out of laziness, but I love that
I can justify it. Yeah, so, okay cool. So we’ve covered website, covered backups.
Well there’s more in email, there’s more in email.
Okay, tell us.
So some of the biggest attack vectors for small to medium businesses, via email,
is not just what we call the spoofing of emails. So the spoofing of email means
that I send you an email-
I’m still waiting for that spoof, just FYI.
Well, I’m talking to you.
Sure, sure. Multitask.
So, there’s that spoofing of email, but there’s also malicious URLs within emails.
So, the reality of the Internet is that if I can get you to click on a link, there’s a
good chance that I can compromise your computer or compromise information
from you. So that means if I send you an email and I don’t even bother spoofing
it, so, say, for example, I pretend it’s from Westpac and I put a link. I make the
email exactly the same as Westpac’s email and instead of it being from Westpac,
I put something that looks very much similar to Westpac. I might send an email
from [email protected] blah blah blah, and you can’t see the rest of
it. It’s generally very difficult to pick that up.
We’ve all received them. You just go to your junk folder now and you’ll see
And that’s another fantastic part about the Cloud services, the Office365 and
Their spam folders are really good.
They have actually really impressive. I’m really impressed.
A lot of that would be to do with the volume of emails.
Exactly. They’ve got that massive volume and they can do like heuristics and
detection and figure out who’s sending all this stuff and block it. Yeah, that’s a
big pro for using one of those big suppliers, but still, if you get targeted by
someone, they’re only gonna pick up the mass spammers who are sending those
emails to millions of people. If I decide to be a little bit less lazy and I start
sending those emails, instead of doing it to a million people, I go to the yellow
pages and do it to 10,000 people, then my emails are gonna get through.
Yeah and so there’s a number of ways that you can be malicious with the emails
and some of them might be pretending to be a
you a link to your bank interface and you click on the link and it looks exactly the
same as Commonwealth Bank’s login page, and it’s got SSL and it looks perfect,
but yeah, to the untrained eye it looks perfect.
But the URL would be different?
Yeah, but there’s so many little techniques to make those URLs look exactly the
same. You really have to be looking to be able to pick that up and even myself,
as someone that works in Information Security, I don’t trust myself to pick that
sort of stuff up, so I put controls in place that check that.
Are there firewalls that you would put in place, or, in layman’s terms?
No, so firewalls are more of a network traffic control. If you had a firewall, that
would stop all emails coming in, which is no good, but a lot of firewalls do have
an extra module in them that basically checks the URLs that are coming into
your mailbox and checks them for malicious content and that sort of stuff.
So what protocols would you put in place?
You can use services like Proofpoint. What Proofpoint does is when an email
comes to you, you first send it to Proofpoint and they have millions and millions
of emails coming through them and they’ve got a bunch of technology in place,
that before they forward the email onto your actual account for your reading,
they just double check the content and all of the links in it for anything
Why wouldn’t you recommend this to me previously? This is very important
It’s because there’s a list of thousands of those things and-
But we’re only giving the … This is one that you recommend?
Yeah, so it goes through the basics, but yeah, that’s the reason why it’s a
hundred billion dollar industry, right, is because there’s just-
That’s the reason why I talk about the
right, I want to be safe from attackers, there’s just too much. Where do you
start? There’s just too much stuff to do. Yeah, Proofpoint’s a great one. They’ve
got an essential product that’s free.
What is it? What’s it called? I’m on the site now.
Yeah it’s called Proofpoint Essentials.
Could do with some SEO, but yeah, great site.
Yeah. That’s a good one. There’s a bunch of alternatives to Proofpoint, of
course. I’m not associated with Proofpoint. I’m not getting money from them. So
I probably shouldn’t recommend it.
No, no. If that’s the one you recommend, then that’s one that we’ll look at.
Okay, so this is going to help when clicking links from email browsers.
Yes, so that’s one thing it helps with. Basically, that’s just, every time an email
comes to you, it’s first going through a washing machine. Proofpoint is a
washing machine and it’s gonna … There’s a bunch of things. You can either
have it warn you if there’s bad content and still send it to you or you can have a
block or whatever, but basically, again, as we talked about with the websites, it’s
getting you off that bottom level of vulnerability so you’re no longer the easiest
target on the Internet.
