3/4/2014 06:26 PM

Security Firms Face Crisis Of Trust

Mikko Hypponen reflects on shift toward rampant government spying and use of malware -- and targeted attack attempts on F-Secure

Arguably the most high-profile speaker to boycott the 2014 RSA Conference in San Francisco last week in the wake of allegations that RSA Security entered into a private contract with the National Security Agency was renowned security expert Mikko Hypponen, chief research officer for Finnish security firm F-Secure.


Hypponen -- who was the first speaker to cancel his talk from the conference after Reuters reported in late December that RSA Security had a secret pact with the NSA to use weak encryption technology in its products -- had not spoken publicly about his decision until last week at an F-Secure press luncheon, as well as at TrustyCon, a privacy-themed protest conference held next door to the RSA Conference.

"It's about trust. The main reason I canceled my talk at RSA was that I felt they weren't trustworthy anymore. Security companies like ours are built on trust," Hypponen told a group of journalists at his annual press luncheon in San Francisco last week. "If we lose that trust, there really isn't anything else."

[RSA Security executive chairman Art Coviello addressed publicly for the first time the security company's relationship with the NSA and its cyberdefense arm. See Coviello: RSA Security's Work With NSA 'A Matter Of Public Record'.]

Hypponen said he doesn't expect things to change much at all when it comes to the wave of allegations of NSA surveillance that came from NSA documents leaked by former contractor Edward Snowden. "Nothing has really happened" since the allegations about RSA, he said. Hypponen said he didn't attend RSA Security executive chairman Art Coviello's keynote address last week, during which Coviello said RSA's relationship with the NSA mainly has entailed working with NSA's Information Assurance Directorate (IAD), the cyberdefense arm of the agency.

"I'm glad Art addressed this. That's good," he said, noting that he had read some of the speech. But his keynote didn't confirm whether RSA was complicit in NSA spying, he said: "What I gathered from his talk was that they weren't complicit -- they were just incompetent, if that's supposed to make us feel any better."

RSA's Coviello stopped short of specifically addressing details about reports that the NSA in 2006 had paid RSA $10 million in a secret contract to use the Dual EC DRBG random-number generator algorithm in its Bsafe software to facilitate the NSA's spying programs. The encryption algorithm reportedly was one that the NSA was able to crack. In a blog post after the Reuters story ran, RSA said it had not "entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."

Coviello called for privacy reform and said the NSA "missed the opportunity" to provide transparency of its operations. "If they need to encroach on privacy in some form or fashion, it needs to be strictly governed, and so people feel comfortable about that process, it needs to be transparent so people can get visibility into how that governance model is actually being acted upon," he said in an interview with Dark Reading after his keynote. "The NSA missed the opportunity to give people that transparency. A lot in the press about the NSA is just not accurate."

Hypponen said there has been a relatively rapid mind-set shift to accepting the premise that all governments are involved in cyberespionage and using malware to do their spying. "That change has been very quick," he said. "If someone had told me in 2003 that governments would use malware and attack other governments, friendly governments, or would own the IT sector ... that would have been really far out. But that's exactly what happened."

Security firms themselves are becoming legitimate military targets, Hypponen said. "We are targets because we make technical contributions to military action by blocking [nation-state attacks]," he said. "That's not really what I signed up for in 1991," when he started in security, he said.

F-Secure, like other firms, has been targeted by nation-state type attackers. "We've had a handful of detections," Hypponen said, acknowledging that there could be others that have not been detected. He said in one case, a new F-Secure board member was targeted with a phishing email that came with a watering hole-rigged URL. F-Secure's gateway proxy stopped the board member from visiting the site; he reported it to the IT department, which then investigated the source and found it was actually from China rather than the U.S. as it had purported. "We got lucky," he said of the attempted attack.

And two months ago, the firm spotted an attack that used F-Secure's name with an extra hyphen in the domain name in an attempt to target one of its customers.

