The big cybersecurity news over the holiday weekend was the discovery of new malware that hit Iran's oil industry, as well as systems in other Middle Eastern countries. According to Kaspersky Lab, which discovered the computer virus during an investigation initiated by International Telecommunication Union (ITU):
The malicious program, detected as Worm.Win32.Flame by Kaspersky Lab's security products, is designed to carry out cyber espionage. It can steal valuable information, including but not limited to computer display contents, information about targeted systems, stored files, contact data and even audio conversations.
It sounds like a big deal, and I thoroughly expected my inbox to be littered with emails from any number of my security industry friends with commentary announcing doom and gloom and telling me that Flame is truly the start of cyber war (there have been a few hints that Flame is the product of U.S. and Israel, similar to rumors about Stuxnet) and that it is cause for high alert. And I got a few of those, like this comment from Andrew Brandt of Solera Networks, who told me:
From what I've read, this is like no Advanced Persistent Threat anyone has ever encountered. Flame has been engineered, from the ground up, to steal valuable information over a prolonged period by means of techniques the crimeware makers could not be bothered with. Weighing in at a massive 20MB, the Flame Trojan and its various downloadable components represent an entirely new threatscape not only for businesses but for governments and nongovernmental entities: Any organization, with any valuable information traversing its network, could be a target. Businesses, law enforcement, elected officials, militaries, NGOs -- you are all potential targets. Until the security community can build a greater pool of knowledge about the functions of the malware and the motives of its creators, we all remain at risk. This is no mere password stealer, it's a data siphon.
Neil Roiter, director of research, Corero Network Security, pointed out to me that while Flame was just announced over the holiday, it has been in use for two years. (Has anyone else noticed how often cybersecurity news breaks on holiday weekends?) Roiter said:
Learning that Flame has been in use for two years, perhaps longer, underscores concerns that similarly complex malware could be directed against U.S. companies, institutions and government agencies. Organizations should not be lulled by the fact that this particular malware has been used against selected targets - primarily in the Middle East - but increase vigilance in network monitoring and analysis to detect anomalous, surreptitious activity within their perimeters.
A wise warning, I think. But I was surprised to find that not everyone has bought into the Flame hype. Marcus Carey, security researcher at Rapid7, said something that made a lot of sense to me:
We seem to be getting to a point where every time new malware is discovered it's branded "the worst ever." I'm not only skeptical of those claims, but I'm also hesitant of buying into claims of state sponsored malware. This new "discovery" shouldn't change the day-to-day lives of security operations professionals.
Carey went on to say that nothing in this piece of malware is particularly new and it is common for attackers, no matter who is doing the attacking, to take elements that are already available and not re-invent the wheel. I interpreted that to mean that there really are no surprises in how this new malware was developed, so we should have the tools in place to fight it.
Finally, Carey added this, and I think it is a comment that deserves a lot of thought, not only in a case like Flame, but in all security approaches. He said:
Another thing that is disturbing is the constant emphasis on whether a tool uses zero-day exploits. The question we need to ask is "Does the tool work?" Effectiveness is the only thing that matters. Once one computer is compromised on a network, there is no need for zero-day propagation techniques.
We can't ignore malware like Flame, of course, and eventually the bad guys (or the good guys in the name of national defense) will come up with something bigger, badder and more effective at doing damage than Flame or Stuxnet. But I think I'm with Carey in thinking we can't call anything the "worst ever" or decide whether or not this is the newest beginning of cyber war because we just don't know how effective Flame is - yet.