I am Mikko Hypponen. I hunt hackers. I'm here to answer your questions for Data Privacy Day. AMA!

What's the name of your first pet?

asking for a friend.

hunter2.

Thanks for doing this AMA. I'm kinda interested in the job you are doing. What did you study?

I studied computer science and programming. Everything beyond that I learned by doing. What helped me in getting better with malware analysis was that I did have a strong low-level programming experience (assembly). That I gathered by programming turbo-loaders for the old 8-bit home computers in the 1980s.

Do you have good suggestions for general areas to practice/do hobby work in/maybe even work in, if one is interested in getting into infosec?

We're running an online course on computer security. Why not start from there? It's free. http://mooc.fi/courses/2016/cybersecurity/

The course started a while back. Can you still finish it with credits if you start now?

Maybe. You can check with Lappis from our staff. You can reach him on Twitter at @thelappis.

Hi Mikko,

What was the largest scale/most advanced operation you took down?

I remember spotting a Facebook worm spreading from one user account to another couple of years ago. It was brand new, but spreading very fast and it was clear that it could potentially infect millions of accounts.

When investigating the domain name linked to the attack (fbhole dot com), I got lucky. The domain pointed to an IP address in Czech Republic. I did a reverse search for the IP address and noted that it hosted one other domain name: ironbrain dot net. More importantly, unlike fbhole dot com, which was registered with privacy protection, this domain had contact information in the WHOIS database, complete with a Czech phone number.

So I called the number.

The call went roughly like this:

– Hello?

– Hi. This is Mikko Hypponen from F-Secure Labs.

– What is this about?

– I'm looking for a person related to ironbrain dot net.

– ???

– We're investigating a Facebook worm on fbhole dot com. That domain shares an IP address with ironbrain dot net which is registered under your name.

– And you are?

– I'm from an antivirus company. Are you related to ironbrain dot net?

– I'll have to check… maybe my company is…

– Please do.

– Bye…

[Click]

About 15 seconds later, both fbhole dot com and ironbrain dot net went offline. The attack was over.

What would be your best advise to a new internet user about security and privacy, and how to protect themselves?

Also, what habits would you suggest a regular internet user to eliminate regardless of the technology they use to access the internet?

Here’s couple of things everybody should do:

Use a password manager. This will solve tons of other problems for you, as you will automatically have a unique strong password on every site. I prefer password managers that do not store your passwords in the cloud, but keep them locally encrypted on your own devices and just use an encrypted sync to keep them updated on them.

Sign up for data leak notifications on Have I been pwned. This free service will email you right away if your email address is part of some data breach - such as the recent Yahoo breaches (or, say, Ashley Madison). The service is run by Troy Hunt and it’s trustworthy.

Use a good VPN to secure yourself while using wi-fi networks. Without a VPN, it’s trivial for anyone else using the same wi-fi to see big parts of your traffic. Use a VPN on your laptop, on your phone and your tablet. I like VPNs that enhance your privacy by also removing tracking cookies and other potential breaches of privacy. The added benefit of this is that browsing becomes much faster - it’s often faster with a VPN than without!

Lastly, make a backup. Then make a backup of your backup. Backup your laptop, backup your phone, backup your tablet. And back them up so that you can recover your data even if your house burns down. Because sometimes your house really does burn down, and sometimes you are hit by encrypting ransom trojans. Our lives and memories are on our devices and they deserve to be backup up.

How dangerous is it, really, for the sitting President of the US to continue to use an unsecured phone?

I can't believe he continues to use his personal, outdated device to do realtime communication with the whole world.

It's easy to see how attackers could misuse the @POTUS account if they got their hands on it.

He really should not do it.

And, he should go to Twitter settings and change his settings on Security & Privacy / Password Reset / Require Personal Information To Reset My Password

How close are we to stopping the menace hacker known as 4 Chan?

VERY close. Trust me.

Hi, Mikko. Thanks for the AMA. It's great to have the opportunity to speak with you.

What would be your best advice for someone that wants to work in infosec?

Thanks again!

Hi!

You want to learn as much as possible, but you need to pick your focus area. What do you want to do? Penetration testing? Encryption? Malware analysis? Forensics? Underground intelligence? Counter-espionage?

Pick a niche, as narrow as possible. Then become as good as you can in that narrow niche.

As a good all-around backgrounder, start by reading Bruce Schneier's books. All of them.

Then you need to find mentors and coaches. The easiest way to do this is via online forums dedicated to your focus area.

SANS has some great online resources for people starting up in this area: check them out.

Follow the news. Follow the leaders on Twitter. Read /r/netsec on Reddit. Read Hacker News. Read Krebs.

