NEWS FROM THE LAB - Thursday, June 21, 2012

Commoditization vs. Specialization
Posted by Sean @ 14:07 GMT

Another rebuttal to Mikko's Flame-related opinion column in Wired magazine, this time from Bruce Schneier.

Schneier's summary of Mikko's argument:

"His conclusion is simply that the attackers — in this case military intelligence agencies — are simply better than commercial-grade anti-virus programs."

But Schneier doesn't buy it:

[Screenshot: Schneier on Security, June 2012]

A couple of points.

First, regarding military malware's supposedly slow and stealthy spread: it's relative. Compared to something such as Conficker, most "non-military" malware is as quiet as a mouse. It's as stealthy as it needs to be.

Second, actually… Flame didn't really "spread". It was used in targeted attacks. Think sniper bullet, not germ warfare. (Stuxnet is a different story. But it wasn't supposed to spread in the wild either.)

Third, should conventional malware writers adopt Flame's techniques if they want to evade detection? Look… most "conventional" malware writers don't actually use the malware they author. They sell it as a service. Buyers and users of malware kits have to pay for stealth. It isn't free. The real difference between crimeware and Flame/Stuxnet/DuQu is commoditization vs. specialization.

Let's use a real-world example.

Here's a screenshot from the website of Securitas, a global provider of security services that employs more than 300,000 people.

[Screenshot: About Securitas]

And this is the car of Iranian nuclear engineer Majid Shahriari soon after he was assassinated in November 2010 by unidentified assailants on motorcycles, who carried out separate bomb attacks and detonated the devices from a distance.

[Photo: Majid Shahriari's car after the attack]

Look carefully.

Can you spot the difference between the services Securitas typically provides and the protection Shahriari would have needed?