SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

DE:CODED – Can Microsoft solve security?

“I have a PC… I like their delete key, which doesn’t exist on the Mac.”

SUBSCRIBE! Use one of the ‘Listen on’ links below to keep updated using your favourite podcast platform.

Listen on Apple Podcasts Listen on Spotify

Series 1 | Series 2

Other ways to listen: YouTube | Google Podcasts | Stitcher | RSS


Show notes for series 2, episode 1

Can Microsoft solve security? Do you need anti-virus on your smartphone? And are Macs more secure than PCs?

We ask Eugene Kaspersky (Kaspersky) and Christian Seifert (Microsoft).

This episode’s Security Life Hack from Mikko Hyppönen (WithSecure)!

Annual Report 2021

Can Microsoft solve security?

Platforms including Microsoft, Apple and Google control our digital lives. Can they solve security and should we trust them with our data?

Why does mobile anti-virus exist when some experts say you shouldn’t use it? And is a Mac really more secure than a PC?

We ask the experts to help us out with answers to these questions and more.

This episode’s Security Life Hack comes courtesy of Mikko Hyppönen.

Please subscribe and join the discussions. Use one of the ‘Listen On’ links above to subscribe using your favourite podcast platform.

Topics

  • Can platforms solve security?
  • Can we trust the platforms?
  • Do we need phone antivirus?
  • Assess mobile apps (for beginners)
  • Is a Mac more secure than a PC?
  • Security Life Hack!

Sign up to our newsletter!

Other resources

Transcription

(Generated automatically)

Simon Edwards 0:00
Welcome to DE:CODED, providing in-depth insight into cybersecurity. Can Microsoft solve security? Do you need antivirus on your smartphone, and are Macs more secure than PCs?

Simon Edwards 0:15
We answer all of these questions and more with special guests, Eugene Kaspersky from Kaspersky and Christian Siefert from Microsoft.

Simon Edwards 0:25
Show notes, including any links mentioned in the show are available at decodedcyber.com.

Can platforms solve security?

Simon Edwards 0:34
When you use a laptop, computer or tablet, you’re using a platform. This could be the Microsoft Windows platform, for example, or Apple’s alternative. A platform is a combination of software and services, and sometimes hardware. When you buy an Apple MacBook, you’re buying Apple hardware running an Apple operating system. And most likely, the whole thing will be hooked up to a load of Apple services such as iCloud, which stores files and other things in the cloud. Microsoft Windows has the equivalent in OneDrive. Google is another example with its cloud services, and the Android mobile operating system.

Simon Edwards 1:13
If you’re a regular computer user, then you are almost certainly committed to at least one of these main platforms, Microsoft, Apple, and Google, possibly all three. Over time, these platforms have made large steps to improve security. They push out security updates regularly and make it a pain to ignore them. They feature built in antivirus and other ways to beat malware. And they run email services that can scan messages for threats such as phishing attacks and viruses.

Simon Edwards 1:44
With such wide ranging and in depth control, have these companies solve security? Do we need to install security applications like antivirus firewalls and file encryption? should we bother with the cloud security services for email and so on?

Eugene Kaspersky

Simon Edwards 2:01
I spoke to Eugene Kaspersky, a longtime cybersecurity expert with experience in handling hacking attacks from the world’s most dedicated criminals and governments. Eugene, with all its improvements, has Microsoft solved security for all of us?

Eugene Kaspersky 2:18
Yes, you’re absolutely right that Microsoft invests a lot into the cybersecurity and makes the operating systems and applications more safe, more secure than before. And actually, it’s not just Microsoft, but Apple, for example, Google, they also do a lot with the security built into their products.

Eugene Kaspersky 2:41
But unfortunately, it doesn’t solve the problem. So their products and operating systems, they’re getting more smart, more secure. But unfortunately, the cyber criminals the bad guys keeps getting more professional. And unfortunately, it’s still the operating system that’s still vulnerable is still there is a space of all bad guys, or different types, to hack the systems and to make problem to the victims.

Diversity

Simon Edwards 3:10
If you go back 10 years or even further, a common tactic or strategy would be strength and diversity. So you might have Kaspersky antivirus on a server. And you might have Symantec antivirus on your endpoints and some kind of, I don’t know, security gateway, as well. So you’d have defense in in depth. If Microsoft and Apple solve security, then those companies are going to stop operating. And then surely the attackers only have to worry about Microsoft and Apple because they are going to persist, aren’t they? They’re not going to give up?

