HEAT Security Blog

3 Reasons Flame is a Game Changer

Back in the late ’90s, the president of a prominent U.S. anti-virus company was approached by a delegation from India. Their request? Weapons-grade malware. In the same month, he was also approached by representatives from Pakistan with the same request. As he explains it: “Two nuclear armed nations with a common border and a history of armed conflict have only one interest. How can they surreptitiously disable the big red launch button of the other side to give themselves a momentary strategic advantage?” Of course, AV companies do not create malware, and they sent the supplicants packing.

Fast forward to today and we find ourselves on the doorstep of a new world of cyber conflict, represented by the June 1, 2012 revelation by David Sanger of the New York Times that the United States, with a little help from friends (Israel), was responsible for the first-ever weaponized software, Stuxnet. And on June 19, Ellen Nakashima of the Washington Post filed a story that claimed the more recently discovered malware Flame also was created by the U.S.

To paraphrase Mikko Hyppönen of F-Secure, the game is on. It’s a new game. The rules are changing. The actors are changing. The consequences are still masked from any of us hoping to make predictions about these changes.

But it is incontrovertible that:

  1. Software is being weaponized for the purpose of cyber attack. Flame was a reconnaissance tool in preparation for the deployment of Stuxnet, which is responsible for destroying Iran’s ability to refine weapons-grade uranium. Other than the few times benevolent hackers have released worms to clean up machines infected with crimeware, Stuxnet has largely been well received by the world community. Slowing down a rogue state’s attempt to join the nuclear club is generally perceived as a good thing.
  2. The sophistication of Flame represents a seismic shift in power for malware. On the face of it, Flame is no more than a Remote Access Trojan (RAT) that steals passwords, documents, and files and can also be directed to record audio and video. But when you dig deeper into this massive (24 Mbytes) package, you find an unprecedented level of sophistication. It can use Bluetooth to spread. It encrypts everything. The most amazing feat of prestidigitation is Flame’s use of an MD5 collision to generate a fake Microsoft Update certificate, by which it tricks target machines into thinking they are installing a trusted patch from Microsoft. One group of researchers estimates the compute cost of calculating that collision, because it requires guessing the microsecond at which the original certificate was created, at over $200K if run on Amazon’s cloud. With this level of sophistication and available funding, the anti-malware industry is going to be severely challenged. Future threats from nation states and cyber criminals will up the ante.
  3. The IT security industry is at a crossroads. For the first time ever, commercial entities in the security space find themselves detecting and blocking malware created by a friendly country, the United States. Microsoft had to issue an emergency update to change their digital certificates to so-far uncrackable SHA-1. This comes at a cost to them and their customers that could be considered a new cyber-tax on computer users. What are the consequences? Will AV and firewall vendors engage in research to predict and defend against new methodologies coming from the NSA? Will the U.S. government restrict these vendors from applying these defenses in the name of national security? Will future cyber weapons run amok, causing untold damage?

Mark your calendars. June 1, 2012 is a demarcation point and the point of no return. The weaponization of software is a reality that will shape the security industry of the future. The Big Boys have arrived on the playground. We are about to experience a rougher, bloodier game.

Editor’s Note: Join Richard and colleagues Paul Henry and Paul Zimski as they discuss the weaponization of malware in a webcast on Tuesday, June 26 at Noon ET.