Forgot your password?
typodupeerror
Security The Military IT

Kaspersky Says Cyber Weapons "Cleaner" Than Traditional Weapons But "Much Worse" 89

Posted by samzenpus
from the give-me-email-or-give-me-death dept.
DavidGilbert99 writes "Eugene Kaspersky and Mikko Hypponen have been watching the cyber security world every since happy hackers were writing viruses for nothing more than their own entertainment. Today however things are very much different. At the DLD 2013 conference, the pair debated the current state of cyber warfare and cyber weapons. Kaspersky said that while cyber weapons may be much 'cleaner' than traditional missiles, guns and bombs, they are 'much worse' as they can be used by just about anyone who has some level of computer proficiency. Both agreed that it was very difficult to protect against the highly-complex nation-state developed malware like Stuxnet, Flame and Gauss. Hypponen said that we are in the 'first stages of a cyber-arms race' warning: 'I think we've only seen the very beginning of these problems.'"
This discussion has been archived. No new comments can be posted.

Kaspersky Says Cyber Weapons "Cleaner" Than Traditional Weapons But "Much Worse"

Comments Filter:
  • not worse (Score:5, Interesting)

    by rubycodez (864176) on Monday January 21, 2013 @12:15PM (#42647719)

    defacing websites? taking down SCADA systems of those stupid enough to internet connect them? who has died as direct result of cyber crime?

    • by coldsalmon (946941) on Monday January 21, 2013 @12:17PM (#42647753)

      Most people would rather die than lose the ability to watch cat videos on YouTube.

    • by oodaloop (1229816)
      How about destroying our power network? We discovered in 2009 that China has been infiltrating our power grid and emplacing logic bombs. They could shut down our power, meaning wrecking the generators themselves. We could replace them of course, except that China makes them.
    • Re:not worse (Score:5, Insightful)

      by Elbereth (58257) on Monday January 21, 2013 @12:45PM (#42648103) Journal

      It's not just Internet-connected infrastructure. In many cases, people took the proper precautionary steps, but weren't actively paranoid. To protect your infrastructure today, you really do need to be paranoid. People bring in gadgets infected with malware, plug the malware-infected gadget into a PC, and the PC infects every system on the network. OK, so you ban people from bringing in gadgets, and now you remove all secretarial PCs from the main network. Maybe you even disable every USB port and force people to use PS/2 keyboards and mice. Well, the next infection comes in from a contractor who installs software directly from the manufacturer. If the hackers know that you use Flash and/or Java in your company's intranet, it's not inconceivable that they manage to infect Flash or Java. I mean, we're talking about nation states here. They can do whatever the fuck they want, and money is not much of an issue.

      Somewhere along the line, people with resources a hundred times greater than yours will come up with a line of attack that you didn't defend against. And if you protect against everything obvious, who knows what the crazy fuckers will do? If I were on the Iranian nuclear power commission, I'd probably give the Americans and Israelis a semi-obvious backdoor to my network, just so that they don't send in black ops teams. I'm not saying that I think the Americans and Israelis would be so stupid, but, then again, these people probably grew up watching James Bond movies. They probably think that shit is exciting.

      • It's not just Internet-connected infrastructure. In many cases, people took the proper precautionary steps, but weren't actively paranoid. To protect your infrastructure today, you really do need to be paranoid. People bring in gadgets infected with malware, plug the malware-infected gadget into a PC, and the PC infects every system on the network. OK, so you ban people from bringing in gadgets, and now you remove all secretarial PCs from the main network. Maybe you even disable every USB port and force people to use PS/2 keyboards and mice. Well, the next infection comes in from a contractor who installs software directly from the manufacturer. If the hackers know that you use Flash and/or Java in your company's intranet, it's not inconceivable that they manage to infect Flash or Java. I mean, we're talking about nation states here. They can do whatever the fuck they want, and money is not much of an issue.

        Somewhere along the line, people with resources a hundred times greater than yours will come up with a line of attack that you didn't defend against. And if you protect against everything obvious, who knows what the crazy fuckers will do? If I were on the Iranian nuclear power commission, I'd probably give the Americans and Israelis a semi-obvious backdoor to my network, just so that they don't send in black ops teams. I'm not saying that I think the Americans and Israelis would be so stupid, but, then again, these people probably grew up watching James Bond movies. They probably think that shit is exciting.

