Who Can You Trust in the Age of Flame, Duqu, and Stuxnet?

How Stuxnet and Flame Are Changing the Security Game

Much has been written recently about Flame, the latest sophisticated cyber attack/malware discovered by security researchers. Flame follows Duqu, and Stuxnet before that, as a very sophisticated cyber attack vehicle that appears to be a state-sponsored cyber weapon. In fact, the NY Times ran a whole exposé on the issue last week.

If you have the chance, take the time to read the Times article. It is a fascinating piece of reporting that pulls together bits and pieces from all over the globe to give us a picture of how the U.S. and Israel designed a computer virus with the intent of taking out Iran's nuclear centrifuges.

We in the security industry have known about Stuxnet (the name given to the virus that attacked the Iranian centrifuges) for some time now. The folks at Symantec and others have done some great work researching it and who was responsible for it. Most security folks have suspected for some time that it was probably a joint U.S.-Israeli operation aimed at Iran.

It was sort of stupefying to me that whenever I would talk to non-security folks about Stuxnet, very few, if any, of them seemed to have any idea what it was about. They were all fascinated to find out about a computer virus actually doing something like this. I didn't understand why more people weren't aware. Was it just me being a security geek, or was news of Stuxnet not being reported in the mainstream, and if so, why not?

Stuxnet, according to the NY Times report, was part of a clandestine program called Olympic Games that was started under the Bush administration but expanded under the Obama team. While primarily aimed at Iran, other cyber attack weapons may have been developed with different countries (North Korea, for example) as their intended targets.

Before you blame the U.S. for starting this new era of cyber warfare, though, let's be clear. Cyber attacks and cyber war did not start with Stuxnet. This sort of thing has been going on for some time. Nor are these weapons limited to nation-to-nation attacks.

Operation Aurora is generally believed to have been approved by, if not sponsored by, the Chinese government, for instance. According to my friend Lawrence Walsh at Channelnomics, Operation Aurora "stole untold millions in intellectual property from U.S. corporations. A well-known security researcher described the China theft of U.S. corporate data as 'wholesale rape,' and the greatest transfer of wealth potential in history."

Russia, European nations and even terrorist cells have all tried to use cyber attacks to further their own interests. But that should not surprise anyone, really. What new technology hasn't been used to further some group's agenda and goals? Cyber attacks are just the latest super weapons, because of the characteristics that make them perfect for that purpose: nice and neat, no blood on the hands, no radiation (well, almost no radiation, unless you caused a Chernobyl-style meltdown or something). White-collar warfare.

Make no mistake about it, the game has changed. Cyber attacks, cyber warfare and cyber weapons are here to stay. They may even become a bigger driver for better security than financially motivated cyber criminals have been.

But what will this mean for the security industry? How does it respond to this new class of threat? Mikko Hypponen of F-Secure has a great article up on Wired about why security companies failed to catch Flame, and Stuxnet before it. (Flame is the latest "son of Stuxnet" type of sophisticated attack.)

You should read Mikko's article both for the background it provides and for the view from the trenches. One thing that should be clear from Mikko's article is that there are probably newer attacks, and more of them, already out there.

These attacks can rely on unknown zero-day vulnerabilities; they might carry forged certificates; or, for all we know, they are designed with the full cooperation and assistance of friendly software companies and perhaps even friendly security companies. At the very least, these new cyber attack weapons can be tested against commercially available security products to see if they can evade them. As Hypponen says, many of these attacks used malware that was "hiding in plain sight."

For our purposes, suffice it to say that it is hard, and getting harder all the time, for security companies to detect and block these sorts of attacks. Today, word came down that Flame was probably using some forged Microsoft certificates.

How the authors of Flame were able to forge these certificates is open to conjecture. But you see where the speculation could be going, don't you? How can we be sure that any company is not conspiring with its host government?

When I was selling security solutions to the U.S. government, there was always an unwritten, if not unspoken, bias against Israeli security companies. The rumor was that the government was leery of buying Israeli security solutions because it feared the Mossad had built a back door into many of them. Whether this was true or not isn't the issue. The fact that people thought about it, and as a result chose other security solutions, is the point.

In the hypercompetitive global market we live in, can U.S.-based companies afford to lose business because foreign customers are wary of backdoors or of cooperation with certain government agencies? What about companies that aren't based in the U.S.? Can we trust them on our own computers? What about U.S.-based companies doing business in foreign countries? How do we know they have not been compromised?

From a security company's point of view, if a U.S.-based company does not detect the next Stuxnet, do we wonder whether it didn't detect it because it didn't want to? Was it told or influenced by its government to "look the other way"? If you are a security company that wants to do business in the lucrative government market, do you want to be blowing the whistle on your government? What if you are a foreign corporation seeking to open new markets in the U.S. or other countries? How do you prove your loyalty? Do we think security companies are incompetent and unable to detect an attack, or do we always have in the back of our minds the question of whether they wanted to detect that attack? Indeed, this opens a whole new chapter in the security industry. Who can you trust?

For an industry that is always preaching "trust no one," the chickens may come home to roost here. How can we trust any security company to be above national self-interest?

So the age of innocence in security is over. It is no longer simply the good guys versus the bad guys. Instead, security is now entering the James Bond era. We will have agents and double agents, and silent cyber wars that we may never find out about. We may hear rumors and whispers of compromises and stealthy theft. I don't know exactly what this will mean for the worldwide security market. But I do know it will never be the same.

Copyright © 2012 IDG Communications, Inc.