Eugene Kaspersky 3:46
Well, actually, I’m afraid it will never happen. If they build their operating systems and application on existing architecture. And there will be any, anytime in there will be some some space and abilities for professional hackers to get into the system.

Internet of things

Eugene Kaspersky 4:09
I see that there, the solution there to help come to develop the system, which does need antivirus. Actually, by working on that for quite a long time. And it’s possible to do that with some reduction of functionality and flexibility of the systems. And we have the our own operating system, which is based on a completely different architecture with like a security DNA inside, but it’s not like Microsoft Windows. It’s not as flexible, not as functional. So it’s mostly for Internet of Things. For industrial systems for the gadgets which don’t need the extra functionality.

Christian Seifert

Simon Edwards 4:54
The desktop operating systems that we use today can’t be 100% Hacker proof. So does that mean we’ll always have to add extra software to our computers to stay safe? Christian Siefert runs Microsoft’s email security.

Simon Edwards 5:10
Christian, can Microsoft and other platforms, keep all of the threats away without help

Christian Seifert 5:15
A platform should most certainly help an organization protect themselves from from attacks and increase their security posture. But I think a platform itself is not able to do that. By itself, right? I mean, I think it needs to be a partnership between the platform provider and the enterprise.

Christian Seifert 5:40
So for instance, our products, of course, have a variety of protection technology, in the email case, right, protecting customers from phish, spam, etc. But we also provide then a set of tools for the enterprise, in order to investigate attacks, respond to attacks to increase security posture, I think it’s really a combination of these two,

Shackled

Simon Edwards 6:08
If what you’re saying is right, if, if Microsoft locked Windows down, and all the other services, the Office services to the point where things were completely secure, the the impact on the users would be maybe they can’t do the things that they want to do.

Simon Edwards 6:22
I’m thinking about things like mobile platforms, for example. So with iOS and Android, things are very locked down, you know, malware is, it is conceivable, but it’s not in the same way as it can work with, say, a Mac or a PC. Because those platforms are locked down.

Simon Edwards 6:39
But as a result, you and I can’t do some of the things on the mobile phone that we would want to do. So we have to go to a Windows or Mac to do that.

100% not hacker proof

Christian Seifert 6:47
Well, I mean, I think these other platforms are other certain capabilities that these platforms provide that allow security providers like Microsoft to hook in and provide protections, right like for, for iOS and Android, for instance, we are now having security offerings for those platforms as well, because there is there’s threats that occur on these platforms just like there are on Windows.

Can we trust the platforms?

Simon Edwards 7:15
Given that we know companies like Facebook, sell our data, commercially exploit us, can we or should we trust Microsoft, Apple and Google to look after us and our data? Over to Eugene?

Eugene Kaspersky 7:29
Well, speaking about the top vendors, I guess that we can trust them. And I believe they do nothing wrong. But what I don’t really like in the in the strategy, that they’re moving completely into the cloud. And that could be some questions or the customers, which are not ready to move all the data outside of the office outside of the house.

Eugene Kaspersky 8:02
So that that is one of the concerns, which stays in my mind and what what we will do that Microsoft doesn’t let us to have our emails, our data in premises in house, I guess this is one of their top, but most important issues. But speaking about the Microsoft operating system, Apple operating system and applications, they are no indicators that there is something wrong in this systems.

Do we need phone antivirus?

Simon Edwards 8:34
Now, I’m going to ask you quite a cheeky question, Eugene, because I know that you speak from the heart and not from a marketing position. But do you think people need antivirus for their mobile phones?

Eugene Kaspersky 8:46
Yes, definitely. As well, actually, they are different. Well, there are two major operating systems. And that’s Android and iOS. So for Android differently, yes, because we see there are many attacks and where many criminal actors which are developing 1000s of malicious applications for for Android. Speaking about iPhone, well actually it’s simply not possible, because Apple doesn’t let anyone to have antivirus endpoint, antivirus for this. However, there are other threats for example, phishing emails, introduction of a new new products will have a built in anti-phishing for iOS as well.

