Securing our future – Mikko Hyppönen

0
296

Mikko Hyppönen, F-Secure’s CRO and security celebrity who needs no introduction, highlights current and emerging concerns caused by ubiquity of the Internet.

Mikko Hyppönen I am Mikko Hyppönen, and I have spent my life analyzing viruses, tracking hackers, catching online criminals and trying to protect the security and privacy of the Net. Well, actually, I started analyzing viruses when they weren’t spreading over the Internet – when they were spreading on floppy disks, if you still remember floppy disks. But the Internet, of course, changed everything about our security and about our privacy, because now we do everything online. This has been a very quick change. The Internet isn’t that old. In fact, we are very lucky to be alive during this exciting time in mankind history where we all get connected.

'Inception of the ARPANET' sign
‘Inception of the ARPANET’ sign
I was thinking about the history of the Internet last month when I was visiting Stanford University in California. As I parked my car outside the Bill Gates building I saw this sign on the wall of the building. And that sign was put there to commemorate the birth of the Internet, because the Internet is built on top of protocols which were designed for ARPANET in Stanford University. The date on the sign was the end of October 1969. That’s when the protocols that were used to build the Internet were designed – 1969. And I thought that was very interesting, because I was born in 1969, in October 1969, in the middle of October, which means I’m older than the Internet. And I think 1969 was a great year, because we went to the Moon in 1969; we had the Woodstock Rock ‘N Roll Festival in 1969; we invented the Internet in 1969; and I was born, which was nice.

But the Internet, really, is changing everything around us. It is bringing massive changes. We are seeing artificial intelligence being developed, self-driving cars being developed, and we are seeing massive technological advances in things like robots. And I’m sure you’ve seen videos on YouTube about these robots that are being designed right now by companies all over the world. The thing that I really find weird about these videos of robots is that the engineers always demonstrate these robots by pushing them around, or maybe kicking the robots and showing how the robots are still able to continue motion without toppling over, even though they are being kicked around. And I think that kicking robots is a basic evolutionary mistake, because these robots are getting smarter and smarter. One day those robots will be watching videos on YouTube, and they will find these videos where we kicked their ancestors, and they will not like it. So kicking robots – basic evolutionary mistake. We shouldn’t do it.

The headline about robot killing a man
The headline about robot killing a man
And of course this is timely, because you might have seen in the news two days ago there was a tragic event in Germany, where a robot killed a man at the Volkswagen factory. It’s almost funny if it weren’t tragic, the robots killing people. Of course that robot, which by accident killed a man, was programmed by somebody. That robot is run by computers, it’s run by software. So, when we speak about computer security we no longer just speak about abstract problems with programs crashing or vulnerabilities on our systems. Our societies are being controlled by computers. Electricity is on in this room because of computers. We have running water because of computers. If the computers wouldn’t work, our societies wouldn’t get the power, the water, the food. None of that would work. So these things actually matter.

The two most important problems we have to solve are the problems of security and privacy. They seem to be similar problems, but they are actually quite different problems. Our security is mostly being threatened by online criminals, by organized criminal gangs who make millions with their attacks by targeting our computers and our smartphones and tablets. And they make their money with keyloggers that steal our credit card numbers as we do online shopping; with banking Trojans that steal money from our online bank accounts as we do online banking; and with ransom Trojans which lock up our systems and demand a payment in order to get their money. So, that’s crime in effect.

The only way I can pay is with my data and with my privacy.

But our privacy, our online privacy isn’t actually that much targeted by criminals. Our privacy is being threatened, first of all, by governments who use the Internet as means of surveillance and means of intelligence gathering. And second of all, our privacy is being threatened by companies. By companies which do nothing illegal as they break our privacy. Which companies might these be? Well, you know these companies. Companies like Google, or companies like Facebook, or companies like Twitter. You know all these companies, and their products are great. Google makes great products. I don’t actually use Facebook, but it obviously must be good, because it has two billion users. I love Twitter. I have over 100,000 followers on Twitter, I love the medium, it’s excellent. I just wish I could pay for these services. But there’s no way for me to pay for these services. I can’t pay for Google searches or for watching YouTube or using Twitter. The only way I can pay is with my data and with my privacy. And I urge all of you to go and check out these services for once not as a user, but as a customer. What that means is that you go to Twitter or Facebook or Google and you buy an ad, because that will open up your eyes.

