From The CIA To Cybersecurity & Hacking Expert
Mr. Elliott is CEO of Comar Cyber, Inc., a Washington, DC-based company that specializes in government and corporate training in cybersecurity. He created the award-winning “Learn by Hacking”™ online cybersecurity course, with distribution deals in the US and Japan.
Mr. Elliott served for almost two decades at the CIA, where he worked in the Directorate of Operations as a Case Officer and ops leader in field assignments.
He has extensive experience at the intersection of HUMINT operations and technology. As a manager at CIA Headquarters, he worked with companies, investors, and other elements of government to identify, purchase, and create technologies for the CIA’s operational use. He used his training and experience in assignments in Europe, South Asia, and Africa, as well as at HQS, to identify and counter nation-state cyber threats to protect enterprise and operational systems. Mr. Elliott, in coordination with various stakeholders, created the Agency’s requirements for operational technology in the foreign field.
#1 – What do you see as some of the new and biggest Cybersecurity threats at the present moment?
#2 – WordPress and open-source software are not as secure as proprietary software; what are your general views on this?
#3 – What are some critical things website developers and designers need to understand to make their websites more secure?
#4 – We seem to be in an age of Surveillance Capitalism, as popularized by Shoshana Zuboff. What are your own views on this?
#5 – There has been a lot of talk about TikTok being a significant security threat; what are your own views on this?
#6 – What are your personal views on Edward Snowden and his revelations connected to the NSA?
This Week's Show Sponsors
Intro: Welcome to the WP-Tonic this week in WordPress and SaaS podcast, where Jonathan Denwood interviews the leading experts in WordPress, eLearning, and online marketing to help WordPress professionals launch their own SaaS.
Jonathan Denwood: Welcome back, folks, to the WP-Tonic show this week in WordPress and SaaS. We have a great interview here with Mark Elliott; he’s a cyber-security expert who worked for the CIA and other government entities, and it’s going to be a fascinating chat. So, Mark, can you quickly introduce yourself to the WP-Tonic tribe, give us a 20, 30 second intro about yourself and your company?
Mark Elliott: Absolutely. Jonathan, thank you so much for inviting me here. So, I currently run Comar Cyber, and we are a company that does cyber security training and consulting. Career-wise, I started out in the State Department, in the Foreign Service, years ago, back in the nineties, pretty much pre-internet, as we know the internet commercially today. And then after that, in the late nineties, as the internet was really taking off, I left to start an internet company that focused on cyber privacy and cyber security; the idea was to actually have an ISP that would let people surf anonymously and for free and send encrypted emails.
This was decades ago, of course, and investors didn’t really understand the value of internet privacy back then, so it was rough-sledding. Then moving along, there was the big internet bubble, the internet crashed, and then 9/11 happened. So, after 9/11, I thought I have to see if I can, actually, apply some of my skills to these pressing international problems and cyber security in the realm of international security, so I applied to the CIA and they accepted me. I was a case officer for a number of years there, conventionally out in the mainstream media, the standard media, they would call us spies, but we, actually, run spies; we’re the people who recruit spies.
But that’s fine if anybody wants to call me that, that’s fine, I won’t stand on principle on that, but in any event, so that’s what I did for a number of years. So, I went through all the standard case officer training, learned how to do all the spy stuff, and then worked for a number of years, but my specialty was cyber, so I did a range of things in the cyber realm, but as it related to the human side of it, again, looking for people with access to cyber information, that type of thing.
Jonathan Denwood: Oh, well, that’s great. So, we’ll delve more into your past.
Mark Elliott: Sure. Absolutely.
Jonathan Denwood: In the interview. So, Andrew, would you like to introduce yourself quickly to the tribe?
Andrew Palmer: Sure. I’m Andrew Palmer from Bertha.ai, and it’s an AI copywriting WordPress assistant built into WordPress so you can write where you work.
Jonathan Denwood: That’s great. And before we go into the main meat and potatoes of this great interview, we have a small break for our major sponsors. We’ll be back in a few moments, folks.
