Tuesday 12 June 2012

Flame Culprit Fingered

Flame, also known as Flamer and Skywiper, is a highly sophisticated, espionage-focused piece of malware which targets and infects Microsoft Windows systems. Flame is known to spread over the network and by USB thumb drives, and it is centrally controlled by 'those' who created and released it onto the world; more on 'those' later. To say Flame is an extremely sophisticated piece of malware is no exaggeration: it can covertly grab screenshots, log all keyboard entry (think usernames, passwords), record Skype voice calls and even monitor network traffic, and all of this information is sent covertly back to "those" who created it. Those controlling Flame infections can even send specialised control commands, including a "kill command", which makes the Flame malware stop running and delete itself, covering up any evidence of it ever having been present on the PC.

Flame: Commendable Malware

Flame is not the product of cyber criminals; it is way too sophisticated, and you only have to look at which area of the world is mostly infected with Flame, which just happens to be Middle Eastern countries. Cyber criminals tend to target online affluent first-world countries like the USA and countries within Europe. Compare the Zeus worm, which targets online banking. There is a clear difference between cyber-criminal-created malware and state-sponsored malware: they have different targets, and different goals following the infection of those targets.

[Image: Flame Infection Area]

The Flame / Stuxnet Connection

I have to be a little careful how I word this as I don't want a holiday in Guantanamo, so according to this must-read New York Times article (http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?) and industry experts I have spoken with off the record, the United States' National Security Agency (NSA) and Israel's Unit 8200 are said to be responsible for creating and launching the Stuxnet worm against Iran's nuclear enrichment facilities. The US government is said to have dubbed its cyber warfare activity Operation Olympic Games. Now, given the great success of Stuxnet in impacting the Iranian Natanz nuclear plant, it was always going to be a matter of time before Stuxnet was followed up.

Kaspersky Lab, who recently analysed Flame, concluded there is a solid link between the development of Flame and that of Stuxnet (http://www.bbc.co.uk/news/technology-18393985):

"What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected"

"The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."

"There is a link proven - it's not just copycats."

"We think that these teams are different, two different teams working with each other, helping each other at different stages."

The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware. It bears a "striking resemblance" to code used in Flame.

"The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming."

So, joining up all the dots, the obvious conclusion is that the United States and/or Israel are responsible for creating, deploying and controlling Flame, and are therefore using Flame to harvest private information en masse.

I am not clear about the United Nations treaties and rules in relation to cyber warfare/espionage engagements against other nation states; I don't think anyone is, which could be the problem. But I'll leave you with some food for thought: the US government has said it would respond to any state-sponsored cyber attack made on it with military force.

"Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests." - http://www.fas.org/irp/congress/2011_cr/cyberwar.html

Thursday 7 June 2012

LinkedIn Password Breach: Change Your Password Now

Yesterday we learnt a hacker posted 6.5 million LinkedIn passwords onto a Russian forum. These passwords were weakly protected (stored as unsalted SHA-1 hashes, for the techies), which means the actual passwords can be recovered by the bad guys with very little technical ability.

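As an added illustration (not code from the original post), the following Python compares the unsalted SHA-1 storage described above with a salted, deliberately slow hash. The accounts and wordlist are constructed sample data; they show why one scheme falls to a single lookup table while the other forces each account to be attacked separately.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real LinkedIn data); two users share a password,
# which is common in practice and is exactly what unsalted hashing exposes.
USERS = {"alice": "linkedin2012", "bob": "linkedin2012", "carol": "Tr0ub4dor&3"}
# Constructed wordlist standing in for a dictionary of common passwords.
WORDLIST = ["password", "123456", "qwerty", "linkedin2012"]


def unsalted_sha1(password):
    """The weak scheme the post describes: a bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def dictionary_recover(leaked, wordlist):
    """Why unsalted hashes fall quickly: each guess is hashed once and matched against
    every leaked hash at the same time, so users sharing a password fall together."""
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def salted_pbkdf2(password, salt=None, iterations=100_000):
    """The mitigation: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns the record a site would store instead of a bare hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_pbkdf2(password, record):
    """Constant-time check of a login attempt against a stored record."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def compare_schemes(users=USERS, wordlist=WORDLIST):
    """Store the sample users both ways and report what the wordlist recovers from each."""
    weak = {u: unsalted_sha1(p) for u, p in users.items()}
    strong = {u: salted_pbkdf2(p) for u, p in users.items()}
    # With salts every stored digest differs even for identical passwords, so a
    # precomputed lookup table is useless and each user must be attacked separately.
    salted_digests_unique = len({r["digest"] for r in strong.values()}) == len(strong)
    return {
        "weak_hashes_collide": weak["alice"] == weak["bob"],
        "recovered_from_weak": dictionary_recover(weak, wordlist),
        "salted_digests_unique": salted_digests_unique,
        "salted_login_ok": verify_pbkdf2("linkedin2012", strong["alice"]),
    }
```

Running compare_schemes() shows alice and bob recovered from the unsalted table in one pass, while carol's uncommon password and every salted record survive the same wordlist.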
Advice to LinkedIn Members

1. Change Your LinkedIn Password Right Now

6.5 million accounts may only be a portion of the total LinkedIn membership, and you may not consider your account affected because you have not yet received a warning message from LinkedIn. However in my view it is highly likely the bad guys will have ALL the LinkedIn account details and passwords for all LinkedIn users. So assume your account login (Email) and password are known by the bad guys; given this, it is essential to change your LinkedIn password as soon as possible.

2. If Your LinkedIn Password Is the Same Password You Use on Any Other Websites, Change Those Passwords

Most people use the same password on different websites simply because it is difficult to remember a different password for each website. The hackers know this, and so target less well-protected websites like LinkedIn to obtain your username, email address and particularly your password. Then they try the same combinations to access better-protected and more valuable websites (money-making opportunities for them) such as online banking, Email, Facebook, PayPal, eBay etc.

[Image: The Problem with Website Passwords]

3. Assume All Your LinkedIn Personal Details Are Compromised

If the hackers can obtain the password field within the database, it is safe to assume they will have harvested all the other unprotected fields in the database as well, which unfortunately will include a full profile of your personal information. LinkedIn aren't the first website to neglect security and lose your personal information to hackers, and they won't be the last. So always be cautious of criminals trying to use your personal information against you; typically they try to make money from it. This can manifest as identity theft or as an elaborately personalised phishing Email. Always be suspicious and cautious of non-face-to-face (Email/Phone) communications, and check your financial transaction statements for signs of foul play on a regular basis.