Online attacks against such prominent targets as Sony, Target and Home Depot have brought cybersecurity and digital privacy to the forefront of the national consciousness. But as the technologies we use grow more sophisticated, so will criminals' attempts to defeat them, according to Chris Doggett, North American managing director of Kaspersky Lab, a Moscow-based international information security firm. In an interview this month in Washington, Doggett said financial fraud and identity theft pose far more danger to Americans than shadowy hacking groups such as Lizard Squad, which has taken partial credit for breaching Sony's systems. He added that no network is ever completely secure — as one major Wall Street client found out when Doggett was working as a private security consultant. The following transcript has been edited for length and clarity.
Brian Fung: What are some of the big issues in cybersecurity now, and what do you see as the top priorities in 2015?
Chris Doggett: What we've seen is a major acceleration in cybercriminal operations, number one, and then secondarily in cyberespionage operations. Targeted attacks have been on the rise, and they're now a major part of the threat landscape. That's something that's been of a lot of interest to us in the security community and something we do a lot of research on.
The common theme we see is that the actors in a lot of these operations, whether they're criminals or nation states, have continued to become more and more sophisticated and more and more elusive. So it's become harder and harder to uncover these operations, unless they're folks that want to get recognized.
Which do you see as the more pernicious threat, the Lizard Squad-type hacking groups or state-based actors?
I think it was [computer security and privacy expert] Bruce Schneier who referred to the Lizard Squad guys as being kids playing politics. I think that's troublesome, and certainly in the case of Sony some of the information disclosures are damaging for sure. But I think the more concerning areas are more primarily based around financial fraud and theft. It's very clear that organized crime has started to really become a major player in the cyberthreat landscape, so most of these attacks that we see that are major thefts are very sophisticated and involve almost an ecosystem of different players.
Financial crime obviously has a very long history. What's new about the attacks we're seeing now against banks or other institutions?
In this past year we saw just how deeply these guys can get into the systems. For example, there was a major operation that we saw in Eastern Europe, "Tyupkin," which involved ATM attacks. These guys were basically able to upload malware to ATMs and then send mules into this ATM network and have them walk up to a machine at a prescribed time and enter a code that would bring up a management console that would show them how much money was in each cassette in the ATM. And they could select to dump the cash out of that cassette right into their hands, and then they had to go make a drop.
That is not just an easy, interesting visual story for people to see; it's clearly a sophisticated attack when it comes to banking.
It certainly seems like there have been more data breaches and hacks in the past year. But are there really more, or are people paying more attention?
I think it's both. In terms of any of the stats we've looked at, we've seen a rise in attacks. We're now seeing 325,000 pieces of new malware daily coming through Kaspersky Lab. We saw a tenfold increase in mobile malware over the last year.
And malware is the common thread that's used in all these attacks. It doesn't matter if you look at Home Depot or Sony or JP Morgan or any of these attacks that are going on, what's the common thread? It's malware.
To answer the question, I think some of it has to do with our awareness, and some of it has to do with the actual level of activity. Many of these operations we've discovered recently have been going on for a year or several years. But certainly there's a much higher concentration of them. People are waking up to the fact that systems are fundamentally insecure. The presumption that things were secure, whether it's their company's data or their money in the bank, people are waking up to the fact that that's no longer true. And it hasn't been for some time.
You said we're getting better at detecting these attacks. How have our capabilities improved?
That varies a lot depending on the segment you're in. We [at Kaspersky] have been in the business of detecting malware since our inception. So our capabilities and our technology have obviously improved over that time, and that's been an ongoing arms race of sorts versus the criminal elements. Part of it has to do with how you collect information. If you have our software to protect your system, you can opt in to providing anonymous diagnostic information about how often that machine is being attacked, and diagnostic information on the malware that's been detected. And if you aggregate that across 400 million machines in our case, you begin to get very good real-time information about what attacks are going on, where and how.
In a lot of retail breaches, consumers have been hit with fraudulent charges that they didn't have to pay. Who bears the cost for that, and are consumers fully insulated?