We were talking about email spoofing earlier before where-
Yeah, so I guess one of the most misunderstood aspects of email is that I can
send email, myself, from anyone. I can send email as [email protected]
to [email protected] and assuming you don’t have any other controls in
place, like sender policy framework, etc., etc. then the email’s gonna come
through to you and most people, when they see that the from address is
someone they know or part of their organization, assume that it is from their
This is the scary thing, right? I have received it. I didn’t believe him. It didn’t go
to my inbox because of the spam. Mark’s just sent me an email. First of all, it
says etraffic.com. There’s no etraffic.com.
eTraffic.com.au, but you could’ve changed that, right?
Yep. So there’s that aspect, and then on the email, and I’ve just taken a photo
and I’ll add it into the show notes. It basically says, “Test spoof.
will this go to you?
No that would go to [email protected]
But the point is, in the text, because in the body of the email it just says, “Send
Yeah, so if I really wanted to try it, then I would put an email like, “Hi, Cam. We
need to pay this invoice blah blah blah blah, please transfer or go to this
Do another one because this is actually both interesting, alarming, and scary at
the same time, the fact that you’ve just done this, right? In some ways, I’m in
the digital text space and I didn’t think that this was possible. Later on, I want
you to send an email from David, saying “Dude, I need you to send me some
money.” And then put our bank details to see if that actually works.
It definitely will. The good part about what you guys have got is someone who
has put in an SPF record in your DNS … So what that does is … Well, the way
how the SPF record is configured means that if the email comes from a server
that’s not listed in something you created, so you can say, only Google servers
can send email on behalf of etraffic.com.au. You’ve got that in place, but you’ve
got it in place in what’s called a soft block, which means that it will still go
through, but it will get tagged as junk or something like that.
And that’s where it went straight through to … So if Claro, our IT guy, didn’t
actually have that in place, with the SPF-
Then it would go straight to your inbox.
Interesting. So, honestly, every business person, get this fixed. This is incredible.
How do people get this fixed, man?
It’s really simple. Anyone who’s technical is listening to me saying, “You’re an
idiot. That’s so simple to fix.” And it is. It is simple, but the reason why I’m
talking about it is because if you’re not someone that knows about DNS and DNS
records [crosstalk 00:40:23]
Hands up. Many people.
Most business owners won’t know about that and it doesn’t mean that they’re
stupid. It means that they’re concentrating on something else.
Yeah, there’s a very simple way to fix it and it’s called an SPF record. The place
where it gets a little bit complicated is what that does is it says, “Only these
servers can send email from eTraffic,” but if, for example, you use something
Why did it still get sent through?
Because the way that you’ve got the record configured is in soft block mode. If
you look at the actual DNS record, it’s got a squiggle instead of a dash, and even
the technical folk that are listening, a lot of them won’t know the difference
between the squiggle and a dash. So the squiggle and the dash means let it
through, but tag it. The dash means don’t let it through at all.
So would you suggest not let it through at all?
No, I actually reckon that the squiggle is fine, especially … It’s called a tilde, not a
squiggle, but it’s fine.
Yeah, except in ASCII mode. So, yeah, it’s fine the way it is, especially if you’re
using an email provider like Gmail or Office365. They’ll see your SPF record.
They’ll see that it’s in soft enforcement and they’ll go okay, this is junk or this is
malicious. The place where it gets a little bit complicated and where some
people need help is, say you didn’t know that your IT guy had done this, right?
Correct because that’s his job.
Exactly, and that is his job, right? But, say, for example, you wanted to do an
email marketing campaign and you used a service like SendGrid or, what’s the
other one? MailChimp. If MailChimp and SendGrid are not listed in this record,
then that means every email that you send in your marketing campaign is gonna
get tagged as junk and no one’s gonna read it. So that is another aspect of
information security that is often sort of overlooked. What’s the cost of putting
in that control? Yeah, it’s fantastic that you guys have got it and that email got
put into junk, but I bet my bottom dollar that if you decided to do a MailChimp
or a SendGrid email marketing campaign, it’s unlikely that you would
communicate with your IT guy and make sure that your SPF record is correct so
that those emails don’t go to all of your marketing targets’ junk. Yeah, so that is
an interesting aspect, but all in all, I’d say that you guys were successful in
blocking my remedial attempt.
