Mikko Hypponen, chief research officer at Finland's F-Secure delivered a wide-ranging, entertaining and informative presentation at IP Expo Europe, entitled Securing Our Future, describing corporates as a new threat actor, and declaring ‘smart' anything another word for ‘exploitable'.
After explaining the Chrysler Jeep hack, Hypponen noted how the hackers, Charlie Miller and Chris Valasek, are now employed by Uber – which is also recruiting engineers and artificial intelligence specialists – presumably planning the roll out of automated ‘smart' cars (illustrated with a mocked up video of people wandering across busy roads unconcerned at the near misses thanks to their trust in ‘infallible' automated cars).
But Hypponen rubbished the idea of ‘Smart', noting, there is no cloud – it's just other people's computers – and there is no smart cars, smart phones, smart TVs, smart missiles – in this context, smart just means exploitable.
And top of the list of what's being exploited is our data. How come a company that doesn't sell its product (Google) had US $16 billion profit last year? Facebook and Twitter don't pay their content creators, they sell their profiles. It's an indicator of how valuable our data is, hence there are no ‘free' search engines, or free anything else, with perhaps the exception of open source software.
In his presentation Hypponen also trashed the phrase ‘full spectrum cyber' defence as marketing hype, but he did note that current developments are serious enough not to need the hype, including the growing capability of extremist terrorists – specifically ISIS – to mount cyber-attacks.
It's an area Hypponen had forecast to grow three years ago, and his prognosis remains that it will only get worse. In addition the range of attackers to be considered now includes corporates, with Volkswagen held up as an example of the latter for hacking its own cars.
SC asked Hypponen, which of the threat actors posed the biggest concern, to which the response was, “It depends what you do. Different sectors will have different threats.
"A pizza place won't be a target for state actors, but criminals would be interested in financial transactions, so you need to know who is likely to be attacking you.”
This raised the issue of how you identify attackers – given the known problems of attribution. Hypponen says, “You can rank how likely each potential attacker would be, from insiders and competitors to nation states, and deal with the biggest problems first.”
Hypponen noted how, having done the risk analysis, the likelihood of going bankrupt due to cyber-attack remained low, with share prices often bouncing back, such as Sony, and the results rarely being as dramatic as forecast. Also there was a lack of reporting of lost information to the data owner, such as the credit card holder – but proposed EU laws calling for mandatory reporting of loss could change that, a move Hypponen supports.
And the reporting should include informing the data owner, not just an official body, as “I need to know if my payment data and passwords have been compromised so I can do something about it.”
SC also asked whether corporate hackers are really a concern. Hypponen noted that corporate espionage and cheating in compliance tests by vendors is not new, with datasets heavily optimised to get the desired results – from games chip performance to energy consumption and anti-virus tools.
“And the car is in the real world with real world damage. VW's cheating killed 40 to 100 people. If they'd shot them there would be outrage,” he said.
Asked what are the main threats expected in the year ahead, Hypponen cited ransomware attacks given the availability of tools and the anonymity afforded by crypto-currencies. In particular their move to mobile is expected to increase, with a potential future shift to smart TVs and smartcars being ransomed.
This vulnerability of connected devices would also extend further into warfare: “In the next war EMV pulses in the stratosphere would work to close down technology without killing people directly,” concluded Hypponen.
