Mikko Hypponen, Chief Research Officer at security firm F-Secure, has answered a range of your questions. Read on to find his insight on the kind of security awareness training we need, whether anti-virus products are relevant anymore, and whether we have already lost the battle to bad guys. Bonus: his take on whether or not you should take backups of your data.
by Anynoymous reader
Do you have any suggestions on how to create a successful security awareness program in a tech company? Some people like Bruce Schneier prefer the time and money spent on better security engineering. What's your take on this?
Mikko Hypponen: If there's one thing that I have learned over my 25-year career in computer security, it is that people never learn. They just won't. They will always follow every link, they will always double-click on every attachment, they will always type their password on every phishing site. Quite often, education just seems like a waste of time. I think we should do the best we can to move the responsibility away from the end user, as much as we can. Most users can't handle it, anyway. The average Slashdot reader can, but most can't.
With recent reports of anti-virus software sometimes actually adding security vulnerabilities to the system, and the fact that Windows ships with its own bundled anti-virus, what advantages do commercial third-party anti-virus solutions offer these days?
MH: Security companies should clearly do a better job in making sure their low-level code is not exploitable. Heck, there's still a lot of security companies who do not run an open bug bounty (we do)! Having said that, it's clear that anti-virus products drastically improve the security level of a typical workstation. We see this every day from our analytics. Every single day, we prevent tens of thousands of our customer from getting infected with malware. These are real cases where our product is the last layer of protection and the user would have been infected without us. The malware went through everything else, including Windows' own security layers and we blocked it. Feels good, man.
Is it too late? Have we lost the battle?
Hi Mikko, in my day job I am a security evangelist, carrying out developer education and design reviews. For 8 years previous to that I helped companies use static analysis to detect and eliminate security vulnerabilities at the implementation layer. I am becoming convinced that, with the poor state of software today and extreme complexity, there is simply no way the good guys can win. Defenders have to get it right, every single time while the bad guys only need to be right once, to establish an APT and destroy your company. If the bad guys were parasites I would say this would all simmer down to a balancing point where the parasites existed off a slow background noise of constant attacks, but never enough to kill civilization completely. But with a lack of collusion, attackers are more likely to race to the bottom and to not pay attention to the health of their host. So basically my prediction is: crime will eventually kill technology; it will become unusable. Do you have a more hopeful outcome for us?
MH: Criminals need the internet to make money. They do not want to kill the net and they do not want to make it unusable for their victims. They do want to keep it operational - so they can make money. So, the internet is not about to crash any time soon.
Some wisdom on the future...
by Anonymous reader
We (as a society) put different emphasis on security and privacy at different times. What do you think we should optimize for and where do you think is the optimum?
MH: We are the first generation in mankind's history that can be monitored at this level. We can be monitored digitally throughout our lives. Almost all of our communication can be monitored one way or another. We even carry small tracking devices on us all the time - we just don't call them tracking devices, we call them smartphones. What does that level of monitoring mean to us in the long run? I'm afraid we do not have an answer for that yet. And, security and privacy are not a direct trade off. We need both. It might be that we've already lost the war on privacy, But I refuse to accept that we would have lost the war on security too.
Complicated issues #1
by Aryeh Goretsky
Do you think it is still possible to secure embedded systems (aka the Internet of Things), or is that an impossibility now, practically speaking?
MH: Legacy appliance vendors know a lot about safety. But they don't know much about security. So you can rest assured that your smart lightbulb will not give you an electric shock, and it will not catch fire. But it will leak your wifi password. And this isn't getting better quickly, as security is not a selling point for household appliances: price is. Which means vendors are installing the minimum to their security features.
Users mostly don't care, as they don't understand the scope of the problem. "Why would anybody hack my fridge?" "Why would anybody hack my toaster?" Well, the attackers are not after your toaster: they are after your network. Your toaster is just the easiest way in. IoT devices are not the target - they are the vector. Even more so when those IoT devices are not at your home but at your office.
I'd like to think that in the long run IoT will turn out to be useful like the internet itself. It's clear that the internet exposed our systems to a wide range of new kinds of risks, but the benefits outweighed the risks. I hope that will apply to IoT one day as well.
Complicated issues #2
by Aryeh Goretsky
If there was one thing you could suggest every average computer user to do to improve their security, what would it be?
MH: Back up.
Back up your computer. Back up your phone. Back up your tablet.
Back them up so you can recover them even if your house burns down.
And then take a backup of your backup.
by Anonymous reader
Do you have a favorite "That one who got away" story? By that I mean some piece of malware you could almost track down the creator of, figure out how it worked or automate discovery of it, but not quite?
MH: Oh, there are several mysteries in the world of malware research. I've always wondered where Dark Avenger is today. He was a legendary Bulgarian virus writer in the early 1990s and he was never caught. One rumour is that he's working at some motherboard vendor nowadays, writing BIOS code. Then there was the mystery of the WHALE virus. I still think about that sometimes, and about what the mysterious message 'I AM '~knzyvo}' IN HAMBURG' means. And then we have Conficker. It's still the most common malware out there today. It was a massive and well-orchestrated operation, for apparently now reason. I believe there's more to that story, but we don't have all the pieces of the puzzle.
Computer health class
What would you like to see in a computer 'health' class?
MH: Things like:
- how to uninstall Java and Flash
- how to install a better browser
- how to drop the admin rights
- how to use a password manager
- a lecture on how things that seem too good to be true are never true
- especially on the net