Undetected - a web security podcast

01 Johan Edholm - Evolution of hacking; Web Security to companies of all sizes

Episode Summary

Do you remember when you first connected to the Internet? Security nerds Laura and Johan go back to the Internet in the 90's, the evolution of hacking and the transformation of IT security into an industry where hackers are now allies to companies.

Episode Notes

What is phreaking - https://en.wikipedia.org/wiki/Phreaking

What is Responsible Disclosure: https://blog.detectify.com/2018/02/27/guide-responsible-disclosure/

Hackers for Charity: https://www.hackersforcharity.org/

Books mentioned:
Art of Deception by Kevin Mitnick
Ghost in the Wires by Kevin Mitnick

Speakers:
Host: Laura Kankaala - Security Researcher at Detectify
Guest: Johan Edholm - Co-founder and SysOps at Detectify

www.detectify.com
www.twitter.com/detectify

Episode Transcription

Laura Kankaala: Welcome to Undetected.

Laura Kankaala: Hi, this is a web security podcast. My name is Laura, and I'm a Security Researcher, and a hacker, and I'm on a mission to fix the Internet. I'm here with a friend of mine today, Johan Edholm, and we're going to talk about the current state of web security. But in order to do that, we need to go back and look at the Internet, what it was back then. We're both from the same generation, approximately, so I think it will be interesting to talk about our first experiences with the Internet, and what the Internet looks like today, and where are we actually headed in the future.

Laura Kankaala: This podcast is brought to you by detectify.

Laura Kankaala: So, welcome Johan.

Johan Edholm: Thank you.

Laura Kankaala: How are you?

Johan Edholm: I'm good, all good.

Laura Kankaala: Can you tell me a little bit about yourself?

Johan Edholm: Well, my name is Johan, and I'm one of the Founders here at detectify. On a day-to-day basis, I work with our technical infrastructure.

Laura Kankaala: Yeah. Yeah, we both work at detectify, and detectify is a hacker-powered security tool that you can use to enforce web security on your systems, and on your websites.

Laura Kankaala: You've been working at detectify for quite some time, like from the beginning, basically?

Johan Edholm: Yeah, exactly. It's been five years or something, but of course it started much earlier than that, before it was a place to work. Actually, it was just a hobby, or a side project that turned out to something bigger, I guess.

Laura Kankaala: Yeah. Let's go back to that, a tiny bit later on. I want to know, do you remember the first time you went online, or used the Internet?

Johan Edholm: I can't really remember the first time, I think, but I remember the early days. We didn't have, of course, this fast Internet connection we have now. Actually, we weren't even allowed to use computers, really, at home. My dad's a farmer, and of course you should work with your hands, and computers are bad, all that kind of thing. It was very different, everything was slow and taboo, I guess.

Laura Kankaala: Yeah. Yeah, I remember when we got our first computer. My parents, they don't work in IT, either. For us, it was more like, everyone got to use it. Well, when we got our first computer, we didn't have it online but we used to play a lot of video games, with my sisters basically.

Johan Edholm: Yeah. We were not really allowed to do that, because dad had his tax things or something on his computer. He was like, "Oh no, you're going to get a virus, and everything is going to be terrible." We weren't allowed to touch it.

Johan Edholm: I remember, early days actually, when he was out working at the farm, I actually snuck to his computer anyway, and used it. I remember having to print out manuals, or those old e-science.

Laura Kankaala: Yeah.

Johan Edholm: Those text files, basically, to read offline.

Laura Kankaala: Yeah. That's fun. Even back then, your father was worried about computer viruses. I think they have been around for a long time. But, the overall web security, it looks super different, back in those days. I'm talking about late '90s, and early 2000.

Laura Kankaala: My first experience was that I did websites using Geocities. Do you remember Geocities?

Johan Edholm: Yeah. I never actually used that myself, I think that was before, a bit, I got into the whole computer things since I actually really couldn't use much computers.

Laura Kankaala: Yeah.

Johan Edholm: But I do remember that era, and all the funky stuff that came with it, I guess.

