“Security Is a Process, and That Includes the Culture in a Company.”

The Internet is a growing digital landscape – “a network of networks” as security expert Mikko Hypponen, author of If It’s Smart, It’s Vulnerable describes it – made possible by open computer architectures, common protocols and compression formats, cloud sharing and social media platforms. But as online businesses scale and as companies automate industrial tasks and employ more remote workers, the vulnerabilities of these technologies also multiply.

Mikko, let’s talk first about the most common malware threats people are likely to encounter daily.

Mikko Hypponen: The most common security threats normal users run into nowadays are typically not malware. They’re more like scams or account theft, like phishing. So, people get hit all the time with tech support scams or romance scams or cryptocurrency scams, auction scams, or they receive phishing emails or other tricks where the users will lose access to their own accounts. And those are very real security problems. But it doesn’t mean their device is getting infected. They will lose their accounts. That’s also a good example of how many of the things we use are no longer on our computers. So, for example, email used to be a program we ran on our computers. Now more and more users use Gmail, which is somewhere out there. When we look at actual malware cases where your device actually gets infected, we have a very impressive improvement in the security levels of our everyday computers.   

Book Summary

If It’s Smart, It’s Vulnerable

A cybersecurity expert offers a guided tour of malware threats.

Mikko Hyppönen Wiley

Read Summary

Macs are very safe against malware. There isn’t much malware for Macs, and it’s fairly well safeguarded against those as well. When consumers get hit with malware nowadays, it’s quite often on things like their Android phones or even more interestingly, on their IoT (Internet of Things) devices, which means that, for example, the heat pump in their house gets hacked by a piece of malware.

Attackers will go after the low-hanging fruit. And these smart devices are surprisingly vulnerable because they’re new technology. The cheapest vendor wins, which means the technology isn’t that well thought out.

So, we regularly see cases where people’s smart doorbells or smart televisions or heat pumps or other things like that around their house are infected and the users have no idea. The devices still work, but they are controlled by someone else. What they typically do with those devices is create botnets which they then use to run large denial-of-service attacks. So, your heat pump in your home or summer cottage might be pumping heat just fine. But at the same time, it’s being controlled by a Russian gang launching denial of service attacks against the root domain name servers of the Internet, slowing down the whole Internet for everyone. You won’t even know you’ve been hit by some of these things.

I mean, how would you know? How can you know?

Sometimes the internet operators or telecom companies will call you up and say, “Hey, we can detect malicious traffic from your home network.” And then when you check all your computers, there’s nothing there, which means it has to be something other than a computer. Sometimes operators cut homes off from the net because they generate so much attack traffic. And then you have to hire a professional to figure out what it is. And then it typically isn’t the computer but a device. 

So, the exterminator, but for the Internet. 

Exactly. That’s exactly what it is. Ransomware used to hit home users all the time a few years ago, when we were still running Flash and Java on our computers. Computers have been getting much better security-wise over the last five years. Home users still get ransomware but it’s much more common nowadays in corporate networks. The attackers don’t care about home users; they put their efforts against larger victims, which can afford to pay much more. 

You talk about some of the major damage ransomware attacks can cause – I’m thinking of NotPetya, for instance – and criminal syndicates approaching “cybercrime unicorns,” as you put it. I never thought of them like that before, as so big and successful and organized. 

Well, when I came up with the term, it was more like a joke. But unfortunately, it’s not a joke anymore. They’ve been getting much wealthier over the last years, not just because they make more money every year but because they keep their investments in cryptocurrencies, which have rocketed in valuation. And you don’t really like to see a situation where the wealth of criminals is skyrocketing. These unicorns first go out and buy their Ferraris and Lambos. But then they invest some of that money into making their attacks more advanced, more technical. They hire better-skilled people. They run professional data centers. They hire business analysts to help them figure out how much ransom they should be demanding from their victims. They have their own lawyers. They more and more resemble traditional real-world organized crime gangs, traditional mafias. And that’s obviously not a good development.  

