Earlier this month, security media were ablaze with news of the freshly discovered Flame malware toolkit, which according to reliable sources began infecting Iranian computers as early as 2008.
Since the first reports, we’ve learned more about Flame, its capabilities and intent. The results of this analysis have been impressive and sobering.
Like its alleged sibling, Stuxnet, Flame is highly sophisticated, purpose-built and effective. As someone who spent many years in software development, I appreciate what it takes to write code for many platforms and devices while minimizing flaws. The authors of Stuxnet and Flame deserve credit for this, if nothing else.
Unlike Stuxnet, Flame is a toolkit – a veritable Swiss Army knife – of attacks that can be activated remotely by its command and control operator. The Flame payload is delivered such that all of the modules are available and integrated into the initial assembly, with no additional download or communication required.
Bluetooth sniffing, keylogging, an Autorun infector, the ability to hijack the Windows AutoUpdate function and more – up to twenty unique modules – all nicely packaged in one nefarious kit.
With all of this, Flame may have supplanted Stuxnet as the most complex and sophisticated piece of weaponized software ever developed in the [known] history of mankind.
But as powerful as Flame seems, the economic ecosystem on which its built may be even more interesting.
For decades, Microsoft, Adobe, Google and Oracle have been recruiting, paying for and getting the absolute best and brightest software designers, architects and developers on the planet. Until now.
In this post-neo-infosec-challenged world that we live in, the uber-software Gods work for the bad guys.
You may not put it on your CV or LinkedIn profile, but if you want a fun, exciting, incredibly well-paying job writing the newest, coolest and most coveted code on the planet, move to Romania and hook up with a Russian cybergang.
And it gets worse. As these malicious international software factories become more successful, they get richer, they buy better people and the cycle repeats.
Over the past several weeks the FBI, Interpol and other international law enforcement agencies arrested twenty-four individuals suspected of various card fraud schemes and activities. Suspects were spread out across thirteen countries around the world. One of them was arrested less than 45 minutes from GreyCastle Security headquarters.
None of them were software developers.
The people most typically being arrested for online crime are the individuals using the tools, not the ones building them. No, these digital mercenaries are tucked safely away in their posh Baroque villas on the outskirts of some small town in Estonia, busy writing their next module and withdrawing laundered cash from untraceable bank accounts.
And the hits keep coming. And the fire burns brighter.
Flame may just be the spark that starts the inferno.
On Wednesday, January 11, as the USS John Stennis and three other carrier battlegroups arrived in the Gulf region, two anonymous hitmen rode up alongside the Peugeot 405 being driven by Mostafa Ahmadi-Roshan and “pasted” magnetic shape charges to the cabin exterior. They exploded seconds later, destroying the interior of the vehicle and leaving their surroundings untouched.
This bold, high-tech act comes on the heels of two other attacks, both aimed at disabling or stalling Iran’s nuclear capabilities.
The first is a series of suspicious explosions at Iran’s nuclear facilities, one of which killed another top scientist. These explosions were documented by US satellites which clearly demonstrate the origin and impact of the blasts. These explosions occurred “around the time” that Iran was found to have in its possession an RQ-170 stealth drone.
It is suggested that the Lockheed Martin RQ-170 Sentinel is designed primarily for reconnaissance. Of course it’s 66 feet wide and weighs close to 10,000 pounds. That’s one mighty big camera. Oh and it also has modular bays that can be adapted for “strike missions”.
The second is a high-tech operator that executed missions on the ground. Using covert tactics and the latest intelligence, this foot-soldier infiltrated Iran’s top-secret nuclear facilities and quietly disrupted core processing. Rapidly moving from reactor to reactor, this highly trained assassin combined speed, stealth technology and the latest weapons to sabotage Iran’s nuclear capabilities.
It wasn’t until the damage was done that this assassin was given a name.
We called him Stuxnet.
Now we can speculate whether or not Israel or the United States was behind Stuxnet, but one thing has become alarmingly clear – someone wants to destroy Iran’s ability to produce nuclear assets and weaponized software was a key component of the campaign.
Stuxnet, at its time hailed as the most sophisticated piece of malware ever conceived, dawned a new era. It was not the first time that cyberwar had been waged, but it was the first time that cyber was elevated to that rarefied ether of air, land, sea and space. Even the decompiled code was classified for a time.
Today, nation states are hard at work developing weaponized software that will disable their enemies’ critical infrastructure, destroy military intelligence and render nuclear and other traditional weaponry useless. Cyberwarfare is young, but maturing in dog years. Stuxnet already has one child, and they’re multiplying fast.
In October of 2011, it was made public that the United States Air Force experienced an outbreak of malware on a network associated with assets used to control drones in the Mideast. The origin of the malware was never declassified, nor was the resolution of the incident. Some of us thought that perhaps it was a US Government concoction once again targeting Iran that escaped the labs.
