Hosted by Elizabeth Ü
Meet Felix Shi, who enjoys breaking into things. Legally, of course. He’s a Product Security Specialist for Xero who likes to write security software the right way, to protect small businesses from threats like malicious software as a service (yep, real thing).
On Xero Gravity #60, he shares how you, as a small business owner, can safeguard yours. How laying the ground rules for IT usage starts with a strong password policy and two-factor authentication, laptop hard drive encryption, user education (employees), and that consulting with an IT / security expert from the get-go will prove invaluable.
It all comes to you from a guy who originally wanted to be a botanist, but was squeamish about biology, then his awful eyesight nixed the pilot idea...to today — a pro hacker who loves his work. And geocaching. Old gold rush sites.
Host: Elizabeth Ü [EÜ]
Guest: Felix Shi [FS]
Intro: You’ve just tuned into Xero Gravity, a podcast for small business leaders and entrepreneurs across the world. Now to your host, Elizabeth Ü.
EÜ: Hi, everyone! I'm Elizabeth Ü, and this is Xero Gravity.
“One day we found there's someone else on our Wi-Fi. I thought, ‘Who is this fellow? What are they doing there?’ And it turns out they were actually stealing our Internet and perhaps stealing files off our local file share system. So after that, we tried our best to actually track this person down and see what the extent of this breach is.”
EÜ: Meet Felix Shi. He's a product security specialist at Xero, based in the Wellington, New Zealand office. Felix has been interested in this field since his teenage years, when he decided to test his high school security. He got a bit of a scolding for that, but now he's living out his dream as a self-proclaimed professional hacker.
Cyber security is usually a dry topic, yet Felix's humorous approach really drives home the importance of security for small business and what we can do about it. I was hanging on his every word.
“Well, there’s been quite a few questionable life choices. When I was in high school, I got into trouble for actually investigating the state of security of my local school network. Back then I was young, naïve, and also, frankly enough, quite rash. After that, I got a pretty stern lecture about privacy and security by the principal in high school, so that wasn’t actually great.”
EÜ: We have all of that and more — coming up on Xero Gravity, right after this.
Promo: If you're an accountant or bookkeeper, listen up! XERO is taking over San Francisco – August fifteenth to seventeenth – with XEROCON, the world's most beautiful cloud accounting conference for accountants and bookkeepers.
Learn how to add the right tools and apps to help you XERO IN on your clients.
Get face time with executives and developers who are shaping the industry’s future. And come away with tactical and actionable goals to boost your practice.
Book your plans for XEROCON San Francisco and get ready to share experiences, discover best practices and be inspired.
Sign up now with special early bird registration and hotel pricing. Go to XEROCON dot com to learn more. That’s X-E-R-O-C-O-N dot com. Are you in?
EÜ: Felix, thanks for joining us on Xero Gravity.
FS: My pleasure.
EÜ: Well, I wanted to start out by asking, what did you want to be when you were growing up?
FS: I’ve always said, when I was growing up, I wanted to be a botanist. In fact, a botanist or a pilot. Then I realized I'm actually quite squeamish about biology so I thought, “Pilot might not be a bad idea.” Then I realized my eyesight is utterly, utterly terrible so I thought, “You know what? Maybe I'll give that a pass as well.” And then afterwards, I really enjoyed working with computers, so I thought, “Maybe I'll be a programmer.” And then I started Computer Science at University, you know, for a good three years or so. I started here after university. I started off as a developer in the real world, not in the ivory tower of academia, working for Stocks, a little startup company, you know, with a focus on a mobile cricket scoring application. I mean, in the States, I guess you guys don't really play much cricket.
EÜ: Oh, wow!
FS: I mean it’s one of those games where the rules are so convoluted you need a scoring application to keep track of everything properly. Back in the day, you needed a pad, like a huge pad of A4 paper, and they’d write down all the scores, formulas and everything else, and then they'd calculate the score at the end of the game. And, yeah, so I started off as a developer and afterwards, I moved into security. I've always had an interest in security ever since I was a little kid.