The fact that it came through though and I don’t think that any of our clients
would actually have this, we don’t offer that as a service, though, right? I saw it,
I didn’t believe that it was possible. It did go through, went to our junk, and
even then it’s got my tailbone up a little bit. That’s really scary.
It really is amazing.
Because that’s a simple thing. You just did that in front of me.
In terms of sophistication of attacks, this is the absolute lowest, simplest … I’m a
little bit embarrassed to be talking about it because anyone that’s really
technical is just like, “Oh my God. That’s stupid.”
But that’s your domain, right?
Exactly. That’s why I am talking about it because we’re not talking to the guys
that understand this. We’re talking to business owners who don’t have $100,000
to pay an IT guy.
They don’t need that $100,000 or IT guy, right?
No, they don’t.
So what do they do to stop this?
Yeah, so there’s a bunch of things that they can do. Number one is if you want
to get some understanding yourself or if you do have an IT guy that’s got no
experience in security, get them to have a look at … There’s a lot of resources.
One of the best ones that I recommend is the Australian Signals Directorate. So
the Australian Signals Directorate is Australia’s version of the NSA. So that’s our
intelligence agency that does all of the offensive hacking and all that sort of cool
stuff, but what they also do is they provide Australian businesses and Australian
citizens with recommendations on how to do basic security, a basic information
security. So they actually publish a top 32 mitigation strategies. So that’s a list of
controls like SPF, what we’re talking about, and patching, and all that sort of
stuff. They provide recommendations on the basic things that you can do. Not
every business owner’s gonna be able to do that, but if they’ve got someone
who has got the basic levels of technical ability, they’re gonna be able to read
that and glean from it what some basic controls are and implement them. For
example, I’ve got their top four mitigation strategies up in front of me. Number one
is application whitelisting. What that means is if you’ve got a few staff members
in your office, you want to restrict what they can install on their work stations.
North Korea, sure.
For example, if you give someone a laptop and they’re working in your office,
and they go home and they go, “I’m gonna stream something from, for free” or
whatever. Free streaming sites are terrible because what they do is they use
Flash, which is one of the most vulnerable things on the Internet, or on your
computer, and they’re gonna get breached, so they’re gonna get a bunch of
malware installed on their computer. Most of it’s not that serious, but some of it
Can I give you an example of one? Okay, so, one of my very first jobs, actually, I
was working at Corporate Choice sales company and they didn’t have this in
place and I downloaded [Vuze 00:46:22] and at the office, I thought, Jesus
Christ, this is fast. I’m pretty sure, like, this is over a decade ago, right? So this is
Dialup’s 20 years ago, mate.
Is it? No, it wasn’t. I had dialup around 15, 16 years ago. We didn’t go to the
rich, pretty boy school, but yeah, so I remember I was there and I thought,
“Jeez, this is downloading really, really quickly.” So I downloaded Vuze and I put
on my TV shows. I put on my movies. At that time, they had an Internet plan
where if you exceed X, you pay for every megabyte over, and their Internet bill
came in, and it was a lot. From memory, it was at least $5, $6 grand, and it was
500%, 600% over. Now, because they didn’t have the prevent in place-
Whitelisting, yeah. Application whitelisting.
I didn’t have to pay for it, but that is a perfect example of where this comes into
play and it cost them a lot of money.
Exactly. Exactly. The other aspect of application whitelisting, it’s not just work
sanctions, it’s also the service that you have. So if you’ve got a web server or
something like that, then you need to ensure that, if you have a basic
vulnerability whereby people can do some really basic sort of exploits, you still
need to have application whitelisting in place because that prevents them from
escalating their privileges and from doing something really malicious on your
computer. The primary thing that will happen to small to medium businesses is
their server will get turned into what’s called a zombie and that becomes part
of a botnet and people use them for distributed denial of service attacks.
If I send out a basic exploit that goes around to and breaches 100,000
computers just because it’s got a really basic thing. I don’t actually have full
control of their server, but what I can get it to do is I can get it to send requests
to another website. Then I say to … One of the famous examples is a lot of the
Australian online gambling companies, on Melbourne Cup Day, every single
year, they get emails from these distributed denial of service guys, saying, “If
you don’t pay us $50 grand or if you don’t pay us $20 grand or whatever, then
we’re going to send millions of requests to your site and no one’s gonna be able
to use it, so on Melbourne Cup Day, no one can place bets.
