Making Cybersecurity Accessible with Scott Helme
Reading time: 14 minutes
Global connectivity benefits our world in numerous ways, however, that same connectivity also poses a potential cyberthreat that is often overlooked.
There is no easy solution for combating the rising threats in our hyperconnected world. Now more than ever, cybersecurity is imperative for both businesses, governments and educational institutions, and individuals and families. For cybersecurity to effectively slow down the rising cyber threats and attacks, everyone needs to be part of the solution.
Oftentimes, the responsibility of managing cyber risks and threats is put on the individual. But we can't put all responsibility on the user. And while yes, human error remains the unfortunate reason behind many security breaches, passing the blame onto individuals who are often the victims of a cyber attack, is not solving the issue.
So what can we do? Make cybersecurity accessible to everyone.
To help us understand how an easily accessible proactive approach to cybersecurity can combat cyber threats and attacks, we spoke with Scott Helme, a security researcher, entrepreneur, and international speaker. Besides donning many hats throughout his career, Scott also freely shares his knowledge and expertise with many communities - the security community, the legal community, and the general public.
We (virtually) visited Scott in Clitheroe, a small town in England, where he showed us his dream car that he is modifying, BMW M140i, and we chatted about the challenges of making cybersecurity easier for everyone, even those not technically inclined, his numerous projects — Report URI, SecurityHeaders, Crawler.Ninja, and heard his insights on a topic he is very passionate about — encrypting the entire Internet.
You wear many hats - security researcher, infosec consultant, entrepreneur and international speaker. When did your interest in cybersecurity arise?
I've been interested in technology since I was a little boy, always tinkering with things and learning new stuff. I studied IT focused topics throughout school and college and learned software engineering at university. After my education, I spent many years working support and QA jobs where your role is to break things and report your findings. Through my own curiosity, I started looking at ways to break systems from a security perspective and not just a functional perspective. It was then that the field really caught my attention. Once I started exploring security, reading blogs, and watching videos online, I was hooked. I spent years studying the field and doing security research of my own and in 2014 I found a large security flaw in a home router provided by my ISP. The process of reporting the issue gained national and international press coverage, which eventually led to me being offered a job as a penetration tester and moving into the field professionally. Since then, I've started offering training, founded security companies, spoken at international conferences, and even done a keynote on encryption for the NCSC here in the UK.
Cybersecurity is intended for everyone, but making it more approachable to the general public and those non-technical is often a roadblock to the adoption of good practices. Why do you think we still have barriers to making cybersecurity easier for everyone?
For years we've said, "the user should…" The user should look for the padlock, the user should use a strong password, the user should do this or that. Making security the responsibility of the user was our downfall. The user is always going to be the most unreliable part of any system. That's not a criticism of the user, we're all human and unreliable. The core issue is security is hard. Rather than trying to solve it at a technology level, which is hard for us technology folk, we pushed it onto the users. Then it's easier to blame them when things go wrong. Security is getting easier as time goes by though. We are seeing a widespread use of biometrics on phones, which is far better than any password would be for the average person. 2FA is becoming more common and password managers are now easier than ever for creating and storing strong passwords for your countless online accounts. Users have become more aware of online privacy and the use of VPNs is at an all time high. The industry is also working to build more privacy and security at a technology level by default - just look at the recent explosion of HTTPS online.
You work a lot on making security easier for everyone and giving back to the community. In addition to being a speaker and holding training all over the world, you also act as an independent advisor for the UK court. Tell us a little about that.
Like many things I do, I never went out actively looking for it, but an opportunity came up and I jumped on it because I felt like I could make a difference. Acting as an expert witness in court allows me to bring current and accurate knowledge into legal cases where there's a bit of a disparity from technology outpacing the legal system for so long. Understandably, someone like a Judge is a legal expert and not a technology expert, much like I'm a technology expert and not a legal expert! Both parties are needed in legal matters that involve complex technologies, and my role is to fill that gap and ensure the court has the appropriate information and understanding.
Report URI started as a hobby project and a service to enable operators to submit CSP violation reports to the service. Now you process billions of reports each month. How did you manage to grow your service and what is the biggest value recognized by users that made the user base as big as it is today?
