Bruni. (Fashion Insider)

French cyber security experts say the U.S. government used software resembling Flame to hack into computers of the French presidential staff, the magazine l'Express said in a report that was picked up by The Hill.

The computers of advisers to former President Nicolas Sarkozy were hacked in May, l'Express reported, during the run-up to elections in which Mr. Sarkozy was defeated by Francois Hollande. Flame is the same virus allegedly created by the U.S. and Israel to attack Iran's nuclear program.

Homeland Security Secretary Janet Napolitano didn't deny or confirm the allegation in an interview with l'Express, but according to The Hill, reiterated the close ties between the U.S. and France in an interview with the magazine.

“We have no greater partner than France, we have no greater ally than France,” Ms. Napolitano told l'Express. "We cooperate in many areas related to security."

As to why the U.S. would hack the computers of such a close ally, l'Express suggests, simply, that intelligence agencies crave intelligence. Or maybe they were just looking for photos of Carla Bruni in the buff.

Mr. Kaspersky not looking supervillain-like at all. (Photo: flickr.com/cebitaus)

Inspired by the behaviors of sophisticated malware such as Stuxnet, Flame, Duqu and Gauss, Russian billionaire and possible real-life Batman Eugene Kaspersky announced today that his Kaspersky Lab is developing a new operating system.

Mr. Kaspersky's announcement wasn't heavy on details about the OS, but security was obviously priority one. Acknowledging that Microsoft, Apple and the open source communities haven't been able to create truly secure controls, Mr. Kaspersky basically said the problem with the previous systems was their universality:

First: our system is highly tailored, developed for solving a specific narrow task, and not intended for playing Half-Life on, editing your vacation videos, or blathering on social media. Second: we’re working on methods of writing software which by design won’t be able to carry out any behind-the-scenes, undeclared activity. This is the important bit: the impossibility of executing third-party code, or of breaking into the system or running unauthorized applications on our OS; and this is both provable and testable.

Mr. Kaspersky linked to "Securing Critical Information Infrastructure: Trusted Computing Base" to help answer questions regarding the new OS. It's essentially a paper that dissects the way industrial cyber-attacks work and details why they work.

The study lists the following necessary elements of a "maximally secure" computer network:

• The operating system can’t be based on existing computer code; therefore, it must be written from scratch.
• To achieve a guarantee of security it must contain no mistakes or vulnerabilities whatsoever in the kernel, which controls the rest of the modules of the system. As a result, the core must be 100% verified as not permitting vulnerabilities or dual-purpose code.
• For the same reason, the kernel needs to contain a very bare minimum of code, and that means that the maximum possible quantity of code, including drivers, needs to be controlled by the core and be executed with low-level access rights.
• In such an environment there needs to be a powerful and reliable system of protection that supports different models of security.

With these features in mind, Kaspersky Lab states that its new system's central feature will be a "categorical impossibility" of running any background programs, giving engineers total control and management of the system.

Cyber-warfare being what it is today, it's safe to say the malware makers who inspired Mr. Kaspersky's Lab to develop this new system are likely already working on new exploits with it in mind.

Countries where MiniFlame and Flame have been found. (Kaspersky Lab)

Researchers at Kaspersky Lab have been patiently picking apart the ingenious malware packages that romped through computer networks in the Middle East, sucking up data and destroying Iranian nuclear centrifuges and it seems Kaspersky finds a new addition to the allegedly U.S. and Israeli-sponsored family of cyber-weapons every other month. Monday they announced the discovery of the Flame malware's baby cousin, MiniFlame.

Kaspersky's bug hunters found that MiniFlame's association with Flame and related infections was Transformers-like in nature:

In early July 2012, we discovered a smaller Flame module, which appeared to be able to work by itself. The module had many similarities with Flame, so we thought it might simply be an earlier version. In the months that followed, we not only studied the connection of this malware with Flame, but also came across examples of this module being used concurrently with Gauss and being controlled by the Gauss main module.

Researchers found that MiniFlame was something of a ninja assassin compared to the other programs. Whereas Flame, Duqu and Gauss had large missions to infiltrate multiple computers in countries like Iran, Syria and Lebanon, MiniFlame targeted just a few select victims in what Kaspersky calls "highly targeