Risk
3/4/2014
06:26 PM
Security Firms Face Crisis Of Trust

Mikko Hypponen reflects on shift toward rampant government spying and use of malware -- and targeted attack attempts on F-Secure

Arguably the most high-profile speaker to boycott the 2014 RSA Conference in San Francisco last week in the wake of allegations that RSA Security entered into a private contract with the National Security Agency was renowned security expert Mikko Hypponen, chief research officer for Finnish security firm F-Secure.


Hypponen -- who was the first speaker to cancel his talk from the conference after Reuters reported in late December that RSA Security had a secret pact with the NSA to use weak encryption technology in its products -- had not spoken publicly about his decision until last week at an F-Secure press luncheon, as well as at TrustyCon, a privacy-themed protest conference held next door to the RSA Conference.

"It's about trust. The main reason I canceled my talk at RSA was that I felt they weren't trustworthy anymore. Security companies like ours are built on trust," Hypponen told a group of journalists at his annual press luncheon in San Francisco last week. "If we lose that trust, there really isn't anything else."

[RSA Security executive chairman Art Coviello addressed publicly for the first time the security company's relationship with the NSA and its cyberdefense arm. See Coviello: RSA Security's Work With NSA 'A Matter Of Public Record'.]

Hypponen said he doesn't expect things to change much at all when it comes to the wave of allegations of NSA surveillance that came from NSA documents leaked by former contractor Edward Snowden. "Nothing has really happened" since the allegations about RSA, he said. Hypponen said he didn't attend RSA Security executive chairman Art Coviello's keynote address last week, during which Coviello said RSA's relationship with the NSA mainly has entailed working with NSA's Information Assurance Directorate (IAD), the cyberdefense arm of the agency.

"I'm glad Art addressed this. That's good," he said, noting that he had read some of the speech. But his keynote didn't confirm whether RSA was complicit in NSA spying, he said: "What I gathered from his talk was that they weren't complicit -- they were just incompetent, if that's supposed to make us feel any better."

RSA's Coviello stopped short of specifically addressing details about reports that the NSA in 2006 had paid RSA $10 million in a secret contract to use the Dual EC DRBG random-number generator algorithm in its Bsafe software to facilitate the NSA's spying programs. The encryption algorithm reportedly was one that the NSA was able to crack. In a blog post after the Reuters story ran, RSA said it had not "entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

Coviello called for privacy reform and said the NSA "missed the opportunity" to provide transparency of its operations. "If they need to encroach on privacy in some form or fashion, it needs to be strictly governed, and so people feel comfortable about that process, it needs to be transparent so people can get visibility into how that governance model is actually being acted upon," he said in an interview with Dark Reading after his keynote. "The NSA missed the opportunity to give people that transparency. A lot in the press about the NSA is just not accurate."

Hypponen said there has been a relatively rapid mind-set shift to accepting the premise that all governments are involved in cyberespionage and using malware to do their spying. "That change has been very quick," he said. "If someone had told me in 2003 that governments would use malware and attack other governments, friendly governments, or would own the IT sector ... that would have been really far out. But that's exactly what happened."

Security firms themselves are becoming legitimate military targets, Hypponen said. "We are targets because we make technical contributions to military action by blocking [nation-state attacks]," he said. "That's not really what I signed up for in 1991," he added, referring to the year he started in security.

F-Secure, like other firms, has been targeted by nation-state type attackers. "We've had a handful of detections," Hypponen said, acknowledging that there could be others that have not been detected. He said in one case, a new F-Secure board member was targeted with a phishing email that came with a watering hole-rigged URL. F-Secure's gateway proxy stopped the board member from visiting the site; he reported it to the IT department, which then investigated the source and found it was actually from China rather than the U.S. as it had purported. "We got lucky," he said of the attempted attack.

And two months ago, the firm spotted an attack that used F-Secure's name with an extra hyphen in the domain name in an attempt to target one of its customers.

