Hello! Who are you and what do you do?
My name is Johannes, and I currently work for Wepardi as a Business Technology Solutions Manager. I’ve been working in this company for ten years now, and I have around fifteen years of total experience in IT. I’m not only responsible for choosing the best tools to serve our customers, but I also implement security policies against cyber-threats.
Are threats so serious that someone needs to constantly work on this?
Yes, they are. And the problem is that you don’t know what they’re going to throw at you next. Technology evolves so quickly that by the time you find out how to plug an existing vulnerability, they hit you somewhere else with something new. Lately, for example, botnets and DDoS attacks are on the rise.
Sounds scary. What are those?
Okay. First we need to define malware, which is malicious software designed with the purpose of infiltrating legitimate software on remote computers. It doesn’t stop the computer from running, but it turns it into a “bot” that can do several things, like recording what you type, looking for passwords, email addresses, credit card information, and then sending the info somewhere. Another type of malware targets and infiltrates smart devices that are connected to Wi-Fi, like phones, air-fryers, dishwashers, robot vacuum cleaners, refrigerators, anything. When the hacker decides, this network of malware (a botnet) can launch a concerted attack on a particular domain. Imagine literally thousands and thousands of devices across the world flooding a server requesting a webpage, over and over. When the server tries to reply to all of this overwhelming traffic, it crashes. This is known as a distributed denial-of-service (DDoS) attack.
I was right. It is scary.
I’m afraid so. And it’s getting worse, because people are buying more and more “smart” devices for the home. Do I really need to use an app to tell my air-fryer to start frying?
So who deploys botnets and what for?
Individuals who create these sophisticated malicious networks, and then sell their services for a price. For example, someone with a grudge against a company can go on the dark web and use Bitcoin to purchase an attack.
Wait, hold on. What is the dark web?
The dark web is… content and communities that exist on the Internet we all use, but can’t be accessed via common software, like Chrome or Firefox. They are highly encrypted networks that use special anonymization software (TOR, for example) to prevent tracking by the authorities. Something important to understand is that the dark web is used by bad people (to sell drugs, share child pornography, commit fraud, extortion, and other scary stuff) but also by activists, journalists, and whistleblowers who want to spread information which may be blocked by the country they’re operating in, and could get them into trouble.
But back to the DDoS attack: anyone can go to the dark web, put down a hundred or a thousand euros and purchase via bitcoin (which is difficult to track) a botnet attack on a specific domain, like mylovelywebsite.com for example. Depending on the amount the hacker asks, you can choose when and for how long the attack will last: a few hours, a day, a week.
Like hiring a contract hitman.
Something like that. And hacker groups like to brag “We brought down such-and-such website, it was US, we did that!” But actually they just paid the guy who actually controls the bot networks.
Is there no way to protect a server against DDoS attacks?
It is possible, but depending on how severe the attack is, it can become expensive and time-consuming. In a large-scale attack, you may need to hire a company like Cloudflare, which specializes in mitigating DDoS attacks. They have thousands of servers globally, and the capacity to filter the traffic before it reaches your server. They also offer autoscaling, which creates copies of your content on other servers if yours is under attack.
And you say attacks are on the rise?
We started seeing some new attacks about a year ago. YLE News reported in an article that several Finnish harbors had been targeted by a cyberattack. The docks at Vaasa, Helsinki, Naantali and some other cities were attacked at the same time.
What else has been targeted?
Many Finnish brands have been targeted, and of course branches of the government like suomi.fi, vero.fi, and eduskunta.fi. Hackers can’t steal any sensitive data, because in most cases they can’t get access to it. But they can tease these organizations and companies and make a lot of trouble, because it takes time to build protection systems, communicate with the customers… It’s like a bug infestation: annoying, expensive, and time-consuming.
How do you experience it from your desk at Wepardi?
We are targeted almost every week. We have protections in place, and if something goes down, or slows down, we react immediately. The goal is to continuously monitor that the systems are working normally, so customers don’t notice anything.
It’s like the cold war.
