The Bookster Podcast: Bad people on the internet

  • Episode 7
Who's Talking?
  • Simon Beattie
  • Robin Morris
  • Colin Guthrie
Microphone Graphic

or download

There are bad people on the internet. As Bookster is an online application it is exposed to bad people who try to do bad things. Here's our thoughts and how we cope with them.

Welcome back to the Bookster podcast, hosted by Simon from inside the SaaS holiday rental software company Bookster, based in Edinburgh, Scotland.

In this insightful episode, we are joined by CEO and Co-founder Robin Morris, as well as Technical Director Colin Guthrie, to delve into the crucial topic of cybersecurity. 

As Bookster grows, so do the cybersecurity threats it faces. Learn how the team tackles these challenges, the common types of attacks they encounter, and the strategies they implement to protect their clients and their data.

Whether you're a tech enthusiast or just curious about the behind-the-scenes workings of a SaaS company, this conversation promises to be both informative and engaging.

The Important Bits:

● [02:00] - Cybersecurity Overview: An introduction to the topic of cybersecurity, its importance, and how it impacts Bookster.

● [04:00] - Cyber Attacks: Colin discusses cyber threats, such as automated tools and phishing attempts, and how these affect both small and large businesses.

● [08:00] - Protective Measures: Strategies implemented by Bookster, such as two-factor authentication, email security measures, and limiting data storage to necessary information only.

● [16:00] - Tools & Services: Stay ahead in the cybersecurity arms race, including static & dynamic analysis tools.

Key Takeaways:

● The growing profile of a company like Bookster increases its visibility to cyber attackers.

● Common cyber threats include automated hacking tools and sophisticated phishing attempts.

● Implementing two-factor authentication and other protective measures is crucial for safeguarding data.

● Limiting stored data to what is necessary reduces risk.

● Continuous monitoring and adapting to new threats are essential in maintaining cybersecurity.

Stay tuned for more episodes as we continue to explore the inner workings and challenges faced by Bookster. 

Join us next time for discussion on work in an agile manner, and how that supports Bookster's approach to technical growth.

Credits

Editor
Simon Beattie
Music
Jonny Brannen

Subscribe

Transcript

Hello, I'm Simon.

Welcome back to the Bookster podcast from inside the SaaS holiday rental software company Bookster based in Edinburgh, Scotland.

Follow along as Bookster discussed their journey and their inner workings.

Thank you for joining us, and we hope you find these conversations insightful and ultimately helpful.

Now, I'm joined today as always, by CEO
Minute 1
and Co-founder of Bookster Robin Morris.

Hello, Robin again.

Hello, Simon.

Nice to see you again.

Nice to see you.

How are you today? Not bad.

Joined the vaguely sunny Scottish weather.

I know, I know.

Our one day of summer, It's come early this Year.

Go outside and we're joined again, uh, on this episode by Colin Guthrie.

Again, technical director for Bookster.

Colin, thank you again for your time today.

Not A problem.

Uh, are you enjoying the sunshine today? I am, yes.

Yes.

I've transitioned from my winter, uh, trousers to my summer shorts, and regardless if the temperature goes down again, I've made my decision and I'm now sticking with it.

Yeah.

I'm out of principle.

I like it.

Absolutely.

Yeah.

I think as, as a man of shorts yourself, Simon, you'll approve of, uh, clothes.

I am actually, uh, wearing, wearing shorts myself today, so, uh, yes, I'm with you on that one.

Good.

Minute 2
That's not what people are here to hear about though, probably.

I dunno.

That's somehow short conversation about shorts.

Wrap it up.

Wrap it up.

That's it.

Right.

Well, if anyone is still listening to this podcast, we we're gonna talk today about a very interesting, uh, subject.

Uh, it's, it's, we, we got a title for it, bad People on the internet, and, I mean, that's, that covers a whole, there are bad people on the internet, by the way, if you didn't know that.