Laura Kankaala: Yeah. Geocities was a hosting platform, where you could host your website. There were, naturally different kinds of places where you could host your websites. I remember how I encountered hacking first was that my friend's website was basically hacked, and a person, who was able to access their website, just changed the wallpaper on the website. I was like, oh, is this hacking? Wow. Who would ever do this?

Laura Kankaala: What was your first experience, when it comes to hacking? Either you were hacking, or?

Johan Edholm: I don't actually remember that either, to be honest. But I remember IRC was a big part of my early time on the Internet, and security. I got into security fairly quickly, when it came to IT. I wasn't too much this casual Internet surfer, I guess. I've always been interested in this magic kind of thing. Before that, it was more literal, the sleight of hand and illusions. I think hacking has the same feeling. If someone does something that's out of this world, I want to understand how the fuck that works.

Laura Kankaala: Yeah.

Johan Edholm: It annoys me when I don't. That's when I started to look into it, and that was fairly quick into this whole Internet journey, I guess.

Laura Kankaala: Yeah.

Johan Edholm: I can't remember a specific, oh this hack was cool, or things like that, not that early. Yeah, I don't have any such moment. I read a lot of those designs, or similar texts where people were talking about hacks, and I guess those were probably the earliest experiences of things being hacked, without me actually seeing it for myself, just reading about it.

Laura Kankaala: Yeah. Did they go into how much detail about hacking, or what kind of texts were they?

Johan Edholm: Honestly, they were fairly low quality, in most of them. The few, these kind of science that you see nowadays, are fairly impressive usually. But back then, it was like teenager pranking, and phone phreaking was a big thing.

Laura Kankaala: Yeah. Phone phreaking is that you basically call a service, and then try to hack a call service, right?

Johan Edholm: Kind of, it could be. It's basically like hacking the phone system, because way back you didn't have the Internet, but you had phones. Maybe you wanted to call someone, and it was really expensive so people started wanting to bypass that. But then, you can do other kind of funky things. If you read Kevin Mitnick's book, he uses it a lot when he's doing other shenanigans like social engineering, to be helpful in those cases.

Laura Kankaala: Yeah.

Johan Edholm: You can wiretap people as well.

Laura Kankaala: Yeah.

Johan Edholm: Things like that.

Laura Kankaala: Yeah, Kevin Mitnick is probably one of the OG hackers out there.

Johan Edholm: Yeah, he's definitely one of the most famous, at least. He was chased by the FBI, and was on their top wanted list for a bunch of years, I can't remember how long. He has written a lot of books regarding social engineering, and security in general.

Laura Kankaala: Yeah. We can leave some recommendations for our listeners. Do you have any recommendation on Kevin Mitnick's books that you would want to share with us?

Johan Edholm: Art of Deception, I think, is the most that I've heard about, at least.

Laura Kankaala: Yeah.

Johan Edholm: And I've read it myself. It was a long time ago, that was in my early, early days of security, I'd say. But that one is fairly good when it comes to social engineering.

Laura Kankaala: Yeah.

Johan Edholm: As far as I can remember. I haven't read much of his other books. He has fairly recently released a biography, called Ghost in the Wires, I think?

Laura Kankaala: Mm-hmm (affirmative).

Johan Edholm: I found that fairly good. You see a lot of things he does, and the whole feeling around it, and what's actually going on.

Laura Kankaala: Yeah.

Johan Edholm: That was quite interesting.

Laura Kankaala: Yeah. You basically started working in this field, or, as you said, as a hobby, back in 2008, right?

Johan Edholm: Yeah, somewhere around there. 2008 was the year me and the other founders turned 18, so we could actually register our first company. But I think it started 2007, just not too serious. We were just nerds, trying to build something because it's fun.

Laura Kankaala: Yeah.

Johan Edholm: Then, it just escalated from there.

Laura Kankaala: Yeah. What was the initial thing that you were working on?

Johan Edholm: It was, I guess, the same scanner as we're having now. We wanted to automate security. Back then, the idea was to maybe be consultants.