Don't waste your commute to listening to pop music. Listen to infosec lectures and podcasts.

Check these resources:

https://www.troyhunt.com/careers-in-security-ethical-hacking-and-advice-on-where-to-get-started/

https://github.com/gradiuscypher/infosec_getting_started

https://medium.com/@laparisa/so-you-want-to-work-in-security-bc6c10157d23

http://www.defensivesecurity.org/entering-information-security-industry/

http://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

http://www.thoughtcrime.org/blog/career-advice/

http://krebsonsecurity.com/category/how-to-break-into-security/

http://opensecuritytraining.info/

Also see our course material at http://mooc.fi/courses/2016/cybersecurity/

I wish I could give more guidance, but it's a fast-moving career. Nothing's constant for very long.

All the best, and thank you for your work.

do you have any advice for tampering with pinball machines?

Sure thing. The motherboard is always in the backbox, behind the glass. The lock is in the inside top part and is easily pickable. Older Williams pinballs are running an 8-bit 6809 CPU, or multiple of them. Which is cool.

PS. Here's my pinball. http://i.imgur.com/EUePByG.jpg

What kind of data that hackers typically steal besides the regular financial data (credit card info etc)? Is it like what hollywood often show in the movies how hackers could steal some sensitive information and sell it over the dark web? Thanks!

Not all online criminals try to steal data. Many simply want access; for example, gaining access to the desktop used in a company's financial department can be very valuable, as they would be able to wire money out of the company.

Those criminals that are looking for data are typically looking for financial information (such as credit cards) or credentials. Dumps of user accounts and linked passwords can easily be sold in the underground, as the same credentials will work on many services (because people use the same passwords on multiple sites).

Do you see any way end to end encryption for emails (e. g. PGP) would ever become mainstream?

Apparently this will never happen. We've all been waiting for it for 20 years or more, already.

How do you feel hackers could be portrayed better in the media?

Also in terms of fictionalised representation, are there any hackers in films or TV that looks a bit like hacking?

In Matrix, Trinity uses Nmap to find a vulnerable SSH server, and then proceeds to exploit it using the SSH1 CRC32 vulnerability. This was all very real and doable. Matrix was probably the first mainstream movie to get it right. Or maybe this was in Matrix Reloaded.

Mikko - what's the threat of the future?

Ransomware on our smart cars.

Do you think that is a true threat? Surely customers would appeal to their manufacturers for servicing or replacement? Any auto mfr who was both hacked, and refused to support their customers to restore full service, would halve their stock price overnight.

"Please pay now if you want to pick your kids from daycare in time"

Is long hair a requirement to become good at infosec?

Never trust a guy with a ponytail.

Hi Mikko,

What's your opinion on the UK's Snoopers Charter? An end to privacy?

It's not surprising that law enforcement agencies and intelligence agencies want to gain rights to do their work on the internet. It is 2017 and criminals and extremists really do use the internet for their purposes. However, we must not give away all of our rights just because bad people exist.

What I'm calling for is transparency. We need to know what our governments are doing in our name. We need to know how succesfully such intrusive methods are. And we need to be able to take away those rights from the agencies if they are not effective. Without transparency, we won't be able to tell how effective those tools are.

At the very least, we need statistics. For example: how many citizens were hacked by the government last year; how many of those turned out to be guilty; how many of those turned out to be innocent.

Hi Mikko,

I applied for a few summer placements at F-Secure (junior malware analyst, junior web threats analyst and junior cyber security consultant). Regretting putting the stuff about my Python tattoo in the motivation letter, but it's done now. Hopefully the actual relevant work will make up for it.

What does F-Secure look for in potential interns/employees? Been studying hard in case I get an interview, any extra advice would be greatly appreciated - would love to work with a company which openly fights for privacy in this political climate instead of continuing this trend that the need for someone's life to be their own is now grounds for suspicion (not touching GCHQ placements with a bargepole).

Regretting putting the stuff about my Python tattoo in the motivation letter,

I think it might serve the community if you posted a pic of that tattoo. And a copy of that letter. You know...for science.

What we're looking for in potential interns is Python tattoos.

Also, we're looking for the capability to work under pressure, as outbreaks can get hectic. And the usual things about emphasizing teawork, being good in working with others, and not being a dick.

Fantastic, here you go: http://i.imgur.com/UzFjQjs.jpg

Hectic sounds good, lots to learn! Thanks for the advice, just need to wait and see what happens.

Hey, nice looking tattoo! All the best.

Hi Mikko! What is the most comical security incident that you've ever had to deal with?

Also: I'm a junior security consultant and want to know if you can recommend any companies to work for in the UK?