Surprising to hear.

But, uh, for you guys that must bring its own issues and problems and headaches, we're talking, I guess, generally about cybersecurity, uh, and how that affects you guys.

Yep.

So perhaps you just start the conversation by telling me a little bit about, any sort of experiences you've had with it or, or how it's affected bookstore and, and, and how you deal with it maybe.

Yeah.

Well, uh, this is definitely, uh, in Colin's realm, but I'm gonna start anyway.

Minute 3
Uh, just to broadly, broadly talk about, so, cybersecurity as a company that is operating an online application, clearly we are, uh, exposed to people attempting to gain access to our systems or bring us down or, uh, compromise our clients data, things like that.

And as we grow in profile, it, it probably just becomes a bigger issue because we start turning up in various searches that people do.

We, you know, it become, we become, as you become bigger, you become a bigger target, I suppose.

So, yeah.

So that, that's broadly what we're talking about here.

So, yeah.

So I suppose maybe Colin, what kinds of things Yeah.

Do people try to do? Yeah, absolutely.

I mean, I think it's, it's one of these things these days,
Minute 4
there's so many automated tools out there.

There's so many, you know, you put a website out there and almost immediately it'll be, there'll be people trying to break into it in some way, shape, or form.

Now, quite often these are stab in the dark attempts, so there's lots of software products out there, lots of open source products out there.

You've got your content management systems like WordPress.

You've got your utility tools like, uh, PHP, my admin, which is, uh, a a web front end to a database backend to sort of generic tool.

And these are often installed on servers out there on the internet.

And, and quite often you put up any website, even if it's just completely static pages, there's no sort of programming element to it.

You will see in your logs almost immediately requests for the URL that starts slash PHP, my admin or slash administrator slash whatever,
Minute 5
for these common kind of tools out there, because people are just looking for insecured or default passwords, access to these tools and utilities that are on any website.

So, you know, no matter what you do, even if you're a tiny company, and you've got two clients, you put a website out there, it will almost, you know, it won't take long before you start seeing those things in your web logs.

But when you become bigger, the problem ramps up a bit.

We have on a daily basis, hundreds of thousands of requests that are arguably nefarious, uh, in some way, shape, or form.

Now, these vary from relatively harmless attempts like I've just described there for people trying to find these kind of software tools.

Now, we obviously don't have any of those installed on any, on any server that that's, that's publicly facing.

They'll, they'll also get
Minute 6
attempts that are a bit more tailored.

So I think probably one of the, one of the sort of watershed moments for us when we were sort of running the business is when someone took the time and effort to clone our website and pretend to fake our login pages, sort of, we've made it now someone actually values our business so greatly that they'll go to that effort of, of, you know, copying our login page in order to try and attempt to lure our our clients to, to log in there instead and give up their username and password.

Yeah.

So that's a, that's a classic, uh, phishing, Phishing attempt attack.

Yeah.

Basically.

Yeah.

And so, you know, a lot of our customers, you can find out who our customers are relatively easily because, you know, their website will link back to ours.

You can look for inbound links, you can then target their publicly facing email addresses because our clients are ultimately public facing, you know, they want inquiries, they want people to contact them to, to make bookings, et cetera.

Minute 7
So finding their details is relatively straightforward.

They can then be targeted and told, oh, you know, send them an email that looks like it comes from Bookster, says, please log in here to look at your latest booking.

Here's a link.

They click on that link, it goes to website that looks like Bookster but isn't.

They give up their username and password, and hopefully then that person will get their login details and they can go and explore the real Bookster, try and harvest data or, or use it in some other nefarious way.

Yeah.

So in in that case, Yeah, Sorry.

In that case, uh, even though, uh, we have two factor authentication on Bookster Mm-Hmm.

So if someone does this to us, uh, they wouldn't necessarily be able to get, so they would, they wouldn't as a result necessarily be able to get into Bookster's data, what necessarily.