What’s going wrong? 

The biggest failure is we are not able to catch more than a small fraction of online criminals. That means that potential newcomers into the field, the people who have the skills but who might not have the opportunity, are considering getting into a life of crime because it’s an easy way to make money. They see that no one’s getting caught. Even if you get caught, it’s unlikely you will get indicted. Even if you get indicted, it’s unlikely you’ll get sentenced. If you get sentenced, the sentence is typically not too bad, especially compared to real-world crime. And that’s exactly what we should be changing and showing to these potential newcomers: that crime doesn’t pay, even online. That’s what we should be telling them and showing them. 

Can you describe the NotPetya attack and its effect on Maersk? 

NotPetya looked like ransomware. But it wasn’t. It was actually a cyber weapon, which used a cover story of being ransomware, which is actually a pretty good cover story. What it really wanted to do was to destroy as much information as possible in Ukraine. This weapon was developed by Russia and was launched during earlier stages of the war Russia is waging on Ukraine. Of course, ransomware is very destructive, but there’s an undo. If you pay, you get your data back. For NotPetya, there’s no undo even if you pay the ransom. The code doesn’t encrypt; it overwrites. So there is no possible way of recovering the information. It was only a cover story they used.

How did one of the largest container shipping companies in the world, which has really nothing to do with Ukraine, get hit so hard?

There were plenty of other victims, but Maersk is the best known and maybe the biggest sufferer. None of these companies had anything else to do with Ukraine except they had offices there that used this software the Russian attackers hijacked as a vector to infect victims in Ukraine.  

This was a channel an accounting software firm used to send out updates to clients, and the result closed grocery stores, crippled manufacturers and hospitals among other damage. 

And I don’t think the Russians even understood how far and wide this attack would spread beyond Ukraine. It was supposed to hit hard and cause damage in Ukraine, and it did. Ukraine was by far the worst hit by NotPetya. It was probably the single most expensive malware outbreak of all time.  

Why couldn’t Maersk just recover from backups? 

They weren’t expecting catastrophic failure of all of their systems worldwide at the same time. And this is what NotPetya caused. It was designed to spread in the network once it gained access and it spread to all of their servers, to all of their data centers at once. This is a global company. They operate dozens of container harbors around the world. They have data centers around the world. All of their systems were hit and most crucially, their systems’ Active Directory servers.  

Since they already had 151 AD servers around the world, clearly there’s no need for a backup. You already have 151 backups of the data. Certainly you’re not going to lose all of them at the same time. How would that ever happen?

Well, when it happened, they realized that they now have no backups at all. Well, they have data backups, but it doesn’t matter because users can’t log in. There’s no information about who are the users, how many users do we have? What are they called? What kind of rights should they have? What data should they be able to access and what not? That part was not backed up. That part they couldn’t recover. And let me expand a little bit on the whole backup topic and ransomware in general when we look at more common ransomware cases. Nowadays backups don’t really help because ransomware gangs use double extortion tactics where first they encrypt your data. You will get your data back if you pay, sure. 

And if you have backups, sure, that helps. But the second tactic is that they don’t just encrypt the data, they first take a copy of the data and then they encrypt it, which means if you don’t pay the ransom, they will publish your data online.

They have dedicated websites in the Tor hidden services in the Dark Web. There are dozens of those sites right now. I know because I visit them every day and they list a steady flow of new victims every day. And if those victims don’t pay, their email, archives and document archives will be posted online for anybody to look at, which includes all company secrets, all price negotiations or patent applications, every email where your employees are emailing corporate health care about their private health issues, all of that will be made public. And that’s a very hard situation for the victims. Nobody wants to give money to criminals. But what’s the other option? Have these files posted online? 

And there’s no guarantee that they are “honest criminals.”

Not every case, but it makes sense for them to be honest criminals. If you would pay a ransomware gang money and they would still leak your information, why would anyone else ever pay them again? It’s much harder for them to actually do what they promise. They run tech support teams, which is a bit funny, to help make sure you’re happy after you paid, and they need the reputation that they’re honest criminals.

