Flame Is No Stuxnet
The more security wonks learn about the Flame malware, it seems, the less of a threat they think it is. "The code is not armored at all, and while it has many different components which can make it marginally more time-consuming to reverse engineer than other threats, it doesn't have any of the covert methods or self-protection methods that smarter threats would have," said Webroot's Joe Jaroch.
Jun 4, 2012 6:00 AM PT
Fanned by a security community hungry for the next Stuxnet, a new so-called superworm called "Flame" made headlines last week.
Comparisons to the now infamous worm that attacked Iran's nuclear development program quickly appeared. Flame may have been created by a nation state. It apparently targets countries in the Middle East. It gathers information, not money.
But there are more ways to turn information into money than the naked snatching of credentials with a banking Trojan.
"In my experience, there are mercenary hacker crews out there who steal intellectual property and then find buyers for it," Jeffrey Carr, CEO of Taia Global, told TechNewsWorld.
"The ultimate customer may be a foreign government, but they're just a customer," he continued. "The tool itself could have been created by a professional group. They have the money and the skill."
Flame has very little in common with Stuxnet, he added. "Stuxnet was created to cause damage, which would qualify it as a weapon," he explained. "The other is purely multiple tools for gathering information."
Flame also lacks the degree of sophistication found in malware created with rootkits like TDL4 and ZeroAccess, according to Webroot Vice President Joe Jaroch.
"The code is not armored at all, and while it has many different components which can make it marginally more time-consuming to reverse engineer than other threats, it doesn't have any of the covert methods or self-protection methods that smarter threats would have," he told TechNewsworld.
It's also relatively easy to stymie Flame once it's discovered, he added. "It uses static locations and can be cleaned just using a batch script, whereas Stuxnet and newer infections require advanced algorithms and significant research," he said.
U.S. Behind Stuxnet
Since its discovery, the origin of Stuxnet has been a source of lively debate among security professionals. While it seems most agree that a nation state was behind it, fewer agree on exactly which nation state it was.
David Sanger may have put an end to that debate last week in a lengthy article in The New York Times about a campaign of cyberattacks against Iran that was crafted in the Bush Administration and accelerated by the Obama Administration.
Sanger's article was based on interviews conducted over 18 months with former American, European and Israeli officials involved in the program, as well outside experts.
Even though parts of the code had leaked out of Iran and been analyzed by independent security experts and it was unknown how much Iran had figured out about it, Sanger wrote, evidence that Stuxnet was wreaking havoc with the country's uranium enrichment infrastructure persuaded Obama to launch two more waves of cyberattacks on Iran using malware based on the Stuxnet code.
FBI Anxious About IPv6
The formal shift from the old Internet numbering system, IPv4, and the new system, IPv6, is scheduled to kick off Wednesday, and not everyone will be sighing with relief about the Internet solving its dwindling IP address problem.
For the FBI, the new system's nearly unending number of IP addresses is just another step in what it's calling its "Going Dark" problem -- the steady decline of law enforcement's ability to see what criminal elements are doing.
At a Congressional hearing in February 2011, FBI General Counsel Valerie Caproni explained that it's becoming more and more difficult to intercept electronic communications data. "We confront, with increasing frequency, service providers who do not fully comply with court orders in a timely and efficient manner," she said.
Some providers don't have the capability to comply with the court orders, she noted, others can comply only after considerable spending of time and money.
"As the gap between authority and capability widens, the government is increasingly unable to collect valuable evidence in cases ranging from child exploitation and pornography to organized crime and drug trafficking to terrorism and espionage -- evidence that a court has authorized the government to collect," she said. "This gap poses a growing threat to public safety."
The arrival of IPv6 may make that gap even wider.
- May 30: The Australian branch of toymaker Lego informed 1,591 parents that personal information, including credit card numbers, may have been compromised. The site was not secure while accepting membership details between March 27 and May 5. The company said no fraudulent activity connected to the breach had been reported to it yet and it has no evidence of suspicious activity using the information.
- May 31: A hacker posted to the Internet account information and nearly 200 email addresses from the U.S. Navy website navy.mil. Email addresses were from all branches of the military.
- May 31: Sen. Susan Collins (R-Maine) requested Thrift Savings Plan, which runs the retirement savings plan for the federal government, to provide her with further information on a data breach that exposed sensitive information, including Social Security numbers, of 123,000 of the plan's account holders.
- June 1: The University of Nebraska announced it has identified a student responsible for a data breach that could affect up 650,000 students and alumni dating back to 1985.
- June 1: The largest data breach penalty in UK history was imposed by that country's Information Commissioner's Office. Brighton and Sussex University Hospitals were fined pounds 325,000 (US$498,322) for allowing hard drives containing sensitive patient information to be sold at public auction.
- June 1: Trustco Bank filed complaint in Schenectady (N.Y.) County Supreme Court claiming poor data protection practices at the Five Guys burger chain allowed hackers to compromise the accounts of debit card customers and rack up more than $89,800 in charges on them.
- June 6: Protecting End Users Against Emerging Threats. 1 p.m. ET. Free Webcast sponsored by GFI and Vipre AntivirusBusiness.
- June 17-22: 24th Annual FIRST Conference. Malta Hilton. Sponsored by Forum of Incident Response and Security Teams. Late fee registration (April 1-June 1): US$2,500.
- June 26: Cyber Security: The Perfect Storm. 2-4:15 p.m. Capital Visitor Center, Washington D.C. Sponsored by MeriTalk Cyber Security Exchange and Sens. Tom Carper (D-Del.) and Scott Brown (R-Mass.).
- June 29: Third Suits and Spooks Anti-conference. Bel Air Bay Club, Palisades, Calif. Sponsored by Taia Global and Pacific Council on International Policy.
- August 20-23: Gartner Catalyst Conference. San Diego, Calif. Early bird price (before June 23): US$1,995. Standard price: US$2,295.