Cyber-Thriller, ver. 2011

Costin Raiu, one of our top generals in the war against malware, recently published an interesting post on the ten most significant events in the security field in 2011. I liked it, and the idea of a top-ten, so much so that I decided to come up with my own. It mostly matches Costin’s list, but from a slightly different angle. It’s not just about the past year – it’s a little broader: tendencies in the security market and security in general. An “unofficial”, non-hoity-toity view of the important stuff – both what’s with us now and what will be soon…

And so here’s my top-ten:

1. Hacktivism
2. Militarization of the Internet and Cyber Weapons
3. Social Networks and Politics
4. The Duqu Cyber-Bomb
5. Widely Publicized Hacks and Industrial Espionage
6. Certification Authorities: the Beginning of the End
7. Cybercrime: as Romantic as Sewage
8. Android Malware
9. Mac Malware
10. Intel Taking Over McAfee – Intel-ligent Move or Epic McFail?

And now in detail…

1. Hacktivism

Hacktivists. Costin gave a good summary of the mischief these modern-day Robin Hoods get up to. I want to just add that the emergence and rapid spread of this phenomenon (hacking for hacking’s sake) is completely logical. On the one hand, hacktivism is a natural progression for the anti-globalist movement and the accompanying protests. On the other, hacktivism is made up of the hackneyed net archetypes: (i) teenagers with more than a few illusions of grandeur and self-assertion, (ii) the “sixteen forever” brigade (the actual age varies), and (iii) the “once a hooligan, always a hooligan” set (sometimes even sensible “oldies” can revert to their latent inner teen-nutter type occasionally). It seems they – the anti-globalists and the hackneyed hackers – have all found each other: circumstances coincide, and wallop – hacktivism goes mainstream.

I reckon that in 2012 hacktivists will be appearing more and more frequently in the headlines around the world. A lot of them will be caught and jailed, but that in no way means the phenomenon will become a thing of the past – for two simple reasons: being a hacktivist in some circles is, alas, considered (i) cool, and (ii) always profitable. (But see point 7 for more details on how cool and profitable it really is). A lack of candidates to fill the hacktivist roles is hardly realistic.

2. Militarization of the Internet and Cyber Weapons

On this subject a lot’s already been written, like here and here. So, briefly:

The military is “on” the Internet big-time. Some countries’ militaries – officially, others – on the quiet. But everyone’s actively up to something, and also bolstering their cyber defenses and fine-tuning their plans of cyber-attack. What’s of concern here is that the consequences of accepting this status quo are far from predictable. Two things that are clear – and which personally give me the fear – are as follows:

First – when something kicks off in this regard it’s not going to be pretty: the world will be propelled back to at least 60 years ago, to the dreary pre-computer era – if not back as far as the Middle Ages. If the former – we’ll be back to paying our bills at the bank every month with cash, and business correspondence will be conducted via snail mail. (Incidentally, it’s possible that someday the creation of a new Internet-like network might eventually be thought about – one with a safer architecture under the aegis of some kind of benevolent international organization. Let’s see…).

Second – an inter-state cyber conflict could easily grow into a physical “real world” conflict. We’re already heading that way: the US now classes cyber-attacks on it the same as military attacks on it. Scary stuff…

Conclusion: not only for the sake of the Internet, but also for the world and humanity as a whole, either the Internet should become a demilitarized zone, or the development and application of cyber-weapons should at least conform to some well-defined “rules of the game” and be regulated by some “trusted” international authority, whatever that may be.

3. Social Networks and Politics

The Arab Spring, the British summer riots, the US autumn protests, the Russian winter protests… all these seasons, representing major localized political shocks, are also parts of a global-scale puzzle, and, further, the clearest proof of the existence of Internet Man, aka Homo Retis! And we’re not talking here about a few freakish loners, but real Internet-connected communities with impressive IQs, their own firm views on how life and society should be organized, and the will to push for change. Well, let’s just wait and see how everything pans out. Expect big crowds, vociferous leaders, increasingly popular dissidents, manipulation, scandal, propaganda, winners and losers. What also promises to be interesting will be watching how “real” politics will flirt with this influential electoral layer.

4. The Duqu Cyber-Bomb

The file on Stuxnet and family is getting fatter. Obese. In October a little-known Hungarian laboratory found the Duqu Trojan – the son/grandson/nephew/whatever of Stuxnet. There’s still a lot more to this ongoing saga than meets the eye, but to me it’s clear that both these cyber-Moriartys are parts of the large clandestine Tilded platform project – a special, very professionally done, finely-tuned platform used for the creation of cyber-weapons. And it’s blatantly obvious it’s supported by a generous nation state.

But Duqu and Stuxnet themselves are just tips of the iceberg. And maybe they’re just the simplest models of the platform – and that’s how they came to be uncovered! So let’s get the popcorn in – multiple buckets thereof – and wait for the next shocking details in this episodic cyber thriller – alas, concerning real events.

5. Widely Publicized Hacks and Industrial Espionage

Costin rightly labeled 2011 an “explosive year in terms of hacks” in his post. All sorts of different organizations were broken into last year – and aplenty. There was a tendency – which sadly looks set to continue – to break into government organizations and large businesses. Have hackers become more ingenious and professional? Yes, I believe they have. But that’s not all it boils down to. They’ve also become better organized, more dedicated and, as a result, altogether more harmful. It’s clear that without serious support from “above” or other places the hack/industrial espionage boom would not have occurred. And large corporations and nation states have joined in the “game” directly themselves too.

The whole business is gaining serious momentum, and from here it’s not all that far to an inter-state cyber conflict – see point 2 in this list, above. On the other hand, all these well-publicized hacks have at least shown the world that no one can be fully secured against a computer break-in, even large organizations. But perhaps I shouldn’t say “even”, since it is specifically large organizations that are most commonly targeted, despite the fact they’ve invested many millions into security hardware and software! It works out that in practice security is inversely proportional to the number of employees, and directly proportional to the investment in training those employees in the basics of security. And the majority of the investigated hacks of 2011 confirm that they occurred not through some super-duper malware techniques but through finely-tuned social engineering.

6. Certification Authorities: the Beginning of the End

Quick backgrounder: certification authorities are one of the essential “supporting walls” in the system of security (and trust!) on the Internet (or at least, perhaps, were). They issue digital certificates that are something like an access-all-areas VIP pass. With the right pass the bearer can get into and around any place he wants.

The incident with the signed Stuxnet drivers is an illustrative example of how this feature can be used by malware. In this regard, in 2011 several unpleasant incidents occurred all at once (more details here, here and here), which together dealt a heavy blow to the very basis of this system. How many other similar hacks will it take before the IT community bins the whole idea of certification authorities? And what will take their place? If anything?…
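The “access-all-areas pass” problem above comes down to one property of the trust model: a client that trusts a list of certification authorities will accept a certificate for any name from any one of them, so a single compromised or careless CA undermines every site. The Go program below is an added example, not code from this post or from any product it mentions. It builds two root CAs that a constructed client both trusts (“Good CA” and “Rogue CA”), plus a third the client has never heard of, has each issue a server certificate for the same constructed hostname, and then compares ordinary chain validation with public-key pinning, the defensive measure that narrows trust from “any CA in the store” to “this specific key”. All CA names, the hostname and the keys are generated in the program; the same chain-validation logic applies to code-signing certificates like the ones behind the Stuxnet drivers, the example just uses server certificates because Go’s verifier checks those by hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for subject. With parent == nil the result is
// self-signed (a root CA); otherwise parent and parentKey sign it.
func makeCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf certificate: the hostname goes in the SAN, which is what
		// modern verifiers check (the CN is ignored for name matching).
		tmpl.DNSNames = []string{subject}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, issuer := key, tmpl
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain is what a typical client does: accept leaf if it chains to any
// root in the trust store and carries the expected hostname.
func verifyChain(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// spkiPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the value a
// client pins so that a certificate from a different key is refused even when
// some trusted CA vouches for it.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyPinned requires both a valid chain and the expected key.
func verifyPinned(leaf *x509.Certificate, roots []*x509.Certificate, host, expectedPin string) error {
	if err := verifyChain(leaf, roots, host); err != nil {
		return err
	}
	if spkiPin(leaf) != expectedPin {
		return fmt.Errorf("public key pin mismatch for %s", host)
	}
	return nil
}

// Outcome records which certificates each policy accepts.
type Outcome struct {
	GoodChainOK, RogueChainOK, OutsiderChainOK bool
	GoodPinOK, RoguePinOK                      bool
}

// Scenario runs the constructed trust-store experiment described in the lead-in.
func Scenario() (Outcome, error) {
	var o Outcome
	var err error
	mk := func(subject string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := makeCert(subject, isCA, parent, pk)
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	host := "update.example.test" // constructed hostname, not a real service
	goodCA, goodKey := mk("Good CA", true, nil, nil)
	rogueCA, rogueKey := mk("Rogue CA", true, nil, nil)       // trusted, but misbehaving
	outsiderCA, outsiderKey := mk("Outsider CA", true, nil, nil) // never added to the store
	goodLeaf, _ := mk(host, false, goodCA, goodKey)
	rogueLeaf, _ := mk(host, false, rogueCA, rogueKey)
	outsiderLeaf, _ := mk(host, false, outsiderCA, outsiderKey)
	if err != nil {
		return o, err
	}
	roots := []*x509.Certificate{goodCA, rogueCA} // the client's trust store
	pin := spkiPin(goodLeaf)                       // pin learned from the legitimate key
	o.GoodChainOK = verifyChain(goodLeaf, roots, host) == nil
	o.RogueChainOK = verifyChain(rogueLeaf, roots, host) == nil
	o.OutsiderChainOK = verifyChain(outsiderLeaf, roots, host) == nil
	o.GoodPinOK = verifyPinned(goodLeaf, roots, host, pin) == nil
	o.RoguePinOK = verifyPinned(rogueLeaf, roots, host, pin) == nil
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The result makes the point in the text concrete: plain chain validation accepts both the legitimate certificate and the one from the rogue CA (only the outsider is refused), because the trust store treats every CA as equally authoritative for every name. Pinning the expected public key rejects the rogue certificate even though its issuer is trusted; it is the kind of check that keeps a single CA compromise from becoming a compromise of everything.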

7. Cybercrime: as Romantic as Sewage

Cybercrime: serious, large-scale, very bad, internationally organized. But it’s still not yet quite the end of the world. Cyber-swine this year took one heck of a pummeling. Most importantly, the romantic image of a digital undergrounder took the greatest pummeling, with a healthy dose of reality being put in its place. The simple reality became clearer to everyone: if you steal, you go to prison. Nil romance. Thus we had the arrest of the ZeuS gang, multiple arrests of card skimmers, the taking down of the Rustock, Coreflood and Kelihos botnets, and more.

And it should be made clear that the fight against cybercrime is not all that technically challenging. What makes the fight difficult most of all are outdated law enforcement and bureaucracy. Still, we’re doing all we can…

8. Android Malware

Malware designed for mobile platforms has been talked about aplenty for a while already – but it’s going to keep being talked about, and more so – you watch.

Two or three years ago we were almost laughed at when we had stands at mobile phone exhibitions, since we don’t make mobiles. Today those laughers have had the smiles wiped from their faces – because all we forecasted has come true: in November 2011 the quantity of new Android malware went over the 1000 mark – in that month alone (that’s more than the total for the previous six years of mobile virology!). Oops. And then there was Chris DiBona saying – in that same month of November – that Android malware was impossible and that antivirus companies are charlatans for banging on about it all the time. Hmmm. At first I wanted to vent some steam here and have a pop back at DiBona for his rant at us. But I guess I don’t have to. I think he’s already sussed his cock-up. He’s getting enough flak as it is from others :).

9. Mac Malware

Here the situation’s pretty similar to Android malware. And also fairly similar to the computer virus situation – in 1988, when Peter Norton announced that they were as believable as the legend about alligators in the sewers of New York! So let’s get it straight. First, Mac malware exists. Second, there’s more of it on the way (that is, if Tim Cook doesn’t stem the rising popularity of Macs). Third, malware isn’t the only thing that poses a risk to Mac users. There’s plenty of other bad stuff that needs fighting. IMHO, the proliferation of threats on this front is lagging behind Android by about three years. And incidentally, Apple has been lucky in one sense with Android. If not for Android, cybercriminals would have directed a lot more of their attention towards Mac OS :).

10. Intel Taking Over McAfee – Intel-ligent Move or Epic McFail?

Intel bought McAfee at the end of 2010. A lot remains unclear regarding the whole affair, and as such there’s been plenty of conjecture and speculation making the rounds. Nonetheless, little by little, the signs seem to favor the latter part of the heading of this paragraph as the most accurate.

In October 2011 McAfee finally presented to the market its DeepSAFE technology – a result of its cooperation with Intel. I don’t know how the general public has interpreted this message (a message that nothing less than spectacular has occurred, a “revolution in security”, no less) but the industry pros were far from impressed. A fantastic marketing package, all the stops pulled out, but essentially – all mouth, no trousers: real info – zero. As a result their detection rate in tests hasn’t changed, employees are abandoning ship, and the market’s getting itself ready for the fight for the “McAfee inheritance”.

In 2011 in the security world there was a lot of the sad, the cheerful, the silly, the tragic and even the scary, but still – it was all far from dull. I don’t see any reason why 2012 won’t be equally as content rich. And so I say (again!) that all viewers should stock up on the popcorn and get ready for the coming news. And some simple advice (not only to infosec readers): when connected to the Internet – don’t forget to use your head – it’ll come in handy!

And finally in closing – I’m ready to try and answer any and all your questions you might have after reading this post. If I can’t answer any, I’ll find someone who can…

Godspeed, everyone!

Comments

    abd alhafeez

    In my experience with antiviruses I didn’t get the best anti like Kaspersky; I like it and I trust it and now I am working with it; it has a lot of solutions to kill viruses of any type.
    No comment more than I like it, I like it, I like it >>>
    (I am IT – computer) and I have my own business, and I used to let my customers deal with just Kaspersky products.
    Thanks Kasper for saving my work.
