>>Mikko Hypponen: My name is Mikko Hypponen.
I have been working for the past 20 years
researching, analyzing viruses and tracking
online criminals for F-Secure Corporation.
The Internet is a reflection of the real world
and just like the real world has problems
with criminals and crime and bad people. Obviously,
we have exactly the same problems in the online
world.
Since I have spent pretty much most of my
life watching these online criminals, I wanted
to share with you my view of who we actually
are fighting today. Because if we understand
where the attacks are coming from, we are
much better equipped in actually fighting
these problems. We can try to solve these
problems by having technical solutions, having
all the antiviruses, all the firewalls, all
the patching, all the backups. But if we want
to go a bit deeper, we have to understand
where the attacks are coming from. Of course,
the attacks are global and they are going
on right now.
When we track with our systems where different
attacks are coming from and where they are
going, they are constantly -- right now we
are finding more than 100,000 new malicious
samples of (inaudible) every single day. It
is just totally out of control.
Where are these coming from? And I group the
current attackers into three main groups.
We have the organized criminal gangs. Then
we have different kind of attacks coming from
hacktivists. And then we have attacks which
are launched by different countries and nation
states.
So, first, criminals who make money. Organized
criminal gangs, gangs operating from Russia,
from Ukraine, from Kazakhstan, from Belarus,
from Romania, from China, from Brazil. These
are global issues. And these guys, their motivation
is money. And money is a good motivator. People
do pretty much anything for money. And if
they can make good income by writing viruses,
infecting people's computers, they will be
doing that. And they have been doing it since
around 2003.
We found the very first PC viruses 25 years
ago in 1986. But we found the very first money-making
viruses only around eight years ago.
Today the Internet is full of millionaires
who became millionaires by writing viruses
and infecting people's computers.
For example, this photo right here was found
during a forensic examination of a Linux
server which was used as a drop site for a
banking Trojan attack. On that server was
a deleted folder which had deleted images
taken from a digital camera. One of those
images was this. We tried to estimate how
much money there is in the photo. It's around
$1.5 million, which looks like a lot of money.
But, then again, we have to remember the value
of the dollar has been going down, so...
[ Laughter ]
Here's I-Frame Biz. This is a Web site run
in St. Petersburg, Russia, specializing in
buying access to infected computers. So if
you are a virus writer anywhere in the world,
you can infect computers, you can simply sell
the access to those infected home computers
and corporate computers to these guys. They
will pay you money for infecting machines,
which, of course, then means they have to
be able to monetize those computers somehow.
You can sort of see the lifestyle image they
are trying to portray to people they would
like to buy infected computers from.
[ Laughter ]
Infect computers, sell them to us, become
rich, meet girls, that's the way it works.
[ Laughter ]
This is Albert, known as Segvec online. Photographed
in the penthouse suite of, I believe, the
Peninsula Hotel in New York while he is hacking
away. Here is his partner in crime, Mr. Watt,
known online as UNIX terrorist, partying in
the same hotel in the pool.
Nice lifestyle. How can these guys afford
a lifestyle like this? Well, they can afford
it by paying their bills with your credit
cards. That's what they do. So these are Americans.
But, of course, we have attackers coming from
eastern Europe as well like (saying name)
from the City of Kiev which is in Ukraine,
or Vladimir Tsastsin from the city of Tartu,
which is in Estonia.
And the amount of the attacks these guys are
making are actually being monetized through
things like keyloggers. Keyloggers sit on
your computer and save everything you type.
So every password you type is saved and sent
to the criminals. Every email you type is
saved and sent to the criminals. Every Google
Search you do, the same thing. Every Bing
search you do, the same thing. Of course,
that's a joke. They are not really recording
Bing searches because nobody uses Bing.
[ Laughter ]
Nice, smooth.
[ Laughter ]
Now, the real target of these attacks, of
course, is to have the keylogger active when
you do online shopping because when you do
online shopping you will be typing in your
name, address, credit card number, expiration
date, security code which means they gain
access to your systems.
Many of these guys have made a total business
out of these operations. They run Web sites
where they can -- where they will buy access
to infected computers. They buy and sell stolen
credit card numbers, buy access to infected
servers. This is a flash animation from a
Web site called Carderplanet where they advertise
their services. Buy credit cards from us,
become rich, be independent. It has become
very organized.
This is the bigger problem we fight. Organized
criminal gangs are the single biggest problem
we have.
