Stuxnet and Flame update

Computer security isn’t part of what we sell but it’s part of what we have to know to do our job. Over the last few weeks, there’s been a raft of new information about Stuxnet (aka the computer virus that attacked Iran’s nuclear program) and Flame (an industrial strength spy virus that likewise targeted Iran’s nuclear program).

My suspicion from the beginning was that Stuxnet was created by either the Israeli or US government. It turns out it was created over the Obama and Bush administrations with significant Israeli government help.

Stuxnet was code-named Olympic Games (and referred to as “the bug”), and it was introduced into Iran’s Natanz enrichment facility by an unwitting Iranian. One source was quoted as saying “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.” The New York Times noted that President Obama “was acutely aware that with every attack he was pushing the United States into new territory, much as his predecessors had with the first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade.”

Flame is a separate effort from Olympic Games and more complex; antivirus companies say they’ve found copies of it in their automated detection systems going back several years (Stuxnet’s code has been publicly available since 2010). It has the ability to rewrite Windows (even the latest, most hardened versions) to use the Windows Update process to protect itself. It’s larger than most programs that run on smartphones, which makes the ‘virus’ label wrong. As these things go, the comparable scale analogy would be a big spider or a small mammal. There’s no confirmation yet, but it would be very surprising if it is not also a product of the US government. More important than the analogy is that it “achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.”

Researchers have copies of both Stuxnet and Flame. They’re busy reverse engineering them. Copies of Stuxnet are also known to have become available on the internet. Essentially, the most powerful weapons in the cyber realm are available to anyone. More positively, utilizing either is still going to take a certain level of knowledge. Attacks that make websites unreachable have been rolled up into programs simple enough for anyone to use. Stuxnet and Flame are presumably going to require a programming team.

Stuxnet (probably as a weapon and as the threat behind blackmail) and Flame (for stealing information) probably won’t be used by Anonymous, but I expect more governments, organized crime groups and even large businesses (with a big ethical blind spot) to put them to use. You may not be a target, but businesses and government agencies you deal with will be targets.

And, where will that threat come from? The avenues of attack just grew tremendously. We haven’t thought of viruses on removable devices as a real threat since the days of the floppy. Well, they’re back. The wrinkle we’ll probably see soon (with the rise of viruses targeting smart phones) is that thumb drives, phones, tablets and almost anything else with a computer built in (or used by computers) can be an infection vector.

Where does that leave us? I think a starting point is to realize that nasty viruses with the ability to attack physical systems and steal a wide variety of documents and information are a fact of life we will all deal with. I usually have a credit card cancelled every year or so because somebody (they never say who) had their servers compromised. When our information is everywhere and computer systems run everything (including something as simple as opening and closing the water valves in a factory), that’s a pretty scary realization.

But, information is power. Some solutions are the ones we already know. When it comes to personally identifiable information (Social Security number, date of birth, etc.), don’t give it out more than necessary. Some are not. Awareness is the starting point: think about how these things can impact you (and your business) as well as how they can be delivered. Thumb drive use on computers can be disabled. If you’re involved in running a factory or managing a large building, you can figure out where controllers vulnerable to Stuxnet are used in your business.
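As an added illustration of the “thumb drive use can be disabled” point (this script is not from the original post or its sources), the following PowerShell audits a Windows machine’s USB mass-storage state and, with the -Disable switch, turns it off. It assumes a Windows host, an elevated (Administrator) PowerShell session, and the two documented mechanisms it touches: the USBSTOR driver start type (Start = 4 disables the driver) and the “Removable Disks: Deny all access” policy value that Group Policy writes under RemovableStorageDevices for the disk device-interface class GUID.

```powershell
# Added example, not from the original post: audit and optionally disable
# USB mass storage on Windows. Run from an elevated PowerShell prompt.
#   USBSTOR Start: 3 = load on demand (enabled), 4 = disabled
#   Deny_All = 1 under the RemovableStorageDevices policy key denies all access
#   to removable disks (the same value the Group Policy editor writes).
param(
    [switch]$Disable   # without -Disable the script only reports the current state
)

$usbstorKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$diskClassGuid = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # GUID_DEVINTERFACE_DISK
$policyKey     = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$diskClassGuid"

function Get-UsbStorageState {
    # Read the driver start type and the policy value (missing policy = not denied).
    $start   = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction Stop).Start
    $denyAll = 0
    if (Test-Path $policyKey) {
        $p = Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue
        if ($p) { $denyAll = $p.Deny_All }
    }
    [pscustomobject]@{
        UsbstorStart   = $start
        DriverDisabled = ($start -eq 4)
        PolicyDenyAll  = ($denyAll -eq 1)
    }
}

$before = Get-UsbStorageState
Write-Host "USBSTOR Start = $($before.UsbstorStart) (driver disabled: $($before.DriverDisabled)); removable-disk Deny_All policy: $($before.PolicyDenyAll)"

if ($Disable) {
    # 1. Stop the USBSTOR driver from loading for newly plugged-in devices.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
    # 2. Deny all access to removable disks that Windows has already recognised.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value 1 -Type DWord
    $after = Get-UsbStorageState
    Write-Host "After: USBSTOR Start = $($after.UsbstorStart); Deny_All policy: $($after.PolicyDenyAll)"
}

# List USB mass-storage devices currently attached so already-connected drives can be reviewed.
Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object FriendlyName, Status, InstanceId
```

Run it without arguments to see the current state, and with -Disable to apply both settings. On a domain, the same policy value is better pushed through Group Policy (Computer Configuration, Administrative Templates, System, Removable Storage Access) so it is enforced on every machine and survives re-imaging; the registry edit here is the per-machine equivalent. Devices already mounted when the driver start type changes stay mounted until they are removed or the machine reboots, which is why the policy value is set as well.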

Which is all just a start. This article could go on for a while just covering the basics of what we’ve learned. But awareness that the storm is here, or is coming, is a start.

Source articles:

Cheat Sheet: Behind The U.S. Cyberattacks on Iran

Crypto breakthrough shows Flame was designed by world-class scientists

Remember Stuxnet? Why the U.S. is Still Vulnerable


Update: Microsoft announced changes designed to prevent attacks similar to Flame from exploiting the Windows Update process.