Simon Edwards 9:32
All that said, Android and iPhone devices are not as vulnerable to malware, as Windows and Mac computers. And as Eugene just alluded to, phishing attacks are more common and devastating in their effectiveness. We covered email attacks in our previous series of DE:CODED and we go into even more depth later in this series.

Mobile AV limitations

Simon Edwards 9:53
But the fact is, antivirus on mobile devices is not as powerful as it is on a desktop computer. It doesn’t have the same abilities in the same way that malware is more limited on a phone. In fact, as we’ll see now, even the UK Security Agency GCHQ actively recommends not using antivirus on mobile devices. Marc, you seem worried about mobile security.

Marc Briggs 10:27
I’ve got an Android device. And I’m being bombarded with all these adverts from known security companies added with the stories that I’m reading in the press about ransomware attacks and all the rest of it. And I’m being told that I could be targeted via my phone now rather than just my PC. Is that the case? And if so, will extra security software, anti malware antivirus products on my phone helped me out.

Phones are computers

Now the first thing that we need to talk about is when it comes down to security is whether you’ve got an Apple device or an Android device. Remember, at the end of the day that your tablet or phone is basically a computer, you can still open emails that could potentially lead to phishing sites, risky links, sketchy apps that will attempt to harvest your data. But before we talk about all that, let’s talk about the difference between Apple and Android. Now, Simon, from your perspective, do you think either of those devices are more vulnerable than the other? Or do you think that we should just talk about smartphones in general,

Mobile vulnerabilities

Simon Edwards 11:42
I think there’s similar to be fair, with Android, you can make it less secure than it comes out of the box. But both Google and Apple have made quite a walled garden approach to computing. So yes, they are computers. But in a way, you don’t really own that computer, even though you’ve spent for the best part of 1000 pounds these days for it. When you buy a Windows computer or even a map to a certain degree, you can do pretty much what you want with it. But with a mobile device, like a tablet, or a phone, Apple and Google have an awful lot of control over it, they can choose to remove software from it. Software that you install is very limited in what it can actually do on that device. So in that respect, inherently, they are both less useful, but more secure.

Mobile attacks

Marc Briggs 12:32
Okay, let’s break down the different types of attacks that you might get on a phone, let’s talk about smartphones. And we can compare them in terms of risk against your PC, or your laptop or desktop. So let’s talk about viruses. There’s a lower risk of contracting a virus on your phone or tablet when compared to the higher risk on your PC or laptop. And is that because of the the way that the tablets or phones have been produced? Or is it just simply that there’s already more viruses out there that are able to target PCs, and therefore, the criminals or the hackers have an easier time when it comes to targeting PCs.

Simon Edwards 13:33
There’s a combination of things at play there. So if we look at PC market, that’s the most popular and exploitable type of computer you can get. So Mac’s vs PCs, they don’t see as much in the way of threats. But that’s not necessarily because they’re more secure. That’s simply because fewer people have them. But when you look at mobile, so called malware, it’s not as straightforward as talking about viruses,

Unwanted software

I think viruses and Trojans and those kind of real, specific threats. They’re quite rare because they require a level of access to the device that you just don’t normally get what we see with MAC’s, but also with mobile devices, more of the potentially unwanted things, the slightly shady Gray, where that sits in between the definitely good and the definitely bad.

So for example, if you were going to install a torch application on your iPhone, you might you might be bothered to look down all the details and discover that it wants to be able to show adult content and it wants to be able to do other things with adverts and track your location.

Now why on earth would the torch need to know your location? So what you’re finding there are criminals or people who are on the edge of a little bit shady.

I try to work within the very limited system that they’re being given by Apple and Google it To get as much information or other things from you as they can, the real threat comes actually in the, if we frame it in terms of social engineering, I know we’re going to talk I’m sure we’re going to talk about other social engineering, but specifically getting you persuading you to install a particular app and giving it certain permissions. That support problem.

UK Gov advice

So I asked, I asked Twitter actually a while ago, you know, prove me wrong. You don’t need Antivirus for mobile phones. And I think that position is supported by actually the technical part of the UK Government as well. Yeah. So went out there and said, you don’t need Antivirus for phones. Sorry, guys just don’t. And an antivirus vendor got back to us and said, Well, no, you do.

