Hundred Percent Security – Denis Legezo / Kaspersky Lab

by Sinan Oymacı

Denis Legezo, who works as a global research and analysis team leader at Kaspersky Lab, shared his opinions and ideas about security while visiting Istanbul. It was a very informative interview. Kaspersky Lab’s R&D Team is a worldwide team, and they are responsible for researching and identifying targeted attacks.

You may ask what a targeted attack is. A targeted attack is a class of cyber attack in which the attackers know precisely what they want to take and from whom. They attack a particular organization to get specific data. Denis describes their duty as protecting customers from this kind of attack.

– Why are you interested in the security topic?

– It’s hard not to be affected by cyber attacks and the stuff around them. Finding something new every day is good. There are no limits on new technology. We are on duty all the time. It is a challenge. So, I am in the business.

– What kind of responsibilities do you have at Kaspersky Lab?

– We call it incident response. We need to find the attack using different tools. We have to analyze what is behind this attack. It is like a technical investigation. We try to understand what happened.

– Are you in a position to prevent this kind of attack?

– We place our products to avoid this type of attack. When we see a new technique during our research, we add new ideas to our products. In our product KATA, we have a unique anti-targeted-attack solution. In KATA, our engineers implement new measures to protect customers’ organizations against this kind of attack. I am not a developer myself.

– What kind of threats do we have nowadays?

– If we speak about the automotive industry, the truth is that they are plugged into a closed network. We don’t have any malicious attack yet – a black hat attack – on cars to steal data. But some cars could have been hacked.

– It’s very dangerous.

– It’s true. It is dangerous, on the one hand. Let’s think of this as a long commercial story. Mass manufacturers try to protect their devices, but malicious code developers try to solve that every day. They want to have some return on their investment. Spying stuff takes over a connected car. It’s not just about money. It could be about killing someone, or checking someone’s voice when they speak into the mic in a car, for espionage. It’s not widespread. If it hasn’t happened yet, it will happen.

The mass market will have to wait to observe mass threats to intelligent cars as public-network vehicles. If you have identified yourself with your VIN – vehicle identification number, the ID of your vehicle – to pay for gasoline or to pay for something else, there will be a high risk of being a target for mass malware code developers. They try to commercialize their efforts with their knowledge. We could tell more stories about connected cars, about hijacking and spying.

On the other side, we – white hat hackers, non-malicious guys – do these things just for research, to show how such attacks could succeed. For example, we could lock someone’s car. I am sure that you are aware of that great story from two years ago about someone finding himself at a final destination from kilometers away. But all of that comes from researchers, just to raise the awareness of car makers about such things and to get them to hire information security consultants and information security professionals. In the future, there is quite a niche area here for the specialist – the information security expert.

– As an end user, I can buy a product to protect my devices. But is it possible to get something to protect my vehicle? Maybe not yet, but in the near future.

– When we are speaking about cars, it is not the end user’s responsibility to buy some product to protect it. It’s the automakers’ responsibility to preinstall all the security measures on board.

From our perspective, we develop ‘Kaspersky Industrial Security Protection.’ We have a branch in our company called future technologist to protect industrial systems. There is an electronic control unit on board in the cars. They can adapt our solution for industrial products for the car makers.

We also have the automotive division – Kaspersky Motorsport. We try to walk with the automotive market. It’s not a story of the end user plugging in some flash card and installing something.

From my point of view, we have to define what a connected car is. A connected car has a head unit. The head unit is like a powerful computer which has processors and lots of control units, like the brake system, lights, etc. The ECUs – electronic control units – are not so powerful. They have just small firmware inside. But the head unit is a powerful computer machine. You could preinstall almost everything. You have to pen test the electronic head unit, and you have to preinstall a security solution in it. Some information security industry companies only produce solutions, but now car makers have road plans for an extended period. They need time. They are well aware of which measures to implement.

Ten years ago, someone showed Ford and Toyota a framework for hijacking a car from the internal network. Automakers said that it was not a problem because it was a local hack, not remote. Then researchers showed that they could hijack a car from a remote location. Now, it is a problem. Because of that, Chrysler Automotive, which is a part of FCA – Fiat Chrysler Automobiles – had to reprogram 1.5 million vehicles to patch all those cars.

– If we connect to the internet, there are always threats. Is it possible to be 100% safe?

– There is no such thing as hundred percent safety in security. The idea behind information security investment is that you obtain data, then pay to protect the data. That’s the main idea.

Nobody could give you a one hundred percent guarantee.