One of Google's data centers
One of Google’s data centers
And it will also make you understand how companies like Google can make so much money. Google is right now investing, roughly, $2 billion every quarter into their data centers, 2 billion not per year but per quarter, just into the hardware costs of their data centers. 2 billion. In fact, Google is one of the largest manufacturers of computer servers on the planet, and they don’t even sell servers. They are such a large manufacturer because they build so many servers for their own use. So, if they invest so much money into their infrastructure, you would think that they would be going bankrupt because their products are free. But of course they are not going bankrupt. Google’s revenues last year were $66 billion, their profit was $14 billion. If we make a modest assumption that there’s 2 billion users of Google and we divide that 66 billion by 2, we end up with the figure that you made Google $33 of revenue last year. I made Google $33 of revenue, you made them $33, we all did. And I would rather pay them $33 in cash. In fact, I would rather pay them 50 or 100 bucks. Google would be worth hundreds of bucks a year to me if I could pay. But I can’t.

Targeting ads on Twitter
Targeting ads on Twitter
When you go and look at these services as a customer, you go and buy an ad, you end up in this user interface, for example with Twitter, where you can build a campaign of showing your ads to people who otherwise wouldn’t see them. And you can, of course, target your ads (see right-hand image). That’s how these online ads are so powerful – you can target them. Obviously, you can target them based on geography – you would like to show your ad to people in, I don’t know, Lyon. You want to show your ad to people in Lyon who are female, who are between 30 and 40 years old, who use Twitter with an iPhone, and who are interested in cooking. Of course Twitter can do that for you, because they know quite a bit about their users based on what they tweet about and who they follow. They know your interests.

However, as you build a campaign on Twitter it gets more interesting, because you can start targeting people not just based on what they tweet about; you can target your ads on Twitter based on how many people there are in the family. If you want to show your ads to people who are in a family which has two or three or four children, you can do that. Twitter knows how many kids you have. Or you can target families based on life events, for example if a family is expecting a new child in the next six months. So, Google knows, and Twitter knows, if you are expecting a new child in your family, or if you just got a new child six months ago. They can target grandfathers or grandmothers.

Net worth
Net worth
They can also target the ads based on how much money you make, so Twitter knows how much money you make (see right-hand image).
Targeting based on occupation
Targeting based on occupation
Or you can target based on your occupation: whether you are a boss or whether you are in the army – they know that as well (see left-hand image).
Types of credit cards
Types of credit cards
And they can also target the ads based on what kind of credit cards you carry (see right-hand image), as well as your lifestyle trend. They know if you are a hipster; I don’t know how they do that, but they do. And they also can target based on where you donate money for charities, or what kind of purchases you make. I especially like the example here that you can target your Twitter ads on ladies who buy plus size clothes.

And obviously, this information isn’t coming from your tweets. So, where is this information then coming from? Twitter doesn’t know how much money you make or what kind of breakfast cereal you eat based on your tweets. Yet, they have all this information. They have this information because they buy it from data warehousing companies, from companies that you’ve never heard of, companies like CPG or Acxiom or Datalogix. And they gather this information about consumer behavior by buying this from shops, from credit card companies, from insurance companies and from frequent buyer clubs. Then they combine that into databases and they build these profiles of us based on what we buy. And then they sell this information to companies like Twitter.

Whoever controls the data knows us better than our spouses do.