EÜ: What exactly about security was interesting to you?
FS: So with security, it is a fast moving industry with new threats and technologies emerging constantly. I mean frankly enough, I like it because I don't see myself getting bored with it. You always have to keep up to date with the latest threats, technology, and trends in the industry. I mean it’s a field that rewards both the methodical approach to problem solving and also an eye for detail, especially when you're doing forensic work.
EÜ: So I have to ask you, was there ever a time when you were a hacker and trying to break into things? Did that have anything to do with your interest in security?
FS: Oh, funnily enough, that is actually what I do at work. Well, legally, of course. So when I joined Xero two years ago as a security tester, back then I was pretty much hired to test newly-developed features for potential security issues.
So pretty much what the so-called internal security testers do is the same work hackers do, but in a controlled environment. So for our, you know, in our code base, we have environments where it's not actually exposed to the public, so we actually perform so-called security tests. In other words, "hack" into it.
If we find any security flaws, we provide feedback to the developers and give them advice on how to fix it, what causes the flaw, you know, what the business impact of it is, yadda yadda yadda. So pretty much in a sense that is, I guess, what you would call hacking.
EÜ: Well it sounds actually quite fun when you describe it that way.
FS: Well, it kind of is. That's the fun part. The boring part is writing up the reports. Seriously.
EÜ: Ah. When you're not busy working at Xero, what do you enjoy doing?
FS: Well I’m very much an outdoors person, so normally I go out for walks, I go out running, and I've gotten into geocaching in my university years. Is that a thing in the states?
EÜ: It is. I actually have a geography degree so I love geocaching, though I haven't done much lately.
FS: All right. No, it’s actually really big in New Zealand. I'm actually based in Wellington, by the way. Yeah, there's quite a few geocachers in the capital city of New Zealand, Wellington. I met a friend who's into historic preservation and restoration efforts and we've been working through the country to start to look for old gold rush sites. So that’s been quite eventful!
EÜ: Wow, I can't wait to come visit you. Not only so that we can go geocaching together, I'm also somewhat obsessed with the gold rush, so we'll have lots to talk about.
EÜ: And where do you go for inspiration or to learn new things?
FS: See the thing is, like I said earlier, security’s quite a fast-moving field, so normally if you want to keep up to date, or when I want to keep up to date, I normally resort to Internet bulletin sites or social media, for example. Like there's quite a few websites out there, such as Hacking Use, or there's a podcast called Risky Business run by an Australian fellow, Patrick Gray. Brilliant podcast if you're interested in spatial security! There's quite a few social media sites that have a focus on security: What are the latest trends in terms of threats to small businesses, the banking industry, or the financial industry, etc. Normally, with books, I've always found with books they're very good for getting a fundamental understanding of security. Yet if you actually want to keep up to date with it, you've just got to resort to the Internet.
EÜ: What have been some major turning points in your life that got you to where you are today?
FS: Well, there’s been quite a few questionable life choices. When I was in high school, I got into trouble for actually investigating the state of security of my local school network. Back then, I was young, naïve, and also, frankly enough, quite rash. After that, I got a pretty stern lecture about privacy and security by the principal in high school, so that wasn’t actually great.
And when I was in university, I studied computer science with a major in software engineering. I always found with university courses that they put a lot of emphasis on theory and how to design software, but very little on security. So often you see graduates coming out of university with... they know how to write software but yet they don't know how to write secure software. When they actually start their own small business or when they actually start their own technology startup, often you see them running out products really fast, but they're utterly insecure. So that’s when I thought, hold on a minute. That is a field I want to get into. I want to be someone who can actually write software and write it right. By right, I mean securely, and also to make sure whatever company I'm working in has a decent stance on information security.
In my university years, I was flatting with three other guys in a little suburb called Karori. One day we found there was someone else on our Wi-Fi, on our router. I thought, “Who is this fellow? What are they doing there?” And it turns out they were actually stealing our Internet and perhaps stealing files off our local file share system. So after that, we tried our best to actually track this person down and see what the extent of this breach was. And it turns out, it wasn't as bad as we thought. It was just someone who managed to crack our Wi-Fi password and began using our Internet to download music, movies, and whatnot. We managed to kick them off and actually secured the router once again. You know, by actually creating a more secure password and using a more secure encryption scheme. But, no, just after that, I thought, no, I want to get good at this, you know, I don't want this to happen again.
EÜ: Now let's dig a little deeper into this episode's theme, which is, of course, cyber security. Let's start with some basics. What is cyber security and why should small business owners care about it?
FS: Well, in my opinion, cyber security is just the act of protecting data stored in a system against, well, unauthorized users, you know, who are trying to tamper, disclose, or destroy the data.
I mean, it is a practice to ensure that the information stored is safe against prying eyes from both within the company, you know, unauthorized employees, or other threat actors from outside the company. One could even say that people who are trying to deface websites — that's actually compromising cyber security. Alternatively, you get other stuff like organized crime or even nation state actors, but I doubt the latter would actually go after small businesses.
And I think, in my personal opinion, the biggest threat to small business, and why they should care about cyber security, is that normally small businesses lack the resources to commit to security. Like, unlike large corporations, they don't have tens of thousands of dollars to throw around to buy the latest and greatest product. Firewall, antivirus, yadda yadda yadda. Nor do they have a dedicated security team to, you know, respond when incidents happen.
Like for example, when I graduated from university, I was working at a small business with an employee number of four and security is everyone's responsibility there. We don't have a dedicated security team. Everyone does security, and I think that is why it's actually really important for small business to have security on everyone's mind, as well.
EÜ: Some people believe that security threats are only an issue for businesses that handle sensitive data or client information. What are the biggest threats that face every small business?
FS: Well, that's actually a very good question. You see, with a lot of modern breaches, people are actually compromising a business in order to attack or to obtain customer details. For example: a list of customer names, addresses, credit cards, et cetera. But for companies that don’t handle sensitive financial or client information, the business information itself can be very valuable to, say, their competitors. You know, corporate espionage is a major problem, and also scamming and ransomware in recent years. There's been quite a few scams and ransomware going around. So are you familiar with the term phishing by any chance, Elizabeth?
EÜ: Phishing I am familiar with. I'd love to hear you define scamming and ransomware and then we'll get into phishing as well. Like corporate espionage, I just love that phrase in itself. Can you tell us what scamming means?
FS: So scamming is the act of trying to phish for sensitive information by pretending to be a trustworthy party. At least in New Zealand, we see a lot of tax fraud. In essence, people pretending to be a tax agency and getting people to file fake tax returns. Alternatively, in my line of work, we see a lot of invoicing fraud. For example, a scammer sends out fake invoices pretending to be a legitimate company, like say a building company for example, to someone who wants to get a house built. So they take an existing invoice and they modify the bank account on the invoice in order to actually attempt to get the victim to pay money to the fake bank account or to the modified bank account.
FS: Yeah, it is quite prevalent amongst small businesses. Mainly just because small businesses don't have a dedicated security team for handling these kinds of things and most people who are starting off, you know, when they’re starting up their own business, they’re not very well educated about the Wild West that is the Internet.
EÜ: So how can we protect ourselves from scamming?
FS: Well, I would actually say user education for starters. One would actually say phishing with a p-h is a form of scamming as well. It is a major, major cause of compromise to businesses large and small. Like if we look at any, most actually, modern compromises to, not just small business, but in the last few years, we see large, multi-million dollar businesses getting compromised via phishing. And I think ultimately in order to protect us against phishing and scamming, it comes down to user education. Unlike, well, a computer system, for example, you can't apply a patch to a human being in a traditional way that you would install software. I mean in a sense.
EÜ: [Laughs] That’s a great image.
