Cybercriminals yet to figure how to make money from IoT: Raimund Genes

Trend Micro CTO Raimund Genes on cybersecurity trends and how his team is working to protect users from these threats


Photo: Abhijit Bhatlekar/Mint

Raimund Genes, chief technology officer at security software firm Trend Micro Inc., has held several executive positions at the company, prior to which he worked in the German air force for 12 years in radar guidance and aircraft tracking.

In an interview in Mumbai, Genes spoke about cybersecurity trends in the digital world, and how his team is working to protect users and companies from these threats. Edited excerpts:

Can we really compute the cost of cybercrime?

We at Trend Micro don’t compute the cost of cybercrime, and all assumptions and statistics about the cost of cybercrime being floated around are simply estimates. We have been in this security business for 27 years and we don’t feel the need to scare people with these figures (Intel Corp.’s security arm McAfee pegs the likely annual cost to the global economy from cybercrime at more than $400 billion.)

I could tell you the exact cost of a piece of malware but when it comes to the total cost of cybercrime, all I can say is that cybercriminals make more than drug traders, and the risk of them being caught is much lower than that of a drug trader because cybercrime is international and does not know any borders.

How much of a risk does India face, especially from ransomware that tops the cybercrime list in developed countries?

The risk in India is much lower than in other countries, at least as of now. But the attacker would not necessarily be from India. He or she could be from Eastern Europe, where many attackers are from.

Globally, ransomware appears on the top of the list because it is so visible—cybercriminals want you to see their message on your devices to scare you so that you pay the ransom. On the other hand, other malware like keyloggers, which sit on your computer silently but steal vital information like your PIN numbers, can go undetected for even six months and more.

Ransomware is in your face. In terms of malware distribution, ransomware is definitely on the top of the list in the US, and in parts of Europe where keyloggers, remote access Trojans (RATs), etc., make up the rest of the malware. In Japan, ransomware is typically low. In parts of Asia, it is high. But in India, ransomware is low on the list.

In India, cybercriminals typically use keyloggers, RATs that try to siphon off credit card and other financial information from your computer.

Why is ransomware low in India?

Cybercriminals typically seek return on investment (ROI) from their crimes. Hence, it makes more sense to seek ransom from people in developed countries who have more money. For instance, a recent study revealed that 5% of companies in the US paid ransom but in Canada, the number was very high at 75%, which shows how nice Canadians are (laughs). There are some cybercriminals who do not even know how to use ransomware, so they hire other cybercriminals who sell ransomware-as-a-service, and then try to find out which company or country gives the best ROI.

Cybercriminals have now begun targeting Internet of Things (IoT) devices...

We don’t see large-scale IoT attacks because cybercriminals have not figured out how to make money here. You have so many IoT devices with so many versions of software, so it is unlikely that we will see large-scale IoT attacks in the near future.

You do hear a lot about IoT attacks by White Hats (ethical computer hackers) but that’s for fame. For example, at the recent Defcon event in the US, we demonstrated drone hacking, etc., but it was basically to show that better security measures need to be implemented.

This March, at the CeBIT event in Hanover, for instance, we demonstrated sex toy hacking by placing a large, neon-pink vibrator on a desk and bringing it to life by typing out a few lines of code on a laptop. We got a lot of press for it. But if you want to do something bad with this, I can get to the back-end infrastructure and blackmail people by getting hold of the sensitive (and embarrassing) data of the people who use this.

Also consider the case of smart TVs. Till now, there were hardly any attempts by cybercriminals to hack these because of the different versions of software. But in China, recently, a smart TV was hacked by a cybercriminal—that is because of the now common Android OS (operating system) build. This implies that malware is used most where standardization prevails, which is not yet the case with IoT devices.

If I want to make money as a hacker from IoT devices, I would rather attack the infrastructure that connects these IoT devices to render them useless. For instance, of what use will be an IoT device that cannot connect to the cloud—it will be garbage. You can do a DDoS (distributed denial of service) on the infrastructure or steal all consumer data like health, geolocation, etc.

Are cyberattacks on the rise in the financial sector, especially with digital payments picking up around the globe?

We saw isolated attacks in the US on companies like Target and Home Depot (in 2014), where millions of customer debit and credit cards were put at risk after hackers broke into the companies’ payment systems. That was primarily because the US was using cards that mostly used magnetic stripes for swiping rather than the chip-and-PIN system that others were using in Europe.

Also consider the banking heist in Bangladesh where the hackers seemed to be well aware of the infrastructure (in February, the hackers used the Society for Worldwide Interbank Financial Telecommunication, or SWIFT, credentials of the Bangladesh central bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking it to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia). Hackers can physically open the service port of ATM machines, plug in a USB stick and get the ATM to dispense all the money held in the machine.

Earlier, most of the work was done on mainframes where every CPU (central processing unit) cycle cost money and where controls were tight because they were UNIX-based systems. Then came the age of PCs (personal computers) and users could install all kinds of software.

This is both good and bad. It means that when your in-house development team releases a new application, it needs to train the system before the application can be deployed—at least on critical systems like servers.

Android apps appear to be posing a big security risk to users.

Android, by design, is not insecure. However, the rights management in Android is not good. It allows you to access third-party apps and users do so when they are desperate to acquire popular free apps. You are relatively safe if you download apps only from Google Play.

This is not the case with iOS because Apple has very strict rules for its developers and does not allow users to download apps from any store other than its own Apple Store.

China is the biggest mobile phone market, but Google does not operate in China. However, the fact is that we get the biggest mobile malware from China. If Google accounts for the malware from China, then users who download Android apps from third parties and not from the Google Play store are definitely at risk.

Of late, there have been more attacks on Linux-based systems while earlier it was Windows that was the primary target...

That’s because a majority of your cloud-based systems run Linux—like your Web servers. It makes more sense for hackers to attack the infrastructure rather than individual devices. Apple is pretty immune because it created a closed ecosystem. It only runs software from a certified developer community. So is the Windows mobile ecosystem. Of course, they don’t have a market share.

Public Wi-Fi hotspots are becoming more popular. How safe are these?

Don’t use them if you don’t trust them. They are prone to vulnerabilities like the man-in-the-middle (where a cybercriminal gets between two parties and gains access to private information) attack. You must use a VPN (virtual private network) to access your company data when using a public Wi-Fi, else it can prove dangerous.

How is Trend Micro’s partnership with Interpol (International Criminal Police Organization) shaping up?

We have been working with Interpol for over two years. (The collaboration was announced in June 2013). We recently helped in the arrest of the head of an international criminal network, suspected of stealing more than $60 million through scams like the business email compromise.
