
TrustyCon: Malware expert Mikko Hypponen kicks off conference on “trust”

On Thursday, famed malware researcher Mikko Hypponen wasted no time addressing his decision to pull out of the RSA Conference.

Instead of presenting his talk on governments developing malware at RSA, he delivered his speech in an AMC movie theater directly across the street from one of the conference's massive venues in San Francisco's Moscone Center.

The largely filled 400-seat theater hosted a lineup of speakers, such as Hypponen, who pulled out of their RSA Conference talks after a December Reuters report exposed an alleged $10 million deal between the National Security Agency (NSA) and security firm RSA, which led to the company using a weakened algorithm in one of its security products.

“RSA should have known better,” F-Secure's chief research officer Hypponen told attendees at the Trustworthy Technology Conference, called TrustyCon.

In its first year, the event was described by organizers as a “trust conference” – as opposed to a security conference.

“The suspicions had been floating around for years,” Hypponen said, referencing the flawed algorithm and RSA deal.

“And I'm not going to speak at the RSA Conference in the future either,” he later added.

Hypponen, who had spoken numerous years at the well-known RSA Conference in the past, said he distinctly remembers “being proud about seeing his name on the wall” during his first talk.

“Today, I'm happy not to have an RSA Conference badge on me,” he said.

After addressing his decision, he dived into his talk on how governments, which have entered into the space of writing malware, have completely transformed the level of sophisticated cyber threats users now face.

In his presentation, he gave an overview of the evolution of malware, from something often “written by 15-year-olds for fun,” in the early 90s, to the likes of Stuxnet and Flame, conceived and developed by nation states.

“If someone would have told me that 10 years ago, I would have thought it was a movie plot,” Hypponen shared, while ironically delivering his talk in front of the big screen featuring his PowerPoint presentation.

Amid increasing revelations about the U.S. government's ability to spy on, or target, the data of users around the globe, he said that it was a “failure” on the industry's part that there weren't many major internet service providers or software firms in Europe as compared to the U.S.

This fact puts global users in a dependent position with American companies, which often manage online services or handle data for worldwide users, Hypponen explained.

He later said that security is taken for granted when firms that are hit by major breaches or cyber attacks hardly ever suffer major consequences with lasting impact on the business – such as their stock significantly dropping or the company folding.

Security professional Alex Stamos, who helped organize TrustyCon, supported Hypponen's call to action for the security community.

“We are failing,” Stamos said of the industry, before introducing Hypponen.

He added that the community must stop blaming users for security shortcomings, and find ways, in spite of sophisticated actors, to latch onto avenues for “building technology that people can feel comfortable using from day to day.”
