
A history of malware in 30 minutes by Mikko Hypponen

LAS VEGAS – Cyber security guru Mikko Hypponen walked a rapt audience of 2,000 through the evolution of malware in less than 30 minutes at Black Hat today.

It is a fascinating tale to be sure. And the takeaway is this: If you’re not encrypting your communication channels (email, SMS, Skype, and text, for starters), you’re positioning yourself for a world of hurt. According to Hypponen, the chief research officer at security firm F-Secure, it goes something like this:

Malware really started more than 15 years ago “with kids and their hobbies launching attacks” that weren’t malicious and lacked the sometimes fatal intent that nation states and criminal groups have, Hypponen said. Kids with machines and the ability to exploit vulnerabilities did it for kicks. And laughs.

About that time, in the 1990s, criminal groups, primarily from the remnants of the Soviet Union (Russia, Ukraine, and Belarus), discovered there was money to be made plying their trades virtually. Some of the best mathematicians, programmers, and cryptographers come from there.

Hacking became a full-time gig for many because there was no economy.

“They realized they could make money off this,” Hypponen said.

And he was right. In the Target breach last Thanksgiving, criminal groups in Eastern Europe inserted trojan malware into the company’s security and payment system, despite Target installing a $1 million anti-virus tool from FireEye six months before the wallop. In this killer hack, 40 million customers had their credit cards lifted, and the CEO was sent packing.

And this week came the news that a Russian cyber gang, aptly dubbed “CyberVor” (“thief” in Russian), had successfully boosted 1.2 billion passwords and 500 million email addresses from 420,000 websites, both large enterprises and mom-and-pop shops. The news broke when Hold Security, an outfit in Milwaukee, released its findings after a 7 month investigation.

The third phase, according to Hypponen — and many of my intelligence sources agree with him — is when governments found and adapted offensive cyber capabilities. The U.S. is the best: best funded, best researched, and most lethal, according to Hypponen. The U.S. is followed by Russia, with China taking third place.

It is this third component, governments using cyber as weapons, that seems to bewilder the amicable Hypponen more than anything.

“Democratic governments using hackers sounds like science fiction. There was a change in the threat landscape,” he said.

Hypponen said this latter tier is potentially the most dangerous because, unlike nuclear warheads, governments keep their offensive cyber arsenals close to the vest. Call it a paradigm shift in the global weapons-of-mass-destruction landscape.

“You know they have nukes because they show you they do. We know exactly. That’s the kind of thing we don’t have with cyber weapons,” he said.

So the argument of some of the security researchers at Black Hat this year is that cyberthreats are potentially more damaging than intercontinental ballistic missiles. And the reason for this, Hypponen and others said, is that the real potential — the most devastating aspects of what cyber can do and who has those capabilities — is still partially unknown.

Ultimately, it comes down to an Apple, Dell, or Toshiba laptop and a good Internet connection.

“These types of weapons,” Hypponen said, “are accessible to just about anyone.”