Whoa. Because that’s not hard to do. Every website can only handle a certain
amount of traffic. That’s why you hear websites crashing. If you send any normal
website millions of visitors, website goes down. They can’t handle the
Exactly and if I’m a small to medium business, there’s no way that … The cost for
Is that a DDOS attack?
Exactly, a distributed denial of service, DDOS.
Very good. I remember because this has happened to us. It was from Russia or
something like that and I randomly went to a site and it was down. I went to
Claro, “Hey what’s going on?” And he’s like, “I’m on it.” He was up really early in
the morning. He said, “We’re being attacked.” He said, “DDOS.” It was just a
whole bunch of traffic. That’s not even hard to do.
No, and amongst information security professionals or whatever, it’s not a
respected thing because it’s something that 14 year olds can do. It doesn’t
require any intelligence. It just requires a willingness to break the law.
So let’s just say, competitor A has a beef with competitor B, then he pays … I
mean, it’s as simple as, “I’ll pay this person to send thousands of …”
100%. There’s thousands of services. They’re called DDOS for hire and you can-
DDOS for hire. Don’t Google that.
Yeah, I don’t think we’re helping the Internet.
But how do you safeguard against it?
That’s one thing that I can’t give a small to medium business a simple fix for.
Can I attempt? Can you just say I don’t want traffic from Russia?
Yeah, you can, but so the problem is that-
Or I don’t want traffic from Uzbekistan?
Yeah, so the problem is that wherever you have control up to … So say you have
control of your server or even if you’re a little bit more advanced, you have
control of the router in front of your server, then you can control that part and
say, “Whenever traffic gets there, I want to drop it if it’s from a certain area,”
but what happens with denial of service attacks or distributed denial of service
Is they throw so much traffic that the point of failure is not where your control
is. The point of failure is gonna be the Internet service provider just before
where you’re in control, so there’s really nothing you can do about it unless you
pay … Another sad thing about the information security business is now, to
counteract these distributed denial of service groups, there’s a bunch of
companies that offer DDOS mitigation, and basically you pay them thousands of
dollars a month to, when you get under attack, you route all your traffic through
them, and they have huge amounts of bandwidth and they can filter that all out,
but basically you pay for the privilege of being able to devote your traffic to
them and then they clear it up and send it on to you. But that’s getting onto-
But you know what’s interesting? DDOS mitigation, Australia, searches per
month, it’s only 50.
Yeah. Yeah. I agree. But you use it as a guide. It’s not exactly 50, but the fact that
it’s that low, and it’s that important.
Yeah, well, of course it depends … Let’s go back to the
But if it happens once, right? So
business if your website is down for a day?
How much would that cost you? If it happens once, okay. If it happens twice,
okay. If it happens three, do something about it?
If it happens often, then someone’s got a boner for you.
Even if you assess the risk. So at an organization I previously worked at, we did
not actually come under a DDOS attack, but we assessed the risk of, and
likelihood of, it occurring, and we decided that just the risk of it occurring was
sufficient for us to pay, and we ended up paying $120 grand a year just for the
mitigation of that risk. It’s not realistic for every small to medium business that’s
gonna pay that, but when you start moving up. So say your business is making
$2 million a month or $3 million a month or whatever, then it really-
You can’t afford for your site to go down.
Yeah, it’s like insurance.
Do you still get DDOS attacks now? Have you ever had one?
Yeah, we’ve had a lot of them. What? When I say we, the company-
Stop making enemies, man.
That’s the thing. It really is sort of random. Because of the ease of the attack and
the people that are doing it are just doing it every day to whoever they can, and
it’s just extortion.
Is it malicious or is there a reason behind it?
No, it’s purely malicious. It’s just basic extortion. It’s we’re gonna attack this
company because we think that they’re gonna pay us.
So when you’re using, is it the TAB or whatever Melbourne Cup example?
Do they pay?
Yeah, I believe so.
They pay for terrorists? They’re funding terrorists?
Well, it’s extortion. They’re paying for Internet gangsters.
Wow. What would your advice be to them?
Well [crosstalk 00:54:11] My ideology is that you should never pay them.
I agree because then they’ll just keep on doing it.