When you are on a plane, no one can guarantee that the plane will never crash. In our life, there is no such thing as a hundred percent probability of anything. But we take the necessary precautions so that the malware code developers’ investment is unreasonable.

When we look at the modern head unit in the car, the electronic components maker who is responsible for the head unit has to know what they do and try to do their best. It is not just an automaker problem.

– What about general security and protection? We have to think about it for every industry, because there are lots of devices connected in the IoT space.

– The root of the problem is industrial security. Automotive security was produced only about thirty years ago. For example, the CAN bus inside modern cars was invented thirty years ago. It serves its purpose perfectly. It doesn’t lose signal physically. But nobody thought thirty years ago that a car would be connected to somewhere. It was an isolated environment. Every car maker thought about the isolated environment and implemented their solutions for the isolated environment.

But now, everywhere we have computers on industrial control systems between the private network and a public network accessible to everyone. I could tell you that a high-profile attack could jump those air gaps. A malicious code developer can use a USB stick to update something or upload some data. Or someone can use that flash disk without attention, and the car can be infected with that.

It is not one particular automaker’s problem. All car makers have to put protection on their cars. It’s a matter of standardization in information security for connected vehicles.

If we speak about embedded devices, not just enterprise devices but all embedded devices, there is a problem mostly on the vendor side. The end user does not like to change the default password. And many malware and malicious code writers just use that. I saw malware that doesn’t use any vulnerability. It just scans the internet and checks for the standard password. If the standard password doesn’t fit, it goes to the next device or IP address.

If an end user does not apply new firmware, a vendor has to do it. Even a nontechnical user can install malware if you use default credentials.

Some network equipment vendors have bounty programs. I appreciate this practice. It’s a matter of what happens after a vulnerability is found. But sometimes malware coders do not need a vulnerability. They just need default credentials.

When white hat hackers find a vulnerability, an end user has to apply the patch that covers that vulnerability asap. That’s the primary protection method against that stuff, because there are tools to scan whole networks to find vulnerable devices. If you find a video camera with a default password, you can take control of the video, manage it, and even get pictures from that camera.

You can also find industrial control systems. Shodan works as a service. Shodan does not index web page contents but indexes binary responses. They know the typical responses.

Exploits, or vulnerabilities, are the next level. You have to use correct credentials. That’s the first level of security.

Thirty years ago, devices like televisions, cars, refrigerators, etc. were not connected to the internet. And manufacturers felt safe. But now, they need to think about information security. Even Cryptolocker could be installed on a smart TV.

– Let’s talk about smart cities.

– A smart city is a city that collects a vast amount of data about citizens. For example, traffic control centers install lots of sensors. It’s not just about speed control but counting vehicle numbers to build roads, etc. Those devices have Bluetooth interfaces accessible from Bluetooth-capable devices. Even when they are in automatic mode, they can send some commands. They control, for example, which lane will be used or not. Someone can change the settings with the Bluetooth protocol. You can modify the system time, etc. So, at rush hour, there could be a traffic jam. A small DDoS attack on the city center can interrupt data communication. So, sensors can’t transmit any video, audio or data. I do not think municipal authorities want their devices accessible to someone who is not authorized. It is a matter of some pen testing from the vendor and installer side.

Another part of a smart city is internet services. You can pay tax, prepaid electricity, etc. They use networks to get data. It is a matter of network security. They need to know personal data and your ID so you can use city services comfortably. Citizens don’t have to give credentials every time. That data also has to be protected from city staff. Cities are collections of data besides buildings, roads, etc.

– What do you think about privacy and personal data? If I drive a connected car, they know where I am, what time I drive, etc.?

– If you use a mobile phone and connect to the GSM network, nobody can spoof you, because if someone spoofs you, you can’t talk. But when you use some technology, you need to agree to share your data with the operator, because this is the idea of the technology. It’s not a matter of protection.

– If I don’t enable location services on my mobile phone, is it still possible?

– You are talking about location services. I am speaking about triangulation with cell towers. You couldn’t avoid triangulation. You could tell the location service that you do not want to share your location. You can do that if you are not interested in finding your phone when you lose it.

Also, you can use some web browsers that don’t store personal data. If you use some free services, you must accept their policies. It’s a scheme of monetization. If your concern is about your data, do not connect to the internet.

– So, there is no private data?

– Of course, there is private data if you set up properly. You need to think before you press any button. Be careful about which services you are using. But if you want to hide from the GSM network, you have to choose not to use a mobile phone. Sorry.

When we talk about privacy, we have robust software that does face recognition. There are lots of cameras all around the major cities. It is not quite an easy task to see where a man walks in the street, just recognizing him from the city cameras and storing the data.

