Wednesday, June 6, 2012

Flame: A U.S. Cyber Spy Detected?

Flame: A Glimpse Into the Future of War by Elinor Mills at CNet.com:

A new 'worm' that's been spying on computers in the Middle East appears to be nation-state sponsored. We have Stuxnet, Duqu, and now 'Flame'. Stuxnet (and likely Duqu) was developed by the U.S., probably in collaboration with Israel. (Israel has denied involvement in both Stuxnet and Flame, while the U.S. has not outright distanced itself from either.) And the Department of Homeland Security (DHS) declined to answer questions about Flame, which has been called "the most sophisticated cyber weapon yet unleashed."

Infections have been concentrated in Iran and other Middle Eastern countries, and seem designed mostly for spying. Flame can be instructed to spread itself via USB thumb drive, network shares, or a shared printer spool vulnerability. It has at least 20 different components that do things like sniff network traffic, take screenshots, record audio conversations, log keystrokes, and gather information from nearby Bluetooth devices. Experts believe more modules are in the wild. There are more than 80 command-and-control servers being used to send instructions to infected computers.

The malware isn't an entirely new beast really, and the individual functions aren't uncommon. But the size of the program, the fact that it has so many different functions, and its modularity make it unique. An attacker can mix and match components at will. Flame's emergence isn't game changing necessarily, but it does give an indication of how far geopolitically-motivated malware has come and who might be ahead in that "arms race".

"This is confirmation for the public that very sophisticated attacks are prevalent," said Stewart Baker, formerly at the DHS and now practicing cyber law in the Washington office of Steptoe & Johnson. "This is bad for countries that have secrets to protect, like the U.S. and Western Europe, and for the Chinese and Russians too. And it's probably good for countries like North Korea and Iran that are going to go to school with this tool."

"... Flame suggests we're in a new era here," agreed Scott Borg, director of the nonprofit research institute U.S. Cyber Consequences Unit. Even before Stuxnet hit the news two years ago, he made prescient remarks to the effect that Israel's weapon of choice would be malware that would give the country the ability to interfere with Iran's nuclear program without launching a massive military strike. According to the NY Times, the Bush administration turned to malware as an alternative to launching a military strike against Iran and the Obama administration continued with the operation, code-named Olympic Games.

However, while malware might save lives in the short term, it doesn't mean it's safer in the long run. "Cyber can be a much better alternative," Borg said, noting that the Russian cyber campaign against Georgia in 2008 targeted communication and media sites with Distributed Denial of Service (DDoS) attacks and spared them from air strikes. But there's nothing to stop an aggressor from using both online and offline attacks. "If you are planning drone strikes, what better intelligence could you ask for than a tool that will turn on a camera and microphone of a machine in your enemy's possession to let you know who is there and what is going on?"

One big problem with Flame is that the malware authors didn't use code obfuscation, which means it can easily be dissected and re-used by any organization with some advanced programming skills and experience, which would include a large number of nation-states and terrorist groups, according to Borg. "That's a terrible mistake" on the part of the creators, Borg said. "This is not a good thing to have released into the world in a form that is decipherable."

Even though Flame doesn't initially appear to be designed for sabotage, there may be components in the wild that would give it that function. "If it's that sophisticated, it can probably have physical manifestations as well," said Greg Garcia, of Garcia Cyber Partners consulting firm and formerly of DHS. "It could have consequences that are even broader and potentially more deadly than a drone strike if you think about infiltrating and corrupting control systems that are managing electrical grids, water purification, or transportation systems."

Borg declined to speculate which country is behind Flame but said he suspects it was created by "friendly forces." "The countries capable of writing these kinds of tools? China, Russia, U.S., Britain, Germany, Israel, and probably Taiwan," he said. The code, which at 20 megabytes is huge compared with Stuxnet, most likely required hundreds of people to be working on it for many months.

Don't expect the Stuxnet-Duqu-Flame triumvirate to scare anyone straight though. The perception of threat or possibility for danger in cyber security hasn't been enough in the past to merit much action on the part of responsible parties, be they electricity providers or the untold corporate networks that are hacked daily. "There is no shortage of information that says we have a problem," said Herb Lin, chief scientist at the Computer Science and Telecom Board at The National Academies. "But there have been a lot of other wake-up calls and people just put the snooze button back on."