Exactly. It just keeps on doing it. And then, the sad part about it all is that if all of
the Internet service providers actually agreed, as an industry, there’s a very
simple way of preventing it ever from happening again, but the fact of the
matter is that there’s too much politics around it all and instead of just doing
the basic simple fix that could be implemented, we still all have to deal with this
problem and we have to pay extortion one way or another, whether it’s through
paying the criminals or paying the guys that-
To fix it.
Well, the guys that charge you for the risk mitigation. Anyways.
So, no, but that’s really interesting as well. Really, really fascinating topic. What
would Mr. and Mrs. business owner, what should they do?
Mr. and Mrs. business owner, don’t even worry about it. Until you actually have
a problem with it, don’t worry about it too much and don’t pay unnecessarily for
a DDOS mitigation service that you can’t really test, you can’t really ensure
works, and costs thousands of dollars for something that may or may not
happen. I would recommend not doing a DDOS mitigation service, but back to
the topic, the reason why we’re talking about that is because application
whitelisting is something that prevents your server from being one of the
servers that contributes to those attacks. So that’s just being a good Internet
citizen, is application whitelisting. Same thing goes for patching systems.
Ensuring that your WordPress, ensuring that your web server, whether it’s
Apache or NGINX or whatever, ensuring that the operating systems are all up to
So, let me piggyback a bit because I don’t think that a lot of people would know
that, and so what the general population would do is they would be either, so
there’s two. So they’d either get a BlueHost, GoDaddy, CrazyDomains, or they
would pay for a company that has their own server, like us for example, and
then we manage that for them. Those are the two, but they wouldn’t know any
of those [crosstalk 00:56:30]
Exactly. So when you say that and the business owner says, “Well, we don’t have
the resources to do that. I don’t know how to do that.” If you go with a managed
service provider like a GoDaddy or a same company like that, then they
basically, for better or worse, take care of your lower level patching, like your
operating system and your web server and that sort of stuff.
Do you know why I don’t like those? How many sites would be on one of these-
And, how do you know you’re not sharing a server with a porn site, a gambling
site, and your website, that trickles through. That affects a lot of different
100%. If you’ve got a business that makes money online, particularly through a
No, but it’s not just makes money online. That’s lead generation… Mark
Exactly. Very good point. If you’ve got a website that’s a
valuable asset to your business, whether it’s revenue generating or otherwise, if
you say, “All right. I think this website is worth $10,000 a year or $100,000 a
year or whatever.” And you’re paying $7 a month for hosting.
Why do you think that there’s service providers that provide a higher level of
service at a higher price? If that shared hosting was fine, there wouldn’t be a
market for better services. There are downfalls to it. I’m not gonna go through
them all right now, there’s no point, but if you care about it, at least
engage a company that’s gonna give you the support and tell you, “All right. You
need to be aware that your WordPress is not patched. You need to be aware
that you’re getting DDOS. You’re on your own IP address so you’re not gonna
get blacklisted because there’s some other site going around.”
Very important. Actually, you know what? From a marketing perspective, it
actually affects your SEO.
No, it does because if you’ve got a site on the same server as you and they’re
getting spammed like you wouldn’t believe and they’ve got all of this negative
stuff, that trickles through to you because-
There’s so many aspects to it, as well, because most of the search engines,
especially Google, for example, they’re gonna say, “Is the person searching for
your site in Australia? Is your server in Australia? Does it have its own IP
address? What else is on that IP? It all affects everything.
We’re actually doing some SEO for a customer and we’re doing everything right,
we’re ticking all the boxes, doing a normal A to B, C to D, and their results were
not what we expected. Some person recommended that we get them off, I
would say X server provider, and get them onto someone else, and it had an
Immediate. And if you think of your website as a revenue generating tool, it’s an
asset, not for branding, not just for [crosstalk 00:59:36]
Well the other argument to that is if you’re paying $9 a month for hosting, then
the hosting provider does not care about your service. Well, they care about
your service, they don’t care about your website.
No, they don’t.
They’re not gonna go overboard.
But if your site goes down, do they notify you or do they try and … That’s a
really important aspect, right? That’s what I wanted to talk about as well. How
do you know if your site’s down?
Good question. It’s a lot more complex than is your site down. If your site-
It’s A or B.
