Long suspected of having been developed by a well-resourced state full of old-school Highway 101 programmers recent revelations now suggest that the commentators were, embarrassingly, spot on.
Something was going on and then some, taking in, many now believe, several other pieces of odd-looking malware, including Duqu and almost certainly the recently-discovered and disturbing follow-up to Stuxnet called Flame.
Let’s spell out the implications. If states such as the US have been developing and deploying sophisticated malware with omnipotent nonchalance, that realisation contains a threat. Security systems can’t stop this sort of stuff easily if at all and indeed took years to spot Stuxnet once it had escaped from its ostensible target, the Iranian Natanz nuclear enrichment plant.
The design of Flame in particular shows us how this sort of malware can call on unknown zero-day vulnerabilities at will, using forged certificates that undermine basic authentication systems, and even finessing the Windows Update system with fake servers and cryptographic brilliance.
This sort of stuff makes everyday cyber-criminals look like rank amateurs. Instinct alone should tell us this is scary because it sets a precedent that will be followed if indeed it that hasn’t already happened.
Far from feeling vindicated, the security community is feeling very uneasy. Flame initially divided opinion between those who thought it interesting but oversold and others who believed that, if anything, the implications were too large to take in.
As revelations of its inner workings trickle out, the sceptics are starting to melt. Whoever created it, Flame went to work on its targets with terrifying ease, ripping the heart out of some long-cherished pieces of the global security defence as if it was mere software bureaucracy.
This might suit the ends of realpolitik, but it is misconceived madness to toss aside security protocols as if they were paper fences. The claim that successive US Presidents sanctioned cyber-warfare on this scale without any semblance of a contingency plan should it become public or spread beyond its intended targets is incredible.
This programme suggests that the policy-makers don’t understand that techies can’t simply be tasked to attack a target and left to get on with it. Programmers, even very clever ones, make mistakes, and adopt assumptions about acceptable parameters in ways that won’t be evident to their paymasters.
Presidents and chiefs-of-staff can guess at the effects of a drone strike in a hostile zone but can they do the same for a software strike? Can anyone? This is new territory and there are many unknowns.
There will be voices dismissing such concerns as the anxiety of naÃ¯ve minds; the security services have in the past employed unsavoury and illegal acts, including killing, to further their aims in the name of a greater good. This was seen as fine as long as the scale was small, the targets well-chosen and plausible deniability maintained.
Stuxnet and Flame were simply this modus operandi by another name and if it disrupted Iran’s alleged nuclear weapons programme then its creation will have been vindicated.
Unfortunately, cyber-weapons aren’t casual creations. Just as they set out to operate in a hidden way so their effects and unintended consequences can remain out of sight too. Flame in particular looks like an exercise in software subversion that offers every state interested in cyber-warfare - not to mention criminals - a live laboratory of state-of-the-art thinking.
Flame’s command and control was disconnected on the very afternoon that security firms publicised its behaviour and has since attempted to erase the evidence of some of its activities. It’s too late, though; the world knows enough.
As respected and generally sober security expert Mikko Hypponen said in a piece published this week in the New York Times:
“The cyber-arms race has now officially started. And nobody seems to know where it will take us. By launching Stuxnet, American officials opened Pandora's box. They will most likely end up regretting this decision.”
Posted by John Dunn