Dr. Markus Jakobsson’s background places him amongst the top experts in the world in security. In this interview, Markus provides security tips and lessons only he can provide and the latest trends from his extensive ongoing research as top scientist in the field. Dr. Markus Jakobsson is a founder of the security startups RavenWhite and Fatskunk, and Principal Scientist of Consumer Security at PayPal. He has held positions as Principal Scientist at Palo Alto Research Center, Principal Research Scientist at RSA Security, Member of the Technical Staff at Bell Labs, Associate Professor at Indiana University and Adjunct Associate Professor at New York University.
Dr. Jakobsson is a visiting research fellow of the Anti-Phishing Working Group, and serves on the technical advisory boards of Cellfony and Lifelock. His research is focused on socio-technical fraud; he has contributed to the knowledge of phishing, crimeware and efficient cryptographic protocols, and is currently focusing his efforts on mobile malware and mobile user authentication.
He is an editor of "Phishing and Countermeasures" (Wiley, 2006) and "Crimeware: Understanding New Attacks and Defenses" (Symantec Press, 2008), and "The Death of the Internet" (Wiley, forthcoming). He received his PhD in computer science from University of California at San Diego in 1997.
Enjoy! Stephen Ibaraki
To listen to the interview, click on this MP3 file link
:00:37: Markus, can you profile your extensive history prior to your current role and three valuable lessons? "....We cannot design security products without taking the end user into consideration....All devices are not the same; we cannot port security from traditional platforms to mobile for example....Sometimes paradigms fail...."
:04:37: Can you profile your current role and what you hope to achieve? "....As Principal Scientist of Consumer Security at PayPal....Rework the "online security center" and understand how to better communicate security advice....Stay abreast on authentication challenges....Be one step ahead in terms of the threats...."
:17:28: How can you get rid of spoofing? "....The main principle to avoid many kinds of spoofing is you have to understand what makes spoofing successful and then you have to interrupt that flow.... (see http://www.spoofkiller.com)...."
:26:52: What are your tips for improving passwords? "....There are so many reasons why if we could, we should abandon passwords for something that would give us more convenience and more security....There's a long list of things people are frustrated with in terms of passwords, we have to address all of those. Let me stick to three things for now: the speed of entering it, the recall rate, and the security levels....(see http://www.fastword.me)...."
:34:14: What are the challenges with PINs and how can they be made easier? "....People want to be able to select passwords on their own in order to remember them....Using the password or some other kind of credential and bootstrapping the PIN from that solves a lot of the problems. Once you have a PIN and another credential from which you derived the PIN you can create this tiered security....(see http://www.derivedPIN.com)...."
:36:30: What are trends in fraud? "....Malware is the new tool of fraudsters....Another one is increased use of traditional social engineering methods in combination with malware....We are also seeing an increased use of zero-day attacks for high value targets...."
:39:12: What are the trends in mobile malware? "....To date there isn't a whole lot of mobile malware. There is a simple explanation why and also why it will change. There aren't enough handsets out there to make it worthwhile (historically speaking that has been the case). It has also been a somewhat fragmented market with different operating systems. Now that is changing - today there are more smartphones in the world than there are toothbrushes...."
:44:09: What role does security play in social media and what are the challenges? "....With the increased use of social networks today (for example, Facebook and their environment almost becoming an operating system in that you can play games, run apps, access resources within that environment), we have to start thinking of the "Facebook operating system" (I don't mean what they are running but what they are presenting the user with) as a potential starting place for malware distribution. It's going to increasingly happen and it's going to be made worse by the fact people think of their phone as a social device and feel much more relaxed about security on their phone than on traditional devices...."
:47:54: In your current role, what are your top three ways of measuring security success? "....First and foremost, a reduction in account and machine takeovers....Attitude changes – do people act differently after receiving security education?....Success in identifying good visitors in spite of what the end user does to his device...."
:49:38: In your current role, what are your top 3 challenges and top 3 opportunities? "....Challenges: Be able to contain the likely explosion in mobile malware and malware in general....Understand why things happen, not just what happens....Better user authentication and if possible, suppressing social engineering....Opportunities: Everybody understands the importance of security now; much better than 10 years ago....As more and more security is managed by service providers and with the increased reliance on the cloud, security can become a backend proposition, and we can rely less on individual users to manage their security....When new fields open (such as mobile), we have the chance to redesign things and fix old problems...."
:53:11: What are your current projects and what one lesson can you share from each of your major projects? "....Suppressing spoofing - lesson here is to ask why....Better authentication - insight here is to understand how people use the technology....Malware, mostly how to detect - maybe the insight here is that this is harder than anybody thought and we seriously have to pay attention to this...."
:54:41: What specific technologies should business and IT executives be embracing today and in two years, five years? "....Not so much technology as mindset. I would sum it up in 3 things: Metrics....Imagination....Funding...."
:56:53: Please make predictions for the future, their implications, and how we can best prepare? "....Predictions are what we see, but that's not the important part because those are the parts we don't have control over. What we do have control over is how we react and that's where I want the focus to be...."
:57:49: What are your thoughts on computing as a recognized profession like medicine and law, with demonstrated professional development, adherence to a code of ethics, and recognized credentials? [See www.ipthree.org and the Global Industry Council, http://www.ipthree.org/about-ip3/global-advisory-council] "....Understanding computing is already a recognized profession, we just do not have a consistent name for it. There are very clear ethical guidelines, such as those put forth by Internal Review Boards as soon as user experiments are to be performed....There are several types of credentials, maybe not very consistent yet, but they are very indicative of the different types of computing professions...."
:58:30: If you were conducting this interview, what 3 questions would you ask, and then what would be your answers? "....Why are big changes needed now?....Why are we still stuck with antiquated security measures such as passwords?....How come mobile security isn't just security for handsets – how is it any different at all?...."
How do security failures impact your role and your organization?
How do cyber-security and privacy threats impact you, your role, your data? Have you been a victim of cyber fraud? What would happen to you if your mobile was hacked? How would you define security threats? What stories can you share about security and privacy breaches to you and your organization? What measures are you taking to protect yourself and your organization? How would you define the costs when there is security failure? How accountable are you to breaches in your organization? What actions can you take to protect yourself and your organization? I would like to hear your thoughts.