No, it’s not A or B. That’s an amazingly complex question for something that’s so
simple. For example, one of the hardest things to pin down when you’re
providing … Say you’re providing a government agency or a large organization
with a really hugely important application, and you’ve got contracts in place that
say this site has to be available 99.9% of the time or 99.9999% blah blah blah.
How do you establish whether the site is available or not? Does that mean that
when you go to the site, if it responds in 20 seconds or 30 seconds, is that
Okay, I see what you mean.
If it responds with an error, is that available? If all of the pages, except for one,
works, is that available? There’s a lot of intricacies to it and-
But would it be to do purely with the server because everything else has got
nothing to do with the actual hosting company itself?
Again, that depends on how valuable the asset is to you. At Security Shift, we
manage some extremely
agencies say this is something that handles legal tender, we cannot allow that to
go down. It doesn’t matter if [crosstalk 01:01:33] That’s the thing. If you’ve got
the money to spend, then, for example, we have multiple multi-homed routes to our
site so if our ISP and three other ISPs go down-
But what was the … Obama Health?
That went down. [crosstalk 01:01:53]
The Australian Census, that was a massive one. So the Australian Census was a
huge disaster. They spent hundreds of millions of dollars setting up the census
and telling everyone to do it, and then when everyone went to it, it was broken.
I guess the point that I would make there is that when you’re seeking help, you
need to go to someone with a good track record and who’s reputable. Even the
Australian Census, that was done by IBM and when they did the investigation on
why all of that failed, most technical people would say it was remedial things.
Let’s talk to Mr. and Mrs. business owner. Should they just be relying on the
managed hosting company to just be on top of it?
Or would … I think we use Pingdom.
Yeah, Pingdom’s a good external monitor. You also want to have internal
monitoring. So you want to know if you’re going to run out of disk space. You
want to know if you’re running out of resources on your server. There’s a huge
amount of effort you can go to. Load balancing, Anycast connecting to
your site. You can do so much stuff. And, again, it’s that
whereby you say, “This is how much this is worth to me. This is how much I’m
willing to spend on doing it.” Then, you need to find someone who is capable of
saying, “All right. I understand this is how much it’s worth. I understand this is
how much you’re willing to spend. Now I’m gonna put the most
controls in place to provide you with what you want for the money that you
want to spend.”
In general, you want to find someone, a company that’s technically able to do
that. There are a lot of companies that do it. Finding people that are capable of
doing it is the hard part.
What would you expect the cost to be? Don’t give me the risk analysis.
You have to because for example, at Security Shift, we have clients that pay
upwards of $60,000 a month for hosting versus people that pay $10 a month for
Yeah, but I think the people that spend $10 a month for hosting don’t actually
understand what they’re paying for and they just see the dollar amount, right? I
think that this is gonna help them understand if that goes down … Hosting’s not
Yep. If people want someone like Security Shift, our business is really focused
not so much on small to medium business. We do offer services for small to
medium businesses, but at least we can provide … If someone wants help and
they say they need help, then you can contact us at [email protected]
and we will point you in the direction of someone that can provide you with the
service that you’re looking for. It might be us. It might be someone else.
This was really fun, man. I really loved it. Do you want to add some final words?
Yeah, I think we’ve gone through it all. Obviously, if you need some help,
contact us at securityshift.com, but yeah, otherwise it’s been fun.
And really, really good luck everyone. Everyone, this has really opened up my
eyes on the email that Mark sent me from my accounts team, just opening my
eyes up of the fact that your website can be hacked really easily, DDOS attacks,
research it. Just look into it. Don’t just rely on that $10 a month hosting account
and thinking that you’re safe because there’s so much more variables to it.
You’ve gotta think, how valuable is your online asset to your business?
Sorry. One more thing that I will say is to all the technical people that have been
frustrated with me talking about the very basic exploits and vulnerabilities,
strong recommendation to listen to the Risky.biz podcast, made out of
Melbourne by Patrick Gray. It’s one of the best podcasts I can recommend, so
He’s adorable. Thank you very much, Mark Culhane.
Cheers. Thank you.
Thanks for listening to the Digital Cowboys with Cameron Francis and Sam
Roshan. Now, if you enjoyed today’s episode, head on over to iTunes and give us
a five star rating and please, write a review. Also, head on over to
digitalcowboys.com.au, where we post the latest episodes and content pieces
for all of our listeners. So saddle up and join us next time for another edition of
the Digital Cowboys.