But what they might have achieved, not necessarily, but what they might have achieved is, access
Minute 8
to our client's email login.

So like, say they had, if they've Reused their password or They reused their password, they're used the same password, which, you know, do not do if you're out there.

So yeah, if they, There are bad people on the internet, They're bad people out there.

So yeah, my 1, 2, 3, 4 passwords has got people stumped.

No, yeah, that's a, that's A Password luggage, a baseball reference in case anyone didn't get The, I mean, I guess, uh, just, yeah.

Is there a way, I mean, certainly, I mean, we're talking generally, but bringing it back to sort of Bookster, is there a way that your clients can tell that any email or whatever is not coming from you? Do you know what I mean? Is there something they should look out for? Yeah, I mean, yeah, you have to look out for the sending domain of the email.

So it has to be from @booksterhq.com.

Minute 9
We have various things within our email infrastructure that says, no other servers are allowed to send email from our domains.

You know, only the, the servers that we've authorized are allowed to do that.

So theoretically, e email is a incredibly loose system.

You know, it was, is is a bizarre kind of mishmash of protocols that have grown up since the early days of the internet.

And security has very much not been designed in from the start.

It's all been bolted on afterwards with various additions and extensions, and it depends on your provider's support for those extensions, et cetera.

But it's, you know, it, it's generally any major provider now will, will be honoring these kind of, security checks, et cetera.

So generally speaking, if it comes from app boots queue.com, it's usually from us.

Now, that's not to say that there are not ways and means of, of getting into to those platforms and sending email from the authorized senders, uh,
Minute 10
without our permission.

So you do still have to be wary, even if it's from the, the, the, the from address is, is purports to be genuine.

Any links that you click on an email, you know, you have to make sure that you're, you're, you very much trust email before you click on it.

If you can look at the link rather than just clicking and make sure it goes to domain that you recognize, that's great.

But even still nowadays with domain names, it's very easy to register a domain name that looks very lightly like Bookster, you know, maybe it's got three o's in it instead of two.

You know, so on first glance, you know, the human eye is very much susceptible to the beginning and the end of the words, and they, they kind of gloss over the letters in the middle.

So it might look genuine.

Similarly strange characters that look like a no but isn't a no or looks like a B but isn't a b, it, all of these things can be manipulated in order to send you to a phishing website.

Minute 11
And obviously we can't control all of the variations of the spelling and, uh, pronunciation of ster to register all the domain names out there.

So there will always be, the, the chance of that happening.

What to do generally speaking is if you get an email that says log in, click here, you can just go to Bookster yourself.

You don't need to click on the links, you know, go to the Bookster website, you can find what we're referring to fairly easily just by, by going to your bookmark and, and looking for it.

So that's another safety tip.

Bookster also has two factor authentication.

Uh, Robin mentioned that already.

So we mandate that for all of our sort of, uh, main clients.

We've got different levels of, of user access.

So for, for all the people that are dealing with a lot of sensitive data, we mandate that they have two factor authentication.

That's an additional, we, we support an additional application that you would have on a smartphone, uh, where whenever you log in on a new device that's, that's sort
Minute 12
of new to, to your login, you would have to type in a, an additional verification code that only your device has.

So that's, that's two factor is, is the principle, is that there's knowledge, which is your username and password, and then something physical, which is this additional code.

So if someone steals your username and password, they try and log in, they can't get in because they don't have the physical thing that you need in order to, to validate that login.

Now it is not impossible to, to phish these two-factor things as well.

Someone could be sent to a website that looks like our login page that asks for the username password and then subsequently asks for a two factor code.

But what, what it does is that website that's pretending to be us, we'd actually have to be talking to us in the background, uh, acting as a sort of skim leader over the top and in real time log in, in order to get session for that customer.

They couldn't at a later date log in again.

Minute 13
They would have to keep that, that session alive in order to, to get data.

