This week a couple of interesting tidbits landed in my security news feed. The first comes from the Middle East where security researchers have uncovered a new infection known by the cutesy moniker of “The Flame”. It’s a very advanced attack that seems to function more as a collection of infection vectors organized into scripted modules than a plain virus. It’s notable for two things – first, the collection of files is almost 20MB, which is huge in terms of malware or spyware payloads. Generally, the idea is that the smaller the package is, the less likely it is to be detected before delivery. Also curious is that the writers of this nasty little bug decided to think outside the box and use the Lua scripting language. This allows not only for some pretty high-level programming logic but also enables the writers to extend the functions of the program by utilizing C code at some point down the road. Lua isn’t typically seen in malware today due to the complexity of writing the code. Even the ~3000 lines of Lua code in “The Flame” would take the average Lua programmer about a month to work out. Most researchers are calling “The Flame” one of the most complicated pieces of malicious code ever encountered.
The second piece of news that caught my attention was the uncovering of a “backdoor” in some military Field Programmable Gate Array (FPGA) chips. At first, many were scrambling to accuse the Chinese of putting this particular hole into the hardware. However, a very detailed analysis by Robert David Graham (@ErrataRob) has shown that in all likelihood the Chinese had nothing to do with this. Instead, a debugging interface that is normally disabled when a device ships was found to be capable of accessing the system in an unintended way. You know, kind of like the point of having a debugger in the first place? Rob goes on to pick apart the other pieces of the released story, taking special consideration to downplay any involvement the Chinese government may or may not have had in “planting” the backdoor in the first place. This also isn’t the first time I’ve heard about the idea that the Chinese government was installing backdoors or other kinds of monitoring technology in things being shipped to the US. I’ve also heard that even travelers headed behind the Great Wall take extra precautions not to expose too much information or technology while abroad. It honestly sounded like something out of a James Bond film with all the formatting and burn phones.
After reading both of these items, I started thinking a bit more. All of this discussion and rhetoric seems vaguely familiar. To me, it sounds an awful lot like the Cold War-era rhetoric that I heard as a kid. Sure, I’ve seen Red Dawn a few times. I can remember watching the Berlin Wall fall down. I enjoy watching movies and reading books about when the Russkies were the bad guys. All of the discussion about state-sponsored cyber espionage and discussions about the Chinese hacking everything in sight bring me back to those times. I do believe that there will soon be a Cyber Cold War if it’s not already upon us. However, instead of the interactions of spies in places like Berlin and the moves and countermoves from Langley and Moscow, all of the conflict in this Cold War will take place in the ether(net). Information seems to be fairly accessible now to anyone that wants it. Organized groups of malcontents seem to be amusing themselves with hacking every kind of database imaginable and spilling the contents far and wide in an attempt to make a name for themselves. These people don’t really worry me. As I said before when I talked about Stuxnet, the real concern in my mind comes from organized groups of state-sponsored agents that spend a large amount of time attacking cyber infrastructure quietly for the purpose of stealing and not getting caught. It’s the kind of feeling you get when you read about old-school spy stories like those of Aldrich Ames and Robert Hanssen. The Advanced Persistent Threat (APT) technology of today allows programs to sit in place for months (if not years) and quietly exfiltrate data back to interested parties, with the victim having little to no clue about what might be going on. APTs don’t go out and buy fancy cars or new houses. APTs don’t make suspicious phone calls (usually) or get tailed by FBI agents hot on their trail. They just collect data and send it away for someone else to look at. APTs are low profile on purpose.
And they scare me a lot more than the worst spies in history.
At the rate things are headed right now, it won’t be long before the new Berlin Wall is instead a firewall doing a horrible job of separating your network from those that would seek to take all the data they can find. Instead of the CIA looking for moles, it’s going to be security researchers and IT admins looking for all manner of programs lurking around, stealing data. With access to big data technology, it wouldn’t take long for someone in the know to start crunching data and finding out things they aren’t supposed to know. Yeah, it sure does sound like the plot of a TV show or some movie. But back in 1985, the idea that the Russians would be our friends was pretty far-fetched as well. I’m very interested to see what happens in the coming months in regards to advances in state-sponsored hacking. I think things are only going to escalate from here. The question is whether or not those of us in the private sector are in the crosshairs as well. And if we are, how quickly we can adapt.