But we still have a mystery. How then does Twitter know that this profile of this consumer, who carries a MasterCard and likes to buy a lot of Rice Krispies – how do they know that this profile is actually this Twitter user? How do they combine these data? And the answer is, they combine that based on your mobile phone number. This is the reason why services like Google and Twitter and Facebook ask for your mobile phone number. That’s the key which connects your online profile to your real-world profile. And in fact, one of the reasons why Twitter asks for your mobile phone number is actually security. They ask for your mobile phone number so that you can enable two-factor authentication, which actually does give you better security for your Twitter account. But of course then you lose in privacy.

Facebook's WhatsApp deal
Facebook’s WhatsApp deal
And this also might be one of the reasons why Facebook paid $22 billion to buy WhatsApp: because they didn’t just get the chatting service, they actually got the mobile phone numbers of hundreds of millions of existing Facebook users, which means now they can combine these consumer databases, which they can buy, to the profiles of the users they already have. This is why online advertising makes so much money. And this is why it is a real problem of privacy for all of us. It’s not a problem that you tweet or you post stuff to Facebook and it becomes public knowledge. Of course it becomes public knowledge, because you make it public yourself. But we live our lives online today. Whoever controls the data knows us better than our spouses do, because they know what we think. For example, we are more honest with the search engines than we are with our wives or husbands. We ask search engines the kind of questions we would never dare ask anyone else. Show me your Google search history and I’ll find something embarrassing in 15 minutes, guaranteed, or incriminating. Embarrassing or incriminating in 15 minutes, guaranteed.

The license agreement trap
The license agreement trap
And this is all legal because of this lie (see left-hand image). This is the biggest lie on the Internet. “I have read the Terms and Conditions” – no, you haven’t. Don’t lie to me, you haven’t. We know you haven’t. We actually tested this. Last year we set up a free WiFi hotspot in London, and to get Internet access you had to click through our Terms and Conditions. And in the Terms and Conditions we had included a term that you had to give your firstborn child to F-Secure. And everybody clicked OK, there we go.
Just a trivial technicality
Just a trivial technicality
It’s gotten so bad that a friend of mine, who actually lives in Germany, when he was filing his taxes (see right-hand image), at the end of the online tax filing process the last question on this governmental form was “Would you like to read the Terms and Conditions before you confirm that you have read the Terms and Conditions?” And the default was “No”. So, that’s how bad it is. All of this is completely legal. Google is doing nothing illegal, Facebook is doing nothing illegal, Twitter is doing nothing illegal. We let them do this.

Alert displayed by ransom Trojan
Alert displayed by ransom Trojan
There are criminal things online as well. When we move from privacy problems to security problems, then we end up with practical things like this (see right-hand image). This is a ransom Trojan, a crypto locker, a Trojan which will infect your system, typically by hitting your browser with an exploit as you surf the web, and then it will encrypt the files on your hard drive. If you are a corporate user, it’s going to encrypt the files in your network shares. And then it’s going to show you this message, where it explains that “Hello, I’m a Trojan, I’ve just encrypted all your files with irreversible encryption unless you have the key; and you can buy the key, please pay me and you will get the key.” And if you actually pay them, they actually will send you a program which actually will decrypt your files. So, at least, they are honest criminals.

The thing that has enabled this particular problem – this crypto ransom Trojans problem – the mega trend which made all of this possible is Bitcoin. Bitcoin, which enabled criminals to actually ask you for a ransom and get the money without getting caught. Now, of course, Bitcoin by itself isn’t bad. It’s neutral. It’s a tool, just like cash. I mean, Bitcoin is the cash of the Internet. Almost all of us have cash in our pockets right now, but do you know who else likes cash? Criminals like cash. It’s very hard to buy cocaine with a credit card, or so I’ve been told. You pretty much have to use cash. And in the online world, exactly for the same reasons, criminals prefer Bitcoin or other virtual currencies.