So it's not infallible, but it's an extra barrier.

It's all about building up extra barriers to, to prevent people from logging in.

And we've got a lot of logging in the backend to know when things look a bit suspicious.

So we can take action if we think, and actually yeah, the past two factor, but we're still a bit unsure about that, so we'll maybe, we'll maybe not actually, uh, allow this login and ask for, for further validation.

Yeah.

But yeah, I think, broad, broadly speaking, it's like an arms race basically.

Yeah.

You know, we're trying to stay one step ahead of everyone that, or anyone that might attempt to, to do something nefarious to Bookster.

So, you know, keeping up to date with as many security patches we can and coding in a really defensive way so that people can't, you know, inject things into our code.

Minute 14
It, it's kind of, we're building up these walls, but you know, the attackers are, are also building ladders all the time.

So, you know, you're just constantly building the walls and they're constantly building the ladders and you're just hoping that you're always, Staying Ahead.

Yeah.

Got enough bricks to keep ahead.

And I guess that comes back if, kind of related to our last episode of being agile, I suppose, uh, one of the benefits perhaps you're always thinking about these things and, and sort of exploring new ways to, to Keep Yeah, well, exactly.

And it's, it's, it's one of these things that the agile process is, is great in, in terms of adapting to what's needed.

It's just unfortunate when you've got a feature that you're trying to develop, but then ultimately you have to delay that because you're having to deal with a certain attack that's coming in, or here's a, a new structure that someone's trying and well, let's make sure we've got enough defense in place for that and, let's try and make sure we've got, you know, ability to,
Minute 15
to block off denial of service attacks and, and you know, various things like that as well.

So yeah, it's, it's good that we can adapt to it, but it's annoying that it has to be done.

But that's just one of the, the, the sort of sad realities of, of working on the internet and working with the, So really, you know, what you want to do do is employ one of these hackers and as a member of your staff.

Yeah, well, exactly.

I mean, that's, that's quite a common thing.

You know, a lot of, a lot of these people that start off in the, the black hat sort of approach to hacking and trying to find spaces turn themselves into security consultants ultimately at the end of the day.

And it's, it's, yeah, it, it does happen.

And yeah, there's, there's, there's lots of companies out there that, that specialize in services to help people.

There, there's, there's various sort of web application firewalls that you can sort of place in front of your product.

So it, it all, the incoming traffic comes into them.

They can do lots of analysis, not just on your customers,
Minute 16
but across the wider ecosystem that they're dealing with.

They'll, they'll be able to spot nefarious activity and block it before it even reaches your servers.

So, so those services are really good.

There's also loads of tools out there now for doing static analysis, uh, of your code to spot possible injections.

So Robin mentioned injection, that's a, a, a standard kind of approach that, that the bad people on the internet take, which is manipulate you.

You always have to pass data into your application.

So whether it's, set up information at the backend or query information for front end searching or, or whatever, you're passing values in.

And ultimately something has to read the user input and process it.

And if you don't completely have a zero trust model of that user input, you're going to run into problems.

So a lot of the time people try and do escaping tricks, so they know that your value is gonna go into a database.

Minute 17
So instead of a numeric value one, they'll, they'll actually supply you with one quote semicolon and then some SQL statements in the hope that you pass that straight through to your database server and it leaks information and allows 'em to manipulate information, et cetera.

So yeah, lots of static analysis tools to help detect those kind of problems when you're trusting input incorrectly.

And there's also lots of dynamic testing tools as well, where you can create a, you know, you can deploy either a version, a sandbox version of your application with and, and, and let these tools loose with a, with a login.

They, they're able to simulate logins, they're able to go through your whole application.

They'll hammer lots of data at it that's nefarious.

They'll, they'll try and break it, they'll try and inject cross-site scripting tools and that can produce a big report to you saying, we were able to do X, Y, and Z in your, in your application.

Minute 18
These are all the recommendations for fixes.