FS: Well, you just can't run, say, install phishing protection dot exe on say, Joe from accounting. It doesn't work like that. So I think it is important to run a rigorous security awareness and training program at your company. Where actually, when you, for example, when you hire new employees, perhaps it is important to have a security induction as part of the induction process, to inform them, hey, “What is phishing, what is scamming, how do you actually spot phishing, and how do you spot obvious scamming emails?” As an example.
There's quite a few free resources online on phishing awareness. Just a few quick tips regarding phishing. If you receive a dodgy email that's requesting sensitive information, check the sender's e-mail address. If you reply to the e-mail, double check the reply-to address. There's been incidents in the past where the sender's e-mail address is actually quite different from their reply-to address. And don't click on any links without hovering over them first; the destination can be very different from what it was showing on the screen. And also, if in doubt, and if you have a local IT expert, ask them, “Hey, is this legit? Is this dodgy, etc?”
EÜ: You also mentioned ransomware. Can you explain what that is?
FS: Yeah. Indeed I can. So with ransomware, so just a bit of background. So back in the day we had viruses, which are dodgy little pieces of software that are designed to cause damage and propagate themselves on a computer. Nothing more, nothing less. Fast forward a few years, you get Trojans, which are pieces of software that sit on your computer. Imagine the old Greek anecdote of the Trojan horse: something that looks rather innocent but it sits on your computer and allows an attacker to remote into your computer to see what you're doing and perhaps perform remote administration, “remote administration” in quotes, on your computer.
And in recent years, we've seen another thing called ransomware. So what it does is that when it's executed, it runs in the background and proceeds to encrypt your hard drive. In essence, it holds your sensitive files to ransom, and unless you pay the attacker a certain amount of money, they will throw away the encryption key and leave all the sensitive files encrypted and unable to be used.
EÜ: How is this even possible? If you're paying them money, can't someone track them down and stop them?
FS: Well, in theory, yes. Believe it or not, bad guys have rather good operation security and I've read in a newspaper a while back, they actually have a thing called Malicious Software as a Service so people that are wanting to develop...
EÜ: Oh my god!
FS: Yeah, it's crazy. People who are providing the ransomware actually have a proper help desk to help out organized crime. Like, “Hey, my ransomware's not working. Oh, have you tried turning it off and on again?” You know, they have a proper help desk for this kind of stuff, which is utterly, utterly bizarre. A grey market for dodgy software, I mean, who would have guessed?
EÜ: [Laughs] This is amazing.
FS: And normally they attack small business by pretending to be a file that it is not. For example, what I've seen in the past is that you have... let's say we have a building company and let's call it Bob's Building Company. Hopefully I'm not infringing any copyright laws. Bob receives an invoice from someone he trusts that says, “Hey, Bob, could you click on the invoice for me? Could you just do the invoice? Something has gone horribly wrong. You overpaid last week's bill.” There's an attachment in the e-mail and the attachment is in fact a zip file, an archive. Inside the archive, there's just a file called invoice.js, which is not a PDF, which is not a document. In fact, it's a piece of ransomware, or a program that downloads the ransomware, in fact. So when Bob clicks on the file, that file will run in the background. It will download a dodgy piece of software that runs in the background without Bob knowing and within the next few minutes, the computer will be encrypted. And next time, every time the computer restarts, a message will pop up that says, “Hey, Bob. All of your files are encrypted. Please pay us money within the next 48 hours or else we will throw away the key.”
EÜ: And then what? I mean what do you do if this happens to you?
FS: So normally if this happens to you, I would strongly recommend you consult an IT professional. And to prevent this from happening to you, for starters, make regular backups. That is actually something all small businesses should do because, ultimately, sure, you might be running the latest and greatest antivirus, but antivirus software is not foolproof.
I mean when people create new viruses, new ransomware, chances are it's going to take a few days before the signature gets updated, the antivirus signature gets updated. I think it's very important to make regular backups so in the unlikely scenario that all your files are encrypted, at least you can restore from your off-site backup to ensure your business runs as usual.
