An Open Letter to: Joseph M. Tucci, Chairman and Chief Executive Officer, EMC; Art Coviello, Executive Chairman, RSA
Dear Joseph and Art,
I don't expect you to know who I am.
I've been working with computer security since 1991. Nowadays I do quite a bit of public speaking on the topic. In fact, I have spoken eight times at either RSA Conference USA, RSA Conference Europe or RSA Conference Japan. You've even featured my picture on the walls of your conference among the 'industry experts'.
On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million. Your company has issued a statement on the topic, but you have not denied this particular claim. Eventually, NSA's random number generator was found to be flawed on purpose, in effect creating a back door. You had kept on using the generator for years despite widespread speculation that NSA had backdoored it.
As my reaction to this, I'm cancelling my talk at the RSA Conference USA 2014 in San Francisco in February 2014.
Aptly enough, the talk I won't be delivering at RSA 2014 was titled "Governments as Malware Authors".
I don't really expect your multibillion dollar company or your multimillion dollar conference to suffer as a result of your deals with the NSA. In fact, I'm not expecting other conference speakers to cancel. Most of your speakers are American anyway – why would they care about surveillance that's not targeted at them but at non-Americans? Surveillance operations from the US intelligence agencies are targeted at foreigners. However, I'm a foreigner. And I'm withdrawing my support from your event.
Mikko Hypponen
Chief Research Officer
F-Secure
Updated to add on the 8th of January 2014:
I was scheduled to deliver a talk at and participate in an FTC panel at the RSA Conference USA 2014.
Initially I only canceled my talk, as I didn't want to punish the FTC which had nothing to do with the events I was protesting about. However, partial participation sends mixed messages. I don't want to send mixed messages, so I have canceled all my appearances at RSA 2014. I'm sure the FTC will understand.
I can also confirm that F-Secure is not speaking, sponsoring or exhibiting at RSA Conference USA 2014.
While I am glad to see that many other speakers have decided to cancel their appearances at RSA 2014 in protest, I don't want to portray myself as a leader of a boycott. I did what I felt I had to do. Others are making their own decisions.
I have declined every interview on the topic and will continue to do so. This open letter says everything I want to say on this.
I'd like to thank the people who have translated and reviewed the translations of my Brussels talk: Els De Keyser, Petra van der Burg, Sami Andberg, Gemma Lee, 남준 김, Leslie Louradour, Mira Kraïmia, Stefanie Ramcke, Julia-Carolin Zeng, Chryssa Rapessi, Dimitra Papageorgiou, Shlomo Adam, Ido Dekkers, Mariann Buzás, Laszlo Kereszturi, Gustavo Rocha, Mariana Yonamine, Dewi Barnas, Arief Rakhman, Anna Cristiana Minoli, Alessandra Tadiotto, Maryam Manzoori, Amirpouya Ghaemiyan, Doina Zamfirescu, Ariana Bleau Lugo, Ciro Gomez and Lidia Cámara de la Fuente -- and everyone working on future translations.
There were some UX designer positions open last week. And possibly more stuff in the future.
A lot of Pekka's hiring revolves around our corporate security business line's goal of developing cloud security for SMBs (combining a lot of our recent consumer offerings into one SMB product).
Combining younited, Freedome, and mobile device management with a completely redesigned UX? Plenty of folks will need to be very busy…
No wonder this is Pekka's "executive" lunch:
Actually, I've socialized with Pekka outside of the office and he's a rather regular kind of guy, like a lot of our management. If he wasn't doing a working lunch while meeting with Jussi (out of frame), then he'd just be next door at the company commissary.
If you're still using XP, please do yourself a big favor this Christmas shopping season and buy yourself a new PC. Or maybe a Mac. The women in the picture above probably own a Mac in real life, don't you think?
Either way, now is an excellent time to make the jump. Even a basic, relatively inexpensive PC is far more productive than any hardware which would still be running XP.
And yeah, if you're reading this blog — you already know that. So tell your friends and family already.
We get a lot of samples here at F-Secure Labs, most of them being submitted online. But every now and then, somebody visits one of our labs and brings along their computer for forensics.
Earlier this year, a guy in his early 20's pulled up and parked his Audi R8 just outside our Helsinki HQ. His name is Jens Kyllönen — a professional poker player — both in real world tournaments and in the online poker world. He's a high-roller by any measure, with wins in the range of 2.5 million dollars from the past year.
So why would this poker star detour from his usual routine and drop by for a visit? This is his story…
Last September, Jens participated in the European Poker Tour event in Barcelona. He was staying at the event hotel, a 5-star location, and spent his days mostly at the tournament tables. During a break from the tournament he went to his room, and his laptop wasn't there. He checked whether his friend had borrowed it (no), and when he returned to his room again, the laptop was back. He knew that something was amiss. Adding to his suspicion, the operating system, Windows, didn't boot properly.
Jens provided a more detailed scenario of what happened that day in this forum:
Thinking he had possibly been compromised, Jens asked us to investigate his laptop. This is quite important, as laptop security is paramount for professional poker players, especially those who play online. We agreed to investigate, and so we made full forensic images and started digging.
After a while, it was obvious that his hunch was correct: the laptop was indeed infected. There was a Remote Access Trojan (RAT) with timestamps coinciding with the time when the laptop had gone missing. Apparently, the attacker installed the trojan from a USB memory stick and configured it to start automatically at every reboot. A RAT, by the way, is a common tool that allows an attacker to control and monitor a laptop remotely, viewing anything that happens on the machine.
The screenshots below show how this particular RAT works in practice. In the first screenshot, the attacker sees his own cards, just as any other player at the table would.
