Security Firms Face Crisis Of Trust

Published: 22/11/2024   Category: security




Mikko Hypponen reflects on the shift toward rampant government spying and use of malware -- and on targeted attack attempts against F-Secure



Arguably the most high-profile speaker to boycott the 2014 RSA Conference in San Francisco last week in the wake of allegations that RSA Security entered into a private contract with the National Security Agency was renowned security expert Mikko Hypponen, chief research officer for Finnish security firm F-Secure.
Hypponen -- who was the first speaker to cancel his talk at the conference after Reuters reported in late December that RSA Security had a secret pact with the NSA to use weak encryption technology in its products -- had not spoken publicly about his decision until last week at an F-Secure press luncheon, as well as at TrustyCon, a privacy-themed protest conference held next door to the RSA Conference.
"It's about trust. The main reason I canceled my talk at RSA was that I felt they weren't trustworthy anymore. Security companies like ours are built on trust," Hypponen told a group of journalists at his annual press luncheon in San Francisco last week. "If we lose that trust, there really isn't anything else."
[RSA Security executive chairman Art Coviello addressed publicly for the first time the security company's relationship with the NSA and its cyberdefense arm. See Coviello: RSA Security's Work With NSA A Matter Of Public Record.]
Hypponen said he doesn't expect things to change much at all when it comes to the wave of allegations of NSA surveillance that came from NSA documents leaked by former contractor Edward Snowden. "Nothing has really happened since the allegations about RSA," he said. Hypponen said he didn't attend RSA Security executive chairman Art Coviello's keynote address last week, during which Coviello said RSA's relationship with the NSA mainly has entailed working with NSA's Information Assurance Directorate (IAD), the cyberdefense arm of the agency.
"I'm glad Art addressed this. That's good," he said, noting that he had read some of the speech. But the keynote didn't confirm whether RSA was complicit in NSA spying, he said: "What I gathered from his talk was that they weren't complicit -- they were just incompetent, if that's supposed to make us feel any better."
RSA's Coviello stopped short of specifically addressing details about reports that the NSA in 2006 had paid RSA $10 million in a secret contract to use the Dual EC DRBG random-number generator algorithm in its BSafe software to facilitate the NSA's spying programs. The encryption algorithm reportedly was one that the NSA was able to crack. In a blog post after the Reuters story ran, RSA said it had "not entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential backdoors into our products for anyone's use."
Coviello called for privacy reform and said the NSA missed the opportunity to provide transparency of its operations. "If they need to encroach on privacy in some form or fashion, it needs to be strictly governed, and so people feel comfortable about that process, it needs to be transparent so people can get visibility into how that governance model is actually being acted upon," he said in an interview with Dark Reading after his keynote. "The NSA missed the opportunity to give people that transparency. A lot in the press about the NSA is just not accurate."
Hypponen said there has been a relatively rapid mind-set shift to accepting the premise that all governments are involved in cyberespionage and using malware to do their spying. "That change has been very quick," he said. "If someone had told me in 2003 that governments would use malware and attack other governments, friendly governments, or would own the IT sector ... that would have been really far out. But that's exactly what happened."
Security firms themselves are becoming legitimate military targets, Hypponen said. "We are targets because we make technical contributions to military action by blocking [nation-state attacks]," he said. "That's not really what I signed up for in 1991 when I started in security," he added.
F-Secure, like other firms, has been targeted by nation-state type attackers. "We've had a handful of detections," Hypponen said, acknowledging that there could be others that have not been detected. He said in one case, a new F-Secure board member was targeted with a phishing email that came with a watering hole-rigged URL. F-Secure's gateway proxy stopped the board member from visiting the site; he reported it to the IT department, which then investigated the source and found it was actually from China rather than the U.S., as it had purported. "We got lucky," he said of the attempted attack.
And two months ago, the firm spotted an attack that used F-Secure's name with an extra hyphen in the domain name in an attempt to target one of its customers.
Hypponen noted that Sweden is one of the more high-profile players in cyberespionage and, like the U.S., is relatively transparent about peering at foreign data that passes through its nation. Hypponen said his native Finland -- which has a long and proud tradition of being privacy-centric -- is trying to get into the act as well. The Finnish military intelligence agency and law enforcement have begun lobbying politicians in Finland to loosen privacy laws that prevent them from spying. "We [F-Secure] are lobbying for the first time and trying to convince lawmakers that we would be shooting ourselves in the foot by changing our privacy laws," he said.
Meanwhile, security firms still aren't getting much better at detecting APTs, he said. "We [the industry] still suck. It's very hard -- that's why we suck. They have serious resources behind it," he said.
Rick Howard, CSO at Palo Alto Networks, says the industry, indeed, has been focused on APTs, but there are all types of adversaries. "[Attackers] are getting smarter, but they don't have unlimited resources," he says. The battle just goes on between attackers and their targets, according to Howard.
Java Threats Dropping
Hypponen revealed that F-Secure's new threat report (PDF) for the second half of 2013 found Java attacks on the decline. While Java remains a popular vehicle for attackers, it accounted for about 26 percent of reported attack vectors. According to F-Secure's report, the drop may be due to the October arrest of the alleged writer of the BlackHole and Cool exploit kits.
"No one really knows why [Java attacks went down]," Hypponen said. And although Paunch was arrested in Russia for writing the toolkits, it's unclear whether he will actually be sentenced in the end, he said.
According to F-Secure, malicious websites, malvertising, and rigged software from file-sharing sites are the most common infection vectors for victims.