Laura Kankaala: Yeah?

Johan Edholm: When it comes to security, because that was what everyone was doing, so it seemed like an easy thing. But then we're lazy, so we figured we could just automate. Might as well, right?

Laura Kankaala: Yeah.

Johan Edholm: Then, this whole cloud thing was growing, we were early jumping on that train, I guess.

Laura Kankaala: Yeah. Back during 2007, 2008, there were cybersecurity companies, or security companies, however you want to put it. But I suppose that the field was quite different back then? Nowadays, we have bug bounties, we have a lot of consultants, we have pen testers, a lot of people working in this field and it's constantly growing. But back then, I suppose, it was quite different?

Johan Edholm: Yeah, exactly. Of course, I'm a bit biased because I was very young then, but how I remember it was people were consultants, basically. Of course, you had these security products, but generally, things felt slow moving, I'd say, and very enterprise-y. It's very much a product for the enterprises, for people with money, it's not like a 10-people company would hire a pen tester. That's very expensive, usually.

Laura Kankaala: Yeah.

Johan Edholm: Sure, you would have antivirus, but not the same level for the web security, I guess.

Laura Kankaala: Yeah.

Johan Edholm: Also, the vulnerabilities you saw were simpler. I'd say it's getting more and more complex now, with bigger systems, and you need to find flaws in how they interact with each other. Back then, it was often quite straightforward.

Laura Kankaala: Yeah.

Johan Edholm: I think that's a symptom of this, few people that could afford security, basically.

Laura Kankaala: Yeah.

Johan Edholm: With the consultants, and bug bounties wasn't really a thing that came, later. I know Netscape had it, like '95?

Laura Kankaala: Yeah.

Johan Edholm: But basically, nobody knew about it.

Laura Kankaala: Yeah.

Johan Edholm: Or, at least I didn't. That's not web. It was the browser, not the Internet itself.

Laura Kankaala: Yeah.

Johan Edholm: The whole feeling around it was very different.

Laura Kankaala: Yeah. What kind of vulnerabilities were there, at the time? What was the top three vulnerabilities?

Johan Edholm: My feeling is that it was mostly SQL injections, those were very common. They have a very large impact. They, of course, are still around a bit today, but it's much, much more rare. Back in the days, those were everywhere.

Laura Kankaala: Yeah. Basically, being able to dump and trace from database, directly through a web application?

Johan Edholm: Yeah, exactly. Then, RCEs, or remote code executions, they were, compared to now, very much more common.

Laura Kankaala: Yeah.

Johan Edholm: It's very basic. Now, you have SSRF, rather, which is the new RCE, almost. Yeah.

Laura Kankaala: Yeah, they may be in cloud environments. So, SSRF stands for server-side request forgery, right?

Johan Edholm: Yeah, exactly.

Laura Kankaala: Yeah.

Johan Edholm: Then, what would be the third? I would say file inclusions, like local or remote, even. They were fairly big as well, if you count the impact.

Johan Edholm: One thing that I would say have stayed is [inaudible 00:14:15]. They might have changed shape, but it's still around, and probably bigger now, even, maybe.

Laura Kankaala: Yeah. So, JavaScript based vulnerabilities being able to insert malicious JavaScript in web applications?

Johan Edholm: Yeah, exactly.

Laura Kankaala: Yeah. That's interesting that you said about the RCEs, and comparing them to SSRFs, or to the server-side request forgeries, how they are basically the new RCEs, in some cases.

Johan Edholm: Yeah. That's more or less what we see nowadays. When you get that impact, it's usually not the standard RCE. Before we could really have RCE in a query string, like in the URL.

Laura Kankaala: Yeah.

Johan Edholm: You don't really see that. Now, as I mentioned, things are much more complex, so you use the complexity of an application against itself.

Laura Kankaala: Yeah.

Johan Edholm: It makes things really hard to detect, I think, as well. Or, harder at least, to detect those kind of things often.