P.S F-Secure 4 lyf, ^{plz send freebies}

Most comical security incident? How about White House press secretary tweeting out his Twitter password?

Or how about this? https://twitter.com/giIrsgeneration/status/670431562807177216

Do you have any videos on you attacking hackers? I rather enjoy the comeuppance

When we collect enough evidence on online criminals, we pass them on to local police. Here's a video of the head of the Carberp banking trojan gang getting arrested by Moscow City police. https://www.youtube.com/watch?v=Iryyn_-iUiw

Your views on the US Election & Russia ?

Russia just tried affecting the outcome of the Presidential elections in the biggest superpower on the planet.

I think news stories don't become much bigger than that.

What are the biggest barriers to a major country doing online only voting in elections?

The biggest barrier is probably that smart people are telling the decision makers that online voting is a bad idea. Because it is a bad idea.

hypothetically, What would it take for an intelligent and skilled group of hackers to break into a banking system or debt agency and rid the people of their debt owed?

It would have to be done so it wouldn't get detected. Otherwise the banks would just restore their systems back to the state were they were before the hack. So you couldn't wipe everybody debt. But for wiping individual debts, maybe doing it slowly, over months...I guess it would be doable. Hypothetically.

Hi Mikko, welcome to Reddit.

I like the line

"I believe data is the new oil. And just like oil brought us both prosperity and problems, data will bring us prosperity, and problems."

Unfortunately in Australia, our Government recently enacted a metadata law that can soon allow access to citizens' metadata without a warrant. This was rushed into Parliament though, to satisfy copyright holders to combat piracy, reason I say this though is because we are known to be the top pirating country only because accessing shows legally are a nightmare.

Sorry for going off tangent there but have some questions;

• 1) What measures should we take to be safe whilst using our constantly internet connected mobile phones?. Where NFC, Wifi are exploitable features.
• 2) Do you have a recommendation for VPNs?. I've used PIA for a while now and find that it's good.
• 3) In the tv show Mr Robot the characters deal with hacking, is it a true representation of what the hacking world is?
• 4) As Donald Trump uses Twitter alot, do you think he will be hacked?
• 5) I'm somewhat interested in cyber security as a career as I can see it being in demand. What would I need as a pre-requites before studying?. Is the maths level quite high?, as my maths isn't the best.

Lol, "welcome to Reddit". Please! I just had my 7-year cake day.

1. Smartphone are not really a security nightmare, but they are privacy nightmare. Check your settings and grant minimum rights to apps.

2. I would of course recommend our own VPN: Freedome

3. I've heard of the Mr. Robot show but I haven't watched it.

4. Secret Service is supposed to protect Mr. Trump, but this might be a hard one.

5. Check my reply earlier in this thread.

European Union and data protection: what is your favourite regulation, what was a missed opportunity, and what is Europe doing wrong right now?

My favorite regulation is coming up with GPDR 2018. We are finally making it mandatory in EU for companies to report when they lose your data. This has been the norm in USA for years and years. But right now, is most European countries, when a company gets hacked and your credit card number is stolen, they don't have to tell you. Which is ridicilous and it's good to see this change.

An example of regulation that had good intentions but doesn't really work is the cookie law. Every god damn site shows this boilerplate about how they use cookies when you enter, and users click it away. I don't think it really increased awareness of privacy, or anything else. We all just click OK to make the box go away.

1) There are so many security and privacy problems nowadays with hacks being on the news constantly. Are people losing trust in computers and internet services? How can we restore this trust?

2) If Microsoft wanted to spy on us, could they do it? And would we ever know?

4) None of my friends wants to use Signal. Do I change messenger or ... friends?

5) Do you like Mr Robot? 6) If you could sit on a bench for one hour and talk to anyone (from the present or the past), who would it be?

1. RESTORE the trust? Why would we want to restore trust? People already trust too much on the net, clicking on every link, opening every attachment etc.

2. Microsoft could definitely spy on us on our Windows computers without getting detected. But not on our phones.

3. Whatsapp is fine for chatting with friends. Use Signal for stuff where security really matters.

4. Mr. who?

5. Tony Stark.

Hey Mikko!

Do think that a show like Mr. Robot has a positive or negative impact on how the general public views cyber/information security and hacking? Why or why not?

Thanks for doing this AMA!

I can't really say. I haven't seen Mr. Robot. But I do know there's something called "F-Society" in it. Which sounds cool.

Its on amazon video if you have prime!

I have prime but I don't have time.

How can I determine how easily doxxed I can be based on my public online presence on social media, etc.?

