F-Secure’s Mikko Hypponen weighs in on cybersecurity and the new mobile frontier.
In 1984, two brothers, wanting to make a point about the vulnerability of DOS — that’s disk operating system, for those of you who are the Windows PC generation — wrote a piece of code and secretly released it into the world.
Their code, which only came to light in 1986, altered the instructions that a computer executes on start-up when a floppy disk was inserted and replicated the same message on every PC hard disk it came into contact with.
The brothers had written the first recorded PC virus. Their code was named Brain and the message that ended up on countless machines was their names and address in Lahore, Pakistan.
On the 25th anniversary of Brain — in January, last year — Mikko Hypponen, security expert and chief research officer for digital security company F-Secure, and his team revisited the original code.
“I flew to Lahore and went to the address, knocked on the door and there they were,” said Hypponen, who made headlines with his visit and subsequent documentary on the topic.
Brain was harmless; Amjad Farooq Alvi and his brother Basit had only wanted to prove that DOS had security issues. They had no inkling of the Pandora’s Box that they had unwittingly opened.
In 2003, a virus called Fizzer claimed a spot in the history books as the first written for one purpose — to make money.
Since then, the cat-and-mouse game with criminals that strongly defines the cybersecurity industry has been growing exponentially, with cybercrimes reportedly costing society an estimated US$1 trillion (RM3 trillion) a year, maybe more.
These crimes encompass a broad range of activities — from laptop theft and financial fraud to phishing and pharming schemes to malware attacks and database breaches.
It is a world that Hypponen has been an active member of (on the side of the good guys) since 1991 when he joined F-Secure in Finland.
He said that the challenge of establishing international protocols for cooperation between different jurisdictions to fight cybercrime remains an ongoing battle.
Agencies such as Interpol, set up to deal with crimes committed on an international scale such as drug smuggling and money laundering, are, he said, “built to fight a completely different type of crime.”
“It is different when it’s not about one tonne of cocaine being moved, but one grandmother who has lost 1,000 dollars from her bank account,” he said.
Because money stolen from one victim’s account could be small, it doesn’t look that serious and this makes it harder to get the police involved, especially if there are no victims in their own country that they know of.
Things are improving though, with Interpol announcing the creation of an Interpol Global Complex in Singapore, with full operations projected for late 2013 or early 2014.
One of the areas the Singapore-based operations will focus on is cybercrime, and it is a development that could not have happened sooner for Hypponen.
He believes that it is more likely these days for someone to be a victim of cybercrime than for someone to have his or her wallet stolen.
Same old story
Despite this ever-changing landscape of cybersecurity, some things remain the same.
“I remember in the early 1990s when we started shipping antivirus software for PCs, and most people thought we were trying to fool them. They thought that there weren’t any real viruses and that it was some sort of a scam,” Hypponen said.
“We’re facing the exact same attitude today with mobile devices like smartphones and tablets,” he said.
And it’s not just the perception of the masses that security professionals have to deal with.
In November last year, open-source programs manager at Google, Chris DiBona, labelled antivirus companies as “charlatans and scammers,” adding that such companies were playing on consumer fears “to try to sell protection software.”
DiBona was reacting to an article which described open-source software as “inherently insecure.” The article also stated that Google’s smartphone operating system — Android — was littered with viruses.
Naturally, Hypponen took it personally and was offended, especially since cybersecurity involves “much more than just antivirus software.”
“I would like to publicly call him a scammer and charlatan in return. He will learn that we are not trying to fool people; we are trying to help people who have problems with the security on the platform that they (Google) are making,” he said.
All is not lost, according to Hypponen, because the “sky isn’t falling on these devices” as yet. The real-world risk of getting hit by malware on one’s smartphone is still very small, and users should “worry more about the phone getting stolen, lost or dropping into a lake.”
While mobile malware exists and his team has detected thousands of infected files, typically on Android platforms, the situation isn’t as bad as it is for PCs.
This is partly because the attackers haven’t aggressively moved to the mobile space yet and also due to the built-in security on smartphones being better than what it was on PCs.
Hypponen pointed to the Apple iPhone as a good example of how some smartphones benefit from better built-in security.
“You have to give credit for a job well done.” Despite it being a “very visible device and major target for modifications and jail breaking,” it is five years after the phone’s launch and there have been no significant attacks to date, with the exception of some isolated cases targeting jail-broken iPhones.
Calling the situation “a thousand times worse for PCs than it is for mobile” right now, Hypponen said that it was also a good sign of the industry learning from mistakes made on past systems, and the improvements made in cybersecurity.
Anonymous no more
The recent high-profile actions of hacker groups such as Anonymous and LulzSec have been credited by some for not only raising public awareness but also company budgets for cybersecurity measures.
Hypponen would not be the first to endorse such commentary but admits that in many ways, it is true.
“Especially LulzSec with their successful intrusions; this has really been a wake-up call for companies to rethink their cybersecurity,” he said. However, he argues that the existence of WikiLeaks may have had a bigger impact on the corporate sector.
WikiLeaks is an international organisation that publishes on the Web submissions of secret and classified information from anonymous sources, leaks, and whistleblowers.
“I may be a bit naïve to say that I think companies are now behaving more responsibly because of the very real likelihood that if they do evil things, somebody from their own company could leak the information without getting detected,” he said.
Hypponen pointed out that even the best-known whistleblower Bradley Manning — the US Army soldier who is accused of passing secret information to WikiLeaks — was caught not due to any technical failure on WikiLeaks’ part but rather through his own actions.
“Which means WikiLeaks has successful methods of protecting the identities of whistleblowers and this knowledge will drive companies to behave more ethically.
“Anonymous has had a similar impact, because this group of ‘hacktivists’ always has a motive behind its attacks,” he said.
If there’s one thing companies should take into account, it is that in most cases, one can avoid becoming a target for such attacks. Hypponen pointed to two companies — Sony and Apple — to illustrate.
In 2010, George Hotz successfully hacked his Sony PlayStation3 game console, resulting in the company taking him to court.
A year later, then 19-year-old Nicholas Allegra, also known as “@comex,” hacked his iPhone but was hired by Apple.
“It was a good move by Apple. Sony was hacked 37 times last year while Apple wasn’t. In fact, Apple has never been targeted by hacktivists or others,” said Hypponen.
Twenty-six years after the Brain virus was released, the industry that sprang up to safeguard computer users and organisations from online threats is now a big business.
According to a report by Global Industry Analysts (GIA), the cybersecurity market is estimated to be worth more than US$80bil (RM240bil) before 2017.
GIA has also stated that the global market for managed security services, which comprises network security services that have been outsourced, is projected to reach US$11.2bil (RM33.6bil) in the same period.
So what are the brothers Amjad and Basit up to these days?
They’re still in business at that same building in Pakistan where they wrote Brain, with a licence to deploy fibreoptic cable.
Their company — no surprise here — is called Brain Telecommunication Ltd.
During that historic meeting last year, Hypponen handed them a floppy disk with a copy of Brain.
“Yes, I brought the virus home,” he said.
To view the F-Secure documentary on the creators of the Brain virus, point your browser here.