30 May 2012
My initial reaction to the story of the Flame malware, which has gone undetected for two years, if not more, was scepticism. I can’t help it. It’s not that I don’t believe it is true, rather that I’m not sure it’s quite as true as we’re led to believe. There tends to be a common pattern that’s followed when this type of malware is discovered. Initial reports of its discovery are swiftly followed by ever more lurid speculation on what it could have been used for and the extent to which it has propagated out in the wild.
Something similar seems to be happening here. Depending on which reports you read, there are plenty of people willing to speculate that Flame has been created by a government agency (rather than malicious individuals) as a particularly potent weapon in an ongoing cyber conflict. This premise was probably buttressed by the linking of the incidence of Flame infection to Iran, the West Bank, Syria, Egypt and Israel.
Certainly, it makes for a better narrative as far as the security vendors are concerned if the malware their products have failed to detect for such a long time is incredibly sophisticated and complex. Such complexity would obviously argue the involvement of a shadowy government organisation rather than a criminal operation. And that’s the stuff that sells papers and books and a movie of the book.
Anyway, I’m sure we’ll find out who is behind it in due course. Right now, however, the question of who is behind Flame is secondary. That point is acknowledged in this statement by Ross Brewer, managing director and vice president of international markets at LogRhythm, on MicroScope’s web site.
"As cyber warfare continues to escalate, criminal tactics are becoming increasingly damaging and sophisticated. The fact that Flame avoided detection from 43 different anti-virus tools and took more than two years to detect is simply unacceptable in this day and age," he said, adding that it provided solid proof "traditional perimeter defences such as anti-virus software just aren’t enough".
He then went on to list the attributes required to improve data security, most of which fitted neatly with LogRhythm’s role as a provider of a security information and event management (SIEM) solution.
Rather like the arms industry, the IT security world is becoming adept at using security breaches and malware detection to persuade customers to adopt more powerful forms of defence in the face of increasingly sophisticated threats. I don’t blame them, especially if they can deliver something that negates whatever happens to be today’s high profile security threat.
But there’s an intriguing difference between the arms and IT security industries and it was highlighted, albeit not directly, in a statement by Eugene Kaspersky, CEO of Kaspersky Labs, on the emergence of Flame. Describing it as another phase in the cyber-war, he stated: "It’s important to understand that such cyber-weapons can easily be used against any country. Unlike with conventional warfare, the more developed countries are actually the most vulnerable in this case."
In other words, security becomes more important the more widely deployed and developed your IT infrastructure is, because it makes you more vulnerable to attack and increases the number of things you need to do to secure the network. Now if that’s not a virtuous sales circle, I don’t know what is.