        If you can't inspect the source code and the compiler then it could very well be suspect. A backdoor in the compiler itself is all it takes to put a backdoor on everything compiled with that compiler. How would you defend against that?

        • by Anonymous Coward

          Unless you're, line by line, going through every line of code - code you're compiling yourself, having safely built the compiler yourself, you're not preventing anything.

          "But everybody's looking at it! Open source man!"

          Said everybody who failed to notice the numerous compromised repositories over the years.

          Granted, having the ability to do that - despite how painful and unlikely it is anybody will do it, is a good thing.

    • by nurbles (801091)
      SCADA systems don't need to be on the internet to get infected. I thought I read that Stuxnet got in via USB drive. If a SCADA system's software is EVER updated/enhanced and/or there is any way to load new software to it, then it can be infected. The infection may require a human agent to infiltrate a facility and physically access a machine, but if there's a network then that only needs to be done once.
      • by rubycodez (864176)

        true, but I was just giving specific examples. but again, who has died thus far? wouldn't "the terrorists" have done it if it were possible. reality is you cause inconvenience by messing with SCADA systems, the engineers already put in other safegaurds to any halfway well designed system. for example, "hack" a nuclear power plants systems (or even manually manipulate the controls in the control room) and the very worst you can do is trip the plant offline and piss of the stockholders for downtimes. tha

  • by BoRegardless (721219) on Monday January 21, 2013 @12:19PM (#42647769)

    I am not surprised by Kapersky saying what he does.

    If you don't want your automation system attacked, then keep it off line and what is off line monitored and limited so it can't be accessed improperly and then treat your crew right...with supervision.

    Life is not easy.

    • His company is developing a secure OS specifically designed to deal with the problem he is talking about. He definitely has a real interest in getting people as scared of 'cyber weapons' as possible.

      Also, saying "cyber weapons can be used by anyone with some proficiency" is misleading. Sure, any script kiddy can send a virus to their friend, but there aren't many people who can figure out how to get Stuxnet on their enemy's SCADA system.

      If anyone is interested, as far as I can tell, the primary securi
    • No kidding. Why doesn't Kaspersky tell the mothers of the couple hundred kids killed by drone strikes that cyber "weapons" are worse?

      • by babybird (791025)

        Because drones are just one of many human interfaces to cyber-weapons? What happens when one of those is hacked? Especially when the difference between one and a hundred is how many hosts you connect to. Far-fetched definitely, but a drone is almost by definition a hackable weapon system.

        • Fair enough. But what would the hackers do? Use them with reckless disregard for the safety of civilians? Oh wait.

          The only reason we would care is if the hackers used them on white people as the US has been using them on brown people.

          • by babybird (791025)

            The U.S. so far has been using them in conflict with terrorists. Hackers/terrorists would be using them for crime or terrorism.

            I know the arguments-- why is it different when the government does it? Why is it OK for the government to do it? Why is it OK that they're killing civilians? Women? Kids? And so on, ad infinitum.

            The difference is that they're (currently) being used in a "war" against a non-nation state. There are civilian and innocent casualties in all conflicts, but the casualties so far have been

            • You're making valid points and I was with you until you said it has nothing to do with race or religion. The you lost me.

              If it were white Christian or jewish civilians it would be so different. You have to be so naive or dishonest not to see that.

              • by babybird (791025)

                You're absolutely right that it would be different if they were white Christian or Jewish, I don't deny that. What I do deny though is that the attacks themselves are because they're brown. They're only less objectionable because they're brown. Welcome to racist America. :/

    • by melikamp (631205)

      I am not surprised by Kapersky saying what he does.

      Nor am I. After all, Kapersky should know all about the dangers of professionally written malware, since how he's been producing and distributing it for many years. How else can I characterize a closed-sourced package resistant to any kind of audit that claims to be an "antivirus" and gobbles up the resources to perform tasks on Kapersky's behalf?