Hmm. Ask a friend to try to collect as much as info on you as they can from online sources, then draw your conclusions?

what smartphone setup/device would you reccomend as most privacy-preserving against tracking for commercial purposes and data harvesting?

All smartphones track us, one way or another. If you want to avoid that, use a dumb phone.

If you're looking for a security-centric smartphone, look at products like Blackphone, Bittium Tough Mobile or DTEK50.

Could you tell me the top 10 people I should follow for example on Twitter if I want to be up2date about security stuff?

You only really have to follow @SwiftOnSecurity to do that.

A little off-topic - if I moved to Finland from Canada, how easy would it be to live there knowing no Finnish in the beginning?

Everybody in Finland speaks English. At F-Secure HQ, we have employees from around 30 countries. Pretty much none of them speak Finnish.

Did you get the new pinball balls yet?

I recently found out FSF had this guide for securing email with GPG. How do you like it? I think inconvenience and difficulty are some of the biggest hurdles in promoting secure and privacy-friendly habits to the general population, and easy and simple instructions like that being more common would help immensely. Would you agree?

Atari or Commodore? Choose your weapon!

I really should get some bling chrome mirror balls for my Ghostbusters Premium. Haven't had time to order them.

FSF has done good work with the guide. But PGP is still a nightmare to use. Unfortunately.

My weapon? Commodore. Forever.

What seems to be hackers greatest weaknes, we all know they are pretty smart but what is that something that gets them off track?

Companies only need to make one mistake to get hacked...but this works the other way too. Criminals only need to make one mistake to get caught. That mistake could be something simple like forgetting to hide their IP address with a VPN when connecting to a service, or leaking information via WHOIS entries of their domains. Simple stuff.

Do you think Russians were capable of hacking the election? If so, how do you suspect they did it?

They were capable of hacking political targets and leaking the information they stole in order to shape opinions. They did not hack actual election systems.

Do you think AI will be foundamental for the cyber security? If yes, how?

Vulnerabilities are basically just bugs in the programs. And we will always have bugs because programs are being written by human beings, and they make mistakes. So to fix this, we have to get rid of the programmers.

Years ago, I wrote a program that would write programs. It wrote terrible programs, but still. But if we would but a lot of effort into improving this program-that-programs, eventually it could become as good as a human programmer.

And that’s the last day that any programmer on the planet has to write anything ever again. The program would write a better version of itself, which would in turn write a better version of itself.

An advanced AI writing better versions of itself is scary, but it would provide a giant leap towards the creation of more secure software. And a breakthrough like that could finally create programs free of vulnerabilities. Or at least vulnerabilities that we humans would be able to exploit.

Also, I believe introducing an entity with superior intelligence into your own biosphere is a basic evolutionary mistake. But we seem to be set on doing just that.

how common are badusb attacks? (http://phisonresearch.freeforums.net lil research by me)

BadUSB is one of those attack categories where the potential risk is huge but practical risk is low. So, we're not seeing these attacks happen in the real world. But they could, and then it would be really bad.

Mikko, I'm disappointed, where's the ö?

You mean the umlauts, aka the Rock'n'roll dots? I only use them in my last name domestically and drop them in international use. Makes things much easier for me.

Hello Sir; thank you for taking the time to answer this iAmA. I was wondering how do you feel about Ruslan Stoyanov arrest, and why do you think it happened?

I do not know Ruslan. I believe I have exchanged one or two emails with him years ago.

Since the Russian authorities arrested him for treason, they probably believe that his actions were going to hurt Russian goverment some way.

But I don't really know.

Who is @swiftonsecurity? Is s/he like Banksy, but with cybersarcasm in place of paint?

Actually, @Swiftonsecurity is Banksy.

Hi Mikko. How do you manage to balance your public and commercial roles with staying technical?

It's hard. I'm losing my technical skills. I still try to get my hands dirty every now and then, but the research work with todays advanced attacks is getting very hard. I miss the old days or reversing viruses through the night...

For forensics there are some distributions that have a nicely packaged toolkit. Do you use these distros or do you tend to build your own toolkit? What is in your toolkit?

We have forensics experts at F-Secure, I don't directly work with digital forensics myself.

What are the modern limitations to the direct physical impact a hack can have on a countries infrastructure?

Our societies run on computers & software. Almost anything can be affected by hacking. Most obviously, electricity distribution can be disturbed. And when the power is cut, nothing works. We would cope for a day or a few, but then what? No food. No communication. It could get pretty bad.

Hello /u/mikkohypponen,

How do you see IOT in 5 years? Is it the next blackmarket target ? I don't see B2B market going ham on this, meaning this should be less relevant for hackers to generate cash.