And here’s a bad sort of malware attack that happened, I think, in Australia. And when I looked into the details of it, because you know, malware doesn’t just run on mobile devices, you have to really help it quite a lot, you would have had to have made a lot of changes to this mobile phones, settings, to be able to get this on your phone, you’d had to have clicked a lot of buttons, you wouldn’t just have happened like a Windows PC. virus can just happen

Stores protect

Marc Briggs 16:11
if you’ve got an Apple or Android device, the the App Store, so whether it’s Google Play, or whether it’s the App Store on iOS, have already done a lot and a lot and are doing a lot to really protect you as an end user. Before the bad stuff actually gets to you.

Simon Edwards 16:32
Well, yes, but they’re not perfect. So researchers are frequently coming out and saying that they’re discovering 1000s of bits of unwanted software on these stores. So yes, you should always use them because there is at least some oversight there.

Use Stores

And it’s just one place that everyone the researchers included can look. So yeah, I’m not saying don’t use the standard stores, because you absolutely should. But don’t also think well, I’m definitely safe because Google or Apple have audited or Amazon have audited the software on there. Yeah. Because the bad guys slip stuff past. And for definite,

Marc Briggs 17:06
they do they I mean, they’re constantly monitoring this, and they’re pulling bad stuff out. And there’s certainly far more good stuff than there is bad, but the occasional stuff gets through. But when you got an Android device, you have actually got the option of changing your device setting. Or you can download applications which haven’t come from Google place. That’s right. Well, you can’t do that with an Apple device.

Tricked into changing settings

Simon Edwards 17:32
No, that’s right. So you, you would have to be tricked pretty well, I think by an attacker and of course, attackers are good at tricking you into turning off all those settings on your Android device and pulling the thing down.

Whereas in contrast, a Windows PC is, that’s pretty much how you put software on it every single time. The main differences, okay, so Apple, you can’t do that at all, Google, you can do it a bit. But in both of those cases, the way that mobile software runs, not just malware, but all of it is very containerized. So it’s very hard if not impossible for one program to affect another one on that device.

Which means that a virus can’t spread here between applications, for example, whereas it can on a Windows PC. It also means that security software is quite limited in handling threats that have made it onto the system as well.

Simple threats

Marc Briggs 18:22
So do from your experience, do you think that the majority of mobile security software is is much simpler and basic compared to what the kind of software that we see regularly on the PCs? Or is it just a scanning tool looking that as black and white listed? sites? And that’s it

Simon Edwards 18:46
pretty much yeah. Or gray listed as well, potentially unwanted things. When we looked years ago at doing some kind of mobile test? We’re trying to work out how do we monitor the system to see what changes being made, because we needed to dig under the hood, like we’ve done on Windows PCs, and other than building your own version of Android, there wasn’t a way of doing it. They all sit in their own little buckets.

So what you would expect is, if you had an antivirus program, a good one on your phone. And you then was sufficiently tricked into turning off all your settings and putting this malware onto it. You would hope this thing would say, Mark, you’ve got some malware on your phone.

Simple protection

We recommend you take the steps to uninstall it. Yeah, because it can’t actually kick it off because it doesn’t have that ability. With Windows and even Mac software. The security software digs underneath two layers beneath which most people have controls, they can then get rid of other bits of software.

Marc Briggs 19:45
This is going to make attacking a phone less attractive for a criminal or a hacker because they’re just not going to get the same rewards as they would do if they target a PC. Well they’re

Simon Edwards 19:59
used for tactic. So you’re right that in terms of writing malware, malware does exist in the NSO group where there Pegasus threat used by governments all over the world, apparently, to track and ultimately kill sometimes dissidents. That is like top of the line really clever malware where you didn’t even need to click on anything, just had to receive a message on an iPhone, and it took over.

Abuse limitations

But if, if I was a bad guy, I would look at the limitations of those devices and think, Well, how can I use this to my advantage. So on a PC, you get a link in an email, and you can hover over it with a mouse, and you can see where it goes to, and choose to click on it or not, you can’t do that on a mobile device.

So things like phishing attacks by text or, or in emails, you can actually make them more convincing when you’re sending them to a target using a mobile device. So I’d say it’s less about the malware with mobile and more about the social engineering.

