The Slashdot Interview With Security Expert Mikko Hypponen: 'Backupception' 38
You asked, he answered!
Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.
Security awareness training Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.
by Anynoymous reader
Do you have any suggestions on how to create a successful security awareness program in a tech company? Some people like Bruce Schneier prefer the time and money spent on better security engineering. What's your take on this?
Mikko Hypponen: If there's one thing that I have learned over my 25-year career in computer security, it is that people never learn. They just won't. They will always follow every link, they will always double-click on every attachment, they will always type their password on every phishing site. Quite often, education just seems like a waste of time. I think we should do the best we can to move the responsibility away from the end user, as much as we can. Most users can't handle it, anyway. The average Slashdot reader can, but most can't.
Anti-virus software
by NotInHere
With recent reports of anti-virus software sometimes actually adding security vulnerabilities to the system, and the fact that Windows ships with its own bundled anti-virus, what advantages do commercial third-party anti-virus solutions offer these days?
MH: Security companies should clearly do a better job in making sure their low-level code is not exploitable. Heck, there's still a lot of security companies who do not run an open bug bounty (we do)! Having said that, it's clear that anti-virus products drastically improve the security level of a typical workstation. We see this every day from our analytics. Every single day, we prevent tens of thousands of our customer from getting infected with malware. These are real cases where our product is the last layer of protection and the user would have been infected without us. The malware went through everything else, including Windows' own security layers and we blocked it. Feels good, man.
Is it too late? Have we lost the battle?
by dougTheRug
Hi Mikko, in my day job I am a security evangelist, carrying out developer education and design reviews. For 8 years previous to that I helped companies use static analysis to detect and eliminate security vulnerabilities at the implementation layer. I am becoming convinced that, with the poor state of software today and extreme complexity, there is simply no way the good guys can win. Defenders have to get it right, every single time while the bad guys only need to be right once, to establish an APT and destroy your company. If the bad guys were parasites I would say this would all simmer down to a balancing point where the parasites existed off a slow background noise of constant attacks, but never enough to kill civilization completely. But with a lack of collusion, attackers are more likely to race to the bottom and to not pay attention to the health of their host. So basically my prediction is: crime will eventually kill technology; it will become unusable. Do you have a more hopeful outcome for us?
MH: Criminals need the internet to make money. They do not want to kill the net and they do not want to make it unusable for their victims. They do want to keep it operational - so they can make money. So, the internet is not about to crash any time soon.
Some wisdom on the future...
by Anonymous reader
We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum?
MH: We are the first generation in mankind's history that can be monitored at this level. We can be monitored digitally throughout our lives. Almost all of our communication can be monitored one way or another. We even carry small tracking devices on us all the time - we just don't call them tracking devices, we call them smartphones. What does that level of monitoring mean to us in the long run? I'm afraid we do not have an answer for that yet. And, security and privacy are not a direct trade off. We need both. It might be that we've already lost the war on privacy, But I refuse to accept that we would have lost the war on security too.
Complicated issues #1
by Aryeh Goretsky
Do you think it is still possible to secure embedded systems (aka the Internet of Things), or is that an impossibility now, practically speaking?
MH: Legacy appliance vendors know a lot about safety. But they don't know much about security. So you can rest assured that your smart lightbulb will not give you an electric shock, and it will not catch fire. But it will leak your wifi password. And this isn't getting better quickly, as security is not a selling point for household appliances: price is. Which means vendors are installing the minimum to their security features.
Users mostly don't care, as they don't understand the scope of the problem. "Why would anybody hack my fridge?" "Why would anybody hack my toaster?" Well, the attackers are not after your toaster: they are after your network. Your toaster is just the easiest way in. IoT devices are not the target - they are the vector. Even more so when those IoT devices are not at your home but at your office.
I'd like to think that in the long run IoT will turn out to be useful like the internet itself. It's clear that the internet exposed our systems to a wide range of new kinds of risks, but the benefits outweighed the risks. I hope that will apply to IoT one day as well.