Ad: Allow us to introduce you to Castos, our major sponsor; if you’re looking to get into podcasting, Castos is for you. No penalties on the number of downloads, and the support, should you need it, is the best in the industry. Take a look at Castos for your podcasting solution. That’s castos.com, castos.com. The importance of backing up your WordPress website cannot be emphasized enough.
We use BlogVault to help us do this on a daily basis, with free staging, migrations, and on the pro plans, malware scanning, and auto-fix; BlogVault is the professional’s choice when managing just one website or many. Go to blogvault.com and see for yourself; you seriously won’t find a better, more complete solution. That’s blogvault.com, blogvault.com.
Jonathan Denwood: We’re coming back. I just want to point out that some of our sponsors have some great special offers for you, the tribe. To get access to these offers and some great recommendations around plugins, services, and anything else that you might find helpful, you have to go over to wp-tonic/recommendations, and all the goodies are there.
So, Mark, obviously, it’s exciting times we’re living in, and cyber security, to say that it’s in the news almost every day would be a slight understatement. What are some of the biggest threats and things on the radar that keep you up at night? I know you’re a sound sleeper, Mark, but what are some of the things that you think are really on your radar at the present moment when it comes to cyber security?
Mark Elliott: Jonathan, that’s a great question. And it’s a lot of the same things that we’ve been facing for a number of years now; ransomware, phishing, boss impersonation. The thread that they all have in common is that almost all of these are human factors threats; these are not esoteric, zero-day hacks, that type of thing that highly trained hackers are using to breach companies or individual systems. These are things that can be defended against and, indeed, in terms of companies, should be defended against as a matter of policy.
But again, it comes down to the human factors; it’s things like social engineering, people tricking, or attackers tricking employees into giving away passwords or access that they shouldn’t have. Phishing scams, and again, the boss impersonation types of things, as I talked about, if you don’t have policies in place in your company to verify when certain types of directives are given, that’s a human problem; it’s not even a cyber-problem, but, of course, it leads to a cyber-problem because it opens the door to it.
You can have the most secure castle in the world, but if you leave the front gate open, it’s not going to be secure for very long; in terms of new threats for individuals, I would say the one new thing in addition to all the standard old things, ransomware and social engineering; QR code hijacking, I would say that’s a relatively new thing. And that comes out of the time during the pandemic, of course, still mainly in the pandemic, but before people were going, I should say, now that people are going back out to restaurants and places, it’s very popular to not give people physical menus, for example.
Andrew Palmer: Yeah.
Mark Elliott: Just give them the QR code, right? So, not to give any ideas to potentially harmful actors, but it would be a pretty straightforward thing to print out your own QR code, paste it over the tabletop or the menu, what have you, and then direct people maliciously to your own website and steal their money, make it look like they’re ordering something and that type of thing. So, there are all kinds of things that you can do with QR codes in a malicious way. So, again, I would say that that’s a significant threat for individuals, and I’d caution everybody just to be careful right when they put their camera on the QR code; just make sure you know where it’s taking you to before you click.
Jonathan Denwood: That’s great. Over to you, Andrew.
Andrew Palmer: That’s a great tip. We have a question here that’s, you’ve, obviously, had a little bit of a preview of these, but WordPress, and I’m going to just slightly reword this, WordPress and open-source software are seemingly not as secure as they could be if people don’t take the measures that are recommended by developers and or hosts. What are your general views on that, that WordPress is not secure? And I’ll just put, mine is that it is secure as long as you have a firewall on your server, as long as you put some security software on there, whatever, but it is, generally, down to the individual, are you similarly minded?
Mark Elliott: Andrew, you hit the nail on the head. It comes down to the individual. It’s a lot like flying, in a sense. If you’re a fantastic pilot, and say you were in the Air Force and you were a test pilot and you flew for decades, and then you want to fly your own personal Cessna around to take you from place to place, great. You’re probably well-qualified, and you know exactly what to do; you’re better than most pilots. If you’re short of that kind of a standard, maybe you should take United Airlines or American or whatever company you want to take, but take a mainstream carrier.
