16 security problems bigger than Flame

Jun 12, 2012 | 5 mins
Cybercrime | Data and Information Security | Hacking

Flame has proven a complex piece of malware, but if it were to disappear today, the Internet would be just as insecure

Flame’s man-in-the-middle hash-collision attack is very interesting, I won’t deny. It’s an incredibly complex, chained exploit using an MD5 collision, a weak vendor digital certificate, WPAD (Web Proxy Auto-Discovery Protocol) vulnerabilities, and signed malware. This is one for the history books.

Still, I can’t get overly upset about Flame. Microsoft (my full-time employer) has revoked the weak certificate. The WPAD vulnerability has been around forever. There are far easier ways to accomplish the same outcome, such as pass-the-hash. Plus, Flame isn’t widespread.


But the biggest reason I still can’t get upset about Flame: The state of IT security is really bad already. Flame may add more fuel to the fire, but the inferno is already raging. How bad is it? Consider all that was happening before Flame and its effects became widespread:

  1. More than 1 million computers are successfully exploited every single day. That’s one every 14 seconds.
  2. 39 percent of the world’s computers are infected by malware of some type.
  3. 90 percent of the world’s companies have suffered network breaches in the past year.
  4. One out of every seven adults has his or her online financial information, identity, or passwords compromised every year, according to Privacy Rights. That adds up to 280 million breached records in the last eight years.
  5. 82 percent of malicious websites are hosted on hacked legitimate websites.
  6. It’s no longer unusual for a single hacking event to cause more than $100 million in damages. The attack against Sony is a fine example.
  7. Hacktivist groups such as Anonymous routinely break into the world’s largest companies and have even hacked the global authorities investigating them.
  8. Hacks resulting in millions of leaked passwords are so numerous, they practically go unnoticed. The successful attack against LinkedIn is a good example.
  9. A single worm, SQL Slammer, was able to infect almost every possible unpatched computer it targeted in 10 minutes — and this was back in 2003.
  10. Malware is popping up on mobile platforms as though we’ve learned absolutely nothing over the 25 years of PC hacking.
  11. Spam rates are still above 65 percent, nearly 10 years after passing the CAN-SPAM Act of 2003.
  12. One out of every 14 Internet downloads is malicious.
  13. The annual cost of cyber crime is estimated at $114 billion.
  14. The successful prosecution rate for Internet cyber criminals is less than 0.01 percent.
  15. Hacking by nations is so pervasive that Google is now automatically alerting users of potential state-driven threats.
  16. Stuxnet, Duqu, and now Flame prove that complex malware can bypass any computer security defense.

With so much bad stuff going on, I have to wonder what would be the tipping-point event that will make people rise up and say they won’t accept it anymore. I used to think that it would take Google or the stock market going down for a day, but now I doubt even events of that magnitude would take more than a week’s news cycle.

But as the world and its mission-critical applications keep growing, I predict that someone, someday, will commit such an egregious cyber crime that it’s bound to cause a tipping point. If history is any indicator, the global event might happen by accident after a malicious programmer loses control of his or her creation à la the Robert Morris worm of 1988, SQL Slammer, or the Melissa Word virus. But accident or not, someone is likely to push the boundary and cause too much damage too fast. I’d love to know what you believe the tipping-point event would have to be.

One day, we’ll hit that tipping point, and the world will go crazy for a little while. The news channels will be full of “experts” telling us what happened and what needs to happen to prevent the next big one. We’ll finally implement what we should have put in place two decades ago and move the Internet out of its Wild West phase. I, for one, can’t wait. It’s been much too long in coming.

As I’ve said before, there are ways to “fix” the Internet today. We can make it a significantly safer place to compute. It will take an Internet 2.0, in which all participants are identified and verified before being involved in activities that could cause harm to themselves or others. It necessitates the loss of default anonymity. People who need absolute anonymity could still surf and work on the original Internet infrastructure, but those of us who want more assurance and safety could use the newer version. We can do this with existing protocols running on existing infrastructure.

I’ve covered this before in my plan to fix the Internet [PDF]. My employer, Microsoft, has offered its vision for a more secure Internet in its End-to-End Trust initiative. I’ve always loved the ideas from the Trusted Computing Group, which has long worked on the basic building blocks needed to get us to a more secure world.

But back to my original subject and why I can’t get worked up about Flame and its MD5 collision: The real problems are related to infrastructure and not to a particular worm or endpoint exploit. It’s not as though defending ourselves against everything Flame can accomplish will address any part of the larger problem.

Get rid of Flame and every single fact I state above is still true. Nothing has changed. It needs to.

This story, “16 security problems bigger than Flame,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
