Return to Video

Three types of online attack | Mikko H. Hypponen | TEDxBrussels

  • 0:11 - 0:13
    In the 1980s
  • 0:14 - 0:17
    in the communist Eastern Germany,
  • 0:18 - 0:20
    if you owned a typewriter,
  • 0:21 - 0:24
    you had to register it
    with the government.
  • 0:24 - 0:25
    You had to register
  • 0:25 - 0:27
    a sample sheet of text
  • 0:27 - 0:29
    out of the typewriter.
  • 0:29 - 0:30
    And this was done
  • 0:30 - 0:35
    so the government could track
    where text was coming from.
  • 0:35 - 0:36
    If they found a paper
  • 0:36 - 0:40
    which had the wrong kind of thought,
  • 0:40 - 0:42
    they could track down
  • 0:42 - 0:44
    who created that thought.
  • 0:44 - 0:46
    And we in the West
  • 0:47 - 0:50
    couldn't understand
    how anybody could do this,
  • 0:50 - 0:54
    how much this would restrict
    freedom of speech.
  • 0:54 - 0:55
    We would never do that
  • 0:55 - 0:57
    in our own countries.
  • 0:59 - 1:01
    But today in 2011,
  • 1:01 - 1:04
    if you go and buy a color laser printer
  • 1:05 - 1:09
    from any major laser printer manufacturer
  • 1:09 - 1:10
    and print a page,
  • 1:10 - 1:12
    that page will end up
  • 1:12 - 1:15
    having slight yellow dots
  • 1:15 - 1:18
    printed on every single page
  • 1:18 - 1:20
    in a pattern which makes the page unique
  • 1:20 - 1:23
    to you and to your printer.
  • 1:25 - 1:26
    This is happening
  • 1:26 - 1:28
    to us today.
  • 1:30 - 1:33
    And nobody seems to be
    making a fuss about it.
  • 1:33 - 1:36
    And this is an example
  • 1:36 - 1:38
    of the ways
  • 1:38 - 1:40
    that our own governments
  • 1:41 - 1:43
    are using technology
  • 1:43 - 1:46
    against us, the citizens.
  • 1:47 - 1:50
    And this is one of the main three sources
  • 1:50 - 1:52
    of online problems today.
  • 1:52 - 1:55
    If we take a look at what's
    really happening in the online world,
  • 1:55 - 1:58
    we can group the attacks
    based on the attackers.
  • 1:58 - 2:00
    We have three main groups.
  • 2:00 - 2:02
    We have online criminals.
  • 2:02 - 2:04
    Like here, we have Mr. Dimitry Golubov
  • 2:04 - 2:07
    from the city of Kiev in Ukraine.
  • 2:07 - 2:09
    And the motives of online criminals
  • 2:09 - 2:11
    are very easy to understand.
  • 2:11 - 2:13
    These guys make money.
  • 2:13 - 2:15
    They use online attacks
  • 2:15 - 2:17
    to make lots of money,
  • 2:17 - 2:19
    and lots and lots of it.
  • 2:19 - 2:22
    We actually have several cases
  • 2:22 - 2:25
    of millionaires online, multimillionaires,
  • 2:25 - 2:27
    who made money with their attacks.
  • 2:27 - 2:30
    Here's Vladimir Tsastsin
    form Tartu in Estonia.
  • 2:30 - 2:32
    This is Alfred Gonzalez.
  • 2:32 - 2:34
    This is Stephen Watt.
  • 2:34 - 2:35
    This is Bjorn Sundin.
  • 2:35 - 2:38
    This is Matthew Anderson, Tariq Al-Daour
  • 2:38 - 2:40
    and so on and so on.
  • 2:40 - 2:42
    These guys
  • 2:42 - 2:45
    make their fortunes online,
  • 2:45 - 2:47
    but they make it through the illegal means
  • 2:47 - 2:50
    of using things like banking trojans
  • 2:50 - 2:52
    to steal money from our bank accounts
  • 2:52 - 2:54
    while we do online banking,
  • 2:54 - 2:56
    or with keyloggers
  • 2:56 - 2:58
    to collect our credit card information
  • 2:58 - 3:01
    while we are doing online shopping
    from an infected computer.
  • 3:01 - 3:03
    The U.S. Secret Service,
  • 3:03 - 3:05
    two months ago,
  • 3:05 - 3:07
    froze the Swiss bank account
  • 3:07 - 3:09
    of Mr. Sam Jain right here,
  • 3:09 - 3:13
    and that bank account had
    14.9 million U.S. dollars on it
  • 3:13 - 3:15
    when it was frozen.