And so, I would say it depends on the individual, and if you’re going to run a site, a WordPress site on your own, I’ve dabbled in it a bit, it’s a beast, and now, I absolutely would want to leave that to professionals. So, I’d say, yeah, if you’re a professional, absolutely, you can run those things securely or as securely as possible within a certain level of risk, and if you’re not, you should probably consider leaving it up to them. In terms of the overall security of something like WordPress versus the whole proprietary versus open-source software debate, that comes down to the question of, it’s two different things.
With open-source, one advantage is you have far more eyes on the problem. You have tens of thousands, hundreds of thousands of people who can get into the code and look at it. And they also have a community that’s motivated by more than just profit; they really love the software; Red Hat, and things like that, or Linux, I should say. So, you have more eyes on the problem that can spot bugs, and, in general, the open-source software organizations or companies can get those patches out a lot faster to the community.
If you have a private sector or, I should say, a proprietary company doing it, it depends on the company; if it’s a small to medium-sized company, they’re not particularly good; they care more about their profits than anything else. Maybe they’ll sit on a patch longer than an open-source.
Jonathan Denwood: Yeah. It’s funny that you say that, Mark, because he hasn’t been there; over the past 18 months, there’ve been some significant stories about companies that have known that they have some major security problems, and they’ve just sat on it. Is that correct?
Mark Elliott: Absolutely. Absolutely. As well as companies that should have known better and had better security implementation, like SolarWinds, that’s just a classic.
Jonathan Denwood: Yeah. That’s the one that comes to mind, Mark. Can you give a quick outline of what that was?
Mark Elliott: Sure. Sure. So, SolarWinds, it appears that it was compromised by a foreign threat actor, likely a foreign government threat actor, and I’ll admit, that’s a high-level threat. But part of the issue was in terms of; it seems that their review of their software was not as thorough and their internal process for checking the security of their software was not where it should have been. And then, of course, when all the revelations came out, I believe they tried to blame it on a low-level staffer, maybe even an intern, for having a wrong password, and that’s just not acceptable. So, yeah, absolutely, they’re playing.
Jonathan Denwood: What was their software? Because that was the problem, it was utilized in the stack of a lot of IT companies.
Mark Elliott: A lot of IT companies and the US federal government too, so that was a big problem, possibly, a problem for national security, when you get to that level. So, it affected many people and organizations; the corollary to that is, you take a look at a company like Apple. Nobody can see Apple’s proprietary software; in terms of security, it’s really hard to judge as an outsider, but Apple has a tremendous reputation. You can look at the people they hire and you can look at their track record and their commitment to security. So, yeah, I would say that you can be safe using proprietary and open-source, but you have to take different types of precautions.
Jonathan Denwood: Right. So, I think, in general, what you’re saying is, you have to really take it on a case-to-case basis; you can’t just draw a broad, open-source is not secure, proprietary software is; it’s much more diverse than that.
Mark Elliott: Exactly.
Jonathan Denwood: That’s right.
Mark Elliott: Exactly.
Jonathan Denwood: I have a follow through question, I’m going to drop question three, because I think it would be duplicating question two, but it’s a follow through question. Would you agree that these gangs, these criminal organizations, do you think that a lot of them are kind of quasi government supported, i.e. they’re based in Russia, China, North Korea, other countries?
Andrew Palmer: America.
Jonathan Denwood: And do you think that they’re freelancers, but they’re also in some way supported by these governments in a kind of bounty or that they are supported and also have the protection of these governments because they’re also useful to some degree, am I on the right track, Mark?
Mark Elliott: Spot on, Jonathan. Spot on. And there are multiple different arrangements that these types of gangs have. So, in certain countries, these gangs are just allowed to operate freely, as long as they don’t go after members of that country, that type of thing, or neighboring countries that they are allied with. And then sometimes they have to pay a percentage of their profits to the government, like protection money, kind of a protection racket. Other times, they are forced to work for the government because the government has caught these guys hacking illegally, and they say, look, you used to do it for yourself, now you’re going to do it for us.