As companies have woken up to the fact that "pretty good" security is no longer enough, they've had to really up their defenses. And that includes upping their costs, significantly increasing the amount they're spending on securing their systems and infrastructure. Ultimately, that flows down to consumers. Cybercrime and cyberespionage have a very significant cost: You've seen estimates from hundreds of millions of dollars a year to tens of billions of dollars. Are consumers insulated? If your credit card is breached, you're liable for $25 or $50, and the company covers the rest, initially. So in some respect, yes. If your banking card credentials are stolen, you could have your account wiped out. And that does happen.
Can you talk a bit about Apple Pay and Bitcoin and some of the potential — and potential pitfalls — of these technologies?
I think one of the things we can say with Apple Pay is that while it's a great concept, and certainly Apple puts a lot more effort and thought and strategy into security than you see in some of the open operating systems like Android and therefore is more secure, we also know that no system is totally secure. We've seen a rise in Mac OS X malware that's very significant. About 40 percent of that right now is targeting users in the U.S. It's very easy to predict that as the adoption of mobile payment systems like Apple Pay increases, attacks will grow to follow that. It's like that famous saying, "Why do you rob banks? Because that's where the money is." If Apple Pay becomes a big, pervasive system for payments, you can be sure that the criminals are going to be right behind, figuring out how to breach Apple's security and how to steal money.
What about virtual currencies? People say they are secure and relatively anonymous, and folks are working to integrate Bitcoin into the financial system.
Bitcoin is used not only for legitimate financial transactions but for financial transactions amongst the folks who are doing the hacking. So I think it's going to be interesting to see — in one sense, if hackers, cybercriminals are using Bitcoin to move money around or do money laundering or other things as part of the financial portion of their operations, they're probably going to be somewhat reticent to develop ways to compromise Bitcoin. And actually Bitcoin itself is obviously based on an encryption algorithm, so that in some ways creates inherent security, as well. One could speculate that that would not be an attractive target because the guys who are the attackers are also using it. That's number one.
Number two, it comes down to how easy a target is to breach. There are fundamentally two parts to the formula for cybercriminals. One is, how big a target? How juicy is it? How attractive is it? How much money is there to steal? The other one is, how easy is it to breach? In mobile malware, for example, we see over 98 percent of the mobile malware that's created is created for Android. Why? Because it's much, much easier to exploit than iOS.
In the case of Bitcoin, you have to look at it relative to other forms of currency and things guys could go steal. I don't think it's the most attractive target because of not only who's using it but the difficulty in compromising Bitcoin.
As Bitcoin becomes more integrated with the financial system, do you see its role shrinking as the mode of exchange for hackers? Or do they wind up coexisting somehow?
That's a great question. This is purely my personal opinion, but I would expect to see it coexisting. I don't necessarily see it going away, and I'm not sure it gets more dangerous because of the anonymity that's involved for cybercriminals to use it and risk getting caught.
Can you tell me about how business needs differ from consumer needs and how you're addressing them?
The consumer is primarily concerned with two things. One is privacy. I don't want my data getting out there. As we've seen with some celebrity picture hacks, for example, that can be a really big concern with people. Corporations also have to worry about mobile devices being the weak link in their security posture, and the way a criminal can use that to get into their network.
The challenge for corporations is that they no longer have a perimeter. We used to think about this perimeter where everything was either outside the firewall or inside the firewall, and it was easy to control on a network infrastructure. With mobile devices there's no longer a perimeter. The perimeter is the device. Because your phone is sitting there on the table —
I'm taking it out of the building, I can download all kinds of apps —
Sure, and it's got direct access into your [company's] e-mail server, for example. And that's just one of probably many things you can do with your mobile device. And, yes, you're taking it into a lot of dangerous environments.
Darkhotel is a specific operation where attackers are targeting C-level executives at major companies, and they're compromising hotel WiFi networks such that when you go to log into the hotel network, you get into the network and you think you're on the hotel's network, but they've actually gotten into the middle, so to speak, and your device then tells you, "Oh, you need to download a security patch for Adobe. Click here to update." And you're actually executing some malware on your device.
Why are the C-level execs the target? Well, a couple of reasons. First, C-level execs are famous for wanting the rules bent for them. "I know you've got your security policies, but just make my iPad work, please!" That kind of thing. And number two, it's much easier to pick up and anticipate when those people are going to be in that hotel.
I imagine they're also more attractive targets, too — access to more information.
