Flame's man-in-the-middle hash-collision attack is very interesting, I won't deny. It's an incredibly complex, chained exploit using an MD5 collision, a weak vendor digital certificate, WPAD (Web Proxy Auto-Discovery Protocol) vulnerabilities, and signed malware. This is one for the history books.
Still, I can't get overly upset about Flame. Microsoft (my full-time employer) has revoked the weak certificate. The WPAD vulnerability has been around forever. There are far easier ways to accomplish the same outcome, such as pass-the-hash. Plus, Flame isn't widespread.
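Whether the revocation mentioned above has actually landed on a given machine is something an administrator can check locally. The PowerShell below is an added example, not part of the original column and not Microsoft's own tooling. It assumes Windows PowerShell with the Cert: drive and an elevated prompt, and it assumes the revoked certificates carry the "Microsoft Enforced Licensing" subject names listed in Microsoft Security Advisory 2718704 (that advisory number and those names come from the advisory, not from this column). The second half goes beyond the Flame certificates and flags any trusted root or intermediate still signed with MD5, since an MD5 signature is what made the collision possible.

```powershell
# Added example, not from the original column. Read-only checks; run elevated
# so the LocalMachine stores are readable.

# 1. Confirm the revoked licensing certificates are in the Untrusted store.
#    Subject pattern assumed from Microsoft Security Advisory 2718704.
$revokedPattern = 'Microsoft Enforced Licensing'
$disallowed = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.Subject -like "*$revokedPattern*" }

if ($disallowed) {
    Write-Host "Revoked licensing certificates present in the Disallowed store:"
    $disallowed | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
} else {
    Write-Warning "No '$revokedPattern' certificates in Cert:\LocalMachine\Disallowed; the revocation update may not be installed."
}

# 2. General hygiene: any trusted root or intermediate whose signature still
#    uses MD5 is a candidate for the same kind of collision attack.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
$md5Signed = Get-ChildItem -Path $stores |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match 'md5' }

if ($md5Signed) {
    Write-Warning "Trusted certificates with MD5 signatures found:"
    $md5Signed |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*\\' } },
                      Subject, Thumbprint,
                      @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } } |
        Format-Table -AutoSize
} else {
    Write-Host "No MD5-signed certificates in the Root or CA stores."
}
```

The first check only proves the revocation update reached this host; it says nothing about whether WPAD is still enabled, which is a separate proxy-settings question.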
But the biggest reason I still can't get upset about Flame: The state of IT security is really bad already. Flame may add more fuel to the fire, but the inferno is already raging. How bad is it? Consider what was already happening before Flame came to light:
- More than 1 million computers are successfully exploited every single day. That's roughly a dozen every second.
- 39 percent of the world's computers are infected by malware of some type.
- 90 percent of the world's companies have suffered network breaches in the past year.
- One out of every seven adults has his or her online financial information, identity, or passwords compromised every year, according to Privacy Rights. That adds up to 280 million breached records in the last eight years.
- 82 percent of malicious websites are hosted on hacked legitimate websites.
- It's no longer unusual for a single hacking event to cause more than $100 million in damages. The attack against Sony is a fine example.
- Hacktivist groups such as Anonymous routinely break into the world's largest companies and have even hacked the global authorities investigating them.
- Hacks resulting in millions of leaked passwords are so numerous, they practically go unnoticed. The successful attack against LinkedIn is a good example.
- A single worm, SQL Slammer, was able to infect almost every possible unpatched computer it targeted in 10 minutes -- and this was back in 2003.
- Malware is popping up on mobile platforms as though we've learned absolutely nothing over the 25 years of PC hacking.
- Spam rates are still above 65 percent, nearly 10 years after the CAN-SPAM Act of 2003 was passed.
- One out of every 14 Internet downloads is malicious.
- The annual cost of cyber crime is estimated at $114 billion.
- The successful prosecution rate for Internet cyber criminals is less than 0.01 percent.
- Hacking by nations is so pervasive that Google is now automatically alerting users of potential state-driven threats.
- Stuxnet, Duqu, and now Flame prove that complex malware can bypass any computer security defense.
With so much bad stuff going on, I have to wonder what would be the tipping-point event that will make people rise up and say they won't accept it anymore. I used to think that it would take Google or the stock market going down for a day, but now I doubt even events of that magnitude would take more than a week's news cycle.