  • 3:15 - 3:17
    Mr. Jain himself is on the loose;
  • 3:17 - 3:19
    nobody knows where he is.
  • 3:19 - 3:21
    And I claim it's already today
  • 3:22 - 3:25
    that it's more likely for any of us
  • 3:25 - 3:28
    to become the victim of a crime online
  • 3:28 - 3:31
    than here in the real world.
  • 3:32 - 3:33
    And it's very obvious
  • 3:33 - 3:35
    that this is only going to get worse.
  • 3:35 - 3:37
    In the future, the majority of crime
  • 3:37 - 3:40
    will be happening online.
  • 3:42 - 3:44
    The second major group of attackers
  • 3:44 - 3:45
    that we are watching today
  • 3:45 - 3:48
    are not motivated by money.
  • 3:48 - 3:50
    They're motivated by something else -
  • 3:50 - 3:52
    motivated by protests,
  • 3:52 - 3:54
    motivated by an opinion,
  • 3:54 - 3:56
    motivated by the laughs.
  • 3:56 - 3:58
    Groups like Anonymous
  • 3:58 - 4:01
    have risen up over the last 12 months
  • 4:01 - 4:03
    and have become a major player
  • 4:03 - 4:06
    in the field of online attacks.
  • 4:07 - 4:09
    So those are the three main attackers:
  • 4:09 - 4:11
    criminals who do it for the money,
  • 4:11 - 4:13
    hacktivists like Anonymous
  • 4:13 - 4:15
    doing it for the protest,
  • 4:15 - 4:18
    but then the last group are nation states,
  • 4:18 - 4:21
    governments doing the attacks.
  • 4:23 - 4:25
    And then we look at cases
  • 4:25 - 4:27
    like what happened in DigiNotar.
  • 4:27 - 4:29
    This is a prime example of what happens
  • 4:29 - 4:30
    when governments attack
  • 4:30 - 4:33
    against their own citizens.
  • 4:33 - 4:36
    DigiNotar is a Certificate Authority
  • 4:36 - 4:38
    from The Netherlands -
  • 4:38 - 4:40
    or actually, it was.
  • 4:40 - 4:41
    It was run into bankruptcy
  • 4:41 - 4:44
    last fall
  • 4:44 - 4:46
    because they were hacked into.
  • 4:46 - 4:48
    Somebody broke in
  • 4:48 - 4:50
    and they hacked it thoroughly.
  • 4:51 - 4:54
    And I asked last week
  • 4:54 - 4:57
    in a meeting with Dutch
    government representatives,
  • 4:57 - 5:01
    I asked one of the leaders of the team
  • 5:03 - 5:05
    whether he found plausible
  • 5:05 - 5:07
    that people died
  • 5:07 - 5:10
    because of the DigiNotar hack.
  • 5:12 - 5:14
    And his answer was yes.
  • 5:16 - 5:18
    So how do people die
  • 5:18 - 5:21
    as the result of a hack like this?
  • 5:21 - 5:23
    Well DigiNotar is a C.A.
  • 5:23 - 5:25
    They sell certificates.
  • 5:25 - 5:27
    What do you do with certificates?
  • 5:27 - 5:28
    Well you need a certificate
  • 5:28 - 5:31
    if you have a website that has https,
  • 5:31 - 5:33
    SSL encrypted services,
  • 5:33 - 5:36
    services like Gmail.
  • 5:38 - 5:39
    Now we all, or a big part of us,
  • 5:39 - 5:42
    use Gmail or one of their competitors,
  • 5:42 - 5:44
    but these services are especially popular
  • 5:44 - 5:46
    in totalitarian states
  • 5:46 - 5:47
    like Iran,
  • 5:47 - 5:49
    where dissidents
  • 5:49 - 5:52
    use foreign services like Gmail
  • 5:52 - 5:55
    because they know they are
    more trustworthy than the local services
  • 5:55 - 5:58
    and they are encrypted
    over SSL connections,
  • 5:58 - 6:00
    so the local government can't snoop
  • 6:00 - 6:02
    on their discussions.
  • 6:02 - 6:06
    Except they can if they hack
    into a foreign C.A.
  • 6:06 - 6:08
    and issue rogue certificates.
  • 6:08 - 6:10
    And this is exactly what happened
  • 6:10 - 6:12
    with the case of DigiNotar.
  • 6:16 - 6:18
    What about Arab Spring
  • 6:18 - 6:21
    and things that have been happening,
    for example, in Egypt?
  • 6:21 - 6:22
    Well in Egypt,
  • 6:22 - 6:24
