To Clarify Flame And AutoUpdate Security

The Flame used a MITM attack on users via a forged Microsoft certificate. Yes, it attacked you via Windows Update – it sucks but this can happen. Windows Update does use a secure connection but apparently one of the certs was using a weak cryptographic hash (this is the most likely avenue of attack, not confirmed that it wasn’t hacked, Microsoft says ‘collision attack’) and, as I posted about the other day, Flame used this against its victims.

This is scary in that it’s kinda like your antivirus being exploited or some such thing. Updates should keep you safe, not put you in danger.

That said, this wasn’t a typical case. While it still demonstrates the issue of trusting a single authority to verify contents (I’m not sure how well the Windows Update feature is handled, Linux has a lot of verification), it isn’t the typical case – they needed a few things to line up, and one of those was probably a really weak cert as well as a mistake that led to those certs being connected to root certs. Most root certs aren’t MD5 anymore, so it makes things more difficult for attackers to MITM without outright stealing them.
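The weak-hash condition described above can be checked mechanically. This Python block is an added example, not code from the original post or from Microsoft: it reads the outer signature algorithm of each certificate in a chain and reports MD5-based signatures, and goes one step beyond the post by also reporting SHA-1. The function names and the sample chain (DER skeletons built inline, not real certificates) are assumptions made for illustration.

```python
WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",     # collision-prone hashes
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes (first arc 0 or 1) to dotted text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = read_tlv(cert_der, 0)
    _, _, pos = read_tlv(body, 0)           # skip tbsCertificate
    _, alg, _ = read_tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509-shaped DER structure")
    return decode_oid(oid)

def audit_chain(chain):
    """Return [(position, algorithm)] for each cert whose signature hash is weak."""
    return [(i, WEAK[o]) for i, o in enumerate(map(signature_oid, chain)) if o in WEAK]

def der(tag, content):  # DER encoder, used only to build the constructed samples
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(last_arc):
    """Constructed skeleton: dummy TBS, signature OID 1.2.840.113549.1.1.<last_arc>."""
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])
    alg = der(0x30, der(0x06, oid) + b"\x05\x00")
    return der(0x30, der(0x30, b"\x00" * 200) + alg + der(0x03, b"\x00" * 17))

CHAIN = [sample_cert(11), sample_cert(4), sample_cert(11)]  # constructed: leaf, intermediate, root
```

Calling `audit_chain(CHAIN)` reports the middle certificate of the constructed chain as MD5-signed; on real data the input would be the DER bytes of each certificate in the chain being reviewed.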

A lot of people have been critical of Chrome and Adobe Flash’s new autoupdate features. They say that this will be exploited. While it’s possible, it isn’t hard to make autoupdating fairly difficult to hack; it’s a matter of strong crypto and a lot of verification. Remaining up to speed on patches is far more important than worrying about targeted attacks involving hacked certs – exercise some risk management here.

Think about it this way. If you didn’t ever update you were safe from the Flame directly trying to MITM you but it also attacked you using vulnerabilities that have patches out already. And there are a hundred other vulnerabilities it could have used if you hadn’t patched.

If you’re super paranoid you can try to download patches directly from what you can verify is a ‘trusted’ network and then implement them like hotfixes. I don’t recommend this. In fact, forget I said it.

Anyways, (and I say this with full knowledge of the irony) you should run Windows Update to remove the faulty certs.

If you’re fully up to date that should really cover it for preventing Flame infections.

Dealing With Advanced Threats – Where AV Fails

If the Flame malware gets one message to the masses it should be that antiviruses are a failure.

The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. [1]

Yeah, no kidding.

The fact is that, at best, a few antiviruses would give a warning about generic heuristic detection for Flame, and obviously that wasn’t enough because it’s been around for years. Potentially quite a few years, actually. And it’s not the first; Stuxnet went undercover for some time as well, as did various others.

Antiviruses, in terms of blacklists and heuristics, are actually a necessary part of security. I currently wouldn’t touch a single one of them out there but I appreciate the principle, that I as a human am not capable of knowing whether a file is malicious or not, therefore an AV automates the process on a level only achievable programmatically.

The point is, whether AVs can or can’t be great in some ideal world, the current security solutions aimed at users are not enough, and trying to lock a user’s computer down beyond that is impractical with the tools we have been provided with. If we’re ever going to see improvement we need something radically new.

First The Flame And Now Tinba

The latest malware news has been featuring The Flame. A malware made famous for its complexity, sophistication, and massive size – a full 20MB.

Just a day later we meet Tinba, a banking trojan that performs MITM in-browser attacks. Whereas Flame is 20MB, Tinba is 1/1024th the size, 20KB.

Just to put some perspective on things.

Apparently Tinba is “The world’s smallest banking trojan” but it’s plenty dangerous, hijacking the browser and stealing information from banking sites.

Both of the malicious programs attempt to steal or spy on the user but they go about it in vastly different ways. 


And Now… The Worst Cyber Attack In History

That is the opening line to a YouTube video that calls the attack “massive… historic.” Something about the British accents makes it sound so damn serious too… “The most complex *intense pause* they’ve ever seen.”

I wrote about The Flame in a post the other day and I was absolutely pointing out that this is a sophisticated and, yes, scary piece of malware.

While The Flame may be scary, it is not all that new. It is highly modularized, more than anything in the past, but the exploits used are old news and the data collection, albeit intense, isn’t new either.

These words like “attack” and “cyber war” and “super weapon” are scary. I’m not even running Windows and they make me a little scared.

I think Flame is definitely not your typical malware but is it deserving of such terms? It’s new and we’re learning more about it daily, but the media isn’t saying “We’re finding new information blah blah blah” it’s jumping straight to panic.

Where in the report is “Here’s how to stay safe” or “Don’t panic, the vulnerabilities seem to have been patched”?

Anyways, since I’ve already mentioned it, to stay safe you can run Windows Update right now (seriously, stop reading, now) and follow this guide to securing Windows.