And they’re not formally part of the government, but they’re absolutely doing things on behalf of their government, whether they want to or not. All this has been proven out, time and time again in open-source reporting, I don’t think there’s any doubt about that. So, we here in the US are kind of at a disadvantage, in terms of going against a setup like that, or defending against something like that, because we’re used to either having a binary threat of something like, is it a government threat or a criminal threat? Yes, no, that type of thing. But now, you’re looking at something that’s in-between, and they have the legal protection of living in another country and doing their attacks from there.
Jonathan Denwood: Yeah. I asked you this question because we’re going to go for our break soon. Is that, I think there’s this perception that it’s still some teenage hacker in a basement, and some of it is, there was a notorious case in the UK. He hacked into a number of US states, and he has Asperger’s Syndrome, and there was a drawn-out case. And there have been a couple of others, but, in general, this idea that it’s a teenager or some skilled hacker, the reality is it’s large teams, quasi under the support of governments, would you agree with that, Mark?
Mark Elliott: Absolutely. There are a number of different groups and gangs out there that do this type of work, almost to the point of being reasonably corporate about it. I guess, I don’t know, in emails that have been captured by the counter and white-hat hackers, they’ve seen how these guys talk about salaries and money and getting vacation time, things like that. So, no, these are very well-organized gangs; it reminds me of my time in Bogotá, Colombia, decades ago now, and you had gangs kidnapping people down there for profit, and a lot of that was a very corporate type of thing.
Jonathan Denwood: And am I correct, also, I think it’s been documented to some degree that in North Korea, they, literally, they are forces and depart, they, actually, sell services, they sell groups of their hackers that are, actually, in the North Korean army and they sell it on the open market as a resource, am I semi-right about that?
Mark Elliott: Interesting. I have to admit, I had not heard about the North Koreans selling their services out on the Black Market, but it seems plausible, and they certainly do have hacker units and the FBI has indictments out for a number of them, and they even, apparently, know some of them by name, so pretty fascinating work. Pretty fascinating.
Jonathan Denwood: Right.
Andrew Palmer: If you want conspiracy theories, Jonathan’s yours right here.
Jonathan Denwood: Most of it is correct; that’s fantastic. It just gets more and more enjoyable. So, we’re going to go for our break. We’ll be back in a few moments with this fascinating discussion. We’ll be back soon, folks.
Ad: Build next-generation WordPress forms with WS Form, the only fully responsive, no code form plugin. Choose from over 60 feature-rich field types, conditional logic, repeaters, calculations, and more than 65 integrations to build intuitive, accessible forms. Upgrade your form plugin today at wsform.com; use coupon code WP-Tonic for 20% off any WS Form edition.
Ad: Hey, it’s Spence from launchflows.com. If you’ve been looking for a fast and easy way to create powerful sales funnels on WordPress, then look no further than LaunchFlows. In just minutes, you can easily create instant registration, upsells, down-sells, order bumps, one-click checkouts, one-time offers, custom thank you pages, and best of all, no coding is required. For as little as $50 per year, you can own and control your entire sales funnel machine with LaunchFlows. Get your copy today.
Ad: Hey, tribe, are you trying to scale your agency, but struggling to find time to work on your business because you’re always stuck working in your business? Head over to focuswp.co, where you can subscribe to an instant team of white-label geeks and creatives to delegate; use code WP-Tonic for a special discount for the tribe. With FocusWP, you don’t have to worry about hiring, firing, or any other HR nightmares; just submit a ticket, and your new team will dive in. Focus on what you love, and outsource the rest.
Jonathan Denwood: We’re coming back. We’ve been delving into the world of hacking, and in what we say in the UK, the spooks, Mark, that’s a nickname for spies, in the world of spooks. I just want to point out that I do a fabulous newsletter; it’s really based on all the stories of the Friday Roundtable show. Also, I do a personal editorial; I try and choose a really interesting news story of the week; to get this, all you have to do is go over to wp/newsletter, and you’ll be able to sign up for that, and it’ll be in your inbox around Sunday.
So, let’s go on. Another thing that’s been talked about a lot, and it’s covered by a particular catchphrase, and it’s called Surveillance Capitalism. I would imagine that you know this term. It’s. A whole industry has been built about surveilling people from every second they’re online. I can’t pronounce her name; she has a pretty unpronounceable name for me.
Andrew Palmer: Shoshana. Shall I do it for you?
Jonathan Denwood: Yes. Can you, actually?
Andrew Palmer: Shoshana Duboff.
Jonathan Denwood: Duboff.
Andrew Palmer: Or Zuboff.
Jonathan Denwood: Zuboff?
Andrew Palmer: Yeah, Shoshana Zuboff.
Jonathan Denwood: She popularized this in her book. Do you agree with some of her ideas and this concept of Surveillance Capitalism, Mark?
Mark Elliott: Absolutely. I agree with pretty much all of it, I read her book, it was fantastic. I was literally walking down the street, seeing just the book in the window of a bookstore and the title. And I said, yeah, I have to read that. And it was fantastic because I’d been grappling with these ideas, literally, since decades ago. And back then, I remember talking to a friend of mine who said, Hey, I don’t mind Google having all of my data, I just don’t want the government to have all of my data. I said, well, therein lies the rub.
The issue is that I’m not going to pick up companies like Google and others, but all these companies in these spaces that collect data on us do it far more efficiently than the government ever could. And they do it legally because you’re volunteering to give the data to these companies, right? And then if the government wanted that data, all it now needs to do is just go to Google or any other company, Facebook or Twitter, with a warrant and say, okay, now, we’d like Jonathan’s data.
Jonathan Denwood: Well, I’m going to put to you, isn’t the relationship, and Andrew’s going to laugh at this. Isn’t the relationship even a bit tighter than that? We’ve discussed these foreign governments and their relationship with these foreign gangs, whatever you want to call them. But isn’t the relationship with Amazon, Google, and the other tech even closer with the government and the quasi-security services of Western governments to some degree; aren’t they quite helpful, and their relationship is quite in bed with one another?
Andrew Palmer: Are you talking? Sorry, Mark, I’m just going to add to this question.
Mark Elliott: Sure.
Andrew Palmer: Are you talking about tax breaks? Maybe if the government they do an?
Jonathan Denwood: Well, obviously, Google’s a very monopolistic entity, much more than Microsoft was in the nineties, but there is no movement to threaten their monopoly and break them up. I only presume the reason is that they’re protected to some extent because they’re very useful to specific entities in the US government.
Mark Elliott: Jonathan, that’s an interesting theory indeed. And let’s unpack it, and here’s how I go about doing that. Take a look at a few things, for example, not too long ago, a number of Google engineers said that they refused to work on a project because it went to the Department of Defense and they didn’t want to be involved in militaristic things. If the government had some kind of a thumb on Google, they could’ve just suppressed all of that, it would’ve never come to light, and they’d be making whatever it is that they wanted for them.
The other thing is, the companies are pretty independent in terms of what they’re allowed to do under our laws; look, if there’s some kind of a secret agreement with the government and those companies, I certainly don’t know about it, but, again, as far as I know, and as far as I’ve seen. If the government wants data from those companies, they have to go with a warrant through an actual legal process; there has to be a specific bar for that process to start; it can’t just be on a whim.
And again, there are a number of examples where social media companies or tech companies have actually refused the government on things that were quite significant; for example, when Apple refused to unlock the phone of two people who had committed terrorist shootings, a number of years ago. They refused to do that; you would think that if the, again, the government had some kind of a backdoor or some kind of a secret alliance with them, out of any case, that would be, kind of, a no-brainer. Hey, give us the information on these phones so that we can maybe prevent another terrorist attack, that type of thing.
Andrew Palmer: Whereas, all they really needed to do to unlock those phones was go to the local mobile guy in the shopping mall, like the rest of us do.