– Are there any examples of hacked devices, mostly IoT devices, like botnets?

– It’s mostly DVRs – digital video recorders. The reason is simple. Manufacturers put out embedded devices. For DDoS attacks, it is enough to choose those. They are online every minute. That’s why they are infected. And they are the easiest target. The password must be tough to read.

Routers also. Mostly home routers.

Video cameras. There are enough cameras as a starting point. It is quite hard to imagine. For example, the network is entirely secured, but some crazy embedded device like a camera is plugged in to the outside on a public network. It could be the starting point of an attack. They have a Linux operating system. They have a shell to execute some commands, and so on.

They use these devices for mining bitcoins. Botnet usage is like commercialization.

– Can they harm people? Could a home be made cold or hot?

– I am talking about mass threats. For targeted attack, everything could be done.

– Is it possible to start a fire at a factory or at a house by overdriving a machine?

– Last year, there were some issues about attacks on industrial systems. Everyone knows Stuxnet. A German regulator reported an incident at a German factory.

We are speaking about which incidents affect an industrial system. Typical attacks on the computer infrastructure of industrial companies happen every day but do not affect industrial systems. It is different from a typical structure of a Windows domain in which some computers are used just in industry. It happens every day. There is another case in Ukraine which also seems related to an industrial control system. They disrupted the work.

– What is the purpose of your visit to Turkey?

– I talk to students about a career in the information security world because there is a shortage of specialists. It is nice to know people who are interested in the security area for our company. It is also not just for our firm but for the whole industry.

– What do you recommend for the young people? What kind of education do they need to have?

– First of all, I recommend that they must have an interesting life. They need to focus on mathematical and programming problems. Information security is not the most convenient way to spend your life. But it has some interesting opportunities. If you find yourself as a researcher of targeted attacks, it is fascinating. You get to uncover new tricks. It is like a boxing match. The vendor sends a new attack to the researcher. Some people think that it is like an exercise for the mind. It is an exciting business to find new things every day. Information security suits some people.

The atmosphere here at Kaspersky Lab is different from other companies. It is not so straight. Of course, we have some rules and some structure, but we also have trips and exciting projects. Working at Kaspersky Lab is nice.

– Do you have any research laboratory in Turkey?

– We have a commercial office. The most technical job at this kind of commercial office is the technical presales position. You have to be skilled, with an IT background. You give consultancy to customers. You have to know how to implement a solution, how to deploy it. You have to have some intuition from an IT background.

– How many product lines do you have at Kaspersky Lab?

– The traditional one is endpoint security. I cannot define it as an antivirus. It is more than that. It has a network attack blocker, and also anti-malware.

The latest product that we have is the anti-targeted attack platform, KATA. KATA brings Kaspersky Lab’s experience to threats such as targeted attacks.

We have a standalone product called Robo, which knows as much as we are aware of targeted attacks and tries to detect them.

Besides product lines, we have pen testers and a services line. Customers can subscribe to our investigation reports and research on targeted attacks. Also, producers of hardware can subscribe to the feed of malicious samples and malicious domains. We know the reputation of domains and the status of files. If some hardware producer wants to use such data – for example, to stop connections to some domain or to automatically stop execution of some sample – they can subscribe, and at the hardware level they take data from us, asking whether a file is safe or whether a domain is proper. We have a massive database. We call it Kaspersky Critical Network, KCN. It collects data from different places. If you are a hardware or software producer, you can subscribe to one of our services. Consumers, business, and services.

In recent years, the world of endpoints has changed dramatically. Kaspersky Lab would not sit and wait to see what would happen to these endpoints. There are lots of new types of endpoints, users, new connections, and new security service providers.

– Anything to add?

– Producers and end users have to think about their embedded devices, like health monitoring devices and cars. It is a connected computing technique.

Just spend a small amount of time to set it up properly, and it will defend itself, shielded enough somehow.

Do not just plug in the device.

Think a little bit about the commercial security of every device, like a fitness tracker or camera. A child could be connected to the public network.

Spend a little bit of time. Spend time to set up and update.

Living with embedded devices is a little bit easier. But vulnerabilities will not go anywhere. New vulnerabilities will be developed for new embedded devices.

We need to prevent even previously unknown vulnerabilities.

We have automatic exploit prevention in our product. If a new exploit appears, the Automatic Exploit Prevention system says, aha, this is typical exploit behavior, and stops the execution. We can stop vulnerabilities, even unknown ones.

– Thanks. It was a pleasant conversation.

– I thank you for this.

Sinan Oymaci