Cybersecurity expert Mikko Hypponen offers a surprisingly entertaining tour through certain darker regions of the internet. He focuses on malware, relating its history from the first viruses to the modern, more dangerous exploits of online criminal gangs, spies, terrorists and rogue nations. An engaging storyteller, Hypponen describes investigating notorious malware attacks, and advises how businesses and individuals can better protect themselves online.
- The internet enables new security threats to individuals, companies and nations.
- For decades, malware has been the main tool for breaching computer security.
- Money motivates malware attacks.
- Modern warfare utilizes malware.
- Law enforcement uses malware in criminal investigations.
- Security breaches succeed due to technological or human error.
- Maintaining security will grow increasingly challenging in the future.
The internet enables new security threats to individuals, companies and nations.
Anyone who connects to the internet faces danger from malware. Criminals use this software to extort money from victims worldwide. Governments use malicious software to spy on other nations and carry out new forms of warfare and sabotage.
“The internet is the best and the worst thing that has happened to us.”
As more devices, appliances and infrastructure connect to the internet, malware threats will multiply.
For decades, malware has been the main tool for breaching computer security.
Malware is the umbrella term for invasive programs such as viruses, worms and trojans. Viruses first surfaced in the 1980s, spreading via shared floppy discs on computers such as the Commodore 64 and Apple II.
Viruses didn’t become a significant problem until the advent of the IBM PC. Unlike earlier computers, the PC was “open” – other manufacturers could build compatible computers and accessories, and anyone could write programs for it.
With accessories such as modems and network cards, PC users accessed online file-sharing services such as bulletin board systems (BBSs). In the early 1990s, BBSs provided the main vector for the next generation of malware – file viruses. These viruses infected program files on MS-DOS operating systems and, later, on Windows. When the internet gained traction, email and FTP file sharing offered additional infection routes.
“We’re the first generation that is living part of our lives online and part of our lives in the real world.”
Later generations of malware include:
- Macro viruses – These viruses infected shared documents, such as Word or Excel files. The first macro viruses weren’t damaging, but later versions corrupted or overwrote documents, and some made small, random changes that wreaked havoc in certain documents, such as budget proposals.
- Email worms – These spread through email attachments. The worm instructs an infected computer to send copies of itself to all the addresses in the user’s contact list. The email appears to come from someone the recipient knows, which increases the likelihood they will open its attachments. If they do, the worm again sends copies to everyone on that recipient’s contact list. Email worms became more dangerous when malware authors combined them with macro viruses, which could spread private documents from infected computers.
- Internet worms – This malware eliminated the need for a recipient to open an infected email. Worms infected computers at great speed. In 2003, for example, the internet worm Slammer shot across the world. In 15 minutes, it infected every computer it could. Slammer caused significant difficulties at international banks, and infected a nuclear power plant’s local area network.
- Exploit kits – Hackers spread this malware by compromising popular websites, turning them into conduits for installing malware on visitors’ computers.
- Ransomware trojans – This malware locks the data in the victim’s computer by encrypting it. The attackers then sell the victim a decryption key.
Money motivates malware attacks.
Cybercrime is an industry worth billions. Online criminal gangs’ income increases about 100% a year, and the value of their assets – which they usually store as bitcoins – has also soared. Cybercrime is such a significant problem that the US State Department offers a $10 million reward for tips that lead to the arrest of members of certain online crime gangs.
Using viruses for monetary gain began in the early 2000s when “spammers” – people who send out junk email – collaborated with virus creators. Previously, email spam filters removed potential junk from inboxes by scanning for mail from blacklisted addresses and servers. But with the aid of viruses, spammers could hijack home computers to send out the spammers’ messages and infected attachments.
Criminals increasingly relied on ransomware trojan attacks. In a notable 2009 attack, the malware FileFixer encrypted users’ documents and displayed an error message claiming the file system was corrupted. The message, which appeared to come from the Windows operating system, recommended purchasing the software Data Doctor. While Data Doctor claimed to restore corrupted files, in fact it simply decrypted them. Thousands of people paid the $89 licensing fee for Data Doctor.
Such schemes were somewhat risky for the perpetrators, because they had to collect the ransom by way of credit or gift cards. But in 2013, a newly discovered trojan, CryptoLocker, offered the option of paying a reduced ransom with bitcoin.
“The appearance of bitcoin and other cryptocurrencies is both wonderful and problematic – much like the internet itself.”
Bitcoin has become the currency of choice for online criminal transactions. Cryptocurrency transactions can be invisible to investigators, and are irreversible. You can’t stop payment on bitcoin transactions, and no entity provides refunds – as PayPal does, for example, in cases of scams or nondelivery. Rogue nation North Korea prefers to collect bitcoins, because unlike dollars or euros, cryptocurrency can pass through economic embargoes.
Modern warfare utilizes malware.
Nations utilize cyberweapons because they can inflict considerable damage and prove less costly than traditional armaments. Development costs for Stuxnet, one of the most effective cyberweapons, were probably about $20 million, a bargain compared to the cost of a conventional aerial bombing campaign. Experts believe Stuxnet sabotaged Iranian centrifuges that enriched uranium – a devastating setback for Iran’s nuclear weapons program. Cyberweapons such as Stuxnet can run for years before anyone discovers them.
Cyberweapons provide a veil of plausible deniability. Most experts believe the United States and Israel collaborated on the development and deployment of Stuxnet, but no hard proof has come to light. Cyberweapons also enable countries to launch attacks that appear to be the work of other nations.
“Technology is changing relationships between the superpowers, while altering the nature of conflicts and the way we wage war.”
Governments sponsored two global trojan attacks in 2017. NotPetya was linked to the GRU, Russia’s military intelligence agency. Targeting computer systems in Ukraine, NotPetya adopted the appearance of a typical ransom trojan, even to the point of including a ransom demand. But NotPetya was actually a cyberweapon that impaired many Ukrainian companies, shutting down mass-transit servers, interrupting point-of-sale systems in retail chains, and disrupting bank networks. It infected the computers of Western companies with branches in Ukraine, and spread internationally. NotPetya inflicted unprecedented financial damage: The container shipping company Maersk, FedEx and pharmaceutical giant Merck all reported hundreds of millions of dollars in losses they traced to the malware.
“To protect our information systems, we need to know who we are fighting and why they are attacking us.”
Also in 2017, the North Korean government launched the WannaCry ransomware attack to raise money. The malware infected nearly a quarter of a million computers around the world, but its code was buggy, and the malware didn’t work correctly. News spread that WannaCry could not restore data after victims paid the ransom. North Korea ultimately collected only 60 bitcoins.
Law enforcement uses malware in criminal investigations.
Police have traditionally enjoyed authorization to tap suspects’ landline phones, and later expanded their eavesdropping to mobile phones, text messages and email. But when encryption of online communication became common, police needed a way to view a message before a suspect hit the send button. They do so by planting malware in suspects’ devices.
The police have access to infection routes criminal malware producers cannot utilize. Police can get a warrant to break into a suspect’s house and insert malware into a device. Alternatively, they can enlist a local internet provider to prepare software the suspect will download.
Law enforcement can seize a suspect’s devices, but then can face great difficulty retrieving data from those devices. Criminals often prepare stratagems for quickly destroying evidence on their devices in the event of arrest. When police seize an intact but locked device, they can try to break in by trying every possible password. With sufficient computing power, decryption systems can try millions of password options every second, but it can still take months to find the right one.
Even when the authorities can’t decrypt communications such as email and direct messages, they can find leads by examining a message’s metadata. This reveals, for example, who took part in a communication, the participants’ locations, and what time they conducted the conversation.
In some cases, the only option for gaining access to a suspect’s data is to create a distraction and grab the suspect’s unlocked device.
Security breaches succeed due to technological or human error.
Modern computer programs feature thousands or millions of lines of code, so typos and other coding mistakes are inevitable. These bugs provide loopholes through which hackers penetrate a system.
“Question: How many of the Fortune 500 are hacked right now? Answer: 500.”
Software developers can help eliminate these vulnerabilities by offering “bug bounties” – monetary rewards for people who find and report these errors.
Fixing bugs can be costly, but once programmers patch a weak point, it vanishes permanently. No one, on the other hand, can eliminate human error.
Common human errors include using the same password for everything, downloading dubious utilities from the web, opening any email attachment, and falling for phishing sites and other ruses. Instead of trying to eliminate human error, firms insist that responsibility for security lies not with users, but with telecom providers, data-security services, and the makers of operating systems and software.
“When information security works flawlessly, it is invisible.”
One common error companies make is limiting their security efforts to building impenetrable firewalls to keep attackers out. A company should always assume that its network is vulnerable. A security regimen should include regularly monitoring the internal network for unusual activity. Monitoring techniques include:
- Network profiling – Companies set up multiple sensors to record a “snapshot” of the network’s normal activity. They program sensors to seek deviations from typical behavior.
- Bait networks – This is an attractive but fake lure to snare intruders. The bait could be a folder on the document server containing fictitious financial reports or password lists. An intruder who peeks inside these folders triggers an alert.
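As an added illustration (not code from the book or from this summary), here is a small Python script that implements both techniques over constructed log lines in a hypothetical `<time> <host> <action> <target>` format: it builds a snapshot of each host’s normal peers and connection count, raises alerts on deviations from that snapshot, and raises an alert whenever anyone touches a bait file.

```python
from collections import defaultdict

# Constructed sample logs in a hypothetical "<time> <host> <action> <target>" format.
# BASELINE_LOG is the quiet "snapshot" period; LIVE_LOG contains an intrusion.
BASELINE_LOG = """\
09:00 ws-01 connect fileserver:445
09:05 ws-01 connect mail:993
09:07 ws-02 connect fileserver:445
09:10 ws-02 connect mail:993
09:12 ws-01 read docs/reports/q1.xlsx
09:15 ws-02 read docs/reports/q1.xlsx
"""

LIVE_LOG = """\
13:00 ws-01 connect fileserver:445
13:01 ws-01 connect mail:993
13:02 ws-02 connect fileserver:445
13:03 ws-02 connect ws-07:3389
13:03 ws-02 connect ws-08:3389
13:03 ws-02 connect ws-09:3389
13:03 ws-02 connect ws-10:3389
13:03 ws-02 connect ws-11:3389
13:03 ws-02 connect ws-12:3389
13:04 ws-02 read docs/finance/passwords.txt
"""

# Bait files: fictitious documents nobody has a legitimate reason to open.
BAIT_PATHS = {"docs/finance/passwords.txt", "docs/finance/acquisition-plan.docx"}


def parse(log_text):
    """Turn log text into (time, host, action, target) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            events.append(tuple(line.split(maxsplit=3)))
    return events


def build_profile(events):
    """Snapshot of normal behaviour: each host's known peers and connection count."""
    peers, counts = defaultdict(set), defaultdict(int)
    for _, host, action, target in events:
        if action == "connect":
            peers[host].add(target)
            counts[host] += 1
    return {"peers": dict(peers), "counts": dict(counts)}


def profile_alerts(profile, events, burst_factor=3):
    """Flag connections to peers absent from the snapshot and bursts of activity."""
    alerts, seen_new, live_counts = [], set(), defaultdict(int)
    for _, host, action, target in events:
        if action != "connect":
            continue
        live_counts[host] += 1
        if target not in profile["peers"].get(host, set()) and (host, target) not in seen_new:
            seen_new.add((host, target))
            alerts.append(f"new peer: {host} -> {target}")
    for host, n in live_counts.items():
        base = profile["counts"].get(host, 0)
        if n > burst_factor * max(base, 1):
            alerts.append(f"burst: {host} made {n} connections (baseline {base})")
    return alerts


def bait_alerts(events, bait_paths):
    """Any access to a bait file is an alert, whoever the host is."""
    return [f"bait touched: {host} {action} {target}"
            for _, host, action, target in events if target in bait_paths]


def analyze(baseline_text, live_text, bait_paths):
    profile = build_profile(parse(baseline_text))
    live = parse(live_text)
    return profile_alerts(profile, live) + bait_alerts(live, bait_paths)


if __name__ == "__main__":
    for alert in analyze(BASELINE_LOG, LIVE_LOG, BAIT_PATHS):
        print(alert)
```

Run against its own snapshot the script stays silent; against the live log it reports the six unfamiliar RDP peers, the burst from ws-02, and the bait-file read.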
A common mistake among manufacturing enterprises is to assume a factory’s computer-controlled machinery is secure because it does not connect to the internet. Managers may believe their plant’s control system resides on its own “closed network” – but almost any modern factory system connects to the internet somehow, including via accidental links.
“IT security is not always rocket science. You simply need to consider how to make life harder for attackers.”
A factory’s closed system could become connected if the manufacturer merged with another company and the two companies integrated their networks. An employee may create an inadvertent link by installing a connection that allows him or her to work remotely.
Maintaining security will grow increasingly challenging in the future.
Today all computers are online, and with the advent of the Internet of Things, all electrical devices will eventually connect to a network. Network connections will boost a product’s functionality while increasing its vulnerability. Smart, connected devices – watches, televisions, cars, homes and entire cities – will offer expanded functionality that will be more vulnerable to attack.
“The internet is controlled by a handful of corporations who couldn’t care less about the concerns of individual users.”
Vulnerabilities will increase when “dumb devices,” such as toasters or kitchen mixers, go online. Once connectivity becomes sufficiently inexpensive, machines will collect valuable data on the products’ owners – where they live or how they use the machines – and send it over a network to the manufacturers.
“Installing antivirus in a dishwasher will not work, and firewall software cannot run on coffee machines.”
These machines will probably use connection infrastructure that consumers can’t easily disable. Securing such devices will prove more difficult than protecting a phone or computer. One possible solution may be to institute regulations that hold manufacturers liable for damage that occurs due to vulnerabilities in the devices they sell.
About the author
Mikko Hypponen is the chief research officer at WithSecure and the principal research adviser at F-Secure.
Mikko Hypponen is a global cyber security expert with over thirty years’ experience working as a researcher and investigator. He is a sought-after lecturer, and he was profiled in Vanity Fair. His TED Talk has been viewed more than 2 million times.
Technology, Nonfiction, History, Computers, Networking, Cloud Computing, Privacy and Online Safety, Digital Currencies, Internet, Telecommunications, Computer Security
Table of Contents
Foreword: Jeff Moss xiii
Saab 9000 Turbo xxi
The Good and the Bad of the Internet 1
Prehistoric Internet 2
The First Websites 5
Linux Is the World’s Most Important System 7
iPhone vs. Supercomputer 10
Online Communities 11
Money Is Data 13
Codes All Around Us 14
Security Tetris 21
Who Are We Fighting? 24
Professional Cybercrime Groups 28
The Rolex 30
Malware—Then, Now, and in the Near Future 33
The History of Malware 34
Viruses on Floppies 34
File Viruses 43
Macro Viruses 43
Email Worms 45
Internet Worms 46
The Virus Wars 49
Web Attacks 51
Mobile Phone Viruses 51
Worms on Social Media 54
Smartphones and Malware 55
Law Enforcement Malware 57
Case R2D2 58
Cracking Passwords 59
When a Hacker Spilled Her Coffee 60
Ransomware Trojans 61
The History of Ransomware Trojans 61
Honest Criminals 65
Case Maersk 67
My Week with Wannacry 72
Targeted Ransomware Trojans 76
Ransomware Trojans v2 77
The Human Element 79
The Two Problems 80
The Heist 82
CEO Fraud 89
Touring the Headquarters 92
Protecting Company Networks 95
Zero Trust 100
Bug Bounties 101
Mikko’s Tips 112
Mikko’s Tips for the Startup Entrepreneur 114
Boat for Sale 118
What If the Network Goes Down? 121
Electrical Networks 122
Security in Factories 124
A Search Engine for Computers 126
Hypponen’s Law 130
Dumb Devices 132
Car Software Updates 136
Online Privacy 137
Life Without Google 138
Murder Charges Never Expire 139
Is Google Listening to You? 142
Startup Business Logic 145
Antisocial Media 149
Online Influencing and Elections 151
Privacy Is Dead 153
Before and After Gmail 156
Encryption Techniques 160
Perfect Encryption 160
Unbreakable Encryption 161
Criminal Use of Encryption Systems 162
Data Is The New Uranium 166
CASE Vastaamo 168
Patient Registry 169
Extortion Messages 173
The Hunt for the TAR File 175
Innocent Victims 177
The Value of Money 180
Blockchain Applications 182
Blockchains and Money 183
The Environmental Impacts of Bitcoin 185
Playing the Market 187
Ethereum, Monero, and Zcash 189
Bitcoin and Crime 193
Border Guards vs. Bitcoin 195
Technology, Espionage, and Warfare Online 199
Lunch Break at Google 201
Technology and Warfare 202
Under a False Flag 204
Concealability of Cyberweapons 205
The Fog of Cyberwar 207
Case Prykarpattyaoblenergo 211
Case Pyeongchang 213
Governments as Malware Authors 214
Russia and China 216
Case Stuxnet 217
Damage Coverage 226
Explosion at the White House 227
My Boycott of RSA, Inc 229
The Future 233
Artificial Intelligence 234
AI Will Take Our Jobs 238
Smart Malware 239
The Technology of Warfare 241
“You Are Under Arrest for a Future Murder” 242
Those Who Can Adapt Will Prosper 243
Trends in Technology 247
Reimagine the future of the internet
All our devices and gadgets―from our refrigerators to our home security systems, vacuum cleaners, and stereos―are going online, just like our computers did. But once we’ve successfully connected our devices to the internet, do we have any hope of keeping them, and ourselves, safe from the dangers that lurk beneath the digital waters?
In If It’s Smart, It’s Vulnerable, veteran cybersecurity professional Mikko Hypponen delivers an eye-opening exploration of the best―and worst―things the internet has given us. From instant connectivity between any two points on the globe to organized ransomware gangs, the net truly has been a mixed blessing. In this book, the author explores the transformative potential of the future of the internet, as well as those things that threaten its continued existence: government surveillance, censorship, organized crime, and more.
Readers will also find:
- Insightful discussions of how law enforcement and intelligence agencies operate on the internet
- Fulsome treatments of how money became data and the impact of the widespread use of mobile supercomputing technology
- Explorations of how the internet has changed the world, for better and for worse
- Engaging stories from Mikko’s 30-year career in infosec
Perfect for anyone seeking a thought-provoking presentation of some of the most pressing issues in cybersecurity and technology, If It’s Smart, It’s Vulnerable will also earn a place in the libraries of anyone interested in the future of the internet.
“What makes him stand out is that, although he is a master coder and cyber security engineer, he is a superb communicator.” ―Misha Glenny, Financial Times
“An excellent and engaging survey of cybersecurity…” ―Kristie Lu Stout, CNN anchor and correspondent
“Mikko Hypponen’s If It’s Smart, It’s Vulnerable is a fascinating and engaging tour of the past, present, and likely future of cybersecurity by an expert who’s spent three decades at the front lines of the global war against malware. Technical and non-technical readers alike will find Hypponen’s personal anecdotes informative and highly entertaining as he explores the evolution of the systems that power modern society―along with the risks and rewards they present to us all. Highly recommended.” ―Daniel Suarez, New York Times bestselling author of Daemon
“If It’s Smart, It’s Vulnerable is not just a book for techies and hackers. The stories and examples make it accessible to anyone!” ―Keren Elazari, friendly hacker and a TED speaker
“As the namesake of Hypponen’s law, Mikko is the right person to explain how everything is getting connected, and what we should do to secure all devices on the internet ― both the smart ones and the stupid ones.” ―Robert M. Lee, founder and CEO of Dragos Inc.
“As we rush forward with an insatiable desire to connect everything, Mikko shines a light on the risks we accept yet often fail to understand…until it’s too late.” ―Troy Hunt, founder of Have I Been Pwned
“Mikko has a remarkably lucid understanding of cyber security and the history of the Internet. You’ll come away with an appreciation of the major problems and the high stakes that come with any attempt to keep our networks and systems secure.” ―Jack Rhysider, Creator of the Darknet Diaries podcast
“A breezy survey of cybersecurity from one of the pillars of our industry. There’s not a lot that Mikko hasn’t seen.” ―Eva Galperin, Director of Cybersecurity, Electronic Frontier Foundation
“A guided tour of the intersection between security and technology by the best kind of storyteller. Mikko lived it, shaped it, and now explains it.” ―John Lambert, Microsoft
“Hypponen has seen a lot in his more than 30-year career in information security. There is much to learn from what he shares and has witnessed. He is a great writer, and if you are smart, you will read this book.” ―Ben Rothke, Tapad
“It’s hard to understand a revolution when we are living in the middle of it. Mikko clearly explains the technology megatrends shaping our future and illustrates his points with fascinating real-world stories from his long career in infosec.” ―Dave DeWalt, Founder of NightDragon and former CEO of McAfee and FireEye/Mandiant
“Surprisingly up-to-date account of the vulnerable world we live in! Mikko is a natural storyteller who draws you into his world.” ―Charlie Miller, Computer Security Researcher
“Mikko uses his remarkable experience to give the reader an understanding of the challenges we as digital citizens face. If It’s Smart, It’s Vulnerable; no truer words have been said in this digital age.” ―Raj Samani, Senior Vice President and Chief Scientist at Rapid7
“There is nobody out there that is more knowledgeable when it comes to cyber threats in the modern world. Mikko has taken his knowledge and captured it in this book in a fascinating way, making this a must read.” ―Aki Anastasiou, talk radio host
“Before the internet, people were not used to reality having multiple dimensions. Now that the globe is being connected at an exponential pace, we are lucky to have talented guys like Mikko Hypponen explain how we can move to the next step.” ―Marcelo Tas, Brazilian actor, author and TV host