It feels that way, yeah. You start seeing red alerts on your screen, which means sudden high loads on the server, so you scramble to monitor log files, unusual activity… You have to react and fix the problem before the customers notice.
And these attacks on Finnish servers, where do they come from?
Some Russian hacker groups claim that they are behind the attacks.
Where do they claim that?
There are websites where they announce their “achievements”. YLE reported that a group called NoName, for example, bragged “we took your website down for two hours!” I personally think it’s such a childish thing to do.
Why do they do it, you think?
Mainly to annoy, but it can also be for political reasons. It’s also possible that they really weren’t the ones ordering the attack. It could be anyone, even some other country from Europe. But they just claim they are behind it.
So you can’t possibly know the truth.
No. If it’s a large bot network, millions of computers or devices are attacking your website, it’s impossible to know who’s behind it. The devices themselves aren’t powerful, but millions of them pinging requests from the server…
If our home devices can be hacked so easily, is it a good idea to have more and more of them? Some people are already implanting chips into their bodies!
Installing automation systems into everything could become a nightmare, that’s true. Like my air-fryer, which is connected to my Wi-Fi network for no good reason. Everything that is “smart” is vulnerable, so I think we should minimize the amount of such devices.
Soon even our luggage will be broadcasting its location.
Um, actually mine does! I also have smart lights at home, a robo-vacuum…
And you can’t track who is controlling your devices?
Because the traffic comes from all countries, it’s basically impossible to pinpoint a location. The IPs change every second, coming from France, USA, China, Russia, everywhere. You could examine one hacked device in real time, and perhaps find an IP address. But whose IP is it? Is it masked within the TOR network? Are they using a VPN (Virtual Private Network)? Even if you see their IP, you can’t track a hacker in the real world.
What other cyberthreats are there? Any rogue AIs coming for us?
Not yet (as far as I know). But yes, AI is already being used for malicious purposes, unfortunately. And the name AI is a bit misleading, at least at this stage of development of Artificial Intelligence, because services like ChatGPT are just large language models.
Aren’t we human beings a big language model too?
That’s a very good question; Elon Musk may have something to say about it! But something individuals and companies should understand is that AI is very good at creating realistic texts, like fake emails. If you get a perfectly written email, that doesn’t mean you can trust it. Let’s say it’s an invoice. You have to stop for a moment and think “did these guys or this company really send this email?” You can confirm it with a quick phone call or SMS, just to make sure. I myself have seen a company pay 20.000 eu for an invoice, and it was a scam. Hackers were already able to read the company’s email (they got usernames and passwords), so they were waiting for the right moment. When the real monthly or weekly invoice was due, they sent the real invoice but switched the proper account number with their own bank account. In their inbox, the company’s accountant sees the invoice, he knows it was coming, the amount is the right one, he pays it. When the due amount was not received on time by the legitimate company, they phoned, compared account numbers, and understood they had been scammed.
Oh, no. What can be done?
Nothing, just report it to the police. I analyzed their log files and found out that someone had been logging into their email accounts for months, waiting for the right moment. Maybe the money went to another country, then cashed. The banks can see whose account it was, but how do you get the money back? So always, always think for a minute: “is this really valid?”
We are so busy with so many things, do we have to add paranoia on top?
I understand, but you’re either cautious or you pay the consequences. Many of our customers have received emails saying “your email password will expire soon. Click on this link to renew it!” Or “your email inbox is full. Please log in using this link and input your email password.” That’s an old one, but people still fall for it and click on those links. You can avoid it by simply calling us to ask “is this really valid?” And our response will be “no, that message is not from us. Your password will never expire and that is a scam email.”
Another great technology put to bad use is synthetic voice generation. If I can record your voice for ten seconds, then I could make phone calls to all your contacts using a clone of your voice asking for money, or something else.
I’m not going to be able to sleep tonight.
There are now apps you can use to prevent this. Signal, for example, imprints every message with a digital signature, even during phone calls. So if I call my father, he opens the dashboard and looks at the safety number; if it matches mine, he knows it’s really me.
Could you yourself get targeted, because of your work?
