By Chris Wood, Senior Analyst
"It pretty much redefines the notion of cyberwar and cyberespionage."
That's a quote from experts at the Russia-based antivirus firm Kaspersky Lab regarding malware they recently discovered while investigating, on behalf of the UN's International Telecommunication Union, what was deleting sensitive information from computers across the Middle East. While searching for that code, nicknamed Wiper, the group discovered a new, more insidious piece of malware, codenamed Worm.Win32.Flame.
More on that new malware, simply dubbed "Flame," in a moment. First, some background on the state of cyberwar today. For starters it's important to recognize that although no cyberwar has ever been declared, cyberwarfare is now a part of life. The war is pervasive and we are all vulnerable to attack.
It's impossible to say who fired the first "shot" in this war, but the US government has certainly stepped up the fight. The New York Times recently came out with a report detailing how President Obama accelerated cyberattacks (begun during the Bush administration) on the computer systems that run Iran's nuclear enrichment facilities. The worm that the US (in conjunction with Israel) created to carry out the attacks accidentally became public in the summer of 2010; a programming error allowed it to escape its target in Iran, and it was discovered by computer security experts. They named it Stuxnet.
The cat was out of the bag. But it was still just speculation at the time that the US and Israel were behind the worm. In the weeks that followed, Iran's Natanz plant was hit by a newer version of Stuxnet, and then another after that. According to David Sanger of the New York Times, "The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium."
As far as we know, Stuxnet was the US's first sustained use of cyberweapons; the attacks marked the first time that a computer worm was used to cause physical damage, prompting many to call Stuxnet the most sophisticated piece of malware that had ever been crafted.
According to the experts at Kaspersky Lab, "Flame can easily be described as one of the most complex threats ever discovered. It's big and incredibly sophisticated." It is a back door and a Trojan with wormlike features that allow it to replicate across a local network and onto removable media when instructed to. At almost 20MB when fully deployed, it dwarfs Stuxnet, which is itself 50 times larger than the typical worm. And it has been infecting systems in parts of the Middle East and North Africa for at least two years.
Flame is a sophisticated attack toolkit that spies on the users of infected systems by sniffing network traffic, taking screenshots, recording keystrokes, and even recording audio conversations by turning on computer microphones remotely. Another impressive feature of Flame is its ability to use enabled Bluetooth devices to collect information about discoverable devices near the infected machine. The malware is also a platform capable of receiving and installing various modules for different goals. It allows operators to upload further plugins which expand Flame's functionality through a back door. There are about 20 modules in total; the purpose of most of them is still being investigated.
Flame resembles Stuxnet in that both are the product of highly advanced programming and detailed expertise in many specialized areas, and both exploit specific software vulnerabilities to target selected systems. But it differs from Stuxnet in some important ways. Stuxnet was designed for a single purpose: infiltrating and wreaking havoc on the centrifuges at Iran's Natanz nuclear enrichment facility. At least part of Flame's purpose appears to be broader, as a general-purpose tool for cyberespionage. Once Flame captures the data it's looking for, it compresses and encrypts the information and holds it until it has a reliable connection over which to send it to its command-and-control servers.
By virtue of its general cyberespionage purpose, Flame is much more widespread than Stuxnet. Researchers have detected Flame on hundreds of computers throughout the MENA region and suspect that the total number of infections could be more than a thousand. The top affected areas are Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.
It's not yet known who is behind Flame, since no information in the code has been discovered that can tie it to its authors. But, like Stuxnet, Kaspersky Lab believes it is the product of a nation-state.
[Ed. Note: Some computer security firms say that Kaspersky has hyped Flame, and that it's too early to call it a cyberweapon. Whether the skepticism is warranted or a result of jealousy remains to be seen. But what can't be contested are the skills of the researchers at Kaspersky Lab.]
At this point you might be saying, "Well that's both kind of scary and cool, but so what? What's the point? How does it affect me?"
The point is that the genie is out of the bottle, and there's no going back. Unlike in a traditional war, in a cyberwar it's the more developed nations that are the most vulnerable to attack. When Flame was designed, the programmers did not employ "code obfuscation," which is a fancy way of saying that they didn't disguise the code in any way that would make it difficult to reverse engineer, as a commercial software developer would have. According to Fred Guterl from Scientific American, "Stuxnet code was not protected against reverse engineering, either, but this is less of a problem because its purpose is narrow and hence the programming is less useful as a weapon than the more general-purpose Flame." This, coupled with the fact that the US has recently been so brazen in its cyberwar efforts, virtually ensures an increase in cyberattacks against the US government and US businesses.
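To make the obfuscation point concrete, here is a small added example (written for this issue, not code from Kaspersky, Scientific American or any real malware sample). It builds a made-up configuration blob with a hypothetical command-and-control hostname and module name, runs a `strings`-style scan over it, and shows that the plaintext version gives up its secrets immediately while a single-byte XOR-obfuscated copy does not. It then shows how cheaply that particular obfuscation is defeated by brute force, which is the caveat: obfuscation raises the cost of reverse engineering, it does not prevent it. All names and bytes are constructed for illustration.

```python
"""Why unobfuscated strings make a sample easy to reverse engineer.

Everything here is constructed for illustration: the hostname, module name
and filler bytes are made up and are not taken from Flame, Stuxnet or any
real sample.
"""
from __future__ import annotations

import re
import string
from typing import Optional

# Constructed sample: a fake embedded "config" surrounded by binary filler.
PLAIN_CONFIG = (
    b"\x00\x01\x02\x03"                       # filler bytes before the config
    b"c2=update.example-hypothetical.test;"   # assumed C2 hostname (made up)
    b"module=audio_capture;"                   # assumed module name (made up)
    b"\x7f\xfe\x00"                           # filler bytes after the config
)

# Printable ASCII as the `strings` utility sees it (space kept, other whitespace dropped).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Mimic `strings`: return every run of at least min_len printable ASCII bytes."""
    found: list[str] = []
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_c2(candidates: list[str]) -> Optional[str]:
    """Pull a 'c2=<host>;' entry out of recovered strings, if one is readable."""
    for s in candidates:
        m = re.search(r"c2=([^;]+);", s)
        if m:
            return m.group(1)
    return None


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest string obfuscation. Applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def brute_force_single_byte_xor(blob: bytes) -> Optional[tuple[int, bytes]]:
    """Defeat single-byte XOR by trying all 256 keys and checking for known markers.

    Returns (key, recovered_bytes) for the first key that exposes both markers.
    """
    for key in range(256):
        candidate = xor_obfuscate(blob, key)
        if b"c2=" in candidate and b"module=" in candidate:
            return key, candidate
    return None


def demo() -> dict:
    """Run the comparison and return the results so they can be inspected or tested."""
    obfuscated = xor_obfuscate(PLAIN_CONFIG, 0x5A)  # 0x5A is an arbitrary made-up key
    recovered = brute_force_single_byte_xor(obfuscated)
    return {
        "plain_c2": find_c2(extract_strings(PLAIN_CONFIG)),      # readable at once
        "obfuscated_c2": find_c2(extract_strings(obfuscated)),   # hidden from `strings`
        "brute_force_key": None if recovered is None else recovered[0],
        "brute_force_c2": None if recovered is None else find_c2(extract_strings(recovered[1])),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first scan reads the hostname straight out of the plaintext blob, which is the situation the article describes: an analyst with the binary can see what it talks to and what it loads. The XOR'd copy defeats that one-liner, but 256 guesses and a known marker recover it, so single-byte XOR buys minutes, not secrecy; real commercial protection layers packing, encryption with per-build keys and anti-debugging on top, and even that is routinely peeled back by determined reverse engineers.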
Alan Paller, director of research at the SANS Institute, said that the revelation of US involvement in Stuxnet dramatically altered the cybersecurity landscape:
"The public airing of the US involvement in Stuxnet is going to make others bolder about launching similar attacks against the country using the same kind of tactics and cyber weapons. We are now going to be the target of massive attacks."
The takeaway for US businesses should be that they need to pay more attention to securing their networks.
The takeaway for investors should be that with the proliferation and increasing sophistication of cyberthreats, there will be growing demand to protect against it. As the weapons in this cyberwar evolve, so too must the defenses against them. And that's big business.
As Intel CEO Paul Otellini said, "We have concluded that security has now become the third pillar of computing, joining energy-efficient performance and Internet connectivity in importance."
Otellini hit the nail on the head. And investors are already capitalizing on the huge growth that will come in this area over the coming decades. Estimates of the total market opportunity vary widely, but for a sense of scale, Canalys recently released its latest enterprise security forecast, which projects that the market will grow to about $23 billion worldwide this year, with steady, double-digit growth for years to come.
As one example of the gains that can be had by investing in this space, Casey Extraordinary Technology subscribers were rewarded with a one-week return of nearly 50% in August of 2010 when we recommended buying ArcSight Inc., which developed monitoring software to seek out nefarious code or malicious insiders that had breached a company's firewall. Just seven days after our recommendation, news of a potential buyout of the company by HP, at a 50% premium, caused the shares to pop and we exited with a huge gain.
Another example: One of our core portfolio holdings which operates in the network security space is up almost 170% since we bought in just two years ago.
Not all the computer and network security firms out there are gems, but given all the money that's necessarily going to be pumped in to these industries in the coming years, it behooves you as an investor to investigate the options.
[Ed. Note: We usually save the funnies for Friday, but I came across these "science translations" recently and just had to throw them in here. Of course we are in no way mocking any of the important work being done by scientists throughout the world – we're just having a little fun.]
The following list of phrases and their definitions might help you understand the mysterious languages of science and medicine. These special phrases are also applicable to anyone working on a Ph.D. dissertation or academic paper anywhere.
"It has long been known" = I didn't look up the original reference.
"A definite trend is evident" = These data are practically meaningless.
"While it has not been possible to provide definite answers to the questions" = An unsuccessful experiment, but I still hope to get it published.
"Three of the samples were chosen for detailed study" = The other results didn't make any sense.
"Typical results are shown" = This is the prettiest graph.
"These results will be in a subsequent report" = I might get around to this sometime, if pushed/funded.
"In my experience" = once.
"In case after case" = twice.
"In a series of cases" = thrice.
"It is believed that" = I think.
"It is generally believed that" = A couple of others think so, too.
"Correct within an order of magnitude" = Wrong.
"According to statistical analysis" = Rumor has it.
"A statistically oriented projection of the significance of these findings" = A wild guess.
"A careful analysis of obtainable data" = Three pages of notes were obliterated when I knocked over my coffee.
"It is clear that much additional work will be required before a complete understanding of this phenomenon occurs" = I don't get it.
"After additional study by my colleagues" = They don't get it either.
"Thanks are due to Joe Blotz for assistance with the experiment and to Cindy Adams for valuable discussions" = Mr. Blotz did the work and Ms. Adams explained to me what it meant.
"A highly significant area for exploratory study" = A totally useless topic selected by my committee.
"It is hoped that this study will stimulate further investigation in this field" = I quit.
32 Innovations That Will Change Your Tomorrow (New York Times)
Some of the "innovations" on this list are kind of fun, but most will not change your tomorrow. We plan to release our own list in a future issue of this publication.
The State of the Web (SAI Business Insider)
Kleiner Perkins partner Mary Meeker is one of the best in the business when it comes to summarizing the state of technology. Here's her new presentation on Internet trends.
Mobile Tactile Tech Gets Physical (Engadget)
Tactus Technology is showcasing its next-gen mobile tactile tech at SID Display Week 2012 in Boston. Tactus uses microfluidic technology to create physical buttons that rise from the touchscreen to give users the feeling of a physical keyboard. When no longer needed, the buttons recede back into the touchscreen, leaving no trace of their presence.