Privacy’s 3 main invaders: Security expert’s view

By Anne Collier

While we’re all thinking and talking about privacy so much, think about what Mikko Hypponen, chief research officer at F-Secure Corp. in Finland, said in his 9 min. TEDx Talk in Brussels late last year. He said that the three main sources of online attacks that F-Secure is watching are: criminals who attack us and our computers for the money (with tools such as “banking Trojans,” software that steals from our accounts while we’re banking online); “hacktivist groups” such as Anonymous who attack as a form of protest, for political or ideological reasons; and “nation-states,” or governments. Hyppoen didn’t mention corporations, but stay with me….

The first example he gave was an attack against Netherlands-based DigiNotar, a certificate authority – a company that sold “certificates” which enabled secure (encrypted) communications and transactions. DigiNotar received such a severe attack last year that it went bankrupt. Hypponen explained how it got hacked: Foreign email services like Gmail “are especially popular in totalitarian states like Iran, where dissidents use them because they know they’re more trustworthy than the local services and they’re encrypted over SSL connections,” he said, “so the government can’t snoop on their discussions. Except,” he added, the government can do that snooping “if it hacks into a foreign certificate authority and issues rogue certificates” allowing for that spying. “And this is exactly what happened with DigiNotar.” He asked the head of the Dutch law enforcement team investigating the attack whether it was “plausible that people died because of the DigiNotar attack,” and the team leader answered “yes.”

Governments’ ‘hacks’

Hypponen gave another example involving Egypt under Mubarak – this one pointing to a fourth, corporate, “invader” working with that government. When protesters were looting the headquarters of the Egyptian Secret Police last April, he said, among the papers they found was a binder labeled “FINFISHER” that contained “notes from a company [based in the UK, Gamma Group] which had sold to the Egypt government a set of tools for intercepting – on a very large scale – all the communications of the citizens of the country. [Gamma] had sold these tools for 280,000 euros.”

But “western governments are doing it themselves as well,” he added, pointing to the case of the “Bundestrojaner,” or “federal Trojan,” last fall, when “a well-established group of German hackers, the Chaos Computer Club, accused the German government of releasing a backdoor Trojan into the wild,” ZDNET reported. The CCC called it “a ‘lawful interception’ malware program used by German police forces.” And not just German law enforcement. Slate just this week reported that, in “information released last month by the German government … between 2008-2011, representatives from the FBI; the UK’s Serious Organised Crime Agency (SOCA); and France’s secret service, the DCRI, were among those to have held meetings with German federal police about deploying ‘monitoring software’ used to covertly infiltrate computers.” Hypponen didn’t say this, but the just-published Slate article reports that the Trojan technology alleged to have been used by the German police, “FinSpy,” is from the same UK company whose technology the Mubarak government used. Is this just today’s version of legal wire-tapping – fighting fire with fire?

Privacy for our children’s children

Hypponen said that, “when we think deeper about things like this, the obvious response from people is ok, that sounds bad, but it doesn’t really affect me, a legal citizen. I have nothing to hide.” He explains why “this is an argument that doesn’t make sense:

“Privacy is implied. Privacy is not up for discussion. This is not a question of privacy against security, it’s a question of freedom against control. And while we might trust our governments right now, right here, in [2012], any rights we give away we’ll be giving away for good. And do we blindly trust any future government – a government we might have 50 years from now?”

Leave a comment