Laura Kankaala: Yeah, that's true. Also, going back to the past, one thing that I feel has changed, also, over the years, is the role of hacktivism.

Johan Edholm: Yeah, I think so too. I would attribute that, partly, to bug bounties. Now, people have a legal alternative.

Laura Kankaala: Yeah.

Johan Edholm: To make a lot of money, even, on hacking. But, back in the days, it was more people wanted to have fun, or pranksters, basically.

Laura Kankaala: Yeah.

Johan Edholm: Or teenagers, just as you mentioned, defacing websites, or changing the background and look of a website, to spread maybe a message, or just because they're bored.

Laura Kankaala: Yeah. Yeah, it feels like, back in the days, there was a lot of political ... naturally even, to this day. Hacktivism basically stands for having some kind of political agenda, or some kind of bigger agenda behind hacking. For example, there was ... Well, they still exist to this day, but collectives such as Anonymous, and [TSB 00:16:48], but I think they have gotten smaller.

Johan Edholm: Yeah, that's my impression as well. Or, maybe they're just more careful, or hidden, or something. Maybe they do a lot of things behind the curtains, that we don't see, with dumping things to Wikileaks, for example.

Laura Kankaala: Yeah.

Johan Edholm: I can't remember what the Snowden project is called, but where you can basically also send information. Maybe it's just not as obvious. Back then, people really wanted to make a name for themselves, as well.

Laura Kankaala: Yeah.

Johan Edholm: You often tagged your releases with your group name, like Anonymous, even though that's not really maybe like a group, I'd say.

Laura Kankaala: Yeah.

Johan Edholm: You would often do that. You also had Lulzsec, for example, that were fairly big in this ... I'm not sure if they had much of a political message, to be honest, but at least they liked to tag it.

Laura Kankaala: Yeah.

Johan Edholm: I think that was fairly common, it's like a two part thing. I would almost guess that people did that a lot, they almost added the political agenda, often, just to rationalize their recklessness, I guess.

Laura Kankaala: Yeah.

Johan Edholm: Or, their hacking. Like, it's just lame if we hack it because we're bored, so they wanted to, I don't know, make a statement. Sometimes they could have more thought behind it, and sometimes it's really not.

Laura Kankaala: Yeah. Yeah, absolutely. Today, if there're political motivations, typically these groups are then funded by governments themselves. But yeah, as you said, I think bug bounties have made a tiny difference for individuals, when it comes to security because now they have a platform for reporting these things, as long as they basically stay in scope, and work accordingly to the agreed rules and policies in there.

Johan Edholm: Yeah, exactly. People often hack for the challenge, and for they love it.

Laura Kankaala: Yeah.

Johan Edholm: Now, when they have a legal alternative to it, they can brag about it on their high score lists, and all that, rather than having to, I don't know, deface a website, and write their name on it.

Laura Kankaala: Yeah, they can publicly tweet about it.

Johan Edholm: Yeah, exactly.

Laura Kankaala: Yeah.

Johan Edholm: Now, they have a very good alternative, a more ethical alternative which, in my opinion, is very good.

Laura Kankaala: Yeah. But the hacktivism is not completely dead, though. For example, just recently, a hacker going by the name of Phineas Fisher announced a bug bounty program for hackers, basically.

Johan Edholm: Yeah, exactly. That was also delivered as one of those pure text files, that are very popular. I read it, and it brought a lot of nostalgia, to be honest. Yeah, that was a very strong political statement, and something you often saw, I think, before us. I'm born '90, I think it was more common in the '80s, that kind of style. But the message that's in that is a lot like, "Fuck Capitalism."

Laura Kankaala: Yeah. What they stated ... For example, this is a quote from that manifesto. They said that, "Hacking to obtain and leak documents with public interest is one of the best ways for hackers to benefit this society." Which is an interesting message, I think, today. Naturally, I think it's not that outdated, but when it comes to, for example, responsible disclosure, or bug bounties, these kind of ideas don't typically come out in bug bounties. Or, never, because in bug bounties they ask you not to leak information, or responsibly disclose the vulnerabilities that you find.