Affiliate backend of CTB-Locker
Affiliate backend of CTB-Locker
These ransom Trojans are not just coming from one criminal. They are actually coming from gangs. They are competing gangs operating from different countries. Most of them are actually in Russia, but there are also ransom Trojan gangs operating from Romania, from Ukraine, from Japan and so on. And they are competing with each other, trying to reach more of their customers, or victims, as they go and encrypt their files. It has even become an affiliate model. This is the affiliate backend of one of these ransom Trojans (see left-hand image); this is coming from Moscow. So this gang is writing a ransom Trojan, making a product out of it, and selling that to other criminals. So they, basically, outsource the criminal element of ransom Trojans.

They themselves only write the Trojan. They never infect anybody with it. They never encrypt anybody’s files, which means they do no crime, which means they can’t be caught for anything because they haven’t done anything illegal. Their customers are the ones that actually infect end users and actually demand a payment. And this means that we are seeing an age where our enemy is becoming more and more professional. They can now afford to invest into their development. We are seeing more malware, more online attacks now than ever before.

And one particular problem that we are all a little bit worried about in the near future is IoT, the Internet of Things. Can’t spell “idiot” without “IoT” – that’s how you remember it. The Internet of Things has been in the headlines a lot regarding the potential security problems we are going to face with IoT and with connected devices. However, most of the risk scenarios you read about are completely blown out of proportion. The typical risk scenario you might read about would be that, you know, evil hackers can hack your Smart Car. They can hack your car and then they can disable the brakes in your car, and then they can drive you off a cliff, and they can kill you. And you know what, yeah, that’s probably doable. It’s probably possible to do that. However, I don’t think it’s going to happen. Why would they do it? Hackers are not interested in killing random people. It’s also illegal to kill random people. If we can come up with risk models where the attackers actually can somehow benefit from their crime, then that makes much more sense.

Sometimes it feels like we’re building a monster by connecting all these devices in the online world.

So, how about someone hacking your Smart Car not to kill you but to open the doors, to start the engine and to steal your car? How is that? Well, that makes much more sense, because we already have a problem with car theft, and if they could steal the car without breaking the windows, they would probably prefer that. Or how about a ransom Trojan for a Smart Car? You get your car to pick up the kids from school, and the car won’t start because there’s a message asking for a payment if you want to get to the school in time. We haven’t actually seen that, but that could easily happen. So, the thing to remember about smart devices is that when someone tells you that something is smart, what you should be thinking about is that it’s exploitable. So, a smart car is an exploitable car. A smart watch, like my Pebble – well, that’s an exploitable watch. Or a smart phone – that’s an exploitable phone.

LIFX smart light bulb
LIFX smart light bulb
Sometimes it feels like we’re building a monster by connecting all these devices in the online world. You can even go and buy yourself a connected smart light bulb (see left-hand image). That’s a light bulb from a company called LIFX. You can take that and screw it into any normal, standard light bulb place, and then you can control your lights with an app from your smartphone. Pretty neat – connected device, IoT. And obviously, you can imagine that that’s hackable. If there’s a vulnerability, somebody probably could hack that light bulb. But why would anybody ever hack a light bulb? Obviously, this is not going to happen. Obviously, we don’t have to worry about light bulbs getting hacked, except that we do. There actually is a vulnerability in this light bulb, and there’s a perfectly good reason why attackers might want to hack this particular light bulb. And the reason is that the vulnerability in these light bulbs enables the attacker to gain access to the light bulb and then steal the credentials to your wireless network. So, if this light bulb is in your office and you connect it to your WiFi, to your corporate WiFi, somebody can hack the light bulb and get into your internal network. It becomes a vector inside your organization. So, this actually makes perfect sense. It feels like nobody would ever hack a light bulb, but if it works as a vector inside of your organization – sure they will.