How do you find these criminals? How do you hunt them down?

All it takes is one mistake and you can get hacked. A mistake like you misconfigure one server, or you leave one port open, or a user clicks on a malicious link one time, that’s enough for you or your organization to get hacked. However, it also works the other way around. If these criminals want to go scot-free, they must never make a single mistake either because one mistake is enough for them as well. 

In cases where the attackers got caught, they made very simple, small mistakes. Sometimes you can trick them into doing that.  

We worked with a bank that was targeted with a banking Trojan. It was still being developed and tested. Instead of kicking the criminals out, we let them play in a fake sandbox environment to gather information. When the Trojan was ready and deployed against real users, the team was able to detect it because they had followed the development all along, but it didn’t work. The criminals thought the reason they couldn’t make their Trojan work against real users must have to do with their VPN that protected their IP addresses, so then they connected with their own IP addresses, revealing their identity. 

That must feel very satisfying to catch these hackers.

It did. 

You say all breaches come down to either technical problems or human errors. How would you characterize this distinction? What are some typical examples of human error?

The most typical example of human error is that you use the same password everywhere. Your password to Netflix is the same as your corporate account, to Gmail, to everywhere else. Passwords should have died 20 years ago. Now, slowly but surely, we are going towards things like biometric detection. But every single one of us still has 100 passwords. 

There are services where if someone gains access, it matters to you, especially your corporate accounts and things like that because that means someone can gain access to your whole network. So think about what matters and what doesn’t. Put your limited resources into coming up with great passwords and remembering them for services that matter. The real solution is to use password managers, which make sure you don’t have to remember anything at all. You remember one password and that will remember and unlock everything else. Another thing that users do a lot is simply fall for every scam, every phishing link that they see: “Oh, there’s a package arriving for me? Click on the link. Oh, I have to log in too. Okay, here’s my account. I apparently have to log in to Windows. Interesting. Here you go.” So, users trust too much.  

One of my pet peeves is that people are worried that if you don’t fix these systems, people are going to lose their trust. I think people already trust too much and they fall for all these scams because they believe everything is real.

A friend of mine told me she got a tech support email out of the clear blue sky, supposedly from Microsoft. She called the phone number on the email and spoke to someone who guided her through installing stuff, which I thought was insane.

Yes, that’s insane. But people fall for it. It’s easy for these scammers to get onto people’s machines by using tricks like that.  

And are these scams going to get worse with AI and deep fakes? 

Right now, it is real people calling you, which means they can’t scale that by a factor of a million because they need real people to make the phone calls. Very soon, they can do all that with automated systems like large language models, which can create the content and the text and the answers to your questions in real time. And then speech synthesizers, which will sound as real as you and me. Eventually, the video will look just like this video call. Someone made a deep fake of me and sent it to me two weeks ago and I couldn’t really tell that it was not me, but it was speaking Turkish and I don’t speak Turkish. 

It is already causing a lot of chaos. 

Yes. This year has been exciting and scary around the developments in different machine learning AI systems. Not just these text chat systems. When I talk with ChatGPT, I speak in Finnish with it and it speaks perfect Finnish back. The same thing in Swedish, same thing in any other language I speak. And the reason why it’s so good is it’s a machine learning framework and to learn, we’ve given it everything we’ve created: all the books ever written in any language, all of Wikipedia, all the source code on GitHub, which is most of the open-source code humans have ever written in all programming languages.

Well, I guess then the next question is, does training help? What can companies do to minimize their exposure to these threats? 

Security is not a product you could go and buy. Security is a process and that includes the culture of a company. You can’t add it later. You must build it into the systems you’re building. Most companies today don’t just build products. They build software as well. The larger the company, the more likely it is that they’re shipping code they created to their customers, which means almost every company is a software company. You can’t just build a software product and then at the last stage, bolt on some security. It has to be there from the beginning.

