Security Firms Face Crisis Of Trust

Mikko Hypponen reflects on shift toward rampant government spying and use of malware -- and targeted attack attempts on F-Secure
Arguably the most high-profile speaker to boycott the 2014 RSA Conference in San Francisco last week in the wake of allegations that RSA Security entered into a private contract with the National Security Agency was renowned security expert Mikko Hypponen, chief research officer for Finnish security firm F-Secure.


Hypponen -- who was the first speaker to withdraw his talk from the conference after Reuters reported in late December that RSA Security had a secret pact with the NSA to use a deliberately weakened random-number generator in its products -- had not spoken publicly about his decision until last week at an F-Secure press luncheon, as well as at TrustyCon, a privacy-themed protest conference held next door to the RSA Conference.

"It's about trust. The main reason I canceled my talk at RSA was that I felt they weren't trustworthy anymore. Security companies like ours are built on trust," Hypponen told a group of journalists at his annual press luncheon in San Francisco last week. "If we lose that trust, there really isn't anything else."

[RSA Security executive chairman Art Coviello addressed publicly for the first time the security company's relationship with the NSA and its cyberdefense arm. See Coviello: RSA Security's Work With NSA 'A Matter Of Public Record'.]

Hypponen said he doesn't expect things to change much at all when it comes to the wave of allegations of NSA surveillance that came from NSA documents leaked by former contractor Edward Snowden. "Nothing has really happened" since the allegations about RSA, he said. Hypponen said he didn't attend RSA Security executive chairman Art Coviello's keynote address last week, during which Coviello said RSA's relationship with the NSA mainly has entailed working with NSA's Information Assurance Directorate (IAD), the cyberdefense arm of the agency.

"I'm glad Art addressed this. That's good," he said, noting that he had read some of the speech. But his keynote didn't confirm whether RSA was complicit in NSA spying, he said: "What I gathered from his talk was that they weren't complicit -- they were just incompetent, if that's supposed to make us feel any better."

RSA's Coviello stopped short of specifically addressing details about reports that the NSA in 2006 had paid RSA $10 million in a secret contract to make the Dual EC DRBG random-number generator the default in its Bsafe software to facilitate the NSA's spying programs. Dual EC DRBG is not an encryption algorithm but a pseudorandom-number generator; it reportedly contained a backdoor that let anyone holding a secret value related to its published constants predict its future output, and with it the encryption keys derived from that output. In a blog post after the Reuters story ran, RSA said it had not "entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use."
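To show concretely what "predictable output" means for a generator of this design, here is an added toy re-implementation of the Dual EC construction and of the backdoor attack on it. It is example code written for this page, not code from the article, F-Secure, RSA, or the NSA, and it assumes a tiny constructed curve y^2 = x^3 + 2x + 2 over F_17 (19 points, generator Q = (5, 1)) with a made-up backdoor scalar d = 3 and no output truncation; real Dual EC DRBG runs on NIST P-256 with fixed published points and drops the top 16 bits of each output, which makes the attack slightly more work (2^16 candidate lifts) but does not prevent it. The generator updates its state as s <- x(s*P) and outputs r = x(s*Q); whoever knows d with P = d*Q lifts an observed r back to the point s*Q, multiplies by d to obtain s*P, and thereby learns the next state and every output after it.

```python
"""Toy Dual EC DRBG and the known-d backdoor attack (example code, not the real standard)."""

# Constructed toy curve: y^2 = x^3 + A*x + B over F_P_MOD, group order ORDER (prime).
# Real Dual EC DRBG uses NIST P-256; these parameters are only small enough to trace by hand.
P_MOD = 17
A, B = 2, 2
ORDER = 19  # number of points including the point at infinity (None)


def inv(x):
    """Modular inverse in F_P_MOD (P_MOD is prime)."""
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # P + (-P), including doubling a point with y == 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = None, pt
    k %= ORDER
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def x_coord(pt):
    """x-coordinate used as an integer; the point at infinity maps to 0 (toy convention)."""
    return 0 if pt is None else pt[0]


# The "public" point Q and the second point P. In the standard both are fixed constants;
# the backdoor is that P was generated as d*Q by someone who kept d.
Q = (5, 1)
BACKDOOR_D = 3          # assumed secret scalar for this example
P = ec_mul(BACKDOOR_D, Q)  # (10, 6) on the toy curve


def dual_ec_outputs(seed, n):
    """Run the generator n steps from an integer seed; returns the n outputs."""
    s = seed
    outputs = []
    for _ in range(n):
        s = x_coord(ec_mul(s, P))          # state update:  s_{i+1} = x(s_i * P)
        outputs.append(x_coord(ec_mul(s, Q)))  # output:      r_{i+1} = x(s_{i+1} * Q)
    return outputs


def lift_x(r):
    """Return a curve point with x-coordinate r, or None if r is not a valid x."""
    rhs = (r ** 3 + A * r + B) % P_MOD
    for y in range(P_MOD):
        if y * y % P_MOD == rhs:
            return (r, y)  # either sign works: x(d*R) == x(d*(-R))
    return None


def predict_after(r_observed, d, n):
    """Given one observed output and the backdoor scalar d, predict the next n outputs."""
    R = lift_x(r_observed)          # R = +/- s*Q
    if R is None:
        return None                 # cannot happen for a genuine output
    s = x_coord(ec_mul(d, R))       # d*R = d*s*Q = s*P, whose x is the NEXT state
    predictions = []
    for _ in range(n):
        predictions.append(x_coord(ec_mul(s, Q)))
        s = x_coord(ec_mul(s, P))
    return predictions


if __name__ == "__main__":
    real = dual_ec_outputs(5, 6)                       # seed 5 is a constructed example
    guessed = predict_after(real[0], BACKDOOR_D, 5)    # attacker saw only real[0]
    print("generator:", real)
    print("predicted:", guessed)
    assert guessed == real[1:]
```

Note that the attack never needs the seed: a single 32-byte-ish output is enough to resynchronise with the generator, which is why the only defence is to not use a generator whose second point has an unknown provenance, and why RSA's later advice to BSafe customers was to switch the default DRBG.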

Coviello called for privacy reform and said the NSA "missed the opportunity" to provide transparency of its operations. "If they need to encroach on privacy in some form or fashion, it needs to be strictly governed, and so people feel comfortable about that process, it needs to be transparent so people can get visibility into how that governance model is actually being acted upon," he said in an interview with Dark Reading after his keynote. "The NSA missed the opportunity to give people that transparency. A lot in the press about the NSA is just not accurate."

Hypponen said there has been a relatively rapid mind-set shift to accepting the premise that all governments are involved in cyberespionage and using malware to do their spying. "That change has been very quick," he said. "If someone had told me in 2003 that governments would use malware and attack other governments, friendly governments, or would own the IT sector ... that would have been really far out. But that's exactly what happened."

Security firms themselves are becoming legitimate military targets, Hypponen said. "We are targets because we make technical contributions to military action by blocking [nation-state attacks]," he said. "That's not really what I signed up for in 1991," when he started in security, he said.

F-Secure, like other firms, has been targeted by nation-state-type attackers. "We've had a handful of detections," Hypponen said, acknowledging that there could be others that have not been detected. He said in one case, a new F-Secure board member was targeted with a phishing email carrying a link to a rigged watering-hole site. F-Secure's gateway proxy stopped the board member from visiting the site; he reported it to the IT department, which then investigated the source and traced it to China rather than to the U.S., which the message had purported to come from. "We got lucky," he said of the attempted attack.

And two months ago, the firm spotted an attack that used a lookalike domain -- F-Secure's name with an extra hyphen inserted -- in an attempt to target one of its customers.

Hypponen noted that Sweden is among the more high-profile players in cyberespionage and, like the U.S., is relatively transparent about peering at foreign data that passes through its territory. Hypponen said his native Finland -- which has a long and proud tradition of being privacy-centric -- is trying to get into the act as well. The Finnish military intelligence agency and law enforcement have begun lobbying politicians in Finland to loosen privacy laws that prevent them from spying. "We [F-Secure] are lobbying for the first time and trying to convince lawmakers that we would be shooting ourselves in the foot by changing our privacy laws," he said.

Meanwhile, security firms still aren't getting much better at detecting APTs, he said. "We [the industry] still suck. It's very hard -- that's why we suck. They have serious resources behind it," he said.

Rick Howard, CSO at Palo Alto Networks, says the industry, indeed, has been focused on APTs, but there are all types of adversaries. "[Attackers] are getting smarter, but they don't have unlimited resources," he says. The battle just goes on between attackers and their targets, according to Howard.

Java Threats Dropping
Hypponen revealed that F-Secure's new threat report for the second half of 2013 found Java attacks on the decline. While Java remains a popular vehicle for attackers, it accounted for about 26 percent of reported attack vectors. According to F-Secure's report, the drop may be due to the October 2013 arrest of the alleged writer of the BlackHole and Cool exploit kits, known as Paunch.

"No one really knows why [Java attacks went down]," Hypponen said. And although Paunch was arrested in Russia for writing the toolkits, it's unclear whether he will actually be sentenced in the end, he said.

According to F-Secure, malicious websites, malvertising, and rigged software downloaded from sharing sites are the most common infection vectors for victims.