Hypponen noted that Sweden is one of the more high-profile players in cyberespionage and, like the U.S., is relatively transparent about peering at foreign data that passes through its territory. Hypponen said his native Finland -- which has a long and proud tradition of being privacy-centric -- is trying to get into the act as well. The Finnish military intelligence agency and law enforcement have begun lobbying politicians in Finland to loosen privacy laws that prevent them from spying. "We [F-Secure] are lobbying for the first time and trying to convince lawmakers that we would be shooting ourselves in the foot by changing our privacy laws," he said.

Meanwhile, security firms still aren't getting much better at detecting APTs, he said. "We [the industry] still suck. It's very hard -- that's why we suck. They have serious resources behind it," he said.

Rick Howard, CSO at Palo Alto Networks, says the industry, indeed, has been focused on APTs, but there are all types of adversaries. "[Attackers] are getting smarter, but they don't have unlimited resources," he says. The battle just goes on between attackers and their targets, according to Howard.

Java Threats Dropping
Hypponen revealed that F-Secure's new threat report (PDF) for the second half of 2013 found Java attacks on the decline. While Java remains a popular vehicle for attackers, it accounted for about 26 percent of reported attack vectors. According to F-Secure's report, the drop may be due to the October arrest of "Paunch," the alleged writer of the BlackHole and Cool exploit kits.

"No one really knows why [Java attacks went down]," Hypponen said. And although Paunch was arrested in Russia for writing the toolkits, it's unclear whether he will actually be sentenced in the end, he said.

According to F-Secure, malicious websites, malvertising, and rigged software from file-sharing sites are the most common infection vectors for victims.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
shjacks55
User Rank: Apprentice
3/22/2014 | 5:20:28 AM
re: Security Firms Face Crisis Of Trust
1.) Java install now requires mandatory whitelisting as opposed to previous security add of optional blacklisting. Java has always been a fool's choice; even more so as it's being deprecated by its current owner, Oracle. Transfer of Java ownership to FOSS or to IBM (a major Java fanboy) would go a long way to reviving it.
2.) Phishing (Spear Phishing): executives and IT managers requiring full admin rights. (Rem Vista that senior IT managers had log in to Server to do power user stuff on their desktop.) Target: how does a billing query get access to software deployment tools?
3.) IoT. Huawei was putting backdoors into the backbone routers it built for Cisco. We've had exploits from hacked printers for many years now. Recently an infected refrigerator was found to be a spambot. Recently hackers have shown how simple it was to take over a car computer. (The missing Malay flight apparently executed its divergent turn under flight computer control.) And almost all of our electronics is manufactured in China. Phones and tablets inherently allow wireless provider and manufacturer (Chinese) takeover. Add to that software (or OS like Windows 8) that binds phone/tablet to all your devices, desktop et al, and hacking is not your worst scenario.
4.) Perhaps I read Tom Clancy conspiracy books, but a hack on NYSE or NASDAQ deleting ownership records and transferring stock/futures ownership offshore may cost $ Trillions. Or it's the TV shows where the spy gets dressed up like a janitor or IT person; consider what high school dropout tech support grunt Snowden did to NSA. The military harps on physical security and blocking all binary access to critical systems.
5.) Most server systems I've known (400+) do not run anti-malware, USB ports are enabled and autorun (funny stories about that). Could you find an MK802 sized device set up to monitor your network? (hint: thermal adhesive.) So how did the State of Wisconsin IT find out about the rogue router in the Governor's Office?
macker490
User Rank: Ninja
3/8/2014 | 1:27:36 PM
re: Security Firms Face Crisis Of Trust
The computer industry as a whole has a complete credibility problem as far as security goes. "Computer Security" means less than "Honest Politician". This has resulted from the drunken cow-town stampede that started with the 1980s and has continued into the computers that are most widely used today. A better approach is required for the use of computers in commercial applications. Industry is reluctantly accepting the truth that the status quo is unacceptable. As a result we will see a correction -- and as usual the "failure to adapt to change" will result in the demise of those who either do not see or are just stubborn.