Smart light bulb’s vulnerability patch
Smart light bulb’s vulnerability patch
And this company, LIFX, they actually patched this vulnerability, they shipped an update a couple of months ago (see right-hand image). So, if you have one of these light bulbs you can actually update and patch your light bulb to fix it. It does take, roughly, 15 minutes per bulb to fix it, and the whole idea that you have to patch your light bulbs seems a little bit ridiculous, doesn’t it? But IT administrators in companies no longer have to just worry about updating all the computers and all the smartphones – they now have to start worrying about updating the light bulbs and the toasters and the microwave ovens. Yes, sometimes it does feel like we are building a monster by connecting everything we have to the Internet. Yes, we do get great benefits. I’m sure it’s really nice to be able to change the lighting from your phone, but, obviously, security is not the first thing in mind with these companies that develop new IoT devices. It’s not a selling point. A light bulb’s security is not a selling point when it’s being produced by some company somewhere.

I suppose the biggest surprise, to me personally, over the last 25 years that I have been fighting online attacks is the fact that governments themselves became one of our opponents, or enemies. One of the main sources of the most advanced new malware we see is actually now coming from governments. It’s coming from the military; it’s coming from intelligence agencies; it’s coming from law enforcement. We are seeing backdoors being deployed by intelligence agencies to gain access to data they otherwise wouldn’t get access to. And of course, intelligence agencies are interested in hacking, because that’s what they do, I mean, they collect the information. Spying is collecting information. 20 years ago, it meant that you had to physically go to where the information was, because the information was printed on paper and so you had to copy the paper or steal the paper. Well, you know what, information is no longer on paper. Information is data, and that means that you don’t have to physically go to where the information is to steal it.

Chinese military marching
Chinese military marching
And there’s a reason why I chose this clip (watch right-hand animation) as the backgrounder when I speak about governments and malware writing. But just take a moment and look at these guys, look at the Chinese military marching. I’ve seen your military march, they don’t march like this. That’s pretty neat. That’s pretty impressive. The very first governmental malware case that we ever saw is our labs was in 2003 – 12 years ago. And that was from the Chinese government. That particular case was a targeted attack against a European defense contractor, where one of the key managers received an email from one of their customers. That email spoke about an ongoing project and had a PDF file attached to the email. And as he opened up the PDF file, the PDF file actually contained an exploit which took over his computer and installed a backdoor, which gave an outside attacker full access to his computer and full access to all the data he could see in their corporate network.

That email was never sent by the customer. That email was spoofed. It was made to look like a real email. And this is the type of attack we still see today in 2015: targeted attacks against key employees in key companies, which come over email, which look like a credible email coming from someone you know and trust, coming in your own local language. And it doesn’t contain a program, it contains a word document, or an Excel spreadsheet, or a PowerPoint slideshow, or a PDF file. And as you open up the file, it works, you get the data, but you also get infected at the very same time.

Countries known to spread viruses
Countries known to spread viruses
The thing about cyber-attacks that are coming from governments is that it’s not only the superpowers that are playing this game. You don’t have to be a superpower to have credible offensive capability in the online world. We are seeing attacks from the Chinese, from the Americans, from the Russians; but we are also seeing offensive cyber-attacks coming from much smaller countries, including Iran and North Korea (see right-hand image). Many of these attacks are very well orchestrated. They obviously put a lot of money into development of these things. And the whole idea that governments themselves are writing viruses would have been science fiction 20 years ago, but this is actually happening. It’s happening right now.

Chinese governmental virus
Chinese governmental virus
One example of the kind of governmental malware we see is a piece of malware that we call “Medre” (see left-hand image). It’s coming from China. We believe it’s coming from the Chinese government. And it’s unusual because this malware is written in an unusual language, a language which we almost never see with malware. It’s written in Lisp.
AutoCAD drawing
AutoCAD drawing
The reason why it’s written in Lisp is that this malware actually infects engineering drawings created with the AutoCAD program. And AutoCAD is the de facto standard tool used by all engineering houses all of the world as they build models of buildings, and houses, and bridges, and devices (see right-hand image). And the macrolanguage inside AutoCAD is Lisp. So, this this Medre malware actually infects the 3D drawings that you create with AutoCAD.

