Bigger Than Flame, Stronger Than Stuxnet: Why 'Idiot' Humans Are Best Cyber Weapon
For the second time in as many years, computer security experts have hailed the discovery of a new cyber weapon as one that could change the face of cyber warfare forever.
Flame, publicly disclosed earlier this week and found in dozens of computers in Iran and the Middle East, is thought to be the biggest cyber espionage program ever, capable of recording just about everything that is done on an infected system, all while staying hidden from the user. Before that, Stuxnet, an offensive cyber weapon found in 2010, was reportedly powerful enough to cause physical damage to an Iranian nuclear facility - a feat that had never been accomplished before. Both of these cyber weapons, experts estimate, cost millions of dollars and many years in research and development, most likely under the direction of some nation's intelligence agency.
But as for how to get that advanced code loaded onto the right computers, some of the best hackers in the world may have been forced to rely on a decidedly low-tech but generally dependable ally: human carelessness.
A super cyber weapon is no good if it can't reach the target networks, and that sometimes requires a window to be left open, either by a spy on the inside or, more commonly, by regular rubes who don't realize they're opening their systems up to a world of hurt.
As The New York Times reported today, in Stuxnet's case the powerful worm had to get into the Iranian nuclear facility's system, but the system was air-gapped - meaning it was not connected to any outside networks - so there was no way to hack it directly. Instead, someone would have to physically carry the worm in, either on purpose or without knowing it.
"That was our holy grail," one of the people involved in the Stuxnet operation told The Times. "It turns out there is always an idiot around who doesn't think much about the thumb drive in their hand."
According to Liam O Murchu, operations manager for the security response team at the U.S.-based cyber security firm Symantec and one of the first to analyze the Stuxnet code, that's likely just how it happened: Someone who had been tricked into downloading Stuxnet onto their personal computer unknowingly transferred the malware to a thumb drive and then, after heading to work at the supposedly secure Iranian facility, plugged the thumb drive into the internal network, letting Stuxnet loose to wreak its havoc - all without knowing a thing was wrong.
Similarly, reports by several international cyber security firms said that analysis of the Flame code suggests it's designed in part to be able to transfer secretly from one network to another by thumb drive as well.
But carelessness when it comes to thumb drives is not reserved for overseas users. Last June, the Department of Homeland Security ran a test in which it secretly dropped computer discs and thumb drives in the parking lots of U.S. government buildings and private contractors, according to a Bloomberg report. The test found that 60 percent of people who picked up the devices plugged them into their office computers - potentially compromising the entire internal network. If the drive or disc carried an official seal, the figure rose to 90 percent.
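As an added example (not code from the article or from Symantec), here is the kind of detection logic a defender of an air-gapped host could run over kernel log lines to flag removable mass-storage devices that are not on a sanctioned list; the log lines, hostname and allowlisted vendor/product IDs are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample kernel log lines (not real captures) of the kind a Linux
# host emits when USB devices are plugged in; two are mass-storage devices.
SAMPLE_LOG = """\
May 30 08:12:01 plc-eng01 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
May 30 08:12:01 plc-eng01 kernel: usb 1-2: New USB device found, idVendor=0951, idProduct=1666
May 30 08:12:01 plc-eng01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
May 30 09:40:17 plc-eng01 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c31c
May 30 09:40:17 plc-eng01 kernel: input: USB Keyboard as /devices/pci0000:00/usb1/1-3/input0
May 30 13:05:44 plc-eng01 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=1234
May 30 13:05:44 plc-eng01 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of sanctioned transfer media, keyed by (idVendor, idProduct).
ALLOWED_STORAGE = {("0951", "1666")}

# Enumeration line: gives the port and the vendor/product IDs of the new device.
DEVICE_RE = re.compile(
    r"usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# Mass-storage line: tells us the device on that port exposes a storage interface.
STORAGE_RE = re.compile(r"usb-storage (?P<port>\S+):\d+\.\d+: USB Mass Storage device detected")

@dataclass
class Alert:
    host: str
    timestamp: str
    port: str
    vid: str
    pid: str

def find_unsanctioned_storage(log_text):
    """Return one Alert per mass-storage insertion whose IDs are not allowlisted."""
    seen = {}      # port -> (timestamp, host, vid, pid) from the enumeration line
    alerts = []
    for line in log_text.splitlines():
        timestamp, host = line[:15], line.split()[3]   # syslog prefix: "Mon DD HH:MM:SS host"
        m = DEVICE_RE.search(line)
        if m:
            seen[m["port"]] = (timestamp, host, m["vid"], m["pid"])
            continue
        m = STORAGE_RE.search(line)
        if m and m["port"] in seen:
            timestamp, host, vid, pid = seen[m["port"]]
            if (vid, pid) not in ALLOWED_STORAGE:
                alerts.append(Alert(host, timestamp, m["port"], vid, pid))
    return alerts
```

Keyboards and other non-storage devices produce no alert, and the sanctioned drive on port 1-2 is ignored; only the unknown storage device on port 2-1 is reported.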
Beyond thumb drives, O Murchu said one of the most popular ways hackers attempt to gain access to a network through human error is spear phishing, a method in which the hacker specifically targets an individual and poses as a friend or colleague in an attempt to trick him or her into opening a compromised file, usually sent as an email attachment. That is how Duqu, another highly sophisticated espionage program believed to be closely linked to Stuxnet, was able to spread across computers in Europe before it was discovered last October, O Murchu said.
It's also the method the DHS said earlier this month had been used by a foreign power for months to target the control systems of American gas pipelines. In November, the U.S. State Department reported a 35 percent increase in "spear phishing and/or malicious email traffic" over the year before.
All this is evidence, O Murchu said, that attackers are increasingly relying on the "human aspects" of cyber attacks, rather than targeting the systems directly, and reiterates a mantra that O Murchu and some other cyber security experts have been repeating for years: no matter how sophisticated the attack or how capable the defenses, the weakest link in cyber security is often the human at the keyboard.