Complicated issues #2
by Aryeh Goretsky
If there was one thing you could suggest every average computer user to do to improve their security, what would it be?
MH: Back up.
Back up your computer. Back up your phone. Back up your tablet.
Back them up so you can recover them even if your house burns down.
And then take a backup of your backup.
"Question"
by Anonymous reader
Do you have a favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?
MH: Oh, there are several mysteries in the world of malware research. I've always wondered where Dark Avenger is today. He was a legendary Bulgarian virus writer in the early 1990s and he was never caught. One rumour is that he's working at some motherboard vendor nowadays, writing BIOS code. Then there was the mystery of the WHALE virus. I still think about that sometimes, and about what the mysterious message 'I AM '~knzyvo}' IN HAMBURG' means. And then we have Conficker. It's still the most common malware out there today. It was a massive and well-orchestrated operation, for apparently now reason. I believe there's more to that story, but we don't have all the pieces of the puzzle.
Computer health class
by hendric
What would you like to see in a computer 'health' class?
MH: Things like:
- how to uninstall Java and Flash
- how to install a better browser
- how to drop the admin rights
- how to use a password manager
- a lecture on how things that seem too good to be true are never true
- especially on the net
Google (Score:1, Funny)
All my data is on google drive, so I know it's backed up.
If I ever loose anything, I'll just file a FOIA and get it back through the government.
Re: (Score:1)
And wait 5 to 10 years for it to be delivered via fax, while submitting renewals for the request every 30 days.
My main question (Score:2)
My main question: should there be a regulatory agency who oversees various types of security practices for companies? There is already PCI standards, but that is brought on by the credit card industry, not government, and the penalty for not being compliant is just a small fee each month. An example of a problem I've seen in the wild: my old ISP transmits user passwords in plain text via unsecured email messages. This means the odds are also extremely high that they're also storing the passwords as plain te
Re: (Score:2)
should there be a regulatory agency who oversees various types of security practices for companies?
Please hold still so we can smash your fingernails and toenails with hammers repeatedly.
I am so sick and tired of the mentality that leads people to think that making more *laws* will change human behavior and or make things better. How about this everyone, lets all take responsibility for our own actions and in-actions.
Mikko Hyppönen, dammit! (Score:1)
His name has an umlaut. Scandic letter. Whatever you want to call it. The 'o' sound and the 'ö' sounds are completely different in Finnish.
Mikko Hyppönen
'ö' is similar to the vowel sound in the word 'bird'
'o' is similar to the vowel sound in 'thought'
Re: Mikko Hyppönen, dammit! (Score:3)
Um, in English, can you identify a region or accent that pronounces "thought" as anything other than "thawt" / "thort"* ??
*Sorry, I don't know the phonetics alphabet, which would be here appropriate here.
Re:Mikko Hyppönen, dammit! (Score:1)
Anti-virus products and typical workstation (Score:2)
Re: (Score:3, Interesting)
Vulnerabilities exist on Linux too. And they always will exist. Prevention is most important of course, but for the bad guys who break past that, we'll likely need active threat monitoring on Linux as well before too long. And just handing someone Linux isn't magically going to improve their personal security. Bad habits can own a Linux install as much as it can Windows. Social engineering can work just as well against the unwitting Linux user as it can Windows or Mac users.
Re:Anti-virus products and typical workstation (Score:5, Insightful)
The problem is that most skilled crackers working against Linux systems will be writing their own custom code which is significantly more difficult for AV software to detect. In addition, the nature of the threat has to be considered. How can AV tell the difference between software that read/writes user files and opens network connections? Malware uploading user data appears just like a web browser during normal use. Heck, such a program could call itself FireFoxHelper and only run while Firefox is running...
Damn. Security is hard.
Re: (Score:1)
Damn. Security is hard.
Name of the game is risk mitigation, not actual impenetrable defenses. Best we can do against Linux malware is defense in depth. Not allow processes to run unless they are known, lock down system accounts as well as user accounts, utilize access restrictions and permissions, encryption, keep patching, run AV anyway, well-crafted firewalls, DMZ, ACLs, content filtering, backups, NIDPS and HIDPS, monitor and have thorough IR/DR/BC plans.