I have to be careful, because I have credentials that give me access to many places, many servers. My laptop is encrypted, of course. Even if I use my finger to open the screen lock on my phone, there are other layers of protection. Certain apps ask for a pin code, so even if the device gets stolen you couldn’t get anything out of it. With your phone, it’s important at least to have a screen lock, because if someone gets access to your phone number, they could send your contacts a message saying “hey, I’m in trouble, can you send me 50 eu!”
Okay, I’ll let you give a round of good cyber-mommy advice.
Alright! If you ever have to connect to an open Wi-Fi, use a VPN (Virtual Private Network) to prevent your data from being read by other malicious parties listening in. Wepardi has good VPN partners to recommend.
Use different passwords for different services, and change them from time to time. Actually the recommendation nowadays is not to use passwords, but pass-phrases: six random words, which (in theory) is nearly impossible to crack.
Another very good, inexpensive protection is YubiKey, developed by a Swedish company. It’s a mix of software and hardware that’s supported by all the major players (Google, Apple, Microsoft, and many others). There’s no subscription or anything, it’s just a small USB key that you carry with you and insert into the device you want to use (phone, tablet, laptop, desktop). It supports passwords, cryptography, and authentication, and it’s very secure. If you use it to protect your iCloud or Google master account, nobody can use your Gmail or Apple email to reset the passwords of other services.
And you should NEVER use any device or software that is not being updated anymore. An old Android phone that you haven’t used for a while is asking to be hacked, because it has so many security holes. Old PCs using Windows 7, for example, are running a lot of malware. The newspaper Ilta-Sanomat ran an article where they tested installing Windows XP on a PC, connected it to the internet, and monitored the result. In a few minutes it was so full of malware that it stopped running altogether! That’s what happens when you use non-updated software and give it access to the Internet.
Is Finland a leading country in the field of cybersecurity?
I think Finland is influential in the field. In many other countries the situation is not so good, but we have to stay vigilant, because new threats develop as we speak. Problems usually occur when you start saving on costs. Not spending enough money on security for a company will mean trouble sooner or later. But with enough resources and the right people, you can be pretty safe.
How do you stay current when everything happens so fast?
By reading a lot, and talking with people more clever and more experienced than me. It’s important in this game to have a network of experts, and you have to follow all the news. YouTube has surprisingly good interviews with AI researchers. There are so many clever people to follow.
Every week or month there’s something new. Look at what’s being done with AI image generation, it’s amazing. And things are getting very weird very fast with AI and language models. Not long ago the common opinion was “nah, it’s not possible to do this; not in my lifetime, not in the next ten years…” And suddenly we have ChatGPT, you ask it a question and the answer is correct. And everyone’s like “What? We have it NOW? This thing is here?”
You can’t prevent development. If you don’t do it, someone else will, so it’s just a question of time. I can already download a language model onto my PC and run it. Of course it’s slow and not as effective as the newest versions of GPT-4, but imagine that my laptop can already be completely offline and run a language model and give me answers! So if there is a language model that has been trained, anyone can access it. It will be interesting to see who comes up with the best language models, which companies or countries will have the capacity to run them, and what they will use them for. Countries can use AI to target other countries and generate misinformation, for example. So then the problem is that you have to be able to evaluate if AI has been used in news articles. So far, everything AI generates is of course based on everything that has been written to this day; it can’t generate anything new at this point. So when AI is used for making news articles or writing books or making software, it’s basically the same stuff we have been making all these years, an average noise from everything. It’s a good tool for translating text, generating news articles, and so on, but there should always be a human being checking up on it, I think.
It seems you enjoy your work, in spite of the scary stuff.
Yes, I think it’s very interesting. There are always new things to develop, new challenges on the cybersecurity frontier. Now we are starting to build AI systems for companies, and I don’t mean ChatGPT, but private AI systems that run language models on their own server, with automation on top of that.
Does the bad stuff depress you sometimes?
I think everyone gets that sometimes. But I like to focus on the possibilities rather than on the bad stuff.
This article is sponsored by Wepardi, a family-owned Finnish company which offers great hosting and other excellent online services. We featured them previously in this article. Header photography kindly provided by the amazing Naser Bayat.