EÜ: With regard to these backups, is there any particular software you recommend for backing up your hard drive?
FS: Not in particular. Every business is different, especially, I mean, we were talking about small business. Small businesses normally don't have a lot of money to throw into backup software. Normally, at least when I was working at a startup, multiple startups, what they've done is that they’ve simply just gone with a hard drive, an external hard drive, and every week or so, they simply just copy a lot of information onto that hard drive, and that is the off-site backup they have. What they've done is they've stored the hard drive off site.
Because I live in the capital city of New Zealand, Wellington, earthquakes are a major problem here. We get a few minor earthquakes, every few weeks. Yeah, about every few weeks we get an earthquake. People are worried about say, “What happens if the office collapses? What happens if the server room collapses?” Having an off-site backup really helps a lot.
EÜ: It seems like also in terms of backing things up that having a cloud solution as far as software goes, is another form of security.
FS: Indeed it is. In fact, it's very interesting that you mention that, Elizabeth. For a lot of small businesses, instead of investing in starting their own servers and starting their own infrastructure, there's quite a few cloud-based solutions out there. For example, software as a service for off-site backups, or in fact for running your own business.
EÜ: Can you take us through some of the keys do’s and don'ts that small businesses and entrepreneurs should follow for making sure their business is secure?
FS: Absolutely. Well you see the thing is, you get some advantages that come with running a small business. I mean you have the flexibility to make rapid changes compared to, say, you know, multi-national corporations where you have to draft who knows how much documentation and go through steps in order to make any changes. With that said, I think it's actually quite important to lay down some ground rules for IT usage before people can actually use the computer. For example, password policy. Make sure that you actually have a secure password. Make sure you're not reusing the same password you use for your personal email or any other personal service, because it is important, for starters, to have, you know, work/life segregation, compartmentalization.
And also, imagine this: if there's a compromise on another system, let's say, hypothetically speaking, your personal email service provider, and the password you use for your work account is the same as your personal password, then an attacker would be trying the same password on your work account and compromise it that way. Your work password needs to be different from your personal password.
Also, when you're running a business, make sure you always have a basic antivirus software. It will filter out most low-hanging fruit, for example, and you can get quite a few free ones. If you're running Windows, if your business runs Windows, you can always get Windows Security Essentials installed. Make sure it's running and make sure it is kept up to date.
And another thing is, if your business revolves around laptops, if you're doing most of your work on laptops, encrypt your hard drive. If you're running Windows, you can use a feature called BitLocker. I mean, in the unlikely scenario that there is a physical security breach, someone breaks into your office, steals your laptop, your sensitive business information stored on your laptop will be inaccessible to the thief. Otherwise if people steal your hard drive, they can read all the business stuff and that would be bad.
EÜ: [Laughs] No, that would be bad. Does that also mean that you would be able to recover the information that was on the stolen laptop?
FS: Yeah, so BitLocker is a function offered by Windows. So what it does is that by default it encrypts your hard drive at rest. And only when you log in, when you start Windows and log in, does it decrypt your hard drive. Without the appropriate credentials, an attacker cannot gain access to what's stored on your hard drive. And to go back to what you mentioned about cloud services, there's a lot of online services nowadays that offer enhanced security in the form of two-factor authentication. If it is offered, take it.
So, I mean someone might be asking, “What is two-factor authentication? What is this man going on about?” Two factors: Normally with a lot of services, you can authenticate yourself by providing a username and password. That is something you know. So with two-factor authentication, they introduce a second factor, which is something you have as well as something you know. For example, I use Gmail as my personal email service provider, and when I want to log on to Gmail, I have to type in my username and my password. When I've entered my username and password, it will send a text to my personal cell phone with a one-time code. Once I enter the one-time code, it authenticates and I can log in to access my email. Using two-factor authentication protects a lot of businesses, large and small in fact, against identity theft in the unlikely scenario of an information breach. So yes, if it is offered, make sure you take it.
