Tech and Law Center interviews Mikko Hypponen, Chief Research Officer for F-Secure. He has worked for the company since 1991 and has led his team through the largest malware outbreaks in history. In 2003 Hypponen’s team took down the global network used by the Sobig.F worm and in 2004 he was the first to warn the world about the Sasser outbreak. In 2007 he named the infamous Storm Worm and in 2010 he produced classified briefings on the operation of the Stuxnet worm. Hypponen is also an inventor for several patents, including US patent 6,577,920 “Computer virus screening”. Mikko Hypponen has assisted law enforcement authorities in the United States, Europe and Asia on cybercrime cases.
He has also written for international publications like the Scientific American, Foreign Policy, New York Times and Virus Bulletin, as well as addressing the most important security-related conferences worldwide. He has been the subject of dozens of interviews in global TV and print media, including a 9-page profile in Vanity Fair. In 2007 he was selected among the 50 most important people on the web by the PC World magazine. In 2010 he received the virus Bulletin Award as “The Best Educator the Industry”, which is given every ten years.
He is a TED‘s speaker.
Source of the bio.
What is the single most challenging thing we deal with in information security today?
The most challenging thing is user education. Because users never learn. No matter how many times you tell them, they will always click every link, accept every attachment, doubleclick on every executable and type their passwords on every form. Which means, we should build our security systems so that they would work regardless of the mistakes done by the users. We can’t just blame them forever.
Will the shift into more embedded systems present new challenges for security, or will old problems just continue as they have in the past?
Embedded systems remove the user from the equation. If your fridge or toaster or light bulb has a CPU and an IP address, it is hackable – but it doesn’t have a user in the traditional sense. So you can’t target it with attacks that require a user. Unfortunately, there are several ways of infecting devices without a user and even making money on such a system, without the user.
Looking forward, what security trends, offensive or defensive, scare you the most?
Military malware made with multimillion dollar budgets scares me.
On the flip side, what trends, if any, in information security give you the most hope?
Reputation systems look very promising. It’s hard, but we can block even the most advanced malware attacks based on file reputation. The idea here is that we know which programs are common and which are rare. Most programs you run (notepad.exe, Adobe Reader, Firefox etc) are very common: millions of people have ran them before you. But if you get hit by a targeted attack, you will be the first person in the world to run that app. We could detect that and block the file, just based on it’s rarity. In effect, we’d be using the attackers tricks (obfuscation, polymorphisism) against himself. It’s Judo.
For people who work in security, is the existence of PRISM surprising? Which aspects of it are routine or expected or even necessary, and which are genuinely dangerous?
Existence of PRISM is surprising and don’t let anybody tell you otherwise. Saying that ‘we all knew this’ about PRISM downgrades the significance of these revalations. We didn’t know this. We might have feared that something like this exists, but now we know for a fact. And the reality seems to be worse than the worst fears. Indeed, western intelligence agencies have infiltrated standardization bodies to sabotage secure encryption algorithms on purpose. What the hell.