- Step 1: Build Malware
- Step 2: Infect Drone
- Step 3: Crash Flying USB Stick in Iran and Watch From Satellites as it Blows Up Nuclear Plant
Looking forward, it’s clear that software has become part of our military arsenal. We will continue to see more frequent headlines telling stories of cyberattacks on military installations, cyberespionage and weaponized software. Let’s remember that just as China and other countries have stolen our blueprints for drones, tanks and fighter aircraft, they have also built their own cyberweapons.
For now though, I’d turn down that job as an Iranian nuclear scientist.
This morning I exercised my true American right. I voted.
For some, voting is a delicate process that involves days of analysis, research and personal preference. For some, just having the ability to vote is more important than the outcome.
For some, however the election is a ruse. A rote, choreographed series of motions undermined by well-scripted television ads, slick marketing campaigns and overstated commitments.
For those who truly understand the global state of information security, it’s something altogether different.
In fact some believe that the new regime has already assumed power. This new guard isn’t a bunch of Harvard-educated attorneys and career politicians. They have no experience in legislative process, and they’ve never run a campaign. They are nameless and faceless. They’re 17 years old. They’re in their mid-thirties. They’re Russian, British and American.
And they control the world.
Using 100 million infected PCs globally, they can shut down power grids and cause financial chaos. Using weaponized software they can destroy intellectual property and control military networks. They own your credit card number and can listen to your mobile phone calls. They are CyberGods, and there are no term limits.
They have assumed control.
The world in which they operate is limited only by their imaginations, and their cyberwar is not bounded by rules of engagement. Their power is growing. Their reach is expanding. Their wealth is multiplying. Their armies have already overthrown nations in Africa and the Middle East. They are so much more than thieves. They are organized. They are evolving.
They are motivated.
On this Election Day, remember that the true ruling party – this legion – was not voted into power by throngs of rabid fans, they were implicitly elected by a movement of ignorance. An ethos of apathy.
Throughout history the people have risen up to unseat their oppressors, but not before tremendous hardship. A body in motion tends to stay in motion, as Newton once said, and geo-political movements have been no exception. Those in power will do their best to stay in power, and the cybercrimelords that are feasting on our negligence will find new, more deceptive ways to maintain their rule.
We have waited too long. Their momentum is too great. This global network of organized cybercriminals will not simply resign. The people will need to rise up. We will need to stand and fight.
It may take bloody revolution.
This past Saturday I woke up early and suddenly found myself running from bloody, muddy, brain-hungry zombies.
No, the world hadn’t suffered a raging viral infection. And no, I wasn’t a movie extra. It was the first annual Run for Your Lives Zombie 5K race near Baltimore, MD. There were thousands (OK maybe hundreds) of zombies to avoid, a dozen obstacles to overcome and endless fields of mud. There was blood. Whole pools of it. And there were several “teachable moments”.
Now in many ways, I feel like I’m better prepared than the next guy for the impending Zombie Apocalypse – my cardio level is above average, I prefer moving around at night and I love me some good baked beans. I also consider myself a bit of a survivalist, and I keep an ample supply of batteries, bleach and duct tape ready to go for when things get apocalyptic.
All that being said, this weekend’s events reminded me that there’s no way to prepare for everything. Despite the semi-lighthearted nature of the 3.1-mile obstacle course, I found myself surprised – even shocked – on several occasions. Midway through the race I found myself deciding between diving into a muddy lake filled with 55-degree water or being attacked by a crazed horde of killer undead. This particular teachable moment taught me that hypothermia may be for a while, but dead is for ever.
So what does all of this have to do with information security?
Just like the doomsday scenarios that scientists, religious zealots and Al Gore all predict for the human race, there is no way to prepare for everything in information security. In fact, the best preparation may be in preparing to be unprepared.
The harsh reality is, most businesses have already been compromised, whether they know it or not. Yesterday my company met with yet another organization who has been the victim of cybercrime. Not only did this business suffer major losses, but two months later they are still unsure if the money-stealing malware has been eradicated.
Having an Incident Response plan is an important part of running a successful business. Detection of malware and anomalies, containment of incidents and processes for forensics investigations and business resumption should be regular discussions for all management teams. If you haven’t already done so, add a chapter to your plan that accounts for the “unexpected”. Failing to plan is planning to fail.
Hindsight, as they say is 20/20. I’ve already thought of a few things that I’ll do differently to be better prepared for next year’s race. Luckily, it’ll only cost me $57 to learn from my mistakes.
If you’re a business without an Incident Response plan, it may be a little more expensive.
