An under-appreciated threat to your privacy: Security software
Also, yes, we can handle the CIA, says F-Secure lead researcher Jarno Niemelä
Interview The very software that is supposed to protect your security is an under-appreciated threat to privacy because of the massive amount of data many products secretly gather on customers, according to F-Secure's Jarno Niemelä.
Niemelä also told The Register that despite the dismissive claim in the recent WikiLeaks' release of CIA documents, namely that “F-Secure has generally been a lower tier product that causes us minimal difficulty,” the company is confident it can handle intelligence agencies' espionage efforts.
Speaking to us at this year's IAPP's Europe Data Protection Intensive 2017 in London, Niemelä, who's the lead researcher at F-Secure labs, said his company had not been significantly offended by the mention: “Obviously we have only the leaked notes to go on with, but as far as we can see basically what they're talking about is the gateway product — so basically mail filters.”
Niemelä added “they are products, so anybody can buy them, and anybody with enough time can figure out some kind of mistake there. That's a fact of life, it's software, bugs happen, and then any attacker with enough resources will be able to find a way of bypassing that.”
Such products can handle the lower-level and more common threats that might hit the unwary, but “the more important defence systems are in the end-point itself, so there's the end-point protection systems, EPPs, which can identify that Word has started misbehaving,” which is “much more difficult to bypass,” said Niemelä, “and then we have this premium service, Rapid Detection Service, which basically then is a sensor which sends information to our back-end.”
The big difference with a security service, rather than a product, is that the attacker can't see why they've been caught. “The thing is, when you have a feedback loop, as an attacker, it's invaluable, especially if the feedback loop is immediate, you can try until you succeed.”
While products can theoretically be bypassed “because when an attacker has theoretically infinite time and infinite budget sooner or later they'll find a mistake, when we're talking about premium services then they're much more difficult to bypass because the attacker doesn't know when he was caught — and he doesn't know why he was caught,” said Niemelä.
Asked if F-Secure was able to handle the CIA as an attacker, Niemelä was unequivocal: “Yes, we are.”
“You need a full stack from us,” he added. “We are not making a claim that just running a mail filter will keep you safe, but if you get our end-point protection, it is going to keep you safe until you really get targeted, and after that we have our Rapid Detection Service which then is designed against intelligence services.”
Spookier than spooks
While acknowledging the concerns many have expressed about global persistent surveillance, Niemelä said that security solutions can also be a threat to privacy by themselves. “Think about it, you have to analyse enormous amounts of data when you are doing detection rather than just trying to block something with a static antivirus scanner or a local behaviour monitoring system. So when you start doing a service instead of a product, you need to analyse data.
“The question then is how well the security provider is taking security into account in the implementation of that system — and the same thing by the way applied to antivirus solutions, how much information does your anti-virus solution upstream and how transparent is the vendor about what they do with the data?”
The first alert regarding whether security companies pay proper attention to customers' privacy is whether they provide whitepapers on how they handle telemetry data, said Niemelä, stating that F-Secure did so. “I'm not that much of a white knight that I wouldn't have my own agenda – we know we have taken very good care of this, and it's something that many other vendors don't, they upstream everything.”
“It is not putting enough value on privacy,” he added, and relying on the 'Oh, we're doing security, we don't have to tell customers what we're doing' approach. “Us being Finns, we are very meticulous… sometimes we say we are too Finnish whenever that gets in our way, but basically the kind of respect for individuals' privacy is very strong in our culture. Even as a multicultural company that is something we have retained in our company.”
Companies' blindness to the risk that they themselves might pose to users reminded El Reg of a tweet by Matthew Green, the cryptographer and security technologist at the Johns Hopkins Security Institute.
@csoghoian The privacy and security threat model at Google does not include Google. Ever. — Matthew Green (@matthew_d_green) September 21, 2016
Niemelä said he hadn't worked for Google, but understood Google took security “very seriously” and described its internal security department as “top notch.”
“But they didn't do this until they got seriously hit by Operation Aurora back in the day,” Niemelä added, referencing the attacks in 2009 — involving a number of advanced and persistent threat actors based in China — which led to theft of Google's intellectual property and limited access to the Gmail accounts of Chinese political dissidents.
“It turned out that they were [mak]ing basic mistakes like transferring data between their data centres without encryption, not having proper monitoring at the end-points, etcetera. What I would say is that Google is very careful with the information nowadays, after a fashion because they are selling the information.”
“Security is needed to guarantee privacy,” F-Secure's lead researcher said, “but at the same time security has to be made so it isn't a potential privacy compromise. So that means that you do need to collect the kind of information that you need to implement security, and that's it.”
Encouraging fellows in the security vendor field to behave better, Niemelä said: “You should do active work on identifying and filtering out the kind of information that 'Okay, I don't have a need for this, this is clean, this has no place in my databases'. So the whole point is in order to implement security you need to monitor behaviour, you need to collect metadata, you need to collect data, but at the same time you have to be very careful what kind of data you collect – and if it's something that has no security value, why are you collecting it in the first place?” ®