The dangers of online crime: Q&A with Mikko Hypponen

Posted by: Ben Lillie

Mikko Hypponen is the chief research officer at F-Secure corporation, where he has led his team through some of the largest computer virus outbreaks in history. On stage at TEDGlobal 2011, he delivered a witty, entertaining, and deadly serious talk about the dangers of internet crime.

TED’s Ben Lillie reached him at his office in Helsinki, Finland to follow up on ways to address this widespread problem, and the risks of not facing it.

(Also read: Hypponen’s Ask Me Anything thread on Reddit.)

I loved the moment where you knock on the door and meet Basit and Amjad, the pair who wrote the first PC virus. What did they say when you talked to them? Why did they do it?

They were curious. They had history working with UNIX-based systems, and then along came this new DOS system. They thought the security model of those was horrible, and they wanted to prove how horrible it was by writing a demonstration, and that became Brain. They weren’t trying to do anything harmful, and they weren’t expecting their virus to go global. If so, they probably wouldn’t have left their names and number in there.

(Watch: Brain: Searching for the first PC virus in Pakistan, Mikko Hypponen talks with Basit and Amjad.)

How far did it go, and how did it go that far?

Well, in 1986 we didn’t have networks basically at all, a few research systems. Most companies obviously had no internet, but also no local area networks. They’d have multiple computers, but the only way to move data between those computers would be floppy disks. So, Brain spread with these floppies. For Brain to go from one country to another, somebody had to travel from one country to another, carrying that infected floppy with them. And that’s how it went global.

So it’s the same basic idea, but takes a lot longer.

Exactly. You have to physically travel.

And by the way, if you look at Stuxnet, which made the headlines last year, that’s the way it spreads. Unlike almost all of the other stuff that we see, Stuxnet does not spread over the internet. It spreads only on USB sticks. The only way for Stuxnet to spread from one country to another is for somebody to travel, carrying an infected USB stick. Just like Brain, it went global, and we have infections from countries all around the world. And this is 25 years later.

That leads to the point you made about how we have to learn to function even when the computers stop working. Not to be too broad, but how do we do that?

Well, we can’t function as well as we can with the computers. And that’s the reason we use computers. They’ve brought us so much more productivity and we are so much more efficient with computers, but we still should be able to continue operating the most critical parts of our operation when computers fail.

So for example, if you lose your customer databases, you should have a copy somewhere else. An off-site copy. You should have mechanisms of communication, like faxes, which are obviously getting removed from offices because nobody uses them anymore. Faxes are great when e-mail doesn’t work. I wouldn’t be throwing them away.

So, thinking about alternative ways of working, thinking about how do you reach the key people you need to reach who you always reach through your computer if computers don’t work. Do you have everybody’s phone numbers? Do you have ways of reaching them through other mechanisms? How do you reach all your staff if you can’t e-mail them for some reason? Things like that. These are the basic building blocks that are thought about when disaster recovery plans are designed, when there’s also somebody designing them who also thinks about computers. Normally disaster recovery is just about ‘fire burning the house down’ and how do you continue working after that.

There’s a cost-benefit calculation you have to do to figure out how much is worth the extra expense.

That’s true. Like I said, we can’t expect to be able to work as efficiently without computers, but we should be able to continue to do the critical parts. This matters more when it has to do with the critical infrastructure of our societies and things like that, but it also affects normal companies.

You said we need to invest in a global internet crime-fighting network. How do you envision that working?

Well, the problem is that the mechanisms we have in place work fine when we handle traditional international crime. They don’t work as well when we talk about this kind of online crime. Online crime is practically always international, because it almost always crosses traditional national borders.

This means that the amount of international crime has absolutely exploded over the last ten years. We still have roughly the same amount of traditional international crime, but we have all this online crime that has appeared on top of it. When I look at the resources that we have to fight online crime, I’m sorry to report that they haven’t exploded.

Even more worryingly, the mechanisms we’ve built to fight international crime have been built to fight single, large, financially important crimes like smuggling, or money laundering at large scale, or drug-trafficking. We’re fairly good at doing that — police forces from independent countries that are involved work together and share information, and they help each other, and it’s prosecuted in one of the countries, and we get the bad guys.

But all these countries are typically motivated to work together because it’s such a big crime, and it involves so many people. In the world of online crime… Well, you can imagine what happens when the police in one country starts to investigate a botnet, and they call the police in another country and they say, “We’d like your help to investigate this case — and to gather 400 gigs of information and do some research for us — because we’re investigating this one guy who stole a credit card number from this one grandmother in your country and stole $900 from her account.” That’s not going to fly.

That’s one of the main problems we have. These crimes don’t look as serious, and they don’t look as big, and they don’t look as important, and they don’t look as financially relevant as traditional crimes. But, what we easily miss is that it’s not just that grandmother. It’s like 10,000 of them, and the total amount of money is significant.

I understand that traditional crime has to get the priority. Especially when we start to think about problems that involve threat to life. For example, I was in Sao Paulo not too long ago. Some of the local law enforcement there spoke to some of the big banks. They have big problems with online crime, especially banking trojans, in Sao Paulo. One of the local police officers told me, “Yes, yes, we understand” that they have big problems. But what I don’t know (pointing at me) was that Sao Paulo is one of the murder capitals of the world and they have people gunned down on the streets every single day. So, where exactly are they supposed to put their resources?

When you look at it from that point of view, it becomes painfully obvious that you first worry about crimes where people die. And it also makes it obvious how easy it is for Westerners like us to point the finger to Brazil or China or Russia or some far away country and say, “You have a problem, fix it.” That’s not actually the answer, it’s too easy a way out.

So, if this is going to happen it needs a lot of resources from the first-world countries who are most affected by it?

Yes, and it would also need something of a framework where the member countries would be required to cooperate if another country is investigating, even if the crime doesn’t seem too important, or too big, or too financially important from your point of view.

What’s the danger if we don’t put something like this together?

Well, we’re risking the future of the net. People are already losing their trust. Once you get burned once — somebody steals your credit card, or makes a purchase on your account — people tend to stay away from online commerce, and from trusting online services.

You could also argue that that’s good. Right now we might be in a situation where most end-users trust the online world way too much — clicking every link, downloading every attachment, putting their password into every field. The risk is that if people lose their trust completely, or don’t rely on the information they see, we are going to lose the momentum and the growth of the net, and run the risk of losing all the great things that we’re expecting.

And our societies are already assuming that everybody is online. Everybody from teenage girls to grandmothers is online, and we can rely on them having internet connectivity, and we can start to move things like social-security services, voting, and all these things to the online world since everybody is there. And that implies that everybody has to be there, which implies that everybody has to be capable of protecting themselves there as well. And we can’t really put that kind of a burden on the teenage girls and the grandmothers of the world. We can’t assume that they know how to secure themselves. It is complicated, and it is technical. It should be on a higher level — the operating system manufacturers, security companies, and the internet operators.

Yeah, you’ve said that ISPs could be doing more. What could they do?

Well, there’s lots of stuff about blocking malicious addresses. Every single day we automatically detect malicious websites, or spam email servers, or peer-to-peer clients which are used by botnets to talk to each other so they can be controlled. Operators can simply block traffic to these sites — not just web traffic, but internet traffic altogether. And some operators do.

There’s actually quite a bit of difference between different operators in how much they do stuff like this. Things that are completely behind the scenes, but which concretely protect their paying customers. And that’s a tough position for an operator. Of course they want to protect their customers, but if the customers don’t see any benefit — and it’s quite costly to do this — it might be hard to explain it to their shareholders.

So then you have the question of making it required by regulation, and how much power you give to an international agency.

Right. Well, there are many different mechanisms to do this. I’m not very keen on regulation, or political choices.

Also, one thing I want to make clear: I don’t want to increase networked monitoring, or countries monitoring what their citizens are doing online in any way. I believe in the freedom of the net, but I don’t believe in the freedom of the net at the cost of having these online criminal gangs running completely loose, and using the freedom of the net to steal everybody’s money and take away the trust we have.

One other mechanism you talked about was finding the people who have the skills, but not the opportunities. What are the opportunities? And how do you go about finding the people, who tend to be all over the world?

Yeah. Once you cross the border and start doing online crimes the situation is much more difficult to fix. Once you’ve broken the law you have to pay, one way or another. So it would be much more beneficial for our societies to find these people and prevent it beforehand as much as they can.

And the situation is vastly different in different parts of the world. For example, I’m in Helsinki, Finland, which is one of the high-tech capitals of the European countries. If you live here and you understand networks and protocols, and you understand how to code, you’ll get a job, no problem.

If you’re the same person, with the same skills, living in the countryside of China, or Siberia, or the slums of Sao Paulo, nobody is hiring you. You have no opportunities to earn a living with the skills you have, unless you go to the online life of crime. You still have access to the internet, and can still reach all these rich Westerners, who are easy targets for a clever attacker. And that’s one of the reasons why many of these people tend to this life of crime. All the initiatives that help give opportunities to people who have skills but can’t find a way of using them would work.

There are some examples, like Imagine Cup, run by Microsoft, and Campus Party, originating from Mexico and Brazil, which are initiatives aimed at teenagers and people in their early twenties, getting them together and showing them productive stuff they can use their skills for.

Was there anything you really wish you’d been able to get in your talk, which you couldn’t for time?

Yes, when people who aren’t working in this field hear about things we are fighting and see some examples in practice, the obvious end result is that they get scared. And the outcome of that is that they think, “Oh my god, it’s horrible, I’ll never go online again, I’ll never use my credit card again.” And that’s not the right thing to do either, and it’s not what I’m trying to say.

What I’m saying is that we have criminals in the real world, and we have criminals in the online world. Of course we do, the online world is just the reflection of the real world. We have good people and bad people in both places. And the bad people in the real world don’t prevent us from living our lives and going to work and going to the shop, and they shouldn’t prevent us from doing that in the online world either.
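Hypponen’s point about operators blocking traffic to known-bad addresses, not just web traffic but everything, is easy to illustrate with a small filter. The following is an added example, not code from the interview or from F-Secure: it models an ISP-side filter that drops any flow whose destination matches a threat-intelligence blocklist regardless of port or protocol, and keeps a per-customer count so the operator can report the benefit to customers who would otherwise never see it. The blocklist entries, flow records and customer names are all constructed placeholders.

```python
"""Blocklist-based flow filtering across all protocols (added example).

Assumptions (not from the interview): a blocklist feed publishes IP prefixes
and domains; flow records carry the destination IP, port, protocol and,
where a DNS log supplied it, the resolved destination hostname.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed blocklist using documentation-reserved address ranges and
# reserved example domains; a real feed would be refreshed continuously.
BLOCKED_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.7/32")
]
BLOCKED_DOMAINS = {"malware.example", "spam-relay.example"}


@dataclass
class Flow:
    customer: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    dst_host: str = ""  # resolved name if known, otherwise empty


def is_blocked(flow: Flow) -> bool:
    """True if the destination IP or hostname is on the blocklist.

    The port and protocol are deliberately ignored: a botnet peer on
    UDP 6881 is blocked just like a phishing site on TCP 443.
    """
    addr = ipaddress.ip_address(flow.dst_ip)
    if any(addr in net for net in BLOCKED_PREFIXES):
        return True
    host = flow.dst_host.lower().rstrip(".")
    # Match the listed domain itself and any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def filter_flows(flows: List[Flow]) -> Tuple[List[Flow], List[Flow], Dict[str, int]]:
    """Split flows into allowed and blocked; count blocked flows per customer."""
    allowed: List[Flow] = []
    blocked: List[Flow] = []
    per_customer: Dict[str, int] = {}
    for f in flows:
        if is_blocked(f):
            blocked.append(f)
            per_customer[f.customer] = per_customer.get(f.customer, 0) + 1
        else:
            allowed.append(f)
    return allowed, blocked, per_customer


# Constructed sample flows: a mix of web, mail, DNS and peer-to-peer traffic.
SAMPLE_FLOWS = [
    Flow("cust-A", "203.0.113.45", 443, "tcp", "malware.example"),
    Flow("cust-A", "93.184.216.34", 443, "tcp", "example.com"),
    Flow("cust-B", "198.51.100.7", 6881, "udp"),            # P2P peer, no hostname
    Flow("cust-B", "192.0.2.10", 25, "tcp", "mail.spam-relay.example"),
    Flow("cust-C", "192.0.2.11", 53, "udp", "resolver.example"),
]


if __name__ == "__main__":
    allowed, blocked, per_customer = filter_flows(SAMPLE_FLOWS)
    for f in blocked:
        print(f"BLOCK {f.customer} -> {f.dst_ip}:{f.dst_port}/{f.proto} {f.dst_host}")
    print("allowed:", len(allowed), "blocked per customer:", per_customer)
```

The hostname match is included because a blocklist that only carries IPs misses infrastructure that moves between addresses; conversely the IP match catches peers that were never resolved through DNS at all, which is the usual case for botnet peer-to-peer traffic.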

Comments (12)

  • Pingback: » Mikko Hypponen: Three types of online attack - CyberZoned

  • Pingback: » Mikko Hypponen: Fighting viruses, defending the net - CyberZoned

  • Ania Ciuba commented on Dec 5 2011

    Mikko is answering your questions in the F-Secure Community http://community.f-secure.com/ on December 5-9 2011.

  • Pingback: technology, mobile phones, the internet, social networks | sheplyon

  • Pingback: The dangers of online crime: Q&A with Mikko Hypponen | sheplyon

  • Nicolas Iragorri commented on Sep 13 2011

    Lol, sorry, didn’t get it before. I see what you were going for. Cheers!

  • Yago Nuchera commented on Sep 6 2011

    Hi again Nicolas!
    Thanks for your email, fellow Linux user :) I agree with everything you say in it, but I have to point something out: I never said security companies like Mikko’s would be writing viruses no matter the reason, and you imply that that’s my opinion when, in fact, it is not.

    Let me put it differently so that maybe you understand what I was trying to convey:
    Imagine that you work for, say, a homeless charity.
    You work everyday 10 to 6pm thanks to the fact that there are homeless people who need your company’s service.
    If all of a sudden homelessness was to disappear, you’d lose your job…
    Would this realization get you to push people off their homes so as to maintain your job? Well, I hope not. But that doesn’t change the fact that the homeless situation directly benefits you and that, in this capitalist system, you have to market your service…

  • Yago Nuchera commented on Aug 30 2011

    Hi Nicolas! Thanks for your comment, I stand corrected.
    I overspoke when I said that GNU/Linux OS’s are SECURE. I should have said that they are abysmally more secure than Microsoft’s products.
    But let me also point out that the Windows market share figure is made up by the number of Microsoft OS’s CD/DVD sold plus the number of computers sold with Windows already installed. All of my 3 machines were bought with Windows on them but none of them run it any more. It simply is much, much easier to get a good machine with Windows on it than with any flavour of Linux. If all Linux users were like me (and I know for a fact that some of them are) is that 70% actually representative or is it just a way of bending the information for one’s purpose?
    The main reason why GNU/Linux is inherently more secure is because it is Open Source, not just because the kernel is more robust and the administration of permissions prevents anyone from making any changes to the computer without the use of the administrator password. The Open Source community who’s constantly actively checking the health of the code is huge. Microsoft could never hire such an amount of people to do the work that they get done in Linux. The cases you mention (iOS and Android) are OS’s that have taken a Linux environment and added their own proprietary source code on top of it, which straight away weakens them to attacks.
    I’m not saying Linux is invulnerable, god forbid, but it is much better prepared to cope with them with little or no effect on the user. Security companies like Mikko’s benefit from the existence of weaknesses, so the question is: do they actually want to eradicate security issues in computers and, therefore, lose their jobs? I don’t think so. But then again, I am only human and known to be wrong.
    In any case, I thank you again for reading what I have to say, I appreciate it.


    • Nicolas Iragorri commented on Sep 3 2011

      Hello Yago!! Indeed I think it’s true what you say, as to why Linux is more secure, and the vulnerabilities of iOS and Android. I am a Linux user myself. I have to turn to Windows every now and then because I need it for work, but I use Linux every time I can and I’m loving it more every time. Distros like Ubuntu have come a long way and really just work out of the box. Like you I love PCs, because of prices and the computer models that are available, but without Linux you really can’t get the juice out of it. If you leave Windows installed you always feel like you’re stuck behind the Pentium I era.

      You gotta love free software ( free as in freedom ). Private corporations will always put their priorities first. With Linux it’s all about the user experience ( by users for users ). A wise man once said, “You can’t serve two lords”. What I mean by this is, when you design an OS or an application, you gotta have a philosophy behind it, either it’s profits or it’s ease of use and convenience, you just can’t have both.

      My opinion on what you asked about companies is the following. I do think it’s true that it’s in those companies’ interest to keep deleting viruses, and so they benefit from the abundance of malware on the net. But I think they have absolutely no need to produce them. Take a look at any country and see how many murderers, drug dealers, criminals, thieves and thugs live there. You know for a fact you won’t find a single country that doesn’t have these problems. And in some cases you’ll see politicians have no control over it because of the magnitude of the situation. The Middle East is constantly at war. I have to admit (even if I would like not to) that the world is still filled with people who’ll do wrong to others. And the technology and knowledge to do harm to others over the web exists. It’s very cheap, and it’s widely available to everyone. Even with all these advances we’re still very far away from what an evolved civilization would be. So, imagine that these security people truly are greedy people who would do anything to suit their needs. Even if they wanted to, do you think they would start to write viruses and invest time and money into this? And even worse, risk being discovered by some ethical hacker and be ridiculed before the whole world? I think it wouldn’t be a smart move. In my opinion they don’t even have the necessity to do it. And given the case they do need to write viruses to stay on board, would they write them? I couldn’t answer, I would have to ask them.

      It’s always a pleasure debating over the web :D

  • Pingback: TED Talk | Just Got Hacked

  • Yago Nuchera commented on Aug 10 2011

    This whole interview is indeed very interesting and I thoroughly enjoyed the very fresh moments Mikko delighted us with in his talk, but something is not being said here, and that is that all of this talk about security is based on the fact that the majority of us are using a system that is really vulnerable to virus attacks. Why do we have to focus and deploy so much of our efforts and resources in fighting back and trying to catch the thieves no matter what, when it would be far cheaper and cleverer to just use a safer environment, one that is inherently secure from the kernel up like all GNU/Linux OS’s?
    To me Mikko’s lecture sounds more like a spokesman from a security company in its attempt to spread fear so as to indoctrinate people into investing more in their field, rather than a real attempt to eradicate the problem.

    • Nicolas Iragorri commented on Aug 27 2011

      Hi Yago!! Using Linux or OS X is not going to solve the problem. They are more secure and have less viruses than Windows but that doesn’t make them invulnerable to any attacks. The main reason there are so many viruses for Windows PCs is that they have over 70% of the market share for PC operating systems, so hackers cover more ground by targeting PCs with Windows. Do a search in Google and you’ll find that there are several viruses and hacks for iOS and Android which are based on OS X and Linux, mainly because they are used widely. Windows security IS worse but that doesn’t mean you can’t hack OS X or Linux. Technology hasn’t gotten to the point where a computer can detect a hacker per se, you have to rely on security mechanisms, policies and permissions, and most importantly a security professional. That is at least for the time being.