End of the Web As We Know It?
Sep 19th, 2011 | By Innovya
by James Tulloch
Mikko Hypponen, cybersecurity expert, speaks during TEDGlobal 2011 in Edinburgh, Scotland. “Stuxnet shows that the PLCs that control our entire infrastructure, everything that we rely on, can be infected.” (Source: James Duncan Davidson / TED Conferences)
Cybersecurity expert Mikko Hypponen, chief research officer at F-Secure Corporation in Finland, has some chilling warnings about the age of organized cybercrime and Stuxnet-style cyberwarfare. We tracked him down at TEDGlobal 2011 in Edinburgh.
You have tackled many computer virus outbreaks. Who or what are the biggest cyber threats today?
We can split attackers into three basic groups.
There are the hobbyists or hacktivists like Anonymous or LulzSec. They are not trying to make money, they are trying to send a political message, do it for fun or the challenge.
They are a problem but not nearly as bad a problem as organized criminal gangs who do all their attacks for money: they infect home computers, do banking Trojans to steal data, hack credit card details, hijack computers for ransom. They are the biggest threat to the normal end user.
The third problem is cyberwar or cybersabotage, things like the Stuxnet virus launched against a nuclear research centre in Iran, or countrywide denial of service attacks like we saw hitting Georgia and Estonia. These problems will be even more frequent in the future.
How do cybercriminals steal our sensitive data?
The most typical way to become a victim is to take a Windows computer and go online. Five years ago it was done through email, now it’s done through the web.
You might go to Google, click on a search result, and you’re infected. You don’t see anything happening, you can’t tell. They hack into high-profile websites like newspaper websites and insert some exploit codes and so you visit the site, read the news, and get infected.
Another way is to make a new, fake site from scratch, put lots of keywords there and so it ends up in the search results. There is no real content there but you go there and get infected.
Then there are key loggers. They sit silently on your computer and record everything that you type. Everything is saved and sent to the criminals. They are looking for online purchases when you type your name, address, credit card details and security codes.
How much is cybercrime costing us?
Nobody really knows. Nobody can calculate it reliably because the biggest losses come from denial of access to services, for which it is difficult to calculate the losses. You hear that cybercrime is bigger than the drug trade. I don’t believe that. It’s big, but it’s not that big. I believe it’s in the hundreds of millions of euros per year.
So what can we do to protect ourselves?
We have to stop blaming the user because most problems are not related to the user.
Of course the computer has to be vulnerable, which can be down to user error, but that gets very technical. Your Windows might be updated, but what about QuickTime, Flash and Java plug-ins or add-ons?
We have to move responsibility up to higher levels, to operating system manufacturers, to security companies like us, and to operators and Internet Service Providers (ISPs) that provide the connections.
What about governments or law enforcement authorities?
In the online world each individual crime is small but there are lots and lots of them, and victims all over the world. It makes it a nightmare to investigate.
On the internet there are no borders, making every single online crime an international crime, beyond national jurisdictions. That means the sheer numbers of international crimes have exploded in the last ten years. Have the numbers of international law enforcement systems exploded in the last 10 years? No they haven’t.
We are proposing a new framework, like Interpol, focusing on online crime. All countries would promise to work together. So if country A is investigating a crime involving servers in countries B and C, those countries would be forced to help solve the crime.
So the internet needs to be more orderly than previously?
Yes, it does but we have to be very careful not to restrict the openness, creativity and freedom of speech we have on the internet, careful not to move towards a police state.
Mikko Hypponen at TEDGlobal 2011: “Fighting viruses, defending the net”
You say we risk losing everything if we don’t deal with cyber security. What do you mean?
When people learn about these security and privacy problems their first reaction is to never go online again. That’s perfectly human but it’s not the right reaction. We have crime in the real world. Yet people run businesses and walk the streets.
One thing we are missing from the online world which we have in the real world is police work. That is why we have to fight these security and privacy problems. We risk these criminals running rampant and taking away people’s trust. If people don’t trust the net they won’t use it.
We are already seeing some countries blocking ISPs from some regions so we risk turning the globalized internet back into nation states or islands of internet usage that don’t talk to each other.
Which brings us to cyberwarfare: why is Stuxnet such a revolutionary threat?
Stuxnet is unique. Yes, it infects computers but in addition it is capable of jumping from those computers to Programmable Logic Controller (PLC) boxes, in Stuxnet’s case Siemens PLCs running Siemens’ own operating system. These PLCs operate all kinds of infrastructure, factories and systems.
Stuxnet infects the PLC and hopes that device is used in one specific target—in this case the Natanz nuclear enrichment processing plant in Iran. We believe it broke nuclear fuel enrichment centrifuges by turning them at the wrong speeds. But if it infects other PLCs that end up in a food processing plant then nothing will happen.
That is a targeted attack, a very difficult attack, and a very worrying attack.
What happens now that the Stuxnet genie is out of the bottle?
Let me tell you something worrying. Three months ago I went online and tried to find a copy of Stuxnet from public sources. It took me three minutes. Any other government or any extremist group could try to modify Stuxnet, it is right there.
It is the first of its kind, so far we’ve only seen one, but the worry is we will see more. Stuxnet shows that the PLCs that control our entire infrastructure, everything that we rely on, can be infected.