Then we have these guys. Group number
two, hacktivists, social activists who operate
globally thanks to the Internet. The Internet
is global. No distances, no borders. And people
who would like to protest something used to
be able to do it locally. Now, of course,
they can do it globally and they can do it
everywhere in the world.
Groups like Anonymous made the headlines late
last year. They have been around for quite
a while, but they really started making headlines
when they started large-scale attacks, mostly
related to WikiLeaks' saga, trying to shut
down Web sites of companies like Visa and
MasterCard and so on.
Anonymous is like an amoeba. It changes structure,
no clear leadership, no clear roster, no clear
membership list, different operations have
different people behind them. And nobody really
knows who is actually a member and who's not.
Like they say themselves, we are all anonymous.
But he decided to investigate this. He is
Mr. Aaron Barr. He used to be a CEO for a
company called HBGary Federal. It is a security
company which did a lot of consulting for
the U.S. government.
And they specialized, well, in many things
but one was social -- gathering intelligence
from social networks. So Mr. Aaron Barr infiltrated
these different chat boards and online forums
used by different Anonymous operations and
became one of them, collected information
about their group.
And then he gave an interview about this.
He spoke to a journalist called Andy Greenberg
from "Forbes" and explained he has done all
this research and is going to make all this
information public next week in a conference
in San Francisco. And this was in February.
He gave the interview on Friday. It was printed
in "Forbes" on a Friday. He was due to give
the talk on Tuesday.
He never did because during the weekend, his
Facebook was hacked. His Twitter was hacked.
His email accounts were hacked. The email
archives of the whole company were hacked.
In fact, they were put online and they are
still online today on a system where anybody,
including any of you, can go and search for
the whole email history of this company for
the past five years, since then the company
was started, including reading every single
confidential email, every single private email,
every single classified email that this company
has sent or received, which is pretty devastating.
It is a good example of just how ruthless
groups like these can be when they feel threatened.
And then we have group Number 3, nation states,
countries launching the attacks. We've seen
online espionage and spying for a number of
years. Spying, of course, is collecting information.
Information obviously is data today. If you
want to reach information, you don't really
go after paper in physical locations anymore.
You go after the computers and the computer
networks. You know of the attacks, like the
Aurora attack against Google itself last year
and many, many similar cases.
Then we have other kinds of attacks like what's
been going in Iran. Iranian hackers have gained
access to at least two certificate authorities,
so they are able to issue SSL certificates
and code-signing certificates including issuing
SSL certificates for -- a fake certificate
for google.com apparently because then the
Iranian government can monitor dissidents
within Iran while they are using Gmail to
do their communication.
And then we have cyber sabotage, maybe in
the future real cyber warfare. Best example,
of course, is what we saw with Stuxnet.
Stuxnet, the worm, we found in the summer
of 2010. Stuxnet, which is the first worm
in history that targets automation systems,
in fact, it targets these. This is a Siemens
S7-400. It is a PLC box roughly this size,
costs you around $5,000. And this is what
runs our modern societies. This runs factories,
(inaudible), heaters, pumps. The elevators
in this building are most likely controlled
by something like this, and that's what Stuxnet
targets and through that targeted the
nuclear enrichment program in Iran.
So what can we do about these three problems?
Problem number one, organized criminal gangs,
the solutions are obvious. Of course, we have
to do technical safeguards like taking backups,
patching, running antivirus. That's clear.
But even more importantly, we should be able
to catch these guys, find them and put them
behind the bars. That's something we are doing
really, really poorly at the time.
Hacktivists. This is the next generation.
That's the generation that's growing up, the
generation that doesn't know of a time when
Internet wasn't around. And for them, it seems
to be as natural to go online and launch denial
of service attacks to make their point as
it is to go to the streets and have a real-world
protest. And we have to be able to reach them
and explain to them that it is not the same
thing. Freedom of speech, support, you can
go and have a peaceful protest. Going online
and launching denial of service attacks is
illegal.
And then we have the last group, nation states,
behind these attacks. And that is a tough
problem because I think universally, it is
probably a good thing that somebody is doing
something about the Iranian nuclear program,
right? That's probably not something we would
try to stop. But we have a real problem that
we have security mostly being provided by
private security companies from independent
countries. And if you are getting your security
solutions from a vendor in Country A and you
actually might be worried about attacks targeting
your own country from the same country, things
get really complicated.
So, while the Internet really is global, the
situation is that the borders still sometimes
matter. Thank you very much.
[ Applause ]
