Kaspersky Lab, which first discovered the Flame threat, described it as the 'most complex piece of malicious software yet.' With the widespread use of internet-enabled devices and the increasing popularity of online portals for critical services such as e-banking in the region, this attack raises serious questions about the security of such services.
Distribution Method and Infection Rates
Speaking about the manner in which the virus propagates, Nicolai Solling, Director of Technology Services at IT security expert help AG, said, “The Flame virus is a highly advanced tool set of malicious code that can be executed on a Windows-based PC to gather or harvest data off the infected machine. It has now been revealed that the virus gains entry onto the machine by exploiting a vulnerability of the Windows Update Service. All updates provided for Windows require a security certificate signed by Microsoft. However, by providing a signed security certificate that appears to belong to Microsoft, the Flame virus bypasses this restriction. The unsuspecting PC then proceeds to download what appears to be a genuine Windows update, which is in fact the loader for the Flame virus.”
“Once the loader has downloaded the actual virus, cyber criminals gain the ability to take screenshots, listen in to conversations through the system microphone and even capture video through an attached webcam. The size and sophistication of this attack is far beyond anything that has been seen before. Anyone could get Flame; for this, the machine has to be exploitable for particular vulnerabilities. The good news is that many organizations do not have an environment where Flame could be installed. Also, as long as organizations and end users follow specific security practices and have a predictable environment, there is no reason for them to be concerned about the virus.”
As analysts uncover the details about Flame, it is now known that its distribution was fairly limited. As of last week, there were only a couple hundred machines known to be affected by the virus. This is a very small number, especially when compared to the infection rates of smaller and less sophisticated malware, indicating that the attack was targeted. Furthermore, the focus on the Middle East and the complexity of the virus would indicate substantial financial backing and the support of a nation-state.
Currently, based on what is known about Flame, it would be safe to say that the average user should lose no sleep worrying about it. Flame was not as widely distributed as initially feared. A user who runs an updated antivirus and follows normal security practices will be safe. Another thing to note is that Flame is not that difficult to remove. Of course, this leaves out some users, particularly those who use pirated software, because such software cannot be updated with the latest security patches.
The Legacy of Flame
From a technical perspective, Flame is very intriguing, as it is a rather advanced and impressive tool. The amount of information Flame is able to pull from an infected computer is extensive; we haven’t seen anything like this before. On the other hand, the scale of its distribution, and the vulnerability and exploitability it relied on, may have been exaggerated. Going forward, there will likely be more and more advanced versions of the virus.
The LinkedIn Hack
Unlike Flame, which was a targeted attack, the hacking of LinkedIn accounts has the potential to affect a tremendously larger group of users. Reports from the company, which had 161 million registered users as of 31 March 2012, suggest that over 6.5 million of these users' passwords have been leaked from its database.
A Real Cause for Panic?
As a security measure, LinkedIn, like most other internet companies, does not store passwords as clear-text but instead uses a technique called password hashing. When a user logs in, it is the hash-value of the password that is actually being sent to the application, which is then compared to the hash-value stored in the database. So in spite of these hash-values being leaked, users are still safe, right?
To some extent, this is true, because reversing a hash is normally a tedious trial-and-error process which requires trying all possible combinations of characters. So in theory, yes, the clear-text password has not been leaked, but here is the problem: today there are precomputed databases available which allow hackers to look up a hash-value and recover the clear-text password from it. Once this has been done, the hacker gains complete access to the online account.
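The following Python example is added here to illustrate the point above; it is not code from the article or from help AG. It shows why a leaked table of plain, unsalted hash-values can be turned back into passwords with a precomputed lookup table, and how a per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library) defeats that lookup. SHA-1 is used as the weak example purely for illustration; the article does not say which hash function LinkedIn used, and the "lookup table" is a constructed five-entry stand-in for the large databases the text refers to.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny stand-in for the precomputed hash databases the
# article describes. Real ones hold hundreds of millions of entries, but the
# principle is identical: unsalted digest -> original password.
COMMON_PASSWORDS = ["password", "123456", "linkedin", "qwerty", "letmein"]
LOOKUP_TABLE = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def weak_hash(password: str) -> str:
    """Unsalted, fast hash (SHA-1 chosen for illustration only).
    The same password always yields the same digest, so any leaked digest
    can be matched directly against a precomputed table."""
    return hashlib.sha1(password.encode()).hexdigest()


def recover_from_table(digest: str) -> Optional[str]:
    """What a precomputed table lets anyone do with a leaked unsalted digest:
    a single dictionary lookup instead of trial and error."""
    return LOOKUP_TABLE.get(digest)


def strong_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, slow hash. A random 16-byte salt per user means two users with
    the same password get different records and no table can be built in
    advance; the iteration count makes each guess expensive.
    Stored record format (our own choice): 'iterations$salt_hex$digest_hex'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the record from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo() -> None:
    leaked = weak_hash("linkedin")
    print("unsalted digest:", leaked, "-> recovered:", recover_from_table(leaked))
    record_a = strong_hash("linkedin")
    record_b = strong_hash("linkedin")
    print("same password, two salted records differ:", record_a != record_b)
    print("correct password verifies:", verify_strong("linkedin", record_a))
    print("wrong password rejected:", not verify_strong("password", record_a))


if __name__ == "__main__":
    demo()
```

Running the script shows the unsalted digest of a common password being recovered by a plain lookup, while the two salted records for the same password differ from each other and still verify correctly; with a salted record there is no digest an attacker could have precomputed before the leak, so the only remaining route is guessing, which the iteration count slows down.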
Protective Measures and Necessary Steps
So what can users do to protect themselves? The first and most obvious thing would be to change their LinkedIn password. Also, while on LinkedIn, users should check their profiles to make sure that no changes have been made. In particular, check the email addresses that have been linked to the profile and ensure that only authorized addresses are in this list.
In the coming weeks, users will probably come across websites that allow them to check if their LinkedIn passwords were leaked. One example is www.leakedin.org. A word of advice, however: first change the LinkedIn password and only then use such a service to check if the old password was leaked. Be sure to NEVER type in the new password, as it cannot be certain who is monitoring the site.
Finally, users should develop their own password policy. This would involve changing the password at least once every two months and using strong passwords that combine lower case, upper case, special characters and numbers. Users tend to re-use passwords across sites such as Facebook, LinkedIn, email accounts and even e-banking services. This is absolutely unacceptable, as a single compromised account may lead to all other accounts being jeopardized.
As internet threats grow in both volume and sophistication, users have to be increasingly aware of the consequences of their actions. As these threats hit closer to home, users can no longer afford to adopt the 'it will never happen to me' mentality. It is time to take charge of your online presence and remember: a hacker has only to be lucky once!
About help AG
help AG is a strategic information security consulting company, founded in Germany in 1995 and present in the Middle East since 2004. help AG provides leading enterprise businesses across the region with strategic consultancy combined with tailored information security solutions and services that address their diverse requirements, enabling them to evolve securely with a competitive edge.
Each and every vendor solution help AG presents to a client has been thoroughly researched and evaluated. help AG is constantly identifying new and innovative solutions to offer to the market through its own in-house research & development laboratory. For more information, please visit www.helpag.com.
Tel: +97150 6400762