Mark Elliott: Maybe. Maybe. But in any event, that’s my concept.
Jonathan Denwood: Yeah, sure, Mark.
Mark Elliott: Yeah.
Jonathan Denwood: Over to you, Andrew.
Andrew Palmer: Well, this is going to be the last question because, unfortunately, I have a meeting that I must attend at 5:30-ish, I can be a minute or so late, and I know Jonathan’s got it, and I know you’re a busy guy as well, but I’m not going to go to question six. So, there’s been a lot of talk about TikTok, a Chinese company grabbing data, it actually can; when you allow TikTok to be an app on your phone, it can scan the whole of your phone; there’s been a lot of talk about that.
Mark Elliott: Right. Right.
Andrew Palmer: It’s user permissions, so we’ve allowed them to do that. If you read the reams of terms and conditions that all these apps have, you would be aware of.
Mark Elliott: Which we never do.
Andrew Palmer: Which you never do, because it is, literally, reams of information, thousands of lines. Do you think it’s a security threat, TikTok?
Mark Elliott: I do. I do. And people have said, well, how is this different from any other app that collects data? First of all, as you pointed out, Andrew, TikTok collects a lot more data than most apps. And then they also do the biometrics, facial scanning, so it has facial recognition, and it’s asking for permission to use your microphone and your camera at any time, not just when you’re doing your TikTok type of videos. So, once you ramp that permission, they can take all that stuff whenever they want it and all of it goes to China and China has a lower bar for accessing that data than, again, the US government.
Jonathan Denwood: It’s one way of putting it, Mark.
Mark Elliott: Right, right, right. Right. And so, that, I think, is the concern. Honestly, I’ve downloaded apps before, particularly, on non-iPhones, on Android phones, and I downloaded a flashlight app, and it said, user permissions, do you grant permission toward access to the microphone and the camera? I asked, why does a flashlight need access?
Andrew Palmer: It’s a light, for God’s sake.
Mark Elliott: So, yeah. I quickly deleted the app. And so, there you go. But once again, it’s a social engineering problem because everyone’s giving that permission, and the government can’t just step in really quickly and tell consumers, Hey, you can’t use that app. In the government, they could say, Hey, if you’re in the military, you can’t use it, if you’re in specific agencies, maybe you can’t use it, that kind of thing.
But to the rest of the public, they can’t do it. And that goes back to Zuboff and the Surveillance Capitalism issue, all these tech companies have managed to navigate a path in-between law, culture, and societal norms to extract troves of data that no one could ever have foreseen, and they do it all legally because it’s extraordinarily hard to regulate in capitalist, democratic societies.
Jonathan Denwood: Yeah. I’m going to end the podcast part of the show, I do want to ask question six, but Andrew needs to go.
Mark Elliott: Sure.
Jonathan Denwood: So, I’m going to end the podcast part. So, Mark, what’s the best way for people to find out more about you and what you’re up to?
Mark Elliott: Come to our website, comarcyber.com, C O M A R cyber.com, and reach out to us there. We’re also on LinkedIn and Facebook, but, yeah, comarcyber.com.
Jonathan Denwood: I have all the links in the show notes, folks. So, Andrew, what’s the best way for people to find out more about what you’re up to and your thoughts?
Andrew Palmer: Bertha.ai, and at Arnie Palmer on Twitter. And I’ll communicate with anyone; I’m like that.
Jonathan Denwood: That’s great. We will continue the discussion after the show, and I have a question about Edward Snowden; I’m sure Mark will be very entertaining with his thoughts about Mr. Snowden. You’ll be able to see the whole interview, plus the other couple of questions, on the WP-Tonic YouTube channel; go over there and watch the whole interview. And please subscribe to the channel; it really does help the podcast and WP-Tonic. And that’s great. We’ll see you soon. Next week, we have another fabulous guest. We’ll see you soon, folks. Bye.
Outro: Hey, thanks for listening; we really do appreciate it. Why not visit the mastermind Facebook group and also to keep up with the latest news, click wp-tonic.com/newsletter. We’ll see you next time.