But that one bug in millions of lines of code from a hotshot developer ca
Re: (Score:1)
"Damn. Security is hard."
Security is hard with an open system that is always changing. The reality is if you want security you need to minimise device complexity. These "all in one" general computing devices are what make security hard. If you move to app specific hardware security gets much easier outside of social engineering attacks.
Re: (Score:1)
The problem is that most skilled crackers working against Linux systems will be writing their own custom code which is significantly more difficult for AV software to detect. In addition, the nature of the threat has to be considered. How can AV tell the difference between software that read/writes user files and opens network connections? Malware uploading user data appears just like a web browser during normal use. Heck, such a program could call itself FireFoxHelper and only run while Firefox is running...
Big data. When you have millions of Symantec, F-Secure, Intel, whatever endpoint agents deployed around the world, sucking on peoples data, network statistics, reported problems etc. you get the data to build the service. From that data you build Threat Intelligence and analytics services, sell the information to everyone, and apply it to your security products to identify global threats. This is what the vendors do. For some customized APT that won't necessarily work, but a customized APT is not most peopl
Shut off javascript in browsers (Score:1)
Notice how the client-side attacks through JS never stop? It's time to acknowledge that it will never be gotten right. Browsers should phase it out, with at most some whitelist exceptions that can only be made through nasty security dialogues like the ones for invalid SSL certificates. JS is just too powerful in the hands of bad people. Shut it down.
Gee, thanks! (Score:2, Informative)
It took him nearly 4 months to answer and I estimate he answered less than 5% of all the questions posed. I remember some very interesting ones (for example this one [slashdot.org]) that were modded up and he didn't even bother with them.
maybe (Score:2)
If there's one thing that I have learned over my 25-year career in computer security, it is that people never learn. They just won't. They will always follow every link, they will always double-click on every attachment, they will always type their password on every phishing site. Quite often, education just seems like a waste of time.
Maybe he's just a bad teacher. I know plenty of people who have learned this.
Re: (Score:2)
Sure, most people learn, but what he is saying is that some percentage do not learn and that is enough to allow a security breach. No matter how small a percentage - all it takes is one. We had such a person - time and again they would click on malware links, after warnings, explanations, etc. One day their spouse emailed them saying there was thus and such a phishing email out and not to click on it (I guess this happened at home as well), and still they clicked on it. Fortunately, they left to plague some
Conflicker (Score:2)
I've always wondered where Dark Avenger is today. He was a legendary Bulgarian virus writer in the early 1990s and he was never caught. One rumour is that he's working at some motherboard vendor nowadays, writing BIOS code.
Forget "bad" guys. Your real risk is to your DATA. (Score:2)
I love this guy's take on "the one thing everybody should be doing a whole lot more of": Backup your stinkin' data. And then make a backup of your backup.
I couldn't agree more. This, for me, is why I will never, ever stop using Dropbox or its equivalent. Every user in my family circle gets backed up to Dropbox. I bought a couple of network storage boxes, and use them to backup Dropbox.
In all the years and years I've been using computers, data loss is the only thing that has ever truly hurt me. Bad guys?
Re: (Score:2)
Protecting it requires management out outbound data and not just preserving your information.
I do my part (doing more for less, natively) (Score:1)
APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?... [google.com]
Ads rob speed, security (malvertising) & privacy (tracking).
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively.
Works vs. caps & PUSH ads.
Avg. page = big as Doom http://www.theregister.co.uk/2... [theregister.co.uk] & ads = 40% of it.
Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Less powe
Have we lost the battle? Tragedy of the Commons (Score:2)
"Criminals need the internet to make money. They do not want to kill the net and they do not want to make it unusable for their victims."
But the tragedy of the commons shows how a group of criminals, none of whom want to kill off the net may end up doing so anyway because they are (a) greedy and (b) unable to coordinate their actions to keep their greed in check.
The net is a classic common pool resource, which means that Tragedy of the Commons is a real threat when each additional attack increases the profi