By Nicolai Solling
The Middle East, which has over the last year seen a dramatic rise in malware attacks targeted at both private and government organizations, recently fell victim to the much talked about Flame virus. Another major security breach that has drawn tremendous media attention is the leakage of over 6.5 million user password hashes from the business networking site LinkedIn. The intentions behind these two attacks, as well as their implications and impact, are however vastly different.
Before we get into the discussion on the LinkedIn hack, let’s first gain an understanding of the much talked about Flame virus. Kaspersky Lab, who first discovered the threat, described it as the ‘most complex piece of malicious software yet.’ So, with the widespread use of internet-enabled devices and the increasing popularity of online portals for critical services such as e-banking in the region, what are the implications of this attack and how can internet users safeguard themselves against it?
Distribution Method and Infection Rates
The Flame virus is a highly advanced toolset of malicious code that runs on a Windows-based PC to gather, or harvest, data from the infected machine. It has since been revealed that one of the ways the virus spreads is by abusing the Windows Update mechanism. All updates provided for Windows must be signed with a certificate that chains up to Microsoft, and a PC will only install an update that carries such a signature. Flame’s authors obtained exactly such a certificate: Microsoft’s Terminal Server Licensing Service issued certificates that chained to a Microsoft root and could be used for code signing, and the attackers used one to sign their own code. Flame then presents itself on the local network as the update server, and the unsuspecting PC downloads what appears to be a genuine Windows update, which is in fact the loader for the Flame virus. The weakness, in other words, was not in the update client itself but in how Microsoft had issued certificates; Microsoft has since revoked the affected certificate chain.
Once the loader has downloaded the actual virus, the attackers gain the ability to take screenshots, listen in on conversations through the system microphone and even capture video through an attached webcam. The size and sophistication of this attack are far beyond anything that has been seen before. Could anyone get Flame? In principle yes, but for that the machine has to be exploitable through the particular vulnerabilities Flame uses. The good news is that many organizations do not have an environment in which Flame could be installed. As long as organizations and end users follow specific security practices and maintain a predictable, patched environment, there is no reason for them to be concerned about the virus.
As we find out more about the virus, we are relieved to learn that the extent of its distribution is quite limited. As of last week, there were only a couple of hundred machines known to be affected by the virus. This is a very small number, especially when compared to the infection rates of smaller and less sophisticated malware, and it indicates that the attack was targeted. Furthermore, the focus on the Middle East and the complexity of the virus point to substantial financial backing and the support of a nation-state.
Currently, based on what we know about Flame, it is safe to say that the average user should lose no sleep over it. Flame was not as widely distributed as initially feared. If you are running an updated antivirus, apply security patches promptly and follow normal security practices, you will be safe. Another thing to note is that Flame is not that difficult to remove. Of course, this leaves out some users, particularly those who run pirated software, because such software cannot be updated with the latest security patches.
The Legacy of Flame
From a technical perspective, Flame is very intriguing, as it is a rather advanced and impressive tool. If a computer is infected with Flame, the extent of information Flame is able to pull from it is vast. We haven’t seen anything like this before. On the other hand, the distribution, the vulnerabilities and the exploitability that Flame relied on may have been exaggerated. Having said that, at the time the news came out we did not know how many machines were infected or the extent of the virus. It will be interesting to see how Flame evolves. Going forward, we will see more and more advanced versions of this kind of tool. It may have a different name, but this isn’t the last ‘Flame’ we shall see.
The LinkedIn Hack
Unlike Flame, which was a targeted attack, the hacking of LinkedIn accounts has the potential to affect a tremendously larger group of users. Reports from the company, which had 161 million registered users as of 31 March 2012, suggest that the password hashes of over 6.5 million of these users have been leaked from its database.
A Real Cause for Panic?
As a security measure, LinkedIn, like most other internet companies, does not store passwords in clear text but instead stores a password hash. Hashing is a one-way mathematical operation which turns the clear-text password into a fixed-length hash value from which the password cannot be directly recovered. When you log in, your clear-text password is sent to the site over an encrypted connection, the application hashes it and compares the result against the hash value stored in the database; the clear-text password itself is never written to the database. So, even though these hash values have been leaked, users are still safe, right?
To some extent this is true, because recovering a password from its hash is normally a tedious trial-and-error process: the attacker hashes candidate passwords until one produces the leaked hash value. So in theory, yes, your clear-text password has not been leaked. But here is the problem: the leaked LinkedIn hashes were plain SHA-1 with no per-user salt, so the same password always produces the same hash value. Today there are precomputed databases that map hash values of common passwords back to the clear text, and anyone holding the dump can look up a hash and recover the password directly. Once this has been done, the hacker gains complete access to the online account.
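The lookup attack described above, and the salted, iterated hashing that defeats it, as an added example that is not part of the original article or of LinkedIn’s own code. The ‘leaked’ hashes and the wordlist are constructed inline for illustration, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

# --- The vulnerable scheme: unsalted SHA-1, as in the leaked LinkedIn dump ---

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of a password: the same password always yields the same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed wordlist standing in for the huge precomputed tables an attacker would use.
WORDLIST = ["password", "123456", "linkedin", "letmein", "Summer2012", "qwerty"]

def build_lookup(wordlist):
    """Precompute hash -> clear text once; afterwards each leaked hash is one dict lookup."""
    return {sha1_hex(word): word for word in wordlist}

def crack_unsalted(leaked_hashes, lookup):
    """Return {hash: password} for every leaked hash that appears in the precomputed table."""
    return {h: lookup[h] for h in leaked_hashes if h in lookup}

# Constructed 'leak': three users, two of whom chose passwords from the wordlist.
LEAKED_HASHES = [
    sha1_hex("password"),                       # found instantly
    sha1_hex("linkedin"),                       # found instantly
    sha1_hex("correct horse battery staple"),   # not in the table, survives this attack
]

# --- The hardened scheme: per-user random salt plus an iterated, slow hash (PBKDF2) ---

ITERATIONS = 100_000  # cost factor; each guess now takes ~100k hash operations

def store_salted(password: str, iterations: int = ITERATIONS):
    """Return (salt, derived_key) for storage; the salt is random per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk

def verify_salted(password: str, salt: bytes, dk: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, dk)

def salted_hashes_collide(password: str) -> bool:
    """Two users with the same password: do their stored values match? (Should be False.)"""
    _, dk1 = store_salted(password)
    _, dk2 = store_salted(password)
    return dk1 == dk2

if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    cracked = crack_unsalted(LEAKED_HASHES, table)
    print(f"unsalted: recovered {len(cracked)} of {len(LEAKED_HASHES)} passwords: {sorted(cracked.values())}")
    print("salted: identical passwords share a stored value?", salted_hashes_collide("password"))
    salt, dk = store_salted("password")
    print("salted: login with correct password ->", verify_salted("password", salt, dk))
    print("salted: login with wrong password   ->", verify_salted("Password", salt, dk))
```

Two leaked hashes fall to a single dictionary lookup because the scheme has no salt; a precomputed table built once serves every hash in the dump. With a random per-user salt, the same password stored twice yields two different values, so no table can be precomputed, and the iteration count makes each individual guess expensive. PBKDF2 is shown here because it ships with the Python standard library; bcrypt or scrypt are equally appropriate choices.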
Protective Measures and Necessary Steps
So what can users do to protect themselves? The first and most obvious thing would be to change their LinkedIn password. Also, while on LinkedIn, users should check their profiles to make sure that no changes have been done. In particular, check the email addresses that have been linked to the profile and ensure that only authorized addresses are in this list.
In the coming weeks, users will probably come across websites that allow them to check if their LinkedIn passwords were leaked, www.leakedin.org being one example. A word of advice, however: first change your LinkedIn password and only then use such a service to check whether your old password was leaked. Be sure to NEVER type in your new password, as you do not know who is monitoring the site.
Finally, make sure you develop your own password policy. This would involve changing your password at least once every two months and using strong passwords that combine lower case, upper case, special characters and numbers. Users tend to re-use passwords across sites such as Facebook, LinkedIn, email accounts and even e-banking services. This is absolutely unacceptable, as a single compromised account may lead to all the other accounts being jeopardized.
As the number of internet threats grows in terms of volume and sophistication, users have to be increasingly aware of the consequences of their actions. As these threats hit closer to home, users can no longer afford to adopt the ‘it will never happen to me’ mentality. It is time to take charge of your online presence and remember: a hacker has only to be lucky once!
Written by Nicolai Solling – Director of Technology Services at help AG