EÜ: Well, thank you. I will make sure to do that myself. What is one piece of advice that you find yourself giving to people over and over again when it comes to cyber security?
FS: When you plug a new piece of technology into your system, and by technology I mean it could be hardware or software, think about how to secure it and make sure that you don't store too much sensitive information on it unless it is needed. For example, when you actually use any cloud-based service provider, see exactly what access it actually needs. Try to provide it with the minimum amount of privilege if applicable.
And also, when you're first starting up a company, when you're first setting up your company and IT infrastructure associated with the company who you're with, for instance, consult an expert. It's a one-time fee that will save you a lot of money in the long run. And also there's a lot of small business security guys on the Internet. Do your research before actually setting up your infrastructure.
EÜ: Well, thank you. This has been a fascinating conversation. And I think for me one of the most interesting pieces of it has been how the security landscape has changed over time. I remember when viruses were the only thing we had to worry about it, and then it was phishing and now ransomware. So, so many great tips here for small businesses and thinking about how they can keep themselves secure and their business and customer information secure. And also, I really appreciate the information you shared about the training programs for employees to make sure your entire staff is part of the solution and not contributing to the problem.
EÜ: We're going to finish up with our question countdown, which is five quick questions and five quick answers. Are you ready?
FS: Ready when you are.
EÜ: What business, book or idea has made the biggest impact on your life and why?
FS: I would actually say Turn the Ship Around, by David Marquet. I am probably butchering his last name. My apologies, David. Yeah. It's a book about a newly appointed captain of a nuclear-powered submarine in the middle of nowhere. And the submarine is actually plagued by poor morale, horrible performance and henceforth other issues in a high-stress environment. So it's actually a book on leadership and performance. The book talks about how this newly-appointed captain of a submarine manages to turn the worst submarine in the fleet into the most high-performing submarine. So it was actually a brilliant book. I would strongly recommend it. And it is quite applicable to my work as well because I deal with people a lot and I have to offer suggestions and advice, so it ties directly into my work. Although, I wouldn’t call myself a submarine captain. [Laughs]
EÜ: I'll call you captain from now on. That works for me.
FS: Oh yes!
EÜ: What's the one thing you can't live without?
FS: Mm, well, genuine human connection. I go crazy if I don't talk to people or see people for an extended period of time.
EÜ: What's the most useful app on your phone right now?
FS: Yeah, currently, Google Authenticator. It generates one-time use tokens for a lot of services I use. Without it I wouldn't be able to check my email, do my online shopping, or quite a few other services I just can't access without it. And that is actually part of two-factor authentication, which also means that if someone steals my username and password, they won't have my one-time token and they theoretically won't be able to log in as me. Security! Yeah!
EÜ: [Laughs] In one sentence, what's the greatest lesson you've learned throughout your career?
FS: I would say security is everyone’s responsibility, there's no single point of failure. Like you said, a compromised employee could actually lead to the compromise of a small business. So in fact we should ensure that everyone is actually taking part in security training and making sure that their system is secure.
EÜ: And finally, what skill do you want to enhance this year?
FS: I recently got back into playing recorder. Well, have mercy on my neighbors.
EÜ: [Laughs] Oh my! Well, I hope the next time we speak with you you can give us a performance. What a great conversation, Felix. Thanks so much for joining us on the show.
FS: Thank you very much for hosting me, Elizabeth.
Promo: Are you a fan of Xero Gravity? Because we’d love to hear from you! Subscribe to the show in iTunes or Soundcloud, and leave a review, sharing your favorite moment from the show so far.
EÜ: That was Felix Shi, product security specialist at Xero. Thanks for listening to Xero Gravity. Make sure you join us next Wednesday because we’re going to be talking to Fernando Gomez, CEO at SpargoConnect LLC. He’s a digital marketing expert with a passion for human psychology and learning about what makes people tick. It's going to be a great one. We'll see you then!