  • I do not think it means what you think it means....

    Well, I guess it comes down to what criteria one means when one says 'worse'. In terms of ease of access or ability to defend against it might be 'worse'.. but worse in the same way that, say, pigeon crap is worse. Sure it might be everywhere and you can't do much about its absolute existence, but you can do a LOT against it actually doing harm.

    One can not do much to 'defend' against cyber weapons on the whole, but one can do a lot to mitigate the impac
    • by dkleinsc (563838)

      I think he means "potentially bad for him". I mean, if some bad guys over in Afghanistan have AK-47s or IEDs, sure some soldiers are going to get wounded or killed, but Kaspersky will be sitting quite comfortably at home. But if a cyberweapon hits a company that happens to be one of his major stock holdings, that could severely hamper production for a couple of days, lowering the stock price and costing Kaspersky significant amounts of cash.

      Same story with the many many people who think that the US, the UK,

      • by jythie (914043)
        Sounds about right.

        On the other end, there is the idea that poverty kills and thus things that cause mass economic damager really do hurt people and cause shortened lifespans.. but I have yet to hear of any cyber attack that even begins to approach that and, if we were going to use that metric, the people who create AI systems for stock trading would be in far more legal trouble then even the worst cyber criminals.
  • You mean those things that can attack Windows systems?

    STOP USING MICROSOFT PRODUCTS!

  • OMG folks, the scenarios are far more dangerous than those involving nuclear and biological weapons!

    Hoo-kay Mr Kaspersky.

  • About twenty years ago people were writing malware mostly because they could. I was working on a well known (at the time) product and one day someone joked that we write a virus that targeted our main competitor's product. This led to a serious discussion of what could happen if a team like ours of about 25 experienced professional programmers started writing viruses. It was not a pretty picture.

    We now live in this world with Stuxnet/Flame/etc. It is even scarier now than it was tthen.

  • by paiute (550198) on Monday January 21, 2013 @12:59PM (#42648217)
    In meatspace war, the object was always to damage flesh. We first had blunt objects (stones, clubs) which gave way to sharp piercing weapons (spears, arrows) which gave way to propelled metal (flintlocks, rifles) which gave way to blast waves and shrapnel (shells, bombs) which evolved into directable versions (cruise missiles, armed drones). The next step is probably autocontrolled weapons v1.0, iRobots which scurry through the battlefield and club the enemy or some such.

    I wonder where we are on that scale with weaponizable viruses. Are Stuxnet and its peers the equivalent of Predator drones or will we look back decades from now and think that they were the crude matchlock blunderbusses of their day?
  • Just about anyone. (Score:3, Insightful)

    by Anonymous Coward on Monday January 21, 2013 @01:13PM (#42648335)

    they are 'much worse' as they can be used by just about anyone who has some level of computer proficiency. Both agreed that it was very difficult to protect against the highly-complex nation-state developed malware like Stuxnet, Flame and Gauss.

    Um, nation-states are not "just about anyone". They actually tend to be the same people who have all those "dirty" traditional weapons too. Sure, in theory some rogue basement dweller could launch a massive cyber attack just before his mother calls him up for dinner, but in general such attacks build on information gathered by intelligence services and the State Department (you need to know what you are targeting to do it efficiently).

    The fact that such dire warnings come from someone who just happens to profit from the existence and above all fear of malware makes it a little hard for me to take it as seriously as he apparently does.

    Incidentally, if some basement dweller on the other side of the planet really does pose a threat to your national security, you need to fire the clowns who set up your IT infrastructure and hire some people who actually know wtf they are doing. Stay on top of exploits, keep your software and patchsets up-to-date, plug the holes in your firewalls, don't do stupid things like plaintext storage of passwords anywhere, force the use of keys where possible, etc... you know, all the basic stuff that gets discussed whenever security comes up. Most successful attacks that make the news are not examples of very clever attackers but rather abysmally unaware defenders.

