As 2013 winds to a close, there’s no denying it’s been a fascinating year – and no one agrees more than Mikko Hypponen, malware adventurer, famed TED speaker, and F-Secure’s Chief Research Officer. But how will the extraordinary events of 2013 influence the Internet in 2014? I sat down with Mr. Hypponen to hear his thoughts about the Snowden revelations, crypto currencies and the hidden Web.
How will the Internet change as a result of Snowden’s revelations?
The Web came around 20 years ago. For the first 15 years of the Web, we lived in a sort of utopia where there really were no borders, no distances, no geographies, no countries. People couldn’t care less about where their data was stored. For once, we had something truly global.
What I’m seeing happening right now is we are losing this utopia, and the reason is that this wholesale espionage is being used against the citizens of the world. So people are starting to ask questions like where is my data stored, under which country’s laws, which country is this software coming from. These are questions nobody was asking 20 years ago, and this is a really sad development because this great global Internet is becoming shattered and broken down by country lines. So in 2014 and beyond this segregation of the Internet will continue.
What’s the worst case scenario?
The worst case is the Internet becoming a series of disconnected islands because people don’t trust foreign countries anymore, especially powerful countries like the USA. Basically complete breaking of the global trust.
And the best case?
Best case is that Snowden keeps leaking explosive stuff about wrongdoings of the US intelligence agencies. Eventually he leaks such bad stuff that the revelations outweigh whatever Snowden himself has done. He’s forgiven by the US people, he receives a hero’s welcome at home, the US intelligence agencies are brought back under control, and everybody wins.
How should people change how they use the Web in 2014 because of the revelations?
One thing that I said during my TEDxBrussels talk in October was that people shouldn’t be worried, they should be outraged. Fighting this sort of thing with technical measures is hard. If change is going to happen, it’s going to happen through political change and international pressure.
But as far as technical things, my advice is to use encryption everywhere, use strong passwords or a password manager (like F-Secure Key), use cloud services from countries that aren’t conducting wholesale blanket surveillance. Use the same good computing hygiene that you would use to protect yourself from computer crime and malware.
So on the whole, is it good that Snowden did what he did?
Absolutely it’s a good thing. Regardless of Snowden’s motives, he did us a favor by revealing the details of these intelligence agencies. Because they are out of control. The fact that they undermine encryption algorithms makes us all less secure.
What do you think about whistleblowing in general?
Protecting valid whistleblowers is very important because they alert us to wrongdoing that would otherwise never have been revealed.
All these companies like Google and Facebook say they have not been complying with and didn’t know anything about PRISM. What do you think?
I don’t believe these companies are voluntarily cooperating. When Google says “we are not giving data to the NSA” I believe them. I believe most of these companies are victims themselves. I believe they are getting breached by their own government.
What do you think is the US intelligence agencies’ ultimate goal? Do you think their goal is to protect America from terrorism, or is it something more sinister?
I don’t think it’s either. I don’t think the people working inside the NSA are evil people with some sinister plot. I believe they’re trying to fulfill their mission which is to provide signals intelligence. They are fulfilling their mission – but the problem is, they seem to be willing to go to any lengths to do it. They’ve lost their way. They’ve lost sight of their original goals, they’ve become too powerful and they’re out of control. It’s not just about terrorism either, or why would they be tapping Angela Merkel’s phone?
Any other predictions for 2014?
On a different subject entirely, I think 2014 will be the year when crypto currencies like Bitcoin switch from being something that only geeks are aware of to something that regular people know about. The age of virtual, crypto currencies is finally here and it’s long overdue. The one to go mainstream might not be Bitcoin, but maybe a clone or son of it. Of course, just like cash, Bitcoin can be used for good and for bad. And we’re seeing the use for bad in the online crime world.
In April I noted on Twitter when Bitcoin value had reached 100 US dollars, and I predicted it would break $1000 by the end of the year. Today it’s $980. Good call!
(Bitcoin broke $1000 a few days after this interview)
And what about the hidden Web, or deep Web we’ve been hearing about lately?
When the Web originated, the powers that be didn’t see the importance of the Internet. Now the powers that be are trying to control it as much as they can, which means the whole Internet is changing, and we’re fighting for its future.
We’re seeing people who still want to be free on the Web moving to the hidden Web, which will be brought under control as well, in time. And bad things are happening on the hidden Web for sure, but that doesn’t mean the whole thing is bad. People think it’s bad, but that’s what they used to think about the traditional Web as well.