That’s why it is a process. And all of this has to be done by humans. That’s why it’s a culture thing. We can drill down to the root cause of every single data breach, every malware outbreak, every data leak. And the root cause is always either a technical problem or a human problem.

So a technical problem like an unsecured server or an unpatched system or a human problem like users having the same password everywhere or users clicking on attachments in emails coming from nowhere. And while fixing the technical problems is hard, at least it is doable. I really don’t know how to fix humans so that they would be permanently fixed so that they would learn and remember. Even the technical problems like vulnerabilities in our systems are actually human problems because they are there because the programmers who created the systems made mistakes. Humans make mistakes, and when programmers make mistakes, we end up with bugs. And when we have bugs in interconnected systems, they become vulnerabilities. So, in the end, all of this is a human problem.  

So, what’s the long-term fix?

How do we fix technical problems so that they’re gone? The answer is the systems have to be created by something that doesn’t make mistakes. They can’t be programmed by humans anymore. They have to be programmed by programs, which is becoming closer and closer to reality. Within the next couple of years, more and more of the programs we run will no longer be written by humans. And that gets really crazy when you realize that when we can create a program that can write programs, we can ask that program to make a better version of itself and then automatically ask that new version to make a better version of itself. And we can repeat it, let’s say a billion times, which in the end is something we humans have no hope of understanding. This is one of the challenges we have with this AI revolution. 

More and more things, more of our lives will be connected to the Internet. What happens when we have smart mixers and smart cities and autonomous cars? Is it our best hope that machine learning AIs are creating them? Is that really our best hope? Because it sounds like maybe it is. 

It’s going to get worse before it gets better. Right now, the non-computers which are already online are smart things. You know, smart TVs, smart cars. People have smart fridges now with video cameras inside, so they don’t need to remember what’s missing. They can just look inside the fridge when they’re shopping. But that’s just the first stage. These are all examples of devices where the consumer who bought the device knows that the device is online. The next step will be dumb devices online. These are the kind of devices where you as a consumer don’t need the thing to be online. You don’t want it to be online, but it’s got to be online anyway. The kitchen mixer, the example I have in my book, that’s going to happen when it becomes cheap enough to put these things online, when the benefits to the manufacturer outweigh the costs. The most obvious reason is to collect consumer marketing information. Like how many consumers do we really have using our mixers today in Paraguay or in Vietnam? How many consumers in Tokyo? Where are they in Tokyo? Should we advertise more on the east side of Tokyo? If the price of putting the thing online is a cent, the information is probably more valuable to the manufacturer than the cost. 

So, should we just give up all hope of privacy? 

There’s nothing we can do to stop this except one thing, which is laws and regulations. We could make it illegal, so that you can’t collect information. The consumer must have an opt-out. They must be informed clearly that this thing is online and it’s online to collect information about usage. Are you sure you want to tell the mixer manufacturer where you are? Things like that. We can take it further. We could regulate liability for problems created by poor security in IoT devices. So if your washing machine burns down your house because it catches fire in the middle of the night, the manufacturer is liable. But if it has smart functionality and your washing machine gets hacked and you wake up in the morning and every computer in your home network has been hacked because of the washing machine, they’re not liable. This is what we could change. Biden’s cyber security strategy, published recently, mentions this very directly, bringing liability for software products. So the powers that be are aware of this problem and we might see some laws and regulations around this, which is at once exciting and scary because I’m not really a fan of regulation. I think regulation quite often fails. But clearly, we need something here because the markets are not going to fix themselves when it comes to the security of IoT devices. 

No, they are motivated by profit to not fix themselves. What I can’t understand is why people seem to just accept that data breaches are a way of life or that none of this matters because everybody already knows everything about me anyway.

“I have nothing to hide.” 

Yes. 

My answer always to people who say they have nothing to hide is that I’m really glad you told me so I don’t tell you anything confidential, because obviously, you can’t keep secrets.