Johan Edholm: Yeah, exactly. I mean, we might call it responsible disclosure, but I guess, the hacker in this case would not call that responsible, maybe?

Laura Kankaala: Mm-hmm (affirmative).

Johan Edholm: This hacker claims to be a she, so I'm going to refer to that.

Laura Kankaala: Yeah.

Johan Edholm: She says rather, how we best can ... I can't remember the exact quote.

Laura Kankaala: Yeah.

Johan Edholm: But, the best benefit to society by leaking documents, et cetera. I guess she would consider that responsible.

Laura Kankaala: Yeah.

Johan Edholm: I guess it's very subjective, what's responsible in that case.

Laura Kankaala: Absolutely. Yeah, and they are also offering up to $100,000 for hackers who are able to leak some kind of documents. I don't know where this money comes from, but they are paid in, basically, Bitcoin or other kinds of cryptocurrency.

Johan Edholm: Yeah. In that same release, she talked about hacking a bank, so maybe from there?

Laura Kankaala: Yeah. Has some stored, somewhere. As you said, maybe it's also a subjective view on what is responsible disclosure, and what is not, then. I think it stands to hacktivism that you're asking for these kind of leaks, basically.

Laura Kankaala: If we go to just ... We are both in this profession, and in this field, working as professional security people. I think we already, basically, touched upon this, but working in this field today is quite different. When I was studying, for example, it never occurred to me that I could be a pen tester. Only when I entered the IT field, and I worked as a Sys Admin for a bit, and I was able, then, inside a company, change to a pen tester role. Only then I understood that, okay, this is actually a career, and you can make a career out of this.

Laura Kankaala: I think you had this revelation much earlier than I did, because you were already, back in 2008, doing this kind of line of work?

Johan Edholm: Yeah, kind of. I mean, since I mentioned, my dad's a farmer, he worked with his hands, and his dad was also a farmer, on the same farm even. Same, on my mom's side, they were plumbers. So, for me the whole IT, in general, was never ... I never saw it as a possibility to work with it, that was something you did as a hobby, like playing chess or something.

Johan Edholm: I remember when that clicked for me, it was when I saw there was a school that I actually ended up going to, an IT school here in Stockholm. I was like, holy shit, you can actually work with this? Is that a profession? I had never accepted that. Then, of course, it goes further, with the security and all that. Of course, it existed, but it wasn't as big. Like, nowadays, you hear about it all the time, in the media, especially with the elections in the US, the Snowden leaks, and all that. It's become the norm, everyone knows that IT is everything, basically.

Laura Kankaala: Yeah.

Johan Edholm: All the way until 2007, or 2008, it wasn't that big, you didn't hear that much about it then. I'm not sure if I really realized that security specifically could be a profession for me, either.

Laura Kankaala: Yeah.

Johan Edholm: I honestly wasn't even sure if I wanted to work with IT. It was more like, I think it's fun, and I find it fairly easy. But, do I want to have this as a profession or as a hobby? Now, it ended up the hobby becoming the profession, which is, of course, I like that. But I remember having those kinds of ideas, as well.

Laura Kankaala: Yeah. That's interesting, and here you are today?

Johan Edholm: Yeah, can't escape it.

Laura Kankaala: Yeah.

Johan Edholm: No, it's fun.

Laura Kankaala: Yeah. Yeah, it's definitely interesting. I think, also, the shift when it comes to security, one of the reasons behind it must be that a lot of our lives are actually happening online. We have social media, we have our banks, our health, everything is online. It has also become more profitable to hack into these things, also for personal gain. If you are a malicious actor, and you are able to hack into a company, or steal data from them, that can be directly profitable for you, if you sell that data on illegal marketplaces.

Johan Edholm: Yeah, exactly. I'd say, further back people mostly had websites to show where they had their store, maybe. Now, you have the store online, and you have all the user records, who buys from you, and maybe even their history and stuff like that. Of course, that can be valuable for some people. If nothing else, it could be useful for doing other attacks, like spear phishing attacks, like scamming people by stalking them, and having good info, you can make these kinds of scams much more successful, I guess.