    Maybe I don't know what I'm talking about, but from here it looks like someone complaining that they're car might get stolen because they keep leaving it running with the doors open in a busy part of town with no police or cameras. "Omg auto theft is likely to go up and people will be run over by inexperienced/drunk/high drivers who shouldn't be behind the wheel, we must do something!" Yeah, park it in a better spot, turn of the engine, take the keys out of the ignition, lock the door, and come back to check on it at least once a day. Derp.

    • by elucido (870205)

      they are 'much worse' as they can be used by just about anyone who has some level of computer proficiency. Both agreed that it was very difficult to protect against the highly-complex nation-state developed malware like Stuxnet, Flame and Gauss.

      Um, nation-states are not "just about anyone". They actually tend to be the same people who have all those "dirty" traditional weapons too. Sure, in theory some rogue basement dweller could launch a massive cyber attack just before his mother calls him up for dinner, but in general such attacks build on information gathered by intelligence services and the State Department (you need to know what you are targeting to do it efficiently).

      The fact that such dire warnings come from someone who just happens to profit from the existence and above all fear of malware makes it a little hard for me to take it as seriously as he apparently does.

      Incidentally, if some basement dweller on the other side of the planet really does pose a threat to your national security, you need to fire the clowns who set up your IT infrastructure and hire some people who actually know wtf they are doing. Stay on top of exploits, keep your software and patchsets up-to-date, plug the holes in your firewalls, don't do stupid things like plaintext storage of passwords anywhere, force the use of keys where possible, etc... you know, all the basic stuff that gets discussed whenever security comes up. Most successful attacks that make the news are not examples of very clever attackers but rather abysmally unaware defenders.

      Maybe I don't know what I'm talking about, but from here it looks like someone complaining that they're car might get stolen because they keep leaving it running with the doors open in a busy part of town with no police or cameras. "Omg auto theft is likely to go up and people will be run over by inexperienced/drunk/high drivers who shouldn't be behind the wheel, we must do something!" Yeah, park it in a better spot, turn of the engine, take the keys out of the ignition, lock the door, and come back to check on it at least once a day. Derp.

      Who they use to launch the attack isn't necessarily the people who you would expect. Anyone could be used to launched the attack but the code could be written by the military. Or it could be the other way around where the military contracts anyone to write the code but then uses it's people. It's impossible know who is what or who does what.

  • Kaspersky would certainly say that. They are one of the parties most benefited by general security related panic.
  • If mr. Kaspersky sold nuclear weapons, he would say that A-bombs are cleaner but more powerful than cyber weapons.
  • Surprising eh- such a quote from someone who hangs with the FSB and is busy drumming up business for he and his ex? He's also argued this as the motivation behind his call for a complete lack of transparency and privacy for average citizens including the need for government provided authentication as a "protection". He's a self-serving corrupt ass using his money and influence to impose his and his friends will on anyone he can. He (along with the internet braintrust represented by Russia, the UAE, China,

  • FTA:

    Hypponen added that what set cyber-weapons apart from traditional weapons was the fact that anyone could get their hands on one of these weapons, unlike a nuclear bomb, missiles or tanks which only armies would have access to.

    Regular people can't get ahold of traditional weapons? What? Isn't that a large part of what most of the US (and the peanut gallery around the world) has been arguing about for the last month? That people can get their hands on the terrible traditional weapons?

    So why don't "they" (go as far up the chain as need be) just outlaw cyber-weapons around the world. Seems like that would take care of the whole problem... or does that only apply to computers... or neither? And do you think "they" would be sc

  • Military uses packet sizes of 1500 bytes. We should limit the packet sizes for TCP to 768 bytes for civilian (non law-enforcement) use. Law-enforcement can use 1500 byte packets only after going through special training. This will help mitigate the threat posed by cyber warfare - and it makes as much sense as any other policy being proposed.

  • Mikko Hypponen

    Ahem...the other dude's name is Mikko Hyppönen.

    (comicbookguy-voice) Worst, summary, ever.

  • Kaspersky really should stop pretending to know anything other than DOS and Windows malware. "Cyber weapons" exploit easily avoidable vulnerabilities, that exist because companies responsible for infrastructure-critical software are incompetent and greedy. Stop filling the market with overpriced hastily built crap, and there would be no "evil hackers" to speak about.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...