Remote wiping

Marc Briggs 20:57
When we spoken to individuals in the mobile security market. One of the advantages that they’ve said is remote wiping of devices. So you lose your device or you get it stolen, then you’ve got this software on your phone. You can remotely wipe the device, but I’m pretty sure that is a service that’s also provided by by Apple.

Simon Edwards 21:26
Yes. So you’ve got like, let’s take so from a home user point of view, I would say that you don’t need security software, like you don’t need a VPN, in most cases, need versus one, you don’t need one. You don’t need antivirus because it doesn’t really do a great deal. So long as you’re sensible. You do need to have a bit more common sense when it comes to detecting scams. But that’s about it.

With work phones. Yes, you’ve got mobile device management MDM stuff. And you’ve also got web filters which sits in the cloud. So when you go to visit a website, so you click on a link and you you wish you hadn’t, it might actually prevent you going to a malicious website, because your traffic a bit like using a VPN in a way your traffic is going through this system. And it’s allowing or, or denying your access.

Prepare for disaster

But it’s a really good point that you should familiarize yourself with those device recovery or wiping features. Because what you don’t want to do is to learn how do I use Find My Phone, if your iPhone or the equivalent on Android, when you’ve actually lost your phone yet, you probably want to have a link to that specific website where you can track or delete already on your bookmarks on your PC or Mac, for example.

It’s a bit like, you know, when we talk to businesses about disaster recovery or instant response, you don’t have to start making your policies and processes whilst the building is on fire or the hackers? Classic. Yeah. So yeah, get those bookmarks in. Try it out that you don’t need to delete your device, but at least look at the settings and work out what would I need to do if someone snatched my phone and liked it.

Security not needed

Marc Briggs 23:08
So what we’re saying is we’ve said it a couple of times, we really don’t think that you need a separate security software on your phone or tablet. As long as you’re aware of the security functions that are built in, you don’t disable the default functions. And that’s more applicable to an Android device than an apple. But And equally, you keep your device updated.

Now, with my personal device, I don’t have the choice. And I think that’s pretty much across the board. Now it forces updates on you. So again, you are actively having to stop security progression. And so if you did nothing, then you probably okay most of the time, that is going to prevent a lot of the common malware that we’ve talked about. So the adware, spyware, ransomware, all that kind of stuff. But what it won’t do is protect you against social engineering attacks.

Phishing

So you’re still liable to be targeted by phishing cat phishing inbound calls, trying to sell you stuff, scams basically. And that’s something that you as an individual have to know more about. And you have to ask yourself the question which I know banks are often doing now, when you’re being asked to when you’re making a transfer of money, they have a separate page now which says are you being forced into this and they and the banks talk about a lot of the more common social engineering tactics which people use in terms of giving a compressed timeline there’s an emergency.

If you don’t do this soon, you’ll there’s there’s a big issue hacked and they just make you take a breath and think about whether you’re part of the scam

Social engineering

Simon Edwards 25:06
or not. We talked last series, didn’t we about one of the signatures of a scam is to put you under time pressure. So simply by saying just have a little thing, don’t don’t click straightaway. That’s actually quite a clever way of putting a breakpoint into that attack.

Marc Briggs 25:21
Yes, absolutely. And, yeah, I see companies are now doing that. And you know, it’s in the UK in January, it’s, it’s tax time, people have to pay their personal tax and tax department in the UK used to be the third most replicated website for scams in the world. And it’s gone, it’s it’s dropped right out of that top list, because of the measures that it’s taken.

And one of the measures it’s taken, which I was really pleased to see when I received an email from them recently was, it said, in the same way that all companies should say, it had a had an email that I could have easily opened on my phone, instead of saying, you’ve got this is the information, click on this link, go to our website, it says, There is information that you need to receive from us, go separately to our website, log on to your account and read the message from us.

Malicious links

And then it had a spiel about the reason why we haven’t given you a link is because of possible fraudulent use of this website impersonation, and all this kind of stuff. So as well as being secure, it’s also educating people. And I don’t understand why we don’t see this from a whole raft of organizations. Why, why why why are people still providing links on emails? But I think that’s a different subject.

Simon Edwards 26:49
It is. But I think that I’m really heartened to hear that people have started doing that now. Because, you know, not clicking on links is one of the best thing, one of the best policies anyone can take on to avoid online threats.