Laura Kankaala: Yeah.

Johan Edholm: Or, you could, if people are password reusers, and stuff like that. Since, as you mentioned, everything has moved online, or more or less everything, you have a higher incentive to actually hack things. You don't have to go through your house to break in to look at them, or whatever, you can do it overseas.

Laura Kankaala: Sitting at home.

Johan Edholm: Yeah.

Laura Kankaala: Don't have to go outside.

Johan Edholm: Yeah, exactly. It's a very easy way to be a criminal as well, I guess.

Laura Kankaala: Yeah, exactly. Thinking about the website security, because we also need to put more resources into it today, than we had to, maybe, back in 2000, do you feel that the security landscape is getting better?

Johan Edholm: Yeah, I would definitely say it is, actually. We're getting better at both defense and offense, but I would also say to get into a fairly good security level, it's harder now than it was 10 years ago. Because we have evolved, you have to understand more things, and you have to work our way to patch a lot of the common problems. Like, you have a lot of frameworks that aren't yet, by default, SQL injection vulnerable.

Laura Kankaala: Yeah.

Johan Edholm: You have also frameworks that are mitigating successes, for example. It gets trickier. When you use frameworks, one patch can fix a lot of things, and I think we have been fairly good at that, raising the security awareness. Of course, there are still a lot of good hackers, and you can still make mistakes.

Laura Kankaala: Yeah.

Johan Edholm: I would say it's better now.

Laura Kankaala: Yeah. As you said, the frameworks, they already have these built in mechanisms to mitigate this, they filter the input or the output that comes to or from the web application, so that using those web applications is more safe for end users today.

Johan Edholm: Yeah, exactly. We have learned by our mistakes, and it's a very good way of switching it so you're maybe safe by default. If you have some edge case where you don't want that kind of security mechanism for some reason, it's an opt-out, rather than opt-in.

Laura Kankaala: Yeah.

Johan Edholm: I think that's really the change we have seen, and that we will hopefully continue to see.

Laura Kankaala: Yeah. I think today there's a lot more tools that can provide automated security, also. And also consultants, and a lot of different kinds of pen testers, with different kinds of knowledge and focus areas. It's easier to also buy security, these days.

Johan Edholm: Yeah, exactly. If you feel you have the resources to actually fix things, you can also start a responsible disclosure program. You don't even have to pay people, but people might look at your things anyway. Or, if they accidentally find something, they know how to contact you, and how to make it in a good way.

Laura Kankaala: Yeah.

Johan Edholm: I've seen, also, of course people hack for bug bounties, to get a lot of money. But also, responsible disclosures can be fairly useful, because people can show it off on their resume, or they can show it off on their online profiles, so they get invited to closed bug bounty programs. There are a lot of those, as well.

Laura Kankaala: Yeah.

Johan Edholm: Not everyone wants to be public with their bug bounty program.

Laura Kankaala: Yeah.

Johan Edholm: People can also use it as a way to help their career.

Laura Kankaala: Yeah.

Johan Edholm: It's a win, win.

Laura Kankaala: Yeah.

Johan Edholm: You get help with your security, and they get credit for it, of course.

Laura Kankaala: Yeah, absolutely. I think there must be some people who just want to do this out of good will, as well.

Johan Edholm: Yeah, definitely. I know there are people that are doing security for charity. I can't remember exactly what it's called, that group. Maybe Hackers for Charity or something?

Laura Kankaala: Yeah.

Johan Edholm: Where they actually just purely do it out of good will.

Laura Kankaala: Yeah.

Johan Edholm: I would expect some people maybe want to exercise their skills, or things like that as well, just to get a technical challenge.

Laura Kankaala: Yeah, that's cool. We've talked a lot about the past and the current state of the security, and the new trends that have been emerging. But, where do you see us going from here?

