Hypponen: Ban admin rights for all online users

By on
Hypponen: Ban admin rights for all online users

F-Secure's head of research talks Internet security

If he could change one thing about the design of the world's computer systems, says Mikko Hypponen, chief research officer for Helsinki-based F-Secure, "I would take away administrative rights from all online users."

Most wouldn't notice (although those who did would be incandescent with annoyance) and most malware would be stopped from functioning.

"It should have been done already."

Hypponen agrees, however, that there would be a price to pay: where would tomorrow's clever programmers come from?

He himself got his start alongside his two siblings - "We were all nerds" - by being obsessed with computer games as a teenager, tinkering with the code to make them run faster on his Commodore 64. He still loves games and collects and restores old coin-operated video arcade games as a hobby.

Hypponen has been with F-Secure since 1991. He got noticed by the wider world in the early 2000s when he led the team that stopped the Sobig.F worm, and issued early warnings about the Sasser and Storm worms. In 2007, PC World named him one of the 50 most important people on the Web.

None of that stopped Twitter from briefly banning him late last year for posting a warning that contained a malware link.

The irony: he had actually helped the company secure itself against worms.

The idea of removing administrator rights has, in a sense, already been tried and proven: just look at mobile phones, which Hypponen estimates have been hit by only about 500 virus attacks.

"There are two main reasons why the problems of phones aren't bigger yet," he says.

"One, criminals have no reason to invest in porting their attack software to new platforms."
They make plenty of money focusing on Windows XP. Once that installed base starts to shrink and they have to port their software, some will likely target mobile phones while others pick later versions of Windows.

"Two, phones have a completely different security model."
Manufacturers like Apple, Sony, and Symbian all manage a signing framework; without permission your software won't run. In contrast, anyone can add new software to the Internet at any time - good for tinkerers, bad for making consumers malware targets.

Hypponen believes that malware attacks will increasingly be directed at social networks. Many people think there's nothing of value to steal in their Twitter or Facebook account, but criminals can take advantage of the chains of trust these networks rely on.

"Malware still works best when you combine it with the social aspect and misuse trust," Hypponen says.

A web link that leads to an infected site will get a lot more clicks when it's apparently been posted by someone you know and trust. The bigger risk if someone infiltrates your Facebook account, therefore, is that they can impersonate you and destroy your reputation.

"These attacks will continue. The amount of users makes them a prime target," he says.

In the physical world, criminals were sometimes caught because they were stupid about spending the proceeds of their crimes. The analogy in cyberspace is the difficulty criminals have in converting stolen credit card numbers into cash.

"It's fascinating to watch how creative the current online criminals are in trying to reroute their money," he says.

Lately he's noted a weird merger of auction fraud and credit card fraud, in which the fraudster posts expensive goods for auction - say a brand new laptop. When the auction ends the criminal uses the stolen credit card to buy the laptop as a "gift", and gets the winning bidder to pay him in Western Union, web money, or egold - any more or less anonymous cash mechanism.

It never crosses the buyers' minds that they are laundering; they just think they got a really good deal.

For the crooks online crime pays better and carries far less risk of getting caught and/or punished than its real-world counterpart. International law enforcement was designed for a small number of million-dollar drug deals, not thousands of thousand-dollar deals.

This relative safety from prosecution worries Hypponen: "It's sending a message to potential new online criminals that you're safe, you won't get caught. That's what we're doing by not fighting these criminals."

But even if law enforcement had enough resources, "Of the cases we see every single day there's only a fraction of a percent where even we know which continent the attacker is coming from."

Plus, we are vulnerable because our ideas haven't changed fast enough.

"The Internet revolution is not that old. Our sense of risk and crime has all grown up in the real world."

Someone who steals your car probably lives within 100 kilometres of you; someone who hits you with a drive-by download from an infected Web site and raids your bank account could be anywhere.

"You don't normally have to worry about the criminals in Argentina."

"[But] it's as if the Internet had given them free plane tickets to anywhere in the world."

Got a news tip for our journalists? Share it with us anonymously here.
theinquirer.net (c) 2010 Incisive Media

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?