Taking the floor at the Hack In Paris 2012 event, F-Secure’s CRO Mikko Hypponen depicts the global threatscape and speaks in detail about known groups of attackers.
My name is Mikko Hypponen, and we will be speaking about the big picture, speaking about why we are still having all these problems, how come we can’t solve these issues, how come we can’t understand the enemy better, how come after 20 years, or, actually, now 21 years of working in this industry, I’m today busier than ever before.
When I started analyzing viruses in 1991, it felt like it was gonna pass, it felt like, you know, we’re gonna get rid of these problems, we’re gonna fix our systems. At the time, the viruses that I was analyzing were viruses like Stoned and Jerusalem and so on, actually there was a Stoned version called Stoned Flame, which I just remembered, which is interesting because Flame, of course, is a name for another malware, which we are all excited about, I’m sure. And there was a virus called Stoned Flame in around 1992. And back then they were always infecting these 8-bit or 16-bit operating systems: Apple II’s, MS-DOS and so on. And these systems were very simple, very rudimentary, and it seemed obvious that we would be able to fix these systems and eventually we would have better systems, better secured, and this wouldn’t be a problem.
And then we got 32-bit operating systems, 64-bit operating systems, and we’re still here, we’re still finding malware today, we’re still finding vulnerabilities, we’re still finding exploits. And people keep asking me about how come we can’t fix this. Especially people who are financial people, managers, who don’t really understand why we have vulnerabilities. Like, why can’t we get rid of vulnerabilities? And the way I typically explain it to them is that, well, these vulnerabilities are just bugs; they’re just bugs, problems. People write these programs and people make mistakes. And of course these people remember that bugs used to mean that your system crashed or your program crashed, or your computer crashed. They remember using Microsoft Office, let’s say, Microsoft Word with Windows 3, and it would crash, and they would lose their document. That’s what bugs used to mean.
And then along came this Internet thingy and this web thingy, and today the very same bugs, very-very similar bugs don’t just mean that your application crashes and you lose your document or your computer crashes, and you have to reboot. Now, because we are online, those very same bugs mean that potentially the system could be taken over. And you can see sort of a light bulb going off on top of their head: oh, so it’s not just a human problem, it’s the coders making mistakes, and we’ll never be able to fix the coders.
But we are seeing some improvement, and the one that I’d like to highlight is Apple. Now, we all know OS X has its issues; in fact it now has more malware than ever before. But let’s look at iOS: our iPhones, iPads, iPods.
iPhone will be 5 years old next week. 5 years, one of the most visible devices on the planet. 5 years, during which time it’s been one of the most popular smartphones on the planet. Right now Apple iPhones are #3 after Symbian-based devices and Android-based devices, or actually I should say Android-based devices and Symbian-based devices when you look at smartphones globally. So there’s no lack of these devices, and lots and lots of people have been looking at them trying to figure out ways to own them.
Yet, 5 years later the amount of real in-the-wild malware for iPhone is 0. Not a single one. Yes, we’ve seen proof of concepts; yes, we’ve seen Charlie Miller’s demos – that’s not real in-the-wild malware; yes, we’ve seen FlexiSpy; yes, we’ve seen malware for jailbroken iPhones, but those are for jailbroken iPhones. For real, unmodified iPhones, 5 years have gone by – and nothing has happened, and that is a great achievement; we really should give credit to Apple for a job well done. And this, of course, has a lot to do with the App Store model, a lot to do with the restrictions they have built in place – golden handcuffs, you might say. But the fact remains: they are without malware. It’s not gonna last forever, but that’s the situation right now.
So who’s this guy (on the image)? Einstein, Albert Einstein. It’s a great photo, he’s having fun with his bicycle, and there’s something blowing up in the background. And I wanted to bring this image here to get some perspective of the long run: what’s really happening in our world. Because I claim nuclear physics lost its innocence in 1945. That’s when we, mankind, used it as a weapon, that’s when we blew up bombs. And I claim that computer science lost its innocence in 2009 – that’s Stuxnet. That’s when Operation Stuxnet started, in late 2008 / early 2009, with U.S. President George W. Bush signing a cyber attack program against the nuclear program of Iran.
So there is some perspective for you. We have attacks like Stuxnet, like Duqu, like Flame – attacks launched by governments, militaries and intelligence agencies. And we sort of take this now for granted, cause we’ve been speaking about these problems for the last 3 years, and I’ll speak a little more about them as well, and we’ll have a presentation about Stuxnet later today, which is great.
But just imagine, if somebody had told you 10 years ago that in 10 years we would for real see cases where governments are writing malware to attack other governments; governments are writing malware to attack their own citizens, and here I’m especially looking at the Germans using R2D2 to spy on their own people, as well as the totalitarian states in the Middle East; that governments would be moving most of their espionage operations from the real world to the online world with APTs and what have you; and that for real governments would be attacking the nuclear systems of another government with malware.
10 years ago if somebody would have told you this, would you have believed it? I wouldn’t. I would have told you that, you know, that’s not gonna happen, that’s a movie plot, that’s a Hollywood story, that’s “Die Hard 4”. And yet, that’s exactly what is happening right now for real. There’s a lot of talk about cyber wars, cyber warfare, cyber arms race. Of course we don’t have a cyber war, because wars are fought between people and nobody has announced a war between different countries, but definitely there is something big going on. But this is, of course, not the full picture. Not nearly all the problems are like this. In fact, the most likely, mundane problem you’re gonna run into is the attacks launched by the criminals, the ones who want to make money.