Johan Edholm: Partly, as I mentioned, all these frameworks, or CMSs, or even programming languages, I think they will become even better at making people the good decisions, when it comes to security. So, security by default, or maybe even ... What's it called? Theo de Raadt, the creator of OpenBSD, that says, "opportunal security isn't security." Maybe, even that hard, like you don't have a choice. But, I think we'll become better at that.

Johan Edholm: Of course, automation I think is a thing, definitely. Quite obvious, in this case, when it comes to the [inaudible] in stats what we do.

Laura Kankaala: Yeah.

Johan Edholm: I really believe in that. As I mentioned, it's harder and harder to get into the field of security, and there's fewer and fewer that are doing this original research, maybe, or the top hackers. So we need to distribute that knowledge.

Laura Kankaala: Yeah.

Johan Edholm: Not everyone can learn to hack that well, and those insights shouldn't be only for those few that can, or the few that can afford to hire these people. If you look at Google's bug bounty program, or Facebook, or some others, they have an enormous budget.

Laura Kankaala: Yeah.

Johan Edholm: Obviously, that won't go for everyone.

Laura Kankaala: Yeah.

Johan Edholm: But we want security for everyone, anyway.

Laura Kankaala: Yeah.

Johan Edholm: It's not just the organizations themselves that would suffer from this, it's all the users of the smaller websites, and organizations. What we need to do is find ways to distribute that knowledge, to spread that knowledge so we can get a more secure Internet experience, basically.

Laura Kankaala: Yeah.

Johan Edholm: That's partly what we do. We try to take this knowledge from the few, and automate it so it can reach much more people.

Laura Kankaala: Yeah.

Johan Edholm: But knowledge would also go into those open source tools, or CMSs, or similar. I think that's a futuristic way to look at security. At least, that's what I believe, and hope for as well, so we don't get this too-centralized, few services that you can't actually feel like you trust because those are the only ones that can afford this kind of thing. It's not just super big enterprises and nation states, it's actually more for everyone.

Laura Kankaala: Yeah, absolutely. I think you made an excellent point there, that even though companies need to be the ones enforcing security, but lack of security will always affect the end users, basically, in one way or another. Either their data is compromised, or their devices are compromised, but the target for malicious actors is either a group of people, opportunistically everyone, or a really specific target, like one person.

Johan Edholm: Yeah, exactly. That's a lot of the point. If your company gets hacked, of course you as a company will suffer, it will damage your brand, and might have a lot of financial costs and things, but it also affects everyone that's using your service. Or, if they have their personal data on that service, maybe other things that are even more sensitive than ... I'm not sure, Bitcoin wallets, for example, that could have a huge cost for people.

Laura Kankaala: Yeah.

Johan Edholm: Also, those more subtle, like your email has leaked so now you get a lot of spam. That's just annoying, but of course, it could lead to a lot of different things, depending on how you use it, and what kind of company it is.

Laura Kankaala: Yeah.

Johan Edholm: The point is, it's not just the organizations that suffer, it's all the users of it. We need to help everyone be more safe, or secure.

Laura Kankaala: Absolutely. To summarize, I think that even though we're getting better at security, for example through automation, and from raising awareness, and through these kind of things, also the threats in the future will keep on increasing. Because even more and more data will be online, and we and our devices will be even more connected in the future.

Johan Edholm: Yeah, definitely. I mean, we see organized crime using Internet as a platform, as well, like Ransomware for hospital, which is just terrible.

Laura Kankaala: Yeah.

Johan Edholm: I don't think we'll see less of that, we'll probably see more incentive for people because it's ... You can sit in whichever country, and hack whichever other country you want, so you're fairly safe from being caught.

Laura Kankaala: Yeah, absolutely. Thank you for coming here, and having this very enlightful chat with me, Johan.

Johan Edholm: Yeah, thank you for having me.

Laura Kankaala: Thank you.

Laura Kankaala: So, that's it for our episode. If you have any questions or any ideas, feel free to reach out to us over at the detectify Twitter, or Undetected@detectify.com.

See you next time!