I am Mikko Hypponen. I hunt hackers. I'm here to answer your questions for Data Privacy Day. AMA!
Jan 27th 2017 by mikkohypponen • 46 Questions • 6413 Points
Thanks, lots of great comments! Now I need to run. See you online and remember to be careful out there! -- Mikko
This is Mikko Hypponen. I've been working with computer security since 1991 and I've tracked down various online attacks over the years. I've written about security, privacy and online warfare for magazines like Scientific American and Foreign Policy.
I work as the CRO of F-Secure in Finland. I speak a lot about security and privacy. Here is a playlist featuring dozens of talks and interviews I've given: https://www.youtube.com/playlist?list=PLkMjG1Mo4pKIRUqHj1eUMDqvV5a0o2CoS
If you only want to watch one talk, here's a talk I gave about Hackers and Elections at Websummit: https://www.youtube.com/watch?v=JAChQaySECY
I'm here for Data Privacy Day, which is actually tomorrow -- January 28. It's an international day observed across Europe, USA and Canada. The point, quite obviously, is to raise awareness about controlling our personal data. I believe data is the new oil. And just like oil brought us both prosperity and problems, data will bring us prosperity, and problems.
I'm glad to answer your questions about anything related to privacy, security, old Atari games or anything. AMA!
What would be your best advice to a new internet user about security and privacy, and how to protect themselves?
Also, what habits would you suggest a regular internet user eliminate, regardless of the technology they use to access the internet?
Here's a couple of things everybody should do:
Use a password manager. This will solve tons of other problems for you, as you will automatically have a unique strong password on every site. I prefer password managers that do not store your passwords in the cloud, but keep them locally encrypted on your own devices and just use an encrypted sync to keep them updated on them.
Sign up for data leak notifications on Have I been pwned. This free service will email you right away if your email address is part of some data breach - such as the recent Yahoo breaches (or, say, Ashley Madison). The service is run by Troy Hunt and it’s trustworthy.
Use a good VPN to secure yourself while using wi-fi networks. Without a VPN, it’s trivial for anyone else using the same wi-fi to see big parts of your traffic. Use a VPN on your laptop, on your phone and your tablet. I like VPNs that enhance your privacy by also removing tracking cookies and other potential breaches of privacy. The added benefit of this is that browsing becomes much faster - it’s often faster with a VPN than without!
Lastly, make a backup. Then make a backup of your backup. Backup your laptop, backup your phone, backup your tablet. And back them up so that you can recover your data even if your house burns down. Because sometimes your house really does burn down, and sometimes you are hit by encrypting ransom trojans. Our lives and memories are on our devices and they deserve to be backed up.
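The Have I Been Pwned service mentioned above also exposes a Pwned Passwords endpoint that lets you check a password against breach dumps without sending the password (or its full hash) anywhere. The client hashes the password with SHA-1, sends only the first five hex characters, and gets back every known hash suffix with that prefix, so the server never learns which password was checked. The following is an added example, not code from the original post or from F-Secure; the range response embedded in `SAMPLE_RESPONSES` is constructed here to make it run offline, and `live_fetch` is the only part that would talk to the real API.

```python
import hashlib
from typing import Callable, Dict


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned by /range/{prefix}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves the client.

    Returns how many times the password appeared in known breaches (0 = not found).
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)           # the server sees "5BAA6", never the password
    return parse_range_response(body).get(suffix, 0)


# Constructed sample response (assumption: not real API output) for prefix 5BAA6.
# The first suffix is the real SHA-1 tail of the string "password"; the other
# two are made-up 35-character suffixes to show that unrelated entries are ignored.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup against the public endpoint (network access required)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch)} times")
```

Swap `offline_fetch` for `live_fetch` to query the real service; a non-zero count means the password is in a public dump and should not be reused anywhere, which is exactly the situation a password manager with unique per-site passwords prevents.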
do you have any advice for tampering with pinball machines?
Sure thing. The motherboard is always in the backbox, behind the glass. The lock is in the inside top part and is easily pickable. Older Williams pinballs are running an 8-bit 6809 CPU, or multiple of them. Which is cool.
PS. Here's my pinball. http://i.imgur.com/EUePByG.jpg
Thanks for doing this AMA. I'm kinda interested in the job you are doing. What did you study?
I studied computer science and programming. Everything beyond that I learned by doing. What helped me in getting better with malware analysis was that I did have a strong low-level programming experience (assembly). That I gathered by programming turbo-loaders for the old 8-bit home computers in the 1980s.
Do you see any way end to end encryption for emails (e. g. PGP) would ever become mainstream?
Apparently this will never happen. We've all been waiting for it for 20 years or more, already.
How do you feel hackers could be portrayed better in the media?
Also in terms of fictionalised representation, are there any hackers in films or TV that looks a bit like hacking?
In Matrix, Trinity uses Nmap to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 vulnerability. This was all very real and doable. Matrix was probably the first mainstream movie to get it right. Or maybe this was in Matrix Reloaded.
Hi, Mikko. Thanks for the AMA. It's great to have the opportunity to speak with you.
What would be your best advice for someone that wants to work in infosec?
You want to learn as much as possible, but you need to pick your focus area. What do you want to do? Penetration testing? Encryption? Malware analysis? Forensics? Underground intelligence? Counter-espionage?
Pick a niche, as narrow as possible. Then become as good as you can in that narrow niche.
As a good all-around backgrounder, start by reading Bruce Schneier's books. All of them.
Then you need to find mentors and coaches. The easiest way to do this is via online forums dedicated to your focus area.
SANS has some great online resources for people starting up in this area: check them out.
Follow the news. Follow the leaders on Twitter. Read /r/netsec on Reddit. Read Hacker News. Read Krebs.
Don't waste your commute to listening to pop music. Listen to infosec lectures and podcasts.
Check these resources:
Also see our course material at http://mooc.fi/courses/2016/cybersecurity/
I wish I could give more guidance, but it's a fast-moving career. Nothing's constant for very long.
All the best, and thank you for your work.
What was the largest scale/most advanced operation you took down?
I remember spotting a Facebook worm spreading from one user account to another couple of years ago. It was brand new, but spreading very fast and it was clear that it could potentially infect millions of accounts.
When investigating the domain name linked to the attack (fbhole dot com), I got lucky. The domain pointed to an IP address in Czech Republic. I did a reverse search for the IP address and noted that it hosted one other domain name: ironbrain dot net. More importantly, unlike fbhole dot com, which was registered with privacy protection, this domain had contact information in the WHOIS database, complete with a Czech phone number.
So I called the number.
The call went roughly like this:
– Hi. This is Mikko Hypponen from F-Secure Labs.
– What is this about?
– I'm looking for a person related to ironbrain dot net.
– We're investigating a Facebook worm on fbhole dot com. That domain shares an IP address with ironbrain dot net which is registered under your name.
– And you are?
– I'm from an antivirus company. Are you related to ironbrain dot net?
– I'll have to check… maybe my company is…
– Please do.
About 15 seconds later, both fbhole dot com and ironbrain dot net went offline. The attack was over.
Ransomware on our smart cars.
How close are we to stopping the menace hacker known as 4 Chan?
VERY close. Trust me.
What are the biggest barriers to a major country doing online only voting in elections?
The biggest barrier is probably that smart people are telling the decision makers that online voting is a bad idea. Because it is a bad idea.
What kind of data do hackers typically steal besides the regular financial data (credit card info etc.)? Is it like what Hollywood often shows in the movies, how hackers could steal some sensitive information and sell it over the dark web? Thanks!
Not all online criminals try to steal data. Many simply want access; for example, gaining access to the desktop used in a company's financial department can be very valuable, as they would be able to wire money out of the company.
Those criminals that are looking for data are typically looking for financial information (such as credit cards) or credentials. Dumps of user accounts and linked passwords can easily be sold in the underground, as the same credentials will work on many services (because people use the same passwords on multiple sites).
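The credential reuse described in the answer above is what makes "credential stuffing" work: a leaked username/password dump is replayed against other services, and the handful of logins that succeed are the payoff. From the defender's side the pattern is distinctive, since one source tries many different usernames with one or two attempts each, unlike a brute-force attack that hammers one account. The following is an added example, not code from the original post or from F-Secure; the log format and the lines in `SAMPLE_LOG` are constructed here for illustration (RFC 5737 documentation addresses), and the window and threshold values are assumptions to tune for a real service.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample login log (not real data). One source tries six different
# users in five seconds; another retries a single account a few times.
SAMPLE_LOG = """\
2017-01-27T10:00:01Z ip=203.0.113.5 user=alice result=fail
2017-01-27T10:00:02Z ip=203.0.113.5 user=bob result=fail
2017-01-27T10:00:02Z ip=203.0.113.5 user=carol result=fail
2017-01-27T10:00:03Z ip=203.0.113.5 user=dave result=success
2017-01-27T10:00:04Z ip=203.0.113.5 user=erin result=fail
2017-01-27T10:00:05Z ip=203.0.113.5 user=frank result=fail
2017-01-27T10:00:09Z ip=198.51.100.7 user=alice result=fail
2017-01-27T10:00:15Z ip=198.51.100.7 user=alice result=fail
2017-01-27T10:00:20Z ip=198.51.100.7 user=alice result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$")

Event = Tuple[datetime, str, str, bool]  # (timestamp, source ip, user, succeeded)


def parse_log(text: str) -> List[Event]:
    """Turn the assumed 'ts ip=... user=... result=...' lines into events."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login record
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append((ts, m.group(2), m.group(3), m.group(4) == "success"))
    return events


def detect_credential_stuffing(events: List[Event], window_seconds: int = 60,
                               min_distinct_users: int = 5) -> Dict[str, dict]:
    """Flag source IPs that try >= min_distinct_users accounts within one window.

    For each flagged IP the window with the most distinct usernames is reported,
    together with the accounts that logged in successfully from it, since those
    are the ones whose reused password just worked and need a forced reset.
    """
    by_ip: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts: Dict[str, dict] = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):            # sliding time window
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            window = attempts[start:end + 1]
            users = {u for _, u, _ in window}
            if len(users) >= min_distinct_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "successes": sum(1 for _, _, ok in window if ok),
                    "compromised": sorted(u for _, u, ok in window if ok),
                }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} users in {info['attempts']} attempts, "
              f"successful logins: {info['compromised']}")
```

The single-account retries from the second address are deliberately not flagged; they are what a legitimate user mistyping a password looks like, and a brute-force rule (many failures for one user) would cover the malicious version of that pattern separately.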
hypothetically, What would it take for an intelligent and skilled group of hackers to break into a banking system or debt agency and rid the people of their debt owed?
It would have to be done so it wouldn't get detected. Otherwise the banks would just restore their systems back to the state where they were before the hack. So you couldn't wipe everybody's debt. But for wiping individual debts, maybe doing it slowly, over months...I guess it would be doable. Hypothetically.
What's your opinion on the UK's Snoopers Charter? An end to privacy?
It's not surprising that law enforcement agencies and intelligence agencies want to gain rights to do their work on the internet. It is 2017 and criminals and extremists really do use the internet for their purposes. However, we must not give away all of our rights just because bad people exist.
What I'm calling for is transparency. We need to know what our governments are doing in our name. We need to know how successful such intrusive methods are. And we need to be able to take away those rights from the agencies if they are not effective. Without transparency, we won't be able to tell how effective those tools are.
At the very least, we need statistics. For example: how many citizens were hacked by the government last year; how many of those turned out to be guilty; how many of those turned out to be innocent.
How dangerous is it, really, for the sitting President of the US to continue to use an unsecured phone?
I can't believe he continues to use his personal, outdated device to do realtime communication with the whole world.
It's easy to see how attackers could misuse the @POTUS account if they got their hands on it.
He really should not do it.
And, he should go to Twitter settings and change his settings on Security & Privacy / Password Reset / Require Personal Information To Reset My Password
Hi Mikko! What is the most comical security incident that you've ever had to deal with?
Also: I'm a junior security consultant and want to know if you can recommend any companies to work for in the UK?
P.S F-Secure 4 lyf, plz send freebies
Most comical security incident? How about White House press secretary tweeting out his Twitter password?
Do you have any videos on you attacking hackers? I rather enjoy the comeuppance
When we collect enough evidence on online criminals, we pass them on to local police. Here's a video of the head of the Carberp banking trojan gang getting arrested by Moscow City police. https://www.youtube.com/watch?v=Iryyn_-iUiw
Do you think that a show like Mr. Robot has a positive or negative impact on how the general public views cyber/information security and hacking? Why or why not?
Thanks for doing this AMA!
I can't really say. I haven't seen Mr. Robot. But I do know there's something called "F-Society" in it. Which sounds cool.
Could you tell me the top 10 people I should follow for example on Twitter if I want to be up2date about security stuff?
You only really have to follow @SwiftOnSecurity to do that.
How can I determine how easily doxxed I can be based on my public online presence on social media, etc.?
Hmm. Ask a friend to try to collect as much as info on you as they can from online sources, then draw your conclusions?
Do you think AI will be fundamental for cyber security? If yes, how?
Vulnerabilities are basically just bugs in the programs. And we will always have bugs because programs are being written by human beings, and they make mistakes. So to fix this, we have to get rid of the programmers.
Years ago, I wrote a program that would write programs. It wrote terrible programs, but still. But if we put a lot of effort into improving this program-that-programs, eventually it could become as good as a human programmer.
And that’s the last day that any programmer on the planet has to write anything ever again. The program would write a better version of itself, which would in turn write a better version of itself.
An advanced AI writing better versions of itself is scary, but it would provide a giant leap towards the creation of more secure software. And a breakthrough like that could finally create programs free of vulnerabilities. Or at least vulnerabilities that we humans would be able to exploit.
Also, I believe introducing an entity with superior intelligence into your own biosphere is a basic evolutionary mistake. But we seem to be set on doing just that.
A little off-topic - if I moved to Finland from Canada, how easy would it be to live there knowing no Finnish in the beginning?
Everybody in Finland speaks English. At F-Secure HQ, we have employees from around 30 countries. Pretty much none of them speak Finnish.
What seems to be hackers' greatest weakness? We all know they are pretty smart, but what is that something that gets them off track?
Companies only need to make one mistake to get hacked...but this works the other way too. Criminals only need to make one mistake to get caught. That mistake could be something simple like forgetting to hide their IP address with a VPN when connecting to a service, or leaking information via WHOIS entries of their domains. Simple stuff.
Russia just tried affecting the outcome of the Presidential elections in the biggest superpower on the planet.
I think news stories don't become much bigger than that.
Who is @swiftonsecurity? Is s/he like Banksy, but with cybersarcasm in place of paint?
Actually, @Swiftonsecurity is Banksy.
What are the modern limitations to the direct physical impact a hack can have on a country's infrastructure?
Our societies run on computers & software. Almost anything can be affected by hacking. Most obviously, electricity distribution can be disturbed. And when the power is cut, nothing works. We would cope for a day or a few, but then what? No food. No communication. It could get pretty bad.
For forensics there are some distributions that have a nicely packaged toolkit. Do you use these distros or do you tend to build your own toolkit? What is in your toolkit?
We have forensics experts at F-Secure, I don't directly work with digital forensics myself.
What smartphone setup/device would you recommend as most privacy-preserving against tracking for commercial purposes and data harvesting?
All smartphones track us, one way or another. If you want to avoid that, use a dumb phone.
If you're looking for a security-centric smartphone, look at products like Blackphone, Bittium Tough Mobile or DTEK50.
European Union and data protection: what is your favourite regulation, what was a missed opportunity, and what is Europe doing wrong right now?
My favorite regulation is coming up with GDPR 2018. We are finally making it mandatory in the EU for companies to report when they lose your data. This has been the norm in the USA for years and years. But right now, in most European countries, when a company gets hacked and your credit card number is stolen, they don't have to tell you. Which is ridiculous, and it's good to see this change.
1) There are so many security and privacy problems nowadays with hacks being on the news constantly. Are people losing trust in computers and internet services? How can we restore this trust?
2) If Microsoft wanted to spy on us, could they do it? And would we ever know?
4) None of my friends wants to use Signal. Do I change messenger or ... friends?
5) Do you like Mr Robot? 6) If you could sit on a bench for one hour and talk to anyone (from the present or the past), who would it be?
RESTORE the trust? Why would we want to restore trust? People already trust too much on the net, clicking on every link, opening every attachment etc.
Microsoft could definitely spy on us on our Windows computers without getting detected. But not on our phones.
Whatsapp is fine for chatting with friends. Use Signal for stuff where security really matters.
Hi Mikko, welcome to Reddit.
I like the line
"I believe data is the new oil. And just like oil brought us both prosperity and problems, data will bring us prosperity, and problems."
Unfortunately in Australia, our Government recently enacted a metadata law that can soon allow access to citizens' metadata without a warrant. This was rushed into Parliament, though, to satisfy copyright holders to combat piracy. The reason I say this is because we are known to be the top pirating country, only because accessing shows legally is a nightmare.
Sorry for going off tangent there but have some questions;
- 1) What measures should we take to be safe whilst using our constantly internet-connected mobile phones, where NFC and Wifi are exploitable features?
- 2) Do you have a recommendation for VPNs? I've used PIA for a while now and find that it's good.
- 3) In the TV show Mr Robot the characters deal with hacking; is it a true representation of what the hacking world is?
- 4) As Donald Trump uses Twitter a lot, do you think he will be hacked?
- 5) I'm somewhat interested in cyber security as a career as I can see it being in demand. What would I need as prerequisites before studying? Is the maths level quite high? My maths isn't the best.
Lol, "welcome to Reddit". Please! I just had my 7-year cake day.
how common are badusb attacks? (http://phisonresearch.freeforums.net lil research by me)
BadUSB is one of those attack categories where the potential risk is huge but practical risk is low. So, we're not seeing these attacks happen in the real world. But they could, and then it would be really bad.
Did you get the new pinball balls yet?
I recently found out FSF had this guide for securing email with GPG. How do you like it? I think inconvenience and difficulty are some of the biggest hurdles in promoting secure and privacy-friendly habits to the general population, and easy and simple instructions like that being more common would help immensely. Would you agree?
Atari or Commodore? Choose your weapon!
I really should get some bling chrome mirror balls for my Ghostbusters Premium. Haven't had time to order them.
FSF has done good work with the guide. But PGP is still a nightmare to use. Unfortunately.
My weapon? Commodore. Forever.
What's your computer device history. What system did you get first etc?
Do you still get chance to play games?
Ah, nice question.
I got a Commodore 64 in 1984 (receipt: http://imgur.com/ByqjYiG)
I bought a Morse 386DX 25MHz in 1989.
I bought some Pentium system maybe in 1993.
After that I have not bought home computers. I have my work laptops and my private tablets and that's it.
I mostly play retro arcade games and modern pinballs. I did buy an Xbox to play Trials HD. And I will buy a PS4 to play Nex Machina.
How do you see IOT in 5 years? Is it the next blackmarket target ? I don't see B2B market going ham on this, meaning this should be less relevant for hackers to generate cash.
Any chance to see you at Les Assises? I missed you at FIC...
IoT is such an easy target right now. All the devices are running old Linux kernels, and they have default admin credentials that nobody changes. And admin connections are done over a god damn telnet connection. Wtf.
IoT attackers are mostly using them for building DDoS botnets for now. And you can make cash with DDoS botnets.
I won't be at Assises, see you somewhere else!
Hi Mikko! How to spread awareness to small brick&mortar stores or small companies like barbers, hotels and B&Bs, etc. that have no clue about infosec and still need to maintain a web-presence or social media presence?
Education is hard, and there are no shortcuts. Many countries run data security days, during which basic info is circulated to homes, companies etc. They seem to have a positive effect.
Do you think Russians were capable of hacking the election? If so, how do you suspect they did it?
They were capable of hacking political targets and leaking the information they stole in order to shape opinions. They did not hack actual election systems.
Hi Mikko! I live in Helsinki and I study IT engineering. My goal is to work in infosec, or to be exact as a pentester. And of course F-Secure has been the dream for me. One question I've wanted to ask someone at F-Secure for a long time is, when someone applies for an infosec position @ F-Secure, how much do you care about certifications? And what certs do you prefer the applicant has? And can a cert like the OSCP compensate for having no work experience in the field? Thanks in advance!
Certifications are not required. First and foremost, we're looking for really technical people who are willing to become even more technical.