>>Mikko Hypponen: My name is Mikko Hypponen. I have been working for the past 20 years
researching, analyzing viruses and tracking online criminals for F-Secure Corporation.
The Internet is a reflection of the real world and just like the real world has problems
with criminals and crime and bad people. Obviously, we have exactly the same problems in the online
world. Since I have spent pretty much most of my
life watching these online criminals, I wanted to share with you my view of who we actually
are fighting today. Because if we understand where the attacks are coming from, we are
much better equipped in actually fighting these problems. We can try to solve these
problems by having technical solutions, having all the antiviruses, all the firewalls, all
the patching, all the backups. But if we want to go a bit deeper, we have to understand
where the attacks are coming from. Of course, the attacks are global and they are going
on right now. When we track with our systems where different
attacks are coming from and where they are going, they are constantly -- right now we
are finding more than 100,000 new malicious samples of (inaudible) every single day. It
is just totally out of control. Where are these coming from? And I group the
current attackers into three main groups. We have the organized criminal gangs. Then
we have different kind of attacks coming from hacktivists. And then we have attacks which
are launched by different countries and nation states.
So, first, criminals who make money. Organized criminal gangs, gangs operating from Russia,
from Ukraine, from Kazakhstan, from Belarus, from Romania, from China, from Brazil. These
are global issues. And these guys, their motivation is money. And money is a good motivator. People
do pretty much anything for money. And if they can make good income by writing viruses,
infecting people's computers, they will be doing that. And they have been doing it since
around 2003. We found the very first PC viruses 25 years
ago in 1986. But we found the very first money-making viruses only around eight years ago.
Today the Internet is full of millionaires who became millionaires by writing viruses
and infecting people's computers. For example, this photo right here was found
during a forensic examination of a lineup server which was used as a drop site for a
banking Trojan attack. On that server was a deleted folder which had deleted images
taken from a digital camera. One of those images was this. We tried to estimate how
much money there is in the photo. It's around $1.5 million, which looks like a lot of money.
But, then again, we have to remember the value of the dollar has been going down, so...
[ Laughter ] Here's I-Frame Biz. This is a Web site run
in St. Petersburg, Russia, specializing in buying access to infected computers. So if
you are a virus writer anywhere in the world, you can infect computers, you can simply sell
the access to those infected home computers and corporate computers to these guys. They
will pay you money for infecting machines, which, of course, then means they have to
be able to monetize those computers somehow. You can sort of see the lifestyle image they
are trying to portray to people they would like to buy infected computers from.
[ Laughter ] Infect computers, sell them to us, become
rich, meet girls, that's the way it works. [ Laughter ]
This is Albert, known as Segvec online. Photographed in the penthouse suite of, I believe, the
Peninsula Hotel in New York while he is hacking away. Here is his partner in crime, Mr. Watt,
known online as UNIX terrorist, partying in the same hotel in the pool.
Nice lifestyle. How can these guys afford a lifestyle like this? Well, they can afford
it by paying their bills with your credit cards. That's what they do. So these are Americans.
But, of course, we have attackers coming from eastern Europe as well like (saying name)
from the City of Kiev which is in Ukraine, or Vladimir Tsastsin from the city of Tartu,
which is in Estonia. And the attacks these guys are
making are actually being monetized through things like keyloggers. Keyloggers sit on
your computer and save everything you type. So every password you type is saved and sent
to the criminals. Every email you type is saved and sent to the criminals. Every Google
Search you do, the same thing. Every Bing search you do, the same thing. Of course,
that's a joke. They are not really recording Bing searches because nobody uses Bing.
[ Laughter ] Nice, smooth.
[ Laughter ] Now, the real target of these attacks, of
course, is to have the keylogger active when you do online shopping because when you do
online shopping you will be typing in your name, address, credit card number, expiration
date, security code which means they gain access to your systems.
Many of these guys have made a total business out of these operations. They run Web sites
where they can -- where they will buy access to infected computers. They buy and sell stolen
credit card numbers, buy access to infected servers. This is a flash animation from a
Web site called Carderplanet where they advertise their services. Buy credit cards from us,
become rich, be independent. It has become very organized.
