Security Warnings for the Rest of Us

janikenttala
badrap.io
Dec 19, 2017

If you live in Finland, there is a good chance you will get a warning if your networked devices are in the hands of criminals. If you work for a critical enterprise, your infosec team may get warnings from the government or their threat intelligence vendor. So what about the rest?

In my previous blog, I talked about the high-level motivation for founding Badrap Oy. Let’s drill in deeper.

UPDATE: We now also forward information about data breaches with Data breach monitoring for emails.

The Problem: Way Too Many Vulnerable Devices on the Internet

Security researchers scan the net to find vulnerable devices. Scans come in various shapes and forms. Researchers find about a bazillion vulnerable devices (see Figure 1). Great work!

Figure 1: A single source can find a bazillion instances of a specific issue. There are many sources and many issues.

Here is the problem. The vulnerable devices tend to stay there. There are databases wide open, all sorts of encryption issues, and ways to amplify attacks against large corporations, some of which are really critical.

A Model Which Solves It

There is a model to significantly reduce the number of vulnerable devices connected to the net. Here it comes:

Tell the owners.

This model seems to work great. Take a look at Finland’s position in Microsoft’s Security Intelligence Report (Figure 2 and the quote below it).

Figure 2: Finland — the least infected country. Source: Cyber Security Review 1/2014 from FICORA, pages 21–22

“One key factor influencing the small number of malware observations is the fact that Finnish telecoms operators effectively detect infected terminal devices in their networks and urge the users to clean them.”

When there is a hiccup in the model, the results are also visible. One Finnish ISP, Elisa, temporarily lost their capability to notify a big portion of their customers. In 2014 it became so evident that the press picked it up. As a result, infection rates started rising and finally a whopping 85% of the known Finnish infections were in Elisa’s network. Once Elisa got their capability back, the infection rates started to drop again. Phew.

Figure 3: % of observed Finnish infections over time.

Sources: Viestintävirasto (anonymous data). Helsingin Sanomat — “Haittaohjelmat iskivät Elisaan” (the name and background; paywall warning).

So why are there still a lot of vulnerable devices on the net?

Scientific Background Research

The current method for telling the owners of connected and vulnerable devices is to go through ISPs. You might get lucky and be able to get direct contact if the owner is an organization that owns the network. The problem is that when an ISP notifies its customers (netizens), a portion of them call the ISP's help desk. And that is bad for the ISP's bottom line. So some ISPs only do what they must, and some what they can. The result? Those bazillion devices stay on the net and serve the bad guys.

Figure 3: Our source.

We started thinking. Is there an alternative? Our sources said yes (Figure 3). Our background study revealed that corporations have been talking to consumers for decades without depending on Internet Service Providers.

Nike got enough people running to pivot their declining sales, just by repeating “Just do it.” to the consumers.

Furthermore, we just heard about Silicon Valley’s next big thing. They just can’t keep a secret, can they? We know it is coming and they call it the “Cloud”. With it you can run these really scalable services on the Internet. We’re gonna buy one and serve the humongous amount of netizens with it. Like a hundred!

We’ve Taken the Challenge — Will You Help Us?

With the confidence provided by our robust pre-study, we decided to set up a company which focuses on this problem. Our early days are funded by Ääkköset Oy and TEKES. With this money we are validating our idea. We are first going to focus on you — the netizen. We are spending a lot of time and brainpower to figure out the best ways to reach you. And to serve you. And if one day a security researcher has a relevant warning for you, you will hear about it and get help to sort things out. We are aiming to keep the service free for you. We also don’t want to sell your personal information, like many other “free” services do. Thankfully, there are many alternative business models available.

You can help. If you think we are on a worthy mission, show us you care. When we release the campaign site, use it to check the networks you use. When we conduct surveys, answer them. On our journey, there will be financial sponsors who will love the idea, but just can’t help but wonder if it is really going to work. In such cases, your feedback (in the form of using the service or answering surveys) will be invaluable.

If you liked this story, you might also like “Three things that need to happen to scale the use of existing security information.”
