Cybersecurity expert Mikko Hypponen offers a surprisingly entertaining tour through certain darker regions of the internet. He focuses on malware, relating its history from the first viruses to the modern, more dangerous exploits of online criminal gangs, spies, terrorists and rogue nations. An engaging storyteller, Hypponen describes investigating notorious malware attacks, and advises how businesses and individuals can better protect themselves online.
- The internet enables new security threats to individuals, companies and nations.
- For decades, malware has been the main tool for breaching computer security.
- Money motivates malware attacks.
- Modern warfare utilizes malware.
- Law enforcement uses malware in criminal investigations.
- Security breaches succeed due to technological or human error.
- Maintaining security will grow increasingly challenging in the future.
The internet enables new security threats to individuals, companies and nations.
Anyone who connects to the internet faces danger from malware. Criminals use this software to extort money from victims worldwide. Governments use malicious software to spy on other nations and carry out new forms of warfare and sabotage.
“The internet is the best and the worst thing that has happened to us.”
As more devices, appliances and infrastructure connect to the internet, malware threats will multiply.
For decades, malware has been the main tool for breaching computer security.
Malware is the umbrella term for invasive programs such as viruses, worms and trojans. Viruses first surfaced in the 1980s, spreading via shared floppy discs on computers such as the Commodore 64 and Apple II.
Viruses didn’t become a significant problem until the advent of the IBM PC. Unlike earlier computers, the PC was “open” – other manufacturers could build compatible computers and accessories, and anyone could write programs for it.
With accessories such as modems and network cards, PC users accessed online file-sharing services such as bulletin board systems (BBSs). In the early 1990s, BBSs provided the main vector for the next generation of malware – file viruses. These viruses infected program files on MS-DOS operating systems and, later, on Windows. When the internet gained traction, email and FTP file sharing offered additional infection routes.
“We’re the first generation that is living part of our lives online and part of our lives in the real world.”
Later generations of malware include:
- Macro viruses – These viruses infected shared documents, such as Word or Excel files. The first macro viruses weren’t damaging, but later versions corrupted or overwrote documents, and some made small, random changes that wreaked havoc in certain documents, such as budget proposals.
- Email worms – These spread through email attachments. The worm instructs an infected computer to send copies of itself to all the addresses in the user’s contact list. Each email appears to come from someone the recipient knows, which increases the likelihood they will open the attachment. If they do, the worm again sends copies to everyone in that recipient’s contact list. Email worms became more dangerous when malware authors combined them with macro viruses, which could spread private documents from infected computers.
- Internet worms – This malware eliminated the need for a recipient to open an infected email. Worms infected computers at great speed. In 2003, for example, the internet worm Slammer shot across the world. In 15 minutes, it infected every computer it could. Slammer caused significant difficulties at international banks, and infected a nuclear power plant’s local area network.
- Exploit kits – Hackers spread this malware by compromising popular websites, turning them into conduits for installing malware on visitors’ computers.
- Ransomware trojans – This malware locks the data in the victim’s computer by encrypting it. The attackers then sell the victim a decryption key.
Money motivates malware attacks.
Cybercrime is an industry worth billions. Online criminal gangs’ income increases about 100% a year, and the value of their assets – which they usually store as bitcoins – has also soared. Cybercrime is such a significant problem that the US State Department offers a $10 million reward for tips that lead to the arrest of members of certain online crime gangs.
Using viruses for monetary gain began in the early 2000s when “spammers” – people who send out junk email – collaborated with virus creators. Previously, email spam filters removed potential junk from inboxes by scanning for mail from blacklisted addresses and servers. But with the aid of viruses, spammers could hijack home computers to send out the spammers’ messages and infected attachments.
Criminals increasingly relied on ransomware trojan attacks. In a notable 2009 attack, the malware FileFixer encrypted users’ documents and displayed an error message claiming the file system was corrupted. The message, which appeared to come from the Windows operating system, recommended purchasing the software Data Doctor. Data Doctor claimed to repair the corrupted files; in fact, it simply decrypted them. Thousands of people paid the $89 licensing fee for Data Doctor.
Such schemes were somewhat risky for the perpetrators, because they had to collect the ransom by way of credit or gift cards. But in 2013, a newly discovered trojan, CryptoLocker, offered the option of paying a reduced ransom with bitcoin.
“The appearance of bitcoin and other cryptocurrencies is both wonderful and problematic – much like the internet itself.”
Bitcoin has become the currency of choice for online criminal transactions. Bitcoin transactions are recorded on a public ledger, but the wallets involved need not be tied to any real identity, so investigators often cannot attribute a payment to a person, and the transactions are irreversible. You can’t stop payment on a bitcoin transaction, and no entity provides refunds – as PayPal does, for example, in cases of scams or nondelivery. Rogue nation North Korea prefers to collect bitcoins, because unlike dollars or euros, cryptocurrency can pass through economic embargoes.
Modern warfare utilizes malware.
Nations utilize cyberweapons because they can inflict considerable damage and prove less costly than traditional armaments. Development costs for Stuxnet, one of the most effective cyberweapons, were probably about $20 million, a bargain compared to the cost of a conventional aerial bombing campaign. Experts believe Stuxnet sabotaged Iranian centrifuges that enriched uranium – a devastating setback for Iran’s nuclear weapons program. Cyberweapons such as Stuxnet can run for years before anyone discovers them.
Cyberweapons provide a veil of plausible deniability. Most experts believe the United States and Israel collaborated on the development and deployment of Stuxnet, but no hard proof has come to light. Cyberweapons also enable countries to launch attacks that appear to be the work of other nations.
“Technology is changing relationships between the superpowers, while altering the nature of conflicts and the way we wage war.”
Governments sponsored two global trojan attacks in 2017. NotPetya has been linked to the GRU, Russia’s military intelligence agency. Targeting computer systems in Ukraine, NotPetya adopted the appearance of a typical ransomware trojan, even to the point of including a ransom demand. But NotPetya was actually a cyberweapon that impaired many Ukrainian companies, shutting down mass-transit servers, interrupting point-of-sale systems in retail chains, and disrupting bank networks. It infected the computers of Western companies with branches in Ukraine, and spread internationally. NotPetya inflicted unprecedented financial damage: The container shipping company Maersk, FedEx and pharmaceutical giant Merck all reported hundreds of millions of dollars in losses they traced to the malware.
“To protect our information systems, we need to know who we are fighting and why they are attacking us.”
Also in 2017, the North Korean government launched the WannaCry ransomware attack to raise money. The malware infected nearly a quarter of a million computers around the world, but its code was buggy, and the malware didn’t work correctly. In particular, it directed every victim to the same handful of hard-coded bitcoin addresses, so the operators had no reliable way to tell who had paid. News spread that WannaCry could not restore data after victims paid the ransom. North Korea ultimately collected only 60 bitcoins.
Law enforcement uses malware in criminal investigations.
Police have traditionally enjoyed authorization to tap suspects’ landline phones, and later expanded their eavesdropping to mobile phones, text messages and email. But when encryption of online communication became common, police needed a way to view a message before a suspect hit the send button. They do so by planting malware in suspects’ devices.
The police have access to infection routes criminal malware producers cannot utilize. Police can get a warrant to break into a suspect’s house and insert malware into a device. Alternatively, they can enlist a local internet provider to prepare software the suspect will download.
Law enforcement can seize a suspect’s devices, but then can face great difficulty retrieving data from those devices. Criminals often prepare stratagems for quickly destroying evidence on their devices in the event of arrest. When police seize an intact but locked device, they can try to break in by brute force, trying every possible password. With sufficient computing power, password-cracking systems can test millions of candidates every second, yet a long, well-chosen passphrase can still take months or more to find.
Even when the authorities can’t decrypt communications such as email and direct messages, they can find leads by examining a message’s metadata. This reveals, for example, who took part in a communication, the participants’ locations, and what time they conducted the conversation.
In some cases, the only option for gaining access to a suspect’s data is to create a distraction and grab the suspect’s unlocked device.
Security breaches succeed due to technological or human error.
Modern computer programs feature thousands or millions of lines of code, so typos and other coding mistakes are inevitable. These bugs provide loopholes through which hackers penetrate a system.
“Question: How many of the Fortune 500 are hacked right now? Answer: 500.”
Software developers can help eliminate these vulnerabilities by offering “bug bounties” – monetary rewards for people who find and report these errors.
Fixing bugs can be costly, but once programmers patch a weak point and the patch is deployed, that particular hole is closed for good. No one, on the other hand, can eliminate human error.
Common human errors include using the same password for everything, downloading dubious utilities from the web, opening any email attachment, falling for phishing sites, and other ruses. Rather than trying to eliminate human error, the industry should accept that responsibility for security lies not with users, but with telecom providers, data-security services, and the makers of operating systems and software.
“When information security works flawlessly, it is invisible.”
One common error companies make is limiting their security efforts to building impenetrable firewalls to keep attackers out. A company should always assume that its network is vulnerable. A security regimen should include regularly monitoring the internal network for unusual activity. Monitoring techniques include:
- Network profiling – Companies set up multiple sensors to record a “snapshot” of the network’s normal activity: which hosts talk to which, how much, and when. They program the sensors to alert on deviations from that baseline.
- Bait networks (honeypots and honeytokens) – These are attractive but fake lures set to snare intruders. The bait could be a folder on the document server containing fictitious financial reports or password lists that no legitimate user has any reason to open. An intruder who peeks inside these folders triggers an alert.
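The two monitoring techniques above, worked through in Python as an added example written for this summary. It is not code from the book or from WithSecure/F-Secure: the flow records, the file-server audit-log format, the host names, the canary file paths and the svc_backup allowlist are all constructed assumptions. The first part builds a per-host baseline from seven days of traffic and flags a host that talks to a never-before-seen destination or moves far more data than usual; the second parses audit lines and alerts on any access to a bait file by an account that is not a known scanner or backup job.

```python
"""Internal-network monitoring: a baseline profile with deviation alerts, and
canary ("bait") files whose access raises an alert.

Added illustration for this summary; not code from the book or from
WithSecure/F-Secure. All data, formats, hosts, paths and the allowlist below
are constructed assumptions.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source_host, destination, megabytes_sent).
# Days 1-7 are the "snapshot" of normal activity used to build the profile.
BASELINE_FLOWS = (
    [(d, "ws-01", "fileserver", mb)
     for d, mb in enumerate([95, 105, 115, 100, 110, 120, 90], start=1)]
    + [(d, "ws-01", "mailsrv", 5) for d in range(1, 8)]
    + [(d, "db-01", "backup", mb)
       for d, mb in enumerate([500, 510, 490, 505, 495, 500, 500], start=1)]
)

# Constructed day-8 traffic: db-01 behaves normally; ws-01 pushes 795 MB to an
# address never seen in the baseline (203.0.113.5 is documentation space).
DAY8_FLOWS = [
    (8, "ws-01", "fileserver", 100),
    (8, "ws-01", "mailsrv", 5),
    (8, "ws-01", "203.0.113.5", 795),
    (8, "db-01", "backup", 505),
]


def build_profile(flows):
    """Per source host: mean and population std. dev. of daily MB sent, plus
    the set of destinations seen during the baseline window."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> MB
    dests = defaultdict(set)
    for day, src, dst, mb in flows:
        daily[src][day] += mb
        dests[src].add(dst)
    profile = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        sigma = pstdev(totals) if len(totals) > 1 else 0.0
        profile[host] = {"mean": mean(totals), "sigma": sigma, "dests": dests[host]}
    return profile


def detect_deviations(profile, flows, z=3.0):
    """Return (host, reason) alerts for one day's traffic: a destination absent
    from the baseline, a daily volume more than z std. devs above the baseline
    mean, or a host the baseline never saw at all."""
    alerts = []
    totals = defaultdict(int)
    for _, src, dst, mb in flows:
        totals[src] += mb
        if src not in profile:
            unknown = (src, "host not present in baseline")
            if unknown not in alerts:
                alerts.append(unknown)
        elif dst not in profile[src]["dests"]:
            alerts.append((src, f"new destination {dst}"))
    for host, total in totals.items():
        if host not in profile:
            continue
        p = profile[host]
        # A perfectly flat baseline would make any change look infinitely
        # anomalous; fall back to 10% of the mean as a minimum spread.
        sigma = p["sigma"] or 0.1 * p["mean"]
        threshold = p["mean"] + z * sigma
        if total > threshold:
            alerts.append((host, f"volume {total} MB exceeds threshold {threshold:.1f} MB"))
    return alerts


# Bait files: plausible-looking documents nobody has a legitimate reason to open.
CANARY_PATHS = frozenset({
    "/srv/docs/finance/q3_forecast_draft.xlsx",
    "/srv/docs/it/passwords_backup.txt",
})
# Accounts that touch every file for a legitimate reason (backup, indexing) and
# would otherwise page the on-call team every night. Constructed assumption.
ALLOWLISTED_ACCOUNTS = frozenset({"svc_backup"})

# Constructed file-server audit lines in an assumed key=value format.
AUDIT_LOG = """\
2023-05-04T08:01:10Z user=jdoe host=ws-01 action=READ path=/srv/docs/hr/handbook.pdf
2023-05-04T08:03:44Z user=svc_backup host=db-01 action=READ path=/srv/docs/finance/q3_forecast_draft.xlsx
2023-05-04T22:17:09Z user=jdoe host=ws-01 action=LIST path=/srv/docs/it/
2023-05-04T22:17:31Z user=jdoe host=ws-01 action=READ path=/srv/docs/it/passwords_backup.txt
"""

AUDIT_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) action=(\S+) path=(\S+)$")


def canary_alerts(log_text):
    """Return one alert dict per access to a canary path by a non-allowlisted account."""
    hits = []
    for line in log_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue   # malformed line: skip it rather than crash the sensor
        ts, user, host, action, path = m.groups()
        if path in CANARY_PATHS and user not in ALLOWLISTED_ACCOUNTS:
            hits.append({"time": ts, "user": user, "host": host, "action": action, "path": path})
    return hits


if __name__ == "__main__":
    for host, reason in detect_deviations(build_profile(BASELINE_FLOWS), DAY8_FLOWS):
        print(f"PROFILE ALERT {host}: {reason}")
    for hit in canary_alerts(AUDIT_LOG):
        print(f"CANARY ALERT {hit['user']}@{hit['host']} {hit['action']} {hit['path']} at {hit['time']}")
```

On the constructed data, ws-01 raises two profile alerts (a new destination and a daily volume of 900 MB against a threshold of 140 MB) while db-01 stays quiet, and only the late-night read of the password file by jdoe fires a canary alert; the backup account’s read of the same kind of file is suppressed by the allowlist. In a real deployment the baseline window, the z threshold and the allowlist are the knobs that decide how noisy the sensors are.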
A common mistake among manufacturing enterprises is to assume a factory’s computer-controlled machinery is secure because it does not connect to the internet. Managers may believe their plant’s control system resides on its own “closed network” – but almost any modern factory system connects to the internet somehow, including via accidental links.
“IT security is not always rocket science. You simply need to consider how to make life harder for attackers.”
A factory’s closed system could change if the manufacturer merged with another company and the two companies integrated their networks. An employee may create an inadvertent link by installing a connection that allows him or her to work remotely.
Maintaining security will grow increasingly challenging in the future.
Today all computers are online, and with the advent of the Internet of Things, all electrical devices will eventually connect to a network. Network connections will boost a product’s functionality while increasing its vulnerability. Smart, connected devices – watches, televisions, cars, homes and entire cities – will offer expanded functionality that will be more vulnerable to attack.
“The internet is controlled by a handful of corporations who couldn’t care less about the concerns of individual users.”
Vulnerabilities will increase when “dumb devices,” such as toasters or kitchen mixers, go online. Once connectivity becomes sufficiently inexpensive, machines will collect valuable data on the products’ owners – where they live or how they use the machines – and send it over a network to the manufacturers.
“Installing antivirus in a dishwasher will not work, and firewall software cannot run on coffee machines.”
These machines will probably use connection infrastructure that consumers can’t easily disable. Securing such devices will prove more difficult than protecting a phone or computer. One possible solution may be to institute regulations that hold manufacturers liable for damage that occurs due to vulnerabilities in the devices they sell.
About the Author
Mikko Hypponen is the chief research officer at WithSecure and the principal research adviser at F-Secure.