So there's, there's tools out there that you can just use, but they're a bit complex to set up, but there's lots of companies out there that offer that as a service, which is, is really useful.

So, so yeah, there's a, there's a whole depth of of process to, to go on, uh, in your, your sort of approach to the, the sort of web security And I mean the, you know, clients are obviously putting their faith in, in, in businesses like yourself, you know, SaaS, software companies like you to keep their data, uh, you know, safe.

Uh, basically, just in terms of, you know, running a business or setting up a business, is there some sort of, I dunno, insurance that you take out against this sort of thing? Or does that get covered anywhere? Well, I mean, we have, professional liability insurance, so some of that would be covered.

Yes.

So there, there are specific insurance policies against cyber attacks and, and things like that,
Minute 19
but the premiums of them are, are very steep, and have to be sort of traded off as part of your business analysis, you know, the likelihoods and, and what kind of data can be exfiltrated and, and who's affected, et cetera.

So I think that whole industry and the premiums involved, there's, there's, there's even kind of ransom insurance and stuff like that as well these days.

And, and ransomware is another side of things where companies would effectively get into your systems and, and steal your data.

So they'll, they'll encrypt it with a key that only they have and they won't give you the key unless you pay them lots of money.

There's so many different attack vectors.

I think the insurance and the sort of, that, that whole industry is still very young and I think it's a bit of a, a, it's such a dynamic moving kind of process of the attack vectors and the, uh, you know, insurance premiums have always got, got their get out clauses and, you know, force of nature and blah, blah, blah.

Minute 20
I think it's a very interesting space for insurance.

But I'm not sure it's one that necessarily we'd, we'd always pay out for, for people.

One, One, uh, I suppose key thing to do is don't store more information than you need.

So, uh, yeah.

And this, you know, if you're setting up a, you know, software applications, task application, don't ask your users for, uh, you know, information that you don't really need to have from them.

So that would be my biggest advice.

Yeah.

Because if someone does get into your system, it doesn't matter so much.

I mean, for us, as an example is, credit card information.

So we try where possible to not have that stored inside Bookster, so, you know, when we really can,
Minute 21
we just don't do that at all.

But other things, you know, like date of birth or people's home addresses and things, you know, if you don't need it, don't ask for it.

Don't store it, don't Store it.

That's kind of worst Thing.

And, and likewise, like we, we obviously have to store a certain amount of information about our customers, um, but our customer's customers are more transient.

So, you know, for Bookster for our product, it's guests.

Um, so guests come along, they make a booking, the booking happens, and that's them.

Now, there might be occasions where you get repeat bookings, obviously that's actually something we generally encourage and, and try and, and help our clients get repeat bookings.

But, but that, that sort of thing is, is, is time constrained and we don't need to store that information more than we need to.

So we actually have automated tools within Bookster to help our clients not store too much data.

In Bookster, we have automatic anonymizing tools, which will take their, their booking data
Minute 22
and anonymize them automatically after a period of two to five years or, or whatever, uh, the configuration that they, they choose.

So if I don't need to know anything two years ago, anonymize it, take the email addresses out, take the customer names out, and the addresses out and, and these kind of things.

Um, so you know, we are, we, we take that, that sort of very seriously, don't store the data you don't need.

Um, yeah, Yeah, no good advice.

And in terms of, uh, just, you know, how often, uh, I mean, how often should somebody, an individual, perhaps change their password on the internet to help them stay safe? I mean, changing passwords is only really needed if you think your password's compromised, if you've got a secure password, um, and you know, using it for one application in one place, if it's secure, it's secure changing it all the time.

Yes, it, it helps occasionally.

Minute 23
If it is compromised and you don't know about it, then yes, changing your password is obviously a sensible thing.

So there, there is a ultimately a, a sensible amount of time to change your password.

But I think other things are more important, like making sure that the tools that you're using report when you log in and make sure you spot any activity that that you know, shows when you logged in but you didn't actually.