Marc Briggs 27:05
For me, it’s quite a simple thing. Apple and Android devices do a good job. And as a regular home user, that you’re not taking part in any activity, which may raise the interest of a nation state. You’re just going about your usual business, as long as if you’ve got an apple, you are using the app store, you’re conscious of social engineering tactics. And you keep your device up to date absolutely fine. And on an Android device, you’re doing the same as well as you don’t go through all the stages that require you giving root access to the to the device racism mark.

Why does mobile AV exist?

Simon Edwards 27:51
With that in mind. Why do these antivirus companies try and persuade people to install their software on their phones, and often not even charged them for the software? What’s their motivation for doing that? Do you think

Marc Briggs 28:06
their financial gain has to be every business, every businesses is in the business of making money, and security companies are no different. So you could speculate that if they aren’t charging individuals for downloading using their security software, they must be gaining a financial benefits from somewhere else. Now, of course, if your security software sits in between you as a user, and all the activity that you’re doing on your phone, that security software could easily capture data.

Equal power

Simon Edwards 28:44
But remember, on mobile devices, all these apps sit on the same level of the hierarchy. So they’re probably not in a position to spy on each other. That’s what Apple and Google really tried to prevent from happening. If you think about Windows, anti malware, software, and the prevalence of free stuff, certainly in the last few years, the security companies benefit from as many people running their software as possible, because it enables them to get a better view of the threat landscape.

So let’s say a new threat did come out for a mobile device. And everyone running vendor X’s antivirus. Maybe they quickly update it, so it handles it. So that’s a good reason to be with the biggest company, I guess. But essentially, what they’re doing is they use in my humble opinion, and it’s just a bit of a theory. It’s not based on fact, it’s using everyone as a honeypot. So it’s a way of keeping an eye on what is happening in the mobile malware scheme of things today, and just keeping an eye on x. If they’re not on those endpoints, then they’re not seeing what’s happening to the targets.

Marc Briggs 29:51
Yeah, you’re looking at it the other way. So rather than collecting data from what’s leaving the device, collecting data, what’s coming in and using that to educate themselves.

Manic miner

Simon Edwards 30:03
And in a weird twist, some of these antivirus vendors even quite sorts of credible well known ones have been installing, like Bitcoin type miners on people’s computers. I don’t know if they’re doing that on the mobile or just on Windows, but people are complaining on the internet about how hard it is to remove this.

So in the old days, they’d be blocking that kind of stuff. And now it’s coming bundled with it. I mean, how bonkers is that? Yeah. So, you know, I think it’s not unreasonable to be a little bit skeptical about endpoint security on mobile devices, because you don’t really need it. And then, what is their motivation for pushing it so hard?

Marc Briggs 30:42
Yeah. When it’s not providing actually what they’re really saying?

Simon Edwards 30:46
Yeah, they’re saying, oh, yeah, well, we’ll save you from viruses, but you can’t really

Marc Briggs 30:50
know. So I hope that clears clears it up. And if you’re in two minds about whether to buy these, this mobile security software, then hopefully that answers some of your some of your questions,

Battery life

Simon Edwards 31:03
it will be interesting to know how what impact these things have on your battery life as well, because I think some of the vendors, you know, try to be as light as possible. So they’re not tracking the performance down,

Marc Briggs 31:14
there is actually something as a as a, as a user, you can you can check yourself. And I think probably, I think a lot of people battery life on their mobile devices is, is one of the key requirements for for its use. And you can now look quite easily which application is using, how much battery power both when it’s on and in the background.

And if I downloaded a piece of security software thinking, I know that my device gives me quite a bit of security, but I’m convinced by the marketing claims by this company, so I’ll put it on. But then I found out that it was using 30% of my battery power, every day, have a laugh, now you’re out?

Assess mobile apps (for beginners)

Simon Edwards 31:56
Well, one of the things that people can do. So we have a call to action, actually, at the end of this, this section is we’ve we’ve written a blog post about how to assess applications before you install them. Because when people talk about mobile security, they always say, use a VPN, get antivirus, and then research the apps before you install them. Well, that’s a very glib thing to say, because it’s very hard to actually research a mobile app properly.

So we’ve broken it down into sort of very few numbers of steps, as people can go and have a look and actually work out what kind of app they should be installing and where the red flags are, as well. So for example, I’ll give you one example, on the Apple Store.