    the rioters looted the headquarters
  • 6:24 - 6:26
    of the Egyptian secret police
  • 6:26 - 6:28
    in April 2011,
  • 6:28 - 6:31
    and when they were looting the building
    they found lots of papers.
  • 6:31 - 6:33
    Among those papers,
  • 6:33 - 6:36
    was this binder entitled "FINFISHER."
  • 6:36 - 6:38
    And within that binder were notes
  • 6:38 - 6:41
    from a company based in Germany
  • 6:41 - 6:44
    which had sold the Egyptian government
  • 6:44 - 6:46
    a set of tools
  • 6:46 - 6:47
    for intercepting -
  • 6:47 - 6:49
    and in very large scale -
  • 6:49 - 6:52
    all the communication
    of the citizens of the country.
  • 6:52 - 6:53
    They had sold this tool
  • 6:53 - 6:57
    for 280,000 Euros
    to the Egyptian government.
  • 6:57 - 6:59
    The company headquarters are right here.
  • 6:59 - 7:01
    So Western governments
  • 7:01 - 7:04
    are providing totalitarian governments
    with tools
  • 7:04 - 7:06
    to do this against their own citizens.
  • 7:08 - 7:11
    But Western governments
    are doing it to themselves as well.
  • 7:11 - 7:12
    For example, in Germany,
  • 7:12 - 7:14
    just a couple of weeks ago
  • 7:14 - 7:17
    the so-called State Trojan was found,
  • 7:17 - 7:18
    which was a trojan
  • 7:18 - 7:21
    used by German government officials
  • 7:21 - 7:23
    to investigate their own citizens.
  • 7:23 - 7:27
    If you are a suspect in a criminal case,
  • 7:27 - 7:30
    well it's pretty obvious,
    your phone will be tapped.
  • 7:30 - 7:32
    But today, it goes beyond that.
  • 7:32 - 7:34
    They will tap your Internet connection.
  • 7:34 - 7:36
    They will even use tools like State Trojan
  • 7:36 - 7:39
    to infect your computer with a trojan,
  • 7:39 - 7:41
    which enables them
  • 7:41 - 7:43
    to watch all your communication,
  • 7:43 - 7:46
    to listen to your online discussions,
  • 7:46 - 7:48
    to collect your passwords.
  • 7:52 - 7:55
    Now when we think deeper
  • 7:55 - 7:57
    about things like these,
  • 7:57 - 8:01
    the obvious response from people should be
  • 8:03 - 8:05
    that, "Okay, that sounds bad,
  • 8:05 - 8:09
    but that doesn't really affect me
    because I'm a legal citizen.
  • 8:09 - 8:11
    Why should I worry?
  • 8:11 - 8:13
    Because I have nothing to hide."
  • 8:14 - 8:15
    And this is an argument,
  • 8:15 - 8:17
    which doesn't make sense.
  • 8:17 - 8:20
    Privacy is implied.
  • 8:21 - 8:24
    Privacy is not up for discussion.
  • 8:25 - 8:26
    This is not a question
  • 8:26 - 8:29
    between privacy
  • 8:31 - 8:34
    against security.
  • 8:34 - 8:37
    It's a question of freedom
  • 8:38 - 8:40
    against control.
  • 8:40 - 8:44
    And while we might trust our governments
  • 8:44 - 8:47
    right now, right here in 2011,
  • 8:47 - 8:50
    any right we give away
    will be given away for good.
  • 8:50 - 8:54
    And do we trust, do we blindly trust,
  • 8:54 - 8:55
    any future government,
  • 8:55 - 8:57
    a government we might have
  • 8:57 - 8:59
    50 years from now?
  • 9:02 - 9:04
    And these are the questions
  • 9:04 - 9:07
    that we have to worry about
    for the next 50 years.
  • 9:08 - 9:10
    Thank you very much.
    (Applause)
Title:
Three types of online attack | Mikko H. Hypponen | TEDxBrussels
Description:

Cybercrime expert Mikko Hypponen talks us through three types of online attack on our privacy and data -- and only two are considered crimes. "Do we blindly trust any future government? Because any right we give away, we give away for good."
more » « less
Video Language:
English
Team:
closed TED
Project:
TEDxTalks
Duration:
09:17

English subtitles

Revisions

Our website uses cookies for analysis purposes.