Hypponen noted that Sweden is one of the more high-profile players in cyberespionage and, like the U.S., is relatively transparent about peering at foreign data that passes through its territory. Hypponen said his native Finland -- which has a long and proud tradition of being privacy-centric -- is trying to get into the act as well. The Finnish military intelligence agency and law enforcement have begun lobbying politicians in Finland to loosen privacy laws that prevent them from spying. "We [F-Secure] are lobbying for the first time and trying to convince lawmakers that we would be shooting ourselves in the foot by changing our privacy laws," he said.

Meanwhile, security firms still aren't getting much better at detecting APTs, he said. "We [the industry] still suck. It's very hard -- that's why we suck. They have serious resources behind it," he said.

Rick Howard, CSO at Palo Alto Networks, says the industry, indeed, has been focused on APTs, but there are all types of adversaries. "[Attackers] are getting smarter, but they don't have unlimited resources," he says. The battle just goes on between attackers and their targets, according to Howard.

Java Threats Dropping
Hypponen revealed that F-Secure's new threat report for the second half of 2013 found Java attacks on the decline. While Java remains a popular vehicle for attackers, it accounted for about 26 percent of reported attack vectors. According to F-Secure's report, the drop may be due to the October arrest of the alleged writer of the BlackHole and Cool exploit kits.

"No one really knows why [Java attacks went down]," Hypponen said. And although Paunch was arrested in Russia for writing the toolkits, it's unclear whether he will actually be sentenced in the end, he said.

According to F-Secure, malicious websites, malvertising, and rigged software from file-sharing sites are the most common infection vectors for victims.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.

Comments
shjacks55
User Rank: Apprentice
3/22/2014 | 5:20:28 AM
re: Security Firms Face Crisis Of Trust
1.) Java install now requires mandatory whitelisting as opposed to the previous security add of optional blacklisting. Java has always been a fool's choice; even more so as it's being deprecated by its current owner, Oracle. Transfer of Java ownership to FOSS or to IBM (a major Java fanboy) would go a long way to reviving it.
2.) Phishing (Spear Phishing): executives and IT managers requiring full admin rights. (Rem Vista that senior IT managers had log in to Server to do power user stuff on their desktop.) Target: how does a billing query get access to software deployment tools?
3.) IoT. Huawei was putting backdoors into the backbone routers it built for Cisco. We've had exploits from hacked printers for many years now. Recently an infected refrigerator was found to be a spambot. Recently hackers have shown how simple it was to take over a car computer. (The missing Malay flight apparently executed its divergent turn under flight computer control.) And almost all of our electronics is manufactured in China. Phones and tablets inherently allow wireless provider and manufacturer (Chinese) takeover. Add to that software (or an OS like Windows 8) that binds phone/tablet to all your devices, desktop et al, and hacking is not your worst scenario.
4.) Perhaps I read Tom Clancy conspiracy books, but a hack on NYSE or NASDAQ deleting ownership records and transferring stock/futures ownership offshore may cost $ Trillions. Or it's the TV shows where a spy gets dressed up like a janitor or IT person; consider what high school dropout tech support grunt Snowden did to the NSA. The military harps on physical security and blocking all binary access to critical systems.
5.) Most server systems I've known (400+) do not run anti-malware, USB ports are enabled and autorun (funny stories about that). Could you find an MK802 sized device set up to monitor your network? (hint: thermal adhesive.) So how did the State of Wisconsin IT find out about the rogue router in the Governor's Office?
macker490
User Rank: Ninja
3/8/2014 | 1:27:36 PM
re: Security Firms Face Crisis Of Trust
The computer industry as a whole has a complete credibility problem as far as security goes. "Computer Security" means less than "Honest Politician". This has resulted from the drunken cow-town stampede that started in the 1980s and has continued into the computers that are most widely used today. A better approach is required for the use of computers in commercial applications. Industry is reluctantly accepting the truth that the status quo is unacceptable. As a result we will see a correction -- and as usual the "failure to adapt to change" will result in the demise of those who either do not see or are just stubborn.