Um, and likewise things like two factor, much more important.

Um, and using unique passwords and not guessable passwords, you know, brute force attacks, passwords is still a thing.

Um, people will try every combination of passwords, use different characters, different letters, try not try to avoid words, try to avoid sequence sequences, et cetera.

But also for, for brute force attacks, they become easier to do over time as computing power goes up.

You can try every combination of a password faster.

Now, some password policies on,
Minute 24
on products are actually self-defeating.

If you say you need to have a password that's between eight and 10 characters long, has an upper and lowercase character and needs a special symbol that's reducing the attack surface, you know that the attack surface has to have a combination that meets those rules in order to be a valid password.

If you say it can be anything from eight to 20 characters long, knock yourself out, that's a massively higher attack space, um, and would take much longer to brute force.

So sometimes these policies are actually counterproductive.

Um, they're sensible in theory they sound very sensible.

But actually if you leave it as a more open thing, it's more combinations as long as people are good at actually doing it and not typing password 1, 2, 3.

Yeah.

And using, using a password manager to put in different randomized passwords every different time you log into or every different service
Minute 25
that you log into, uh, is Very Valid.

A good idea.

Yeah.

Um, yeah, that's what what these password managers, uh, are good at.

Obviously don't give away your master passport, then everyone's got access to all your passwords, but generally speaking, um, yeah, that's a good idea because you get different password for everything and it's pretty random that what it is that it's generating and yeah.

Okay.

Um, and just I think probably just a final question on this topic, uh, for today would be, um, I mean, how, obviously you have your own security stuff in place and you, you know, your, your, your walls, whatever, um, but if someone was just try and sort of get into your system, how quickly would you know that? I mean, how, is that a sort of instant thing or does it rely on somebody contacting you, one of your clients to say, oh, this has happened, or? Yeah, It, it will depend on the type of attack.

Ultimately, we've got a lot of tools and,
Minute 26
and monitoring in place that lets us detect these things happening and these, these sort of nefarious attacks can kind of ping up and say, well, there's a bit of suspicious activity here.

Um, so there are tools that, that help detect these things.

Um, if it very much appears like someone's password is being compromised, maybe their two factors being, being compromised or, or something is in some way being able to steal their, their active session and, and, and hijack that essentially, then it's quite hard to detect, um, when these things happen.

Um, it's unfortunately the sort of nature of the game.

So, um, but yeah, we, we do have reporting tools.

We can sort of say that this session has been accessed from this location that's, that, that seems suspicious.

Um, and then we can take action to, to help that customer secure their data.

Um, but yeah, it's, it's a, it is a tricky one overall for sure.

Yeah.

Minefield.

Um, well look, thank you both for your time today.

Minute 27
It's been a very, uh, interesting conversation today.

Um, I, I didn't know there was bad people on the internet, but now I do.

So thank you for that.

No Worries.

Be safer there.

59800:26:42.575 --> 00:26:43.845Um, so look, thank you for that.

Uh, thank you for listening everybody and, and watching on, on YouTube.

Um, quick reminder that we do have our sister podcast as well, which is, uh, um, smashing your visitor rental goals.

Um, so that's available, uh, out in the world as well.

I'd like to look for that and leave a favorable review.

If you listen to it, please do, uh, please listen to our podcast, uh, and leave a review as well if you'd like.

That'd be very gratefully received.

If you have any questions about today's topic or any other topics that we've done covered so far, please email podcast@booksterhq.com and we shall answer them in future episodes.

Um, but for now, gentlemen, thank you very much for your time, both of you.

Thank you very much.

Thanks.

Thank you.

Thank you, Colin.

I'm off to now change a password.

More Episodes of The Bookster Podcast

  • The Bookster Podcast Episode 7 - Text "The Bookster Podcast Episode 7" on a green background with an icon of a microphone.

Updates to Bookster