And as these engineering houses share these drawings with their clients and with other engineering houses, they actually spread the infection. When they give an infected drawing to their client, the client then infects the rest of their drawings automatically. And when they share those drawings with other engineering houses, the infection spreads from one engineering house to another engineering house, from one country to another country. And right now there are tens of thousands of infections all over the world. And Medre doesn’t just infect your drawings – it actually takes a copy of your engineering drawings and sends that copy to Mainland China. So, what’s happening here is governmental industrial espionage at a global scale.

Malware most likely coming from the Russian government
Malware most likely coming from the Russian government
Another example of governmental malware writing is what we’ve seen lately from Russia (see left-hand image). Over the last two years, we’ve analyzed five members of the so-called Duke family, and we believe all these are coming from the Russian government. An interesting detail about Duke malware infection, especially the last version of this family, is that almost all of the victims are in one country. And that country is Ukraine. The victims include Ukrainian military, Ukrainian government, Ukrainian defense contractors, and so on. Obviously, in the middle of this crisis between Russia and Ukraine, intelligence is more important than ever, and this seems to be the way they gather that intelligence.

President Obama and his laptop
President Obama and his laptop
But Duke versions have been found elsewhere as well. One place where this Russian governmental malware was found was in the White House. In fact, if you go and look at the White House photostream on Flickr, you’ll find plenty of pictures of Mr. Obama at his computer (see right-hand image). In fact, if you look at this computer, it seems to be a Dell, Dell Latitude, maybe E6430, or E6420 maybe, running as an operating system, I don’t know, maybe, what do you think – Windows XP Service Pack 1? I’m joking, actually. There’s another photo where you can actually see the operating system – he’s running Windows 7.

Kaspersky Lab headquarters
Kaspersky Lab headquarters
This building (see left-hand image) is in Moscow. It’s not the Russian government; this is actually a private company. This is the headquarters of a security company called Kaspersky Lab, one of the largest security companies in the world. I know many of the engineers who work at Kaspersky – world-class research, excellent people. And they broke the news a month ago that they were hacked themselves. They were hit with a targeted attack launched by a foreign government. We believe the government behind this attack was the Israelis. The way they found out that they were infected was that one of their engineers was developing a new prototype of a security program, which would detect unknown advanced malware; and once he compiled the first test version of the program and he ran it on his own computer, it detected an anomaly in his own computer. And he was really confused, so he rechecked the source code and recompiled, and it still found an anomaly. So then he ran it on his colleague’s computer and found the same anomaly. And then they realized that they had actually been infected by themselves, and they had been infected for several months. And we have to give Kaspersky full credit for making this public. Most companies would have never told the world, but they came publicly out with this information to warn others. And this also means that security companies are clearly now a target of foreign governments and of intelligence agencies.

'Legitimate military targets'
‘Legitimate military targets’
So, with all of these cases going around, I actually went back to read through the Geneva Convention. The Geneva Convention, as you might remember, maps the laws and rules of war. The Geneva Convention, for example, defines that during war you should not bomb hospitals, or you should not bomb churches, and that you should not use chemical weapons. The Geneva Convention also defines what a legitimate military target is during a time of war (see right-hand image). And the way I read this text is that during a time of war our company, a security company, an online security company, would be a legitimate military target. A legitimate target, for example, for bombing.

And let me tell you, 25 years ago, when I started analyzing first viruses I ever analyzed, written by teenage boys, spreading on 5 ¼-inch floppy disks – 25 years ago, I would have never imagined this. And I definitely didn’t sign up for this. But this is where we are today. This is where we are today.

So, we have two problems to solve: security and privacy. When we all first got online, when we first started surfing the web – remember installing Netscape Navigator and getting online – it changed our world. And what we got was a free and open Net. That’s what we all received. We received a free and open Net. And right now, it’s up to us whether we will be able to give the free and open Net to the next generation. Thank you very much!

LEAVE A REPLY

Please enter your comment!
Please enter your name here