See more of Mikko’s recent comments:
TEDx Brussels talk: How the NSA Betrayed the World’s Trust – Time to Act
Reuters TV interview: In Cloud We Trust
Reuters TV interview: Bitcoin – the Latest Front in Cybercrime
It’s a well-known fact that UK’s Prime Minister David Cameron doesn’t care much about peoples’ privacy. Recently he has been driving the so called Snooper’s Charter that would give authorities expanded surveillance powers, which got additional fuel from the Paris attacks. It is said that terrorists want to tear down the Western society and lifestyle. And Cameron definitively puts himself in the same camp with statements like this: “In our country, do we want to allow a means of communication between people which we cannot read? No, we must not.” David Cameron Note that he didn’t say terrorists, he said people. Kudos for the honesty. It’s a fact that terrorist blend in with the rest of the population and any attempt to weaken their security affects all of us. And it should be a no-brainer that a nation where the government can listen in on everybody is bad, at least if you have read Orwell’s Nineteen Eighty-Four. But why does WhatsApp occur over and over as an example of something that gives the snoops grey hair? It’s a mainstream instant messenger app that wasn’t built for security. There are also similar apps that focus on security and privacy, like Telegram, Signal and Wickr. Why isn’t Cameron raging about them? The answer is both simple and very significant. But it may not be obvious at fist. Internet was by default insecure and you had to use tools to fix that. The pre-Snowden era was the golden age for agencies tapping into the Internet backbone. Everything was open and unencrypted, except the really interesting stuff. Encryption itself became a signal that someone was of interest, and the authorities could use other means to find out what that person was up to. More and more encryption is being built in by default now when we, thanks to Snowden, know the real state of things. A secured connection between client and server is becoming the norm for communication services. And many services are deploying end-to-end encryption. That means that messages are secured and opened by the communicating devices, not by the servers. Stuff stored on the servers are thus also safe from snoops. So yes, people with Cameron’s mindset have a real problem here. Correctly implemented end-to-end encryption can be next to impossible to break. But there’s still one important thing that tapping the wire can reveal. That’s what communication tool you are using, and this is the important point. WhatsApp is a mainstream messenger with security. Telegram, Signal and Wickr are security messengers used by only a small group people with special needs. Traffic from both WhatsApp and Signal, for example, are encrypted. But the fact that you are using Signal is the important point. You stick out, just like encryption-users before. WhatsApp is the prime target of Cameron’s wrath mainly because it is showing us how security will be implemented in the future. We are quickly moving towards a net where security is built in. Everyone will get decent security by default and minding your security will not make you a suspect anymore. And that’s great! We all need protection in a world with escalating cyber criminality. WhatsApp is by no means a perfect security solution. The implementation of end-to-end encryption started in late 2014 and is still far from complete. The handling of metadata about users and communication is not very secure. And there are tricks the wire-snoops can use to map peoples’ network of contacts. So check it out thoroughly before you start using it for really hot stuff. But they seem to be on the path to become something unique. Among the first communication solutions that are easy to use, popular and secure by default. Apple's iMessage is another example. So easy that many are using it without knowing it, when they think they are sending SMS-messages. But iMessage’s security is unfortunately not flawless either. Safe surfing, Micke PS. Yes, weakening security IS a bad idea. An excellent example is the TSA luggage locks, that have a master key that *used to be* secret. Image by Sam Azgor
If you run a Wordpress site, you know that criminals around the world would love to use it to spread malware. Last month, F-Secure Labs spike in "Flash redirectors" that automatically redirect the visitor to a site with the goal of infecting them with malware, in this case the Angler exploit kit. The source was compromised websites -- specifically Wordpress sites. This isn't a new find for the Labs but what is unique is one of the tactics of the attack -- seeking out Wordpress usernames. Why? "After obtaining the username, the only thing that the attacker would need to figure out is the password," Patricia from The Labs explains. "The tool used by the attacker attempted around 1200 passwords before it was able to successfully login." If you happen to have one of those passwords, bam. You site is serving up malware, which is not only harmful to your visitors, it can cost you tons of traffic as Google delists you. Keeping your server and plugins up to date is essential for avoiding most attacks. Beyond that, this attack points to the need to both protect your Wordpress username AND always use a unique, strong password. "Furthermore, in order to defend against this kind of WordPress attack, you should not use a WordPress admin account for publishing anything," Patricia notes. You can also protect your server from enumeration attacks that discover the usernames of your bloggers. To see how to do that, visit our News from the Labs blog. It's pretty amazing what people can figure out about you with just your login and password. But when you're running a website, which can be part or all of your livelihood, the only way to keep from handing criminals the key to your front door is to make sure your password can't be figured out by anyone but you. And turn on two-step authentication if you haven't already. Cheers, Jason
We have a dilemma, and maybe you want to help us. I have written a lot about privacy and the trust relationship between users and software vendors. Users must trust the vendor to not misuse data that the software handles, but they have very poor abilities to base that trust on any facts. The vendor’s reputation is usually the most tangible thing available. Vendors can be split into two camps based on their business model. The providers of “free” services, like Facebook and Google, must collect comprehensive data about the users to be able to run targeted marketing. The other camp, where we at F-Secure are, sells products that you pay money for. This camp does not have the need to profile users, so the privacy-threats should be smaller. But is that the whole picture? No, not really. Vendors of paid products do not have the need to profile users for marketing. But there is still a lot of data on customers’ devices that may be relevant. The devices’ technical configuration is of course relevant when prioritizing maintenance. And knowing what features actually are used helps plan future releases. And we in the security field have additional interests. The prevalence of both clean and malicious files is important, as well as patterns related to malicious attacks. Just to name a few things. One of our primary goals is to guard your privacy. But we could on the other hand benefit from data on your device. Or to be precise, you could benefit from letting us use that data as it contributes to better protection overall. So that’s our dilemma. How to utilize this data in a way that won’t put your privacy in jeopardy? And how to maintain trust? How to convince you that data we collect really is used to improve your protection? Our policy for this is outlined here, and the anti-malware product’s data transfer is documented in detail in this document. In short, we only upload data necessary to produce the service, we focus on technical data and won’t take personal data, we use hashing of the data when feasible and we anonymize data so we can’t tell whom it came from. The trend is clearly towards lighter devices that rely more on cloud services. Our answer to that is Security Cloud. It enables devices to off-load tasks to the cloud and benefit from data collected from the whole community. But to keep up with the threats we must develop Security Cloud constantly. And that also means that we will need more info about what happens on your device. That’s why I would like to check what your opinion about data upload is. How do you feel about Security Cloud using data from your device to improve the overall security for all users? Do you trust us when we say that we apply strict rules to the data upload to guard your privacy? [polldaddy poll=9196371] Safe surfing, Micke Image by balticservers.com