It's pretty wild to think this little project I started in my spare time is now processing billions of reports per month for tens of thousands of websites! I started Report URI because I was looking for a service like it, but none existed and it sounded like it could provide some pretty useful information. As time has gone by, more people are realising that all of the technologies we support are pretty important and can provide a wealth of information. There are many recognisable companies in there now, trusting us to help them secure their online presence. Since those early days, we've taken investments and grown the company into what you see today, which is something I'm really proud of.
Source: report-uri.com
Tell us a little bit about the importance of Content Security Policies (CSP) and what are some interesting and less-known things you can use CSP for?
The headline feature of CSP is always going to be powerful mitigation for one of the most dangerous web application attacks out there, Cross-Site Scripting (XSS). Controlling what JavaScript is running on your pages is crucially important, especially as we continue to do more things online and allow websites to handle and process more information about us. While controlling JS and mitigating XSS will always be the number 1 feature of CSP, there's even more that it can do for you. For example, we've recently seen a huge uptick in attacks from a group known as Magecart. They focus on injecting hostile JS, tailored towards stealing credit card numbers from users as they type them into web pages, into your application. Ideally, you'd stop them by preventing the injection of hostile JS. But CSP can also allow you to control where data is sent from the page. CSP isn't just about controlling what can be loaded onto your page, it also controls where data is sent!
You also have another project, Crawler.Ninja, where you conduct Alexa Top 1 million crawls with reports twice a year on various metrics from your security analysis. What can users learn from these reports and what got you started on this project?
This was another project I didn't have time to run but started anyway! My desire to know how we were progressing as an industry was what really started it. Being able to look back over the last x months or x years and see definitive proof we are improving is very satisfying, and makes all the hard work worth it. It lets us know what we're doing well and not so well, so we know where to focus our efforts. All of the data is open for the public to freely use for further analysis beyond what I am already doing, so I hope it can be even more useful as time goes by.
Source: https://scotthelme.co.uk/top-1-million-analysis-march-2020/
If our readers didn't believe us when we said you wear a multi-hatted role, you also run Security Headers. What makes Security Headers stand out from other services that analyse the HTTP response headers of websites?
Ah yes, Security Headers too! Interestingly, Security Headers was born out of the same need as Report URI. I wanted a quick and easy way to do something, one didn't exist, so I built it! I found myself constantly wondering what sites used what headers and if they were configured well. I was digging around in the Dev Tools on my browser so much, I thought, "there has to be a better way." I originally built the tool for myself and found it useful, so I opened it up for everyone else to use for free. Now we've conducted over 110,000,000 free scans. Many services now exist that will do what Security Headers does, but I think the fact that we're the original, still free, and quick and easy to use keeps people coming back.
Source: securityheaders.com
How do you manage to work on all of these projects while also holding frequent trainings? What makes you stay focused and keeps you going?
I have to be ruthlessly efficient with my time and when I'm working, I'm working at 100%. I don't let any time pass me by without trying to make use of it. When I travelled a lot I wouldn't watch movies on a train or plane, I'd be writing code or blog posts. These days, without the travel, I try to maintain a similar use of my time and even a trip to the coffee machine is a chance to clear off a few emails whilst the water heats up! Car journeys are also a great opportunity to listen to podcasts and soak up some more knowledge. Another thing I do is to try and structure my tasks so that I have a choice of what to do on a given day. Maybe I wake up and I'm not feeling the creativity to write a blog so I can dive into some coding instead, or maybe I don't feel like coding today so I write a blog or read some new material instead. There are always the tasks you can't avoid, like clearing down your inbox, but in general I always try to work on something I want to be working on to keep my motivation and focus up. The thing that keeps me going overall is an element of enjoying what I do, but mainly feeling like I can make a difference, even if it is a small one.
You have been reporting on CAs and how they reach the end of life on their existing Root CA certificates on your personal website. You even deliver courses on the topic. As it's not often discussed, share with our readers what kind of issue the "expiry date" of CAs bring?
A Certificate Authority (CA) is an organization that issues certificates to domains like "scotthelme.co.uk" and makes HTTPS work. Not just in the web browser where you might visit my site, but any 'connected' or 'smart' device is also going to depend on encrypted communications in the background. These CAs typically have a lifespan of 20-25 years. Given that the Web really kicked off in the late 90s and early 00s, we're coming towards the end of life for some of the earliest CAs. In an ideal world this is no problem because there is a new CA to replace it, and your device will receive an update containing it. The problem is, we're not so great at updating stuff. If your device doesn't receive an update, or someone doesn't install the update, the device won't know about the new CA and the old one will eventually expire. At this point, the device will stop trusting HTTPS certificates and encrypted communication will be impossible, meaning no communication can happen. As an example, if you have a 'smart' TV it becomes a 'dumb' TV, because none of the smart features will work.
What can we expect in the future, when it comes to the looming issue of Root CA certificate expiration?
Stuff will break. Lots of stuff. I hate to be all doom and gloom, and I certainly don't want to catastrophize, but I think we should expect a few ripples in the pond over the coming years, as major Root CAs begin to expire. 2020 is the first time we've seen this happen on a large scale, and it had quite a few negative effects, even though it was just a warning shot across the bow. Because this is the first time in history the encrypted Web has been 20-25 years old, it's also the first time we will go through the expiration of major Root CAs and many organizations won't have heard of this issue before. The heart of this issue is these devices haven't been updated in years. Chances are they won't suddenly be updated by their owners and may not even have updates available if the vendor hasn't released any. The only hope we have is the replacement of the affected devices. Hopefully the first few incidents like this will get the ball rolling and we'll see a focused industry effort to identify future failures and work to mitigate them.
If we want to encrypt the entire web and make it safer for everyone, how can we tackle that?
Between 2014 and 2020 we encrypted almost 3 times as much traffic as we did in the prior 20 years between 1994 and 2014. It's fair to say we are making tremendous progress encrypting the Web, but we do still have a long way to go. Once we have encrypted the Web on HTTP, we still have to finish off encrypting all of our email with SMTP, encrypting DNS, as well as countless other critical protocols. I'm not sure we will ever sit back and say, "we're done" but, I am thrilled we continue to take great strides in improving security and privacy for everyone online as every day goes by. As long as we keep reducing the cost and technical barriers, and keep increasing the incentives to use secure technologies, we will continue to see progress made.
What are the most common threats against encryption?
The most common problem we have with encryption is it is not used widely enough. Nowadays, it's easy to deploy strong, high performance and robust encryption. I think sites that are already doing it are very well protected. Yes, we have the occasional 'one-off' issue, like Heartbleed back in 2014, but these aren't inherent or underlying issues with encryption. They're things that happen from time to time, and as an industry we need to respond by fixing them and learning how to avoid them in the future. We also need to improve our agility. Effecting change in the encryption ecosystem is a slow and painful process, which often means we can't respond quickly to incidents that do happen, prolonging the negative effects. Steps have been taken over the last few years to solve this with the continued reduction in the lifetime of certificates from 5 years, to 3 years, 2 years, and now 1 year. The technology we use isn't perfect, but deployed widely it would certainly be good enough.
It's clear that you are always working on new projects and improving the ones you work on currently, but do you have any plans for 2021? What can we expect from Crawler Ninja and Report URI?
Wow, 2021 is going to be another great year! I keep telling myself I should slow down and take it easy, but I honestly don't want to and probably won't until I need to or I change my mind! Report URI is going from strength to strength and has a few new features lined up for release in 2021. I also have a few new features ready for Security Headers that we should see in Q1 2021. Crawler.Ninja will be expanded to incorporate new security metrics, as well as the continued expansion of the analysis, and regular content on my blog to keep people up to date on the latest security. The training and conference talks are already booking up well into 2021, so expect to "see" me out there as much as ever. Just inside a Zoom window and not up at the front of a stage! Who knows, maybe 2021 will see us traveling again, but either way I'm going to be incredibly busy.
Final words
We hope you've enjoyed the final interview of 2020 with Scott Helme. Make sure to follow Scott on his Twitter account and to stay tuned on our blog for the new interview series we will be launching in 2021.