Yeah, unfettered access to pretty much all information in their company. If you're compromising their devices and using that as a way in, that's a pretty good bet you can get anywhere you want to go.
So companies are starting to become more aware about the threats that are out there and steps they need to take. On the other hand, you have consumers who fall victim all the time to phishing or social engineering attacks. Are we getting better as a society about understanding how these attacks take place and how to safeguard ourselves?
We are, and we aren't.
We see people still not practicing good security hygiene in terms of basics — like not having your password be "password" or "qwerty." It's humorous, in some respects. But I think, generally, user awareness has gotten better. People are smarter and, generally speaking, know to be suspicious about e-mails from people they don't know and clicking on links.
To tell you a little story: I used to run a boutique security consulting organization that specialized in doing vulnerability assessments. The thing for me that was most shocking that I quickly developed as I was talking to the CEO of a company or the VP of security was that I could guarantee them that I could break in. I'd say, "Look, I guarantee if you let us use every tool in our toolbox, including social engineering, that we will find at least one way and usually multiple ways into your organization." And they'd say, "How can you guarantee that?" Very simple answer: "If we don't succeed, we will write you a report telling you we couldn't find a way in, and you don't have to pay us a dime." You know how many of those I gave away for free? None. Not a single time did we fail.
What was the fastest you were able to break your way in?
The fastest and one of the most alarming ones was a — I have to be very circumspect about — a publicly traded financial company where the CEO hired us because he wanted to double-check the security he was getting from an outsourced, third-party provider. Because of the nature of their business, we had an agreement that we would not start the testing until after business hours on Friday and we would test over the weekend.
We commenced our test at 6 p.m. on Friday, and our lead engineer called me within 15 minutes of starting the test and said, "You've gotta get the CEO on the line and tell him to pull the plug on their Internet connection, immediately."
It took less than 15 minutes. That was through compromising an FTP server that wasn't properly secured, which in turn gave them access to a Web server that was behind the firewall but that was used to communicate with most of the major banks in New York. This was an institution with a large credit facility, shall we say. And he had the ability within minutes to establish connections, send wiring instructions, and wire-transfer funds to the tune of several hundred million dollars to anywhere in the world within 15 minutes.
All this inevitably leads to the Sony hack, and I wonder if you've had any opportunity to look into that.
Well, I'll start by saying my comments reflect an outside view as opposed to an inside view. So nothing that I'm commenting on reflects any relationship that we do or don't have, or any interaction that our company may or may not have had with Sony. But, yes, I'm certainly familiar with what's going on, and I think it's another example of where we can say that "pretty good enough" security was totally insufficient.
If Sony, for example, had been monitoring their network flows, they could've easily detected that there was a lot of data being exfiltrated from the organization, fairly easily. That's one example that as an outsider I can say is common guidance for companies, and some basic, top-10 guidance likely would've protected them from that happening.
In January 2013, the New York Times reported that the Chinese hacking unit had been sitting in their network for a long time undetected, exfiltrating data on a very quiet basis. I understand that's a very hard thing to do. It seems like the Sony case is a much less subtle attack.
Yes, it doesn't appear to be nearly as sophisticated an attack as some of the other cases we've seen — New York Times being a good example. Many of the targeted attacks we've seen are much more sophisticated, much more covert, where the attackers are much more elusive. Sony certainly appears from an external view to be not terribly sophisticated. More along the lines of your garden-variety hacking operation than a highly sophisticated state-sponsored cyberespionage group, for example.
So you're skeptical that North Korea was the driving force behind this.
I think the way I would put it is, attribution is very, very difficult to do conclusively. And certainly there's nothing that I'm aware of — in terms of diagnostic information in Sony's case — that provides either conclusive or high-confidence-level attribution to North Korea. Is it possible the Sony attack was a highly sophisticated attack that's been made to look not so sophisticated and that there have been false flags planted? That's possible.
If you take a look at any of our in-depth reports, you'll find a huge amount of research and a lot of detail about specifically how the attack was perpetrated, what the steps were, what malware was used. We provide a huge amount of information, but we don't do what we call the last mile of attribution and apprehension. We provide all the diagnostic information to get you there, and then we turn that information over to victims, to law enforcement agencies, and we finally publish it publicly.