There’s been a lot of chatter over the past week regarding the alleged breach of U.S. Military unmanned aerial vehicles, or at least the networks that they use to transport video streams back to Operation Command Centers in Nevada, or wherever their 19-year old operators and joysticks are positioned.
The media have speculated that a virus, introduced from external media penetrated critical networks and was doing bad things. The Government has done its best to misinform and parry, suggesting (and confirming in some way?) that whatever malware did make its way onto its networks is just a nuisance. It was even suggested that the malware was the military’s own, a weapon that somehow escaped the labs.
Of course, the Department of Defense doesn’t comment on classified networks, so there’s a good chance we’ll never know the real story.
The real question we should be asking is, who cares?
I don’t mean to sound glib, but if Uncle Sam says it’s not a problem, maybe it’s not? After all, even if video streams from Unmanned Aerial Vehicles (UAVs) were intercepted, intended targets likely wouldn’t have time to escape before they were made into Afghani pottery anyway, so what’s the big deal? Perhaps, you say, the enemy is collecting intelligence on UAV flight patterns, so that it can predetermine and thusly avoid detection. Perhaps.
Or perhaps this story is more important to the media than it is to the masses? Not unlike the incessant droning (sorry) on about malware being delivered to Android-based phones these days. It’s a [nearly] proven fact that over 10% of Android applications do things we don’t want them to do, whether they’re harmlessly hijacking GPS coordinates and personal information to push personalized ads to your browser or they’re outright malware stealing online banking credentials. Here’s the thing – people don’t care. Androids – and their applications, stuffed with privacy-violating “features”, are flying off the shelves.
And when will it be time to start vulnerability scanning our cars? We’ve already seen Subaru Outbacks compromised using integrated Wi-Fi, and many vehicles braking systems are vulnerable to attack. And let’s face it – OnStar is a mass botnet just waiting to happen. Don’t look for the “Hardened Security Vehicle” checkbox at your local auto dealer – they don’t care either.
Perhaps the Department of Defense is giving us the cold shoulder because they’re a little embarrassed. Perhaps they’ve declassified this information because it’s helpful for the information security community. Or perhaps it’s because redirection and confusion is all part of their Computer Incident Response Team (CIRT) procedure.
Or perhaps they’re just teaching us a lesson. If we can care so much about a remote control airplane flying over a desert 7,000 miles away that we’ve never seen and will never have any effect whatsoever on us, why can’t we care about the stuff we use every day?
Cybersecurity insurance continues to be an increasingly popular investment for businesses of all types and sizes. Seen as a catch-all for the unpredictable, unreasonable or undesirable, cybersecurity insurance has become an attractive option for businesses who don’t have or don’t take the time to understand their alternatives.
But cybersecurity insurance policies, like other insurance vehicles can be tricky and expensive. They’re not a cloak of invincibility. Heck, they’re not even a security blanket. Here are just a few of the issues.
- First, cybersecurity insurance is a moving target and you may find yourself underinsured or not insured at all. The less you understand about security, your assets and your risks, the less you will understand your insurance policy. One of the most painful lessons of Hurricane Irene was in the area of insurance. We heard countless stories of homeowners who thought that their expensive flood insurance policy would cover their losses, only to find out that they weren’t covered due to some esoteric loophole. Little did these policyholders know that there are many types of flood insurance, each covering a specific condition. The same is true of cybersecurity insurance.
- Insurance can be more expensive than prevention. Insurance premiums for flood, fire and other policies are based on endless mountains of actuarial data that have been analyzed, sliced and diced such that the carrier knows exactly how much to charge for coverage. This premium ensures that the carrier will continue to make money even when its policyholders have claims. These calculations are based on statistical certainties. Because cybercrime is both immature and ever-changing, these piles of actuarial data do not exist, causing carriers to conservatively over-charge. The money you’re spending on insurance could have been better spent on avoiding the problem in the first place.
- Insurance won’t replace all assets. If insurance is your primary security mechanism for assets that are irreplaceable, you’re putting yourself and your business in jeopardy. Things like backups, historical data, documents and other sensitive or confidential assets cannot be recovered by insurance. There’s a reason that 25% of businesses that are victimized by cybercrime never recover.
- Insurance won’t protect your reputation. When your business experiences a databreach, a malware outbreak or other security incident that results in a public relations issue, no amount of insurance coverage is going to repair the damage. Understanding your risks will help you avoid an incident, paying for insurance that doesn’t help only adds salt to the wound.
Cybersecurity insurance can be a valuable defensive mechanism for businesses when applied properly. When properly understood and selected, it can address areas of risk that are difficult to manage with other controls. When misunderstood, it can compound a security incident with confusion, frustration and expenses.
If you’re considering cybersecurity, give the policy a close read. If you already have a policy, give it a closer read. The last thing you want to hear from your insurance carrier after a security incident is, “sorry Charlie”.