Using the trojan, however, he can also see that the victim, on the infected machine, is holding a pair of queens. This gives the attacker an edge: he knows to hold out for a better hand.
This kind of attack is very generic and works against any online poker site that we know of. The trojan is written in Java and uses obfuscation, but isn't all that complicated. Since it's in Java, the malware can run on any platform (Mac OS, Windows, Linux). Here is a snippet of the code that takes screenshots of the victim's screen:
After analyzing Jens's laptop, we started looking for other victims. It turned out that yet another professional player, Henri Jaakkola, who stayed in the same room as Jens at the EPT Barcelona event, had the exact same trojan installed in his laptop.
This is not the first time professional poker players have been targeted with tailor-made trojans. We have investigated several cases in which such trojans were used to steal hundreds of thousands of euro. What makes these cases noteworthy is that they were not online attacks. The attacker went through the trouble of targeting the victims' systems on site.
The phenomenon is now big enough that we think it warrants its own name: Sharking. Sharking attacks are targeted attacks against professional poker players (a.k.a. poker sharks). It's similar to Whaling attacks which are targeted at high profile business managers.
So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you step away. Put it in a safe when you're not around it, and encrypt the disk to prevent off-line access. Don't surf the web with it (use another laptop/device for that, they're relatively cheap). This advice is true whether you're a poker pro using a laptop for gaming or a business controller in a large company using the computer for wiring a large amount of funds.
If you were running Windows on your computer 10 years ago, you were running Windows XP.
In fact, you were most likely running Windows XP SP1 (Service Pack 1).
This is important, as Windows XP SP1 did not have a firewall enabled by default and did not feature automatic updates.
So, if you were running Windows, you weren't running a firewall and you had to patch your system manually – by downloading the patches with Internet Explorer 6, which itself was ridden with security vulnerabilities.
No wonder then, that worms and viruses were rampant in 2003.
In fact, we saw some of the worst outbreaks in history in 2003: Slammer, Sasser, Blaster, Mydoom, Sobig and so on.
They went on to do some spectacular damage. Slammer infected a nuclear power plant in Ohio and shut down Bank of America's ATM systems. Blaster stopped trains in their tracks outside Washington DC and shut down Air Canada check-in systems at Canadian airports. Sasser thoroughly infected several hospitals in Europe.
The problems with Windows security were so bad that Microsoft had to do something. And it did.
In hindsight, the company did a spectacular turnaround in their security processes.
Microsoft started Trustworthy Computing. It stopped all new development for a while to go back and find and fix old vulnerabilities.
Today, the default security level of 64-bit Windows 8 is so far ahead of Windows XP that the two can't even be compared.
We've seen other companies do similar turnarounds.
When the Microsoft ship started to become tighter and harder to attack, the attackers started looking for easier targets.
One favorite was Adobe Reader and Adobe Flash. For several years, one vulnerability after another was found in Adobe products, and most users were running badly outdated products as updating wasn't straightforward. Eventually Adobe got their act together.
Today, the security level of, say, Adobe Reader is so far ahead of older versions of PDF readers that they can't even be compared.
The battle at hand right now is with Java and Oracle. It seems that Oracle hasn't gotten their act together yet. And maybe they don't even have to: users are voting with their feet, and Java is already disappearing from the web.
The overall security level of end users' systems is now better than ever before. The last decade has brought us great improvements.
Unfortunately, the last decade has also completely changed who we're fighting.
In 2003, all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also hacktivists and governments. Criminals and especially governments can afford to invest in their attacks.
As an end result, we're still not safe with our computers, even with all the great improvements.
But at least we don't see flights grounded and trains stopped by malware every other week, like we did in 2003.
• F-Secure KEY uses the Advanced Encryption Standard (AES-256) algorithm in CCM mode (CTR with CBC-MAC) to protect your sensitive data. The security of AES was carefully analyzed by many crypto experts prior to its selection as a recommended algorithm for modern data encryption.
• The encryption key is derived from your master password using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm specified in Public-Key Cryptography Standards (PKCS) #5. In PBKDF2, we use Hash-based Message Authentication Code (HMAC) with SHA-256, random salts and 20,000 iterations. This makes it much more difficult to recover the keys through exhaustive search or dictionary attacks, even for weak passwords.
• Each password record is individually encrypted using a unique and strong random encryption key. The record-specific keys are encrypted using a master encryption key which is derived from your master password using the PBKDF2 algorithm.
• Your master password and the master encryption key are never stored anywhere. The encryption keys live only when you use the product. There is no way to recover your password or data if you forget the master password.
• When we developed F-Secure KEY, our guiding design principle was: "We don't need to know who you are. We just hope you like the product." Consequently, all the F-Secure KEY users are fully anonymous. We don't track you in any way, even when you synchronize your data across devices.
• The F-Secure KEY servers are owned and operated by F-Secure within the European Union in compliance with Finnish law and applicable EU rules.
Question: You state that my information is encrypted. What encryption do you use, and are you able to decrypt my information and hand it over to a third party?
Answer: We use AES-256 encryption in CCM (counter with CBC-MAC) mode. We have no way of decrypting any information that you have saved. In addition, anyone using F-Secure Key is anonymous to F-Secure, so we have no way of identifying an individual user's data. So we never see any of your information at any stage, and therefore we can't decrypt it or hand it over to a third party.
Both the choice of encryption and anonymity of users were conscious decisions made to improve the security of the product and protect the privacy of people using it.
One password to rule them all.
A young woman holding what appears to be an Ikea coffee cup in one hand and a smartphone in the other.
Just another day in Finland.
KEY is free for individual device use — an optional paid sync service across devices is available.