This is the bigger problem we fight. Organized criminal gangs are the single biggest problem
we have. Then we have these guys. Group number
two, hacktivists, social activists who operate globally thanks to the Internet. The Internet
is global. No distances, no borders. And people who would like to protest something used to
be able to do it locally. Now, of course, they can do it globally and they can do it
everywhere in the world. Groups like Anonymous made the headlines late
last year. They have been around for quite a while, but they really started making headlines
when they started large-scale attacks, mostly related to WikiLeaks' saga, trying to shut
down Web sites of companies like Visa and MasterCard and so on.
Anonymous is like an amoeba. It changes structure, no clear leadership, no clear roster, no clear
membership list, different operations have different people behind them. And nobody really
knows who is actually a member and who's not. Like they say themselves, we are all anonymous.
But he decided to investigate this. He is Mr. Aaron Barr. He used to be a CEO for a
company called HBGary Federal. It is a security company which did a lot of consulting for
the U.S. government. And they specialized, well, in many things
but one was social -- gathering intelligence from social networks. So Mr. Aaron Barr infiltrated
these different chat boards and online forums used by different anonymous operations and
became one of them, collected information about their group.
And then he gave an interview about this. He spoke to a journalist called Andy Greenberg
from "Forbes" and explained he has done all this research and is going to make all this
information public next week in a conference in San Francisco. And this was in February.
He gave the interview on Friday. It was printed in "Forbes" on a Friday. He was due to give
the talk on Tuesday. He never did because during the weekend, his
Facebook was hacked. His Twitter was hacked. His email accounts were hacked. The email
archives of the whole company were hacked. In fact, they were put online and they are
still online today on a system where anybody, including any of you, can go and search for
the whole email history of this company for the past five years, since the company
was started, including reading every single confidential email, every single private email,
every single classified email that this company has sent or received, which is pretty devastating.
It is a good example of just how ruthless groups like these can be when they feel threatened.
And then we have group Number 3, nation states, countries launching the attacks. We've seen
online espionage and spying for a number of years. Spying, of course, is collecting information.
Information obviously is data today. If you want to reach information, you don't really
go after paper in physical locations anymore. You go after the computers and the computer
networks. You know of the attacks, like the Aurora attack against Google itself last year
and many, many similar cases. Then we have other kinds of attacks like what's
been going in Iran. Iranian hackers have gained access to at least two certificate authorities,
so they are able to issue SSL certificates and code-signing certificates including issuing
SSL certificates for -- a fake certificate for google.com apparently because then the
Iranian government can monitor dissidents within Iran while they are using Gmail to
do their communication. And then we have cyber sabotage, maybe in
the future real cyber warfare. Best example, of course, is what we saw with Stuxnet.
Stuxnet, the worm, we found in the summer of 2010. Stuxnet, which is the first worm
in history that targets automation systems, in fact, it targets these. This is a Siemens
S7-400. It is a PLC box roughly this size, costs you around $5,000. And this is what
runs our modern societies. This runs factories, (inaudible), heaters, pumps. The elevators
in this building are most likely controlled by something like this, and that's what Stuxnet
targets and through that targeted the nuclear enrichment program in Iran.
So what can we do about these three problems? Problem number one, organized criminal gangs,
the solutions are obvious. Of course, we have to do technical safeguards like taking backups,
patching, running antivirus. That's clear. But even more importantly, we should be able
to catch these guys, find them and put them behind bars. That's something we are doing
really, really poorly at the time. Hacktivists. This is the next generation.
That's the generation that's growing up, the generation that doesn't know of a time when
Internet wasn't around. And for them, it seems to be as natural to go online and launch denial
of service attacks to make their point as it is to go to the streets and have a real-world
protest. And we have to be able to reach them and explain to them that it is not the same
thing. Freedom of speech, support, you can go and have a peaceful protest. Going online
and launching denial of service attacks is illegal.
And then we have the last group, nation states, behind these attacks. And that is a tough
problem because I think universally, it is probably a good thing that somebody is doing
something about the Iranian nuclear program, right? That's probably not something we would
try to stop. But we have a real problem that we have security mostly being provided by
private security companies from independent countries. And if you are getting your security
solutions from a vendor in Country A and you actually might be worried about attacks targeting
your own country from the same country, things get really complicated.
So, while the Internet really is global, the situation is that the borders still sometimes
matter. Thank you very much. [ Applause ]