New apps have to submit information about what kind of information they take from the user what they can track. But it doesn’t apply to older ones. And so if you see an old one that hasn’t updated that, then that’s a red flag. Either they are taking stuff they don’t want to talk about, or it’s not a very well maintained app, in which case you probably want something that someone’s keeping an eye on.

Marc Briggs 33:00
Yep. And where would they go to find that blog?

Simon Edwards 33:03
The details are in the show notes. Brilliant.

Is a Mac more secure than a PC?

[Apple Advert]

Simon Edwards 33:21
In 2007. British comedians Mitchell and Webb fronted an advertising campaign for Apple, which clearly made the case that the computer virus threat was much more significant for PCs than for Macs. Today, well, not today. But pre pandemic, if you went to any of the serious security conferences, you’d see MacBooks everywhere.

Maybe not outnumbering Lenovo ThinkPads, but it’s a close call. If security experts use MAC’s, maybe there’s something in Apple’s claim that Macs are safer and more secure. But is Apple’s desktop operating system inherently more secure? Or are we seeing less threats because hackers focus on Windows, which is much more popular and widespread? Eugene, from Kaspersky again.

Dangers of popularity

Eugene Kaspersky 34:09
it’s a very, very good question. And actually, that’s the situation it’s not stable. So the companies that invest more and more in cybersecurity, and in the past, let’s say like 10 years ago, I will say that Microsoft is much more advanced in cybersecurity campaigning to Apple, but not anymore. Both companies, they do their best to make the products and operating system more secure.

But once again, unfortunately, there still is space for the bad guys to hack the systems and to do anything they want with infected systems. It’s true for Microsoft Windows for Mac for Android, and from time to time even for iOS. It’s more complicated ideas are protected by the SEC from time to time, their vulnerabilities found they’re expensive, but they do exist. And unfortunately, from time to time, they have problems as well.

Personal choice!

Simon Edwards 35:06
Eugene, what do you use? Do you use a Mac or a PC?

Eugene Kaspersky 35:09
I have a PC. I used I tried to use Mac years ago. And I found some Well, now these problems are fixed as far as I know, but that time, some of my favorite applications, they will not adapted for Mark. And I like their delete key, which doesn’t exist on the Mac keyboard.

Simon Edwards 35:36
Stand to usability then, isn’t it not security. It seems that even the most experts, computer users focus more on what is easy to use, rather than what is built most security. The security of our digital lives at home and work is in the hands of the platform’s. But maybe we can trust them with that. The people we asked are the sort who dig down into the depths of how operating systems work.

They see the most advanced types of threats. And yet they still use PCs and Macs, they use Google workspace and Microsoft Office 365. And they’re happy with both Android and iPhone smartphones. But they also understand the limitations of these platforms and moderate their behavior online. They might not store every file in the cloud.

They configure their security settings to sensible levels, not accepting the default settings in many cases. And for the most part, they use mainstream phone handsets with or without antivirus. There isn’t a clear winner in the battle between Mac and PC, even if simplified advertising would have you believe otherwise, is what you want, what we’ll do the jobs you need.

Security Life Hack!

And now just before we finish it security life hack time. At the end of each episode, we give one or two special security tips that work for real people in the real world for work and in personal lives. This episode’s life hacker is the Kim Kardashian of the info security world. Mikko Hypponen.

Mikko Hyppönen 37:12
This is Makeup for decoded podcast, and this is my security life hack. Carry your photo ID separate from your bank or credit cards. Bad guys can do much more harm to you if you’re lost or stolen credit cards also have something which contains your address. exactly in the same way.

If you lose a piece of identification, which does not contain your address, and then someone contacts you to tell you they found it and they’ll be more than happy to mail it to you don’t believe them. Don’t give them your home address. That’s exactly the missing piece of personal identification they might be looking for to do an identity theft against you. Instead, give them an address to your workplace or to a friend. That’s a

The end!

Simon Edwards 37:59
please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. We also have a free email newsletter. Sign up on our website where you’ll find this episode’s show notes, and bonus episodes featuring full length interviews with our guests. Just visit decoded, cyber.com and that’s it. Thank you for listening, and we hope to see you again soon

Feedback

Please send your comments, questions and concerns to info@decodedcyber.com.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press