Any chance to see you at Les Assises? I missed you at FIC...

IoT is such a n easy target right now. All the devices are running old Linux kernels, and they have default admin credentials that nobody changes. And admin connections are done over a god damn telnet connection. Wtf.

IoT attackers are mostly using them for building DDoS botnets for now. And you can make cash with DDoS botnets.

I won't be at Assises, see you somewhere else!

Hey!

What's your computer device history. What system did you get first etc?

Do you still get chance to play games?

Cheers

Ah, nice question.

I got a Commodore 64 in 1984 (receipt: http://imgur.com/ByqjYiG)

I bought a Morse 386DX 25MHz in 1989.

I bought some Pentium system maybe in 1993.

After that I have not bought home computers. I have my work laptops and my private tablets and that's it.

I mostly play retro arcade games and modern pinballs. I did buy an Xbox to play Trials HD. And I will buy a PS4 to play Nex Machina.

Hi Mikko! How to spread awareness to small brick&mortar stores or small companies like barbers, hotels and B&Bs, etc. that have no clue about infosec and still need to maintain a web-presence or social media presence?

Education is hard, and there are no shortcuts. Many countries run data security days, during which basic info is circulated to homes, companies etc. They seem to have a positive effect.

Great timing as the Data privacy day is just around the corner. I was wondering if I am fully protecting my privacy with just a premium VPN installed and setup on router and my devices? Or are there some other recommendations too?

One good tip is to use different browsers for different purposes, so it's harder to track you. For example, use Firefox for Facebook but Chrome for everything else. That way, Facebook can't track your movements across the web.

Hi Mikko! I live in Helsinki and i study IT engineering, my goal is to work in infosec, or to be exact as a pentester. And ofcourse F-Secure has been the dream for me. One question i've wanted to ask someone at F-Secure for a long time is, when someone applies for an infosec position @ F-Secure, how much do you care about certifications? And what certs do you prefer the applicant has? And can a cert like the OSCP compensate having work experience in the field? Thanks in advance!

Certifications are not required. First and foremost, we're looking for really technical people who are willing to become even more technical.

What do you think is likely to happen as a response to Trump's executive order on privacy?

https://techcrunch.com/2017/01/26/trump-order-strips-privacy-rights-from-non-u-s-citizens-could-nix-eu-us-data-flows/

What would you like/hope to happen? ;)

What will happen is that a lot of lawyers will get to do a lot of work.

European internet users do not want to stop using U.S. services, and U.S. companies do not want to lose EU customers.

What steps should the average person take to protect their privacy online?

See /r/IAmA/comments/5qgrm0/i_am_mikko_hypponen_i_hunt_hackers_im_here_to/dcz8of1/

I am a huge fan. Following you since you did the Quora session recently. Staying with one organization for such a long time is something, so are you partnered with F-Secure?

Yeah, it's my 26th year here at F-Secure, but it's not my company. I just like working here.

What would be the best certification in your buisness ? CISSP or any other ?

Beats me. I have no certifications.

How the hell do you show up here on the wrong day?

Don't know where you're from mate, but over here in Australia it's the 28th tomorrow.

Here in the US it's the 28th tomorrow too.

Here in Finland it's the 28th tomorrow too.

Sorry to ask but is VPN can really protect my data?

VPNs can really protect your connections (encrypt them). It won't help with the security of your stored data.

Hi Mikko, thank you for taking the time to do this AMA. In a nutshell, will hackers always be two to ten steps ahead?

Taking Yahoo! as an example, one of many companies struggling to fend off hackers, keep our data safe and say no to any advertisers, is it even realistic to expect organisations to prevent cybercrime incidents effectively? There's a sense of false economies mattering more than security when it should be the reverse.

When attackers are creating their attacks, they can analyse how protection systems - like firewalls and antiviruses - work, then work around them. They have unlimited time to do this. Then when they release their attacks, the defenders have to be able to find the attacks and add defense against them very quickly. It's not a fair fight between the malware writers and malware fighters.

What personalty type are you?

Supervillain.

1. Is he symbol "ଙ" in your twitter name some kind of protest against twitter's VIP verification?

2. Do you still hunt for security breaches as a hobby? I'm assuming this is not part of your job as a CRO and public speaker, but correct me if I'm wrong Edit: I'm stupid, it's right in the title of the AMA!

3. Do you know Edward Snowden personally?

1. I've tried getting Verified on Twitter many times over the years, but no luck. At the same time, accounts like these get verified: https://twitter.com/ret2libc (slow clap). But the ଙ symbol isn't about that. I just thought it looks neat.

2. Yes

3. No, I don't know Ed personally.