With its ever-increasing number of users, the Internet has become the primary communication mechanism for many people around the world. Governments that wish to keep the ability to protect their citizens from harm feel the need to develop ever more sophisticated methods of capturing and analysing the data flowing through a growing number of social networks, online chat and Internet telephony services.
The UK government is in the process of extending the powers granted to the intelligence agencies and the police, allowing them to gather the metadata of a communication (originating IP address, destination IP address, sender's e-mail address, recipient's e-mail address, and so on) rather than its content.
However, the Flame worm has highlighted that a nation-state may not be content with this high-level overview of communications flow. As more and more people share a single Internet connection between multiple devices owned by different people, an IP address no longer points at one person, and the need arises to place software on the machine(s) actually used by a specific target. IPv6 reduces this ambiguity, since every device can carry its own globally routable address, but an address still identifies a network interface rather than an individual, and privacy extensions rotate that address regularly, so the targeting problem does not go away entirely.
The Flame worm, which has been called the 'most sophisticated malware of its kind', appears to have been in circulation since at least 2009, but was only detected in May 2012.
According to preliminary reports, it gathers information from infected machines, including keystrokes, audio and screenshots, and it may also be able to spread via removable media.
There has been speculation that, given the sophistication of this particular threat and the region in which it was detected, it was commissioned by a government agency, although none is claiming responsibility for it, and why would they?
If they claimed responsibility, they would lose the most effective tool they currently have for gathering an unprecedented amount of surveillance data.
Should a nation-state be responsible for Flame, it now has a rather large problem to solve: the world knows about the tool, anti-virus researchers are developing detection signatures and removal tools as fast as they can, and any hope of preserving the capability dwindles as more researchers begin to analyse the threat.
The fact that this threat has taken so long to discover highlights yet another problem: user awareness.
This particular threat, if it has the capabilities described by those researching it, would have given users clues to its presence almost as soon as it was activated.
If, for example, it activates a webcam connected to the infected machine, the webcam usually turns on an indicator light to show that it is working. That light is fairly easy to spot, and if you are not currently in a video chat it is a real sign that something else may be controlling aspects of your computer (with the caveat that on some hardware the light is driven by firmware and can be defeated by software, so its absence proves nothing).
Again, if it records audio from connected microphones, it has to store those recordings somewhere. Depending on the audio format used, the files can become rather large and the growth would show up if the user monitors their disk usage. A well-built implant will compress, and possibly encrypt, what it records, so the files will be smaller and will not carry a recognisable audio header, but the unexplained growth is still there to be noticed.
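The disk-usage check described above can be automated. The following script is an added example, not code from the original post or from any Flame analysis: it takes a per-directory size baseline, flags directories that have grown by more than a threshold since that baseline, and lists recently modified large files, labelling each either by a common audio container's magic bytes or, where the header is unrecognised and the content is near-random, as a compressed or encrypted blob. The directory tree, file names, sizes and the 7.5 bits/byte entropy limit are all constructed assumptions for the demonstration.

```python
"""Spot unexplained disk growth of the kind a recording implant would cause.

Constructed example: builds a scratch directory tree, takes a baseline
snapshot, then simulates two dropped files (one WAV-like, one packed or
encrypted blob) and reports what a periodic check would flag.
"""
import math
import os
import tempfile
import time
from pathlib import Path

# Leading bytes of common audio containers (assumption: recordings kept as-is).
AUDIO_MAGIC = {b"RIFF": "wav", b"OggS": "ogg", b"fLaC": "flac", b"ID3": "mp3"}
ENTROPY_LIMIT = 7.5   # bits/byte; assumed cut-off, random-looking data sits near 8.0


def snapshot(root):
    """Map each directory under root to the total size of the files directly in it."""
    root = Path(root)
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        total = 0
        for name in files:
            try:
                total += (Path(dirpath) / name).stat().st_size
            except OSError:        # file vanished between listing and stat
                continue
        sizes[Path(dirpath).relative_to(root).as_posix()] = total
    return sizes


def growth(before, after, threshold):
    """Directories that grew by more than threshold bytes since the baseline."""
    return {d: size - before.get(d, 0)
            for d, size in after.items()
            if size - before.get(d, 0) > threshold}


def shannon_entropy(data):
    """Bits per byte of the sample: 0 for all-zero data, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path, sample=4096):
    """Label a file by audio magic bytes, or as high-entropy if it looks packed."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    for magic, kind in AUDIO_MAGIC.items():
        if head.startswith(magic):
            return kind
    if shannon_entropy(head) > ENTROPY_LIMIT:
        return "high-entropy"      # compressed or encrypted, no recognisable header
    return "other"


def large_new_files(root, since, min_bytes):
    """Files modified at or after `since` (epoch seconds) that are at least min_bytes."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            if st.st_mtime >= since and st.st_size >= min_bytes:
                hits.append((p.relative_to(root).as_posix(), st.st_size, classify(p)))
    return sorted(hits)


def demo():
    """Run the check against a constructed tree; returns what would be flagged."""
    mib = 1024 * 1024
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes.txt").write_bytes(b"shopping list\n")   # benign pre-existing file
        before = snapshot(root)
        since = time.time() - 1          # the "last check" happened a moment ago

        # Simulated implant output: a raw WAV capture and a packed/encrypted blob.
        (root / "Music").mkdir()
        (root / "Music" / "capture.wav").write_bytes(b"RIFF" + b"\x00" * (2 * mib))
        (root / ".cache").mkdir()
        (root / ".cache" / "data.bin").write_bytes(os.urandom(3 * mib))

        after = snapshot(root)
        return {
            "growth": growth(before, after, threshold=1 * mib),
            "files": large_new_files(root, since, min_bytes=1 * mib),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In use, the baseline would be written to disk after each run and the thresholds tuned to the machine; the point of the entropy label is that a packed or encrypted store is reported as suspicious precisely because it has no header, rather than being ignored because it does not look like audio.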
The reason no one spotted these things? Users are not trained to look for them while they are using their computers. This has to change, now.
User training is the most effective tool a business has against any form of cyber attack. If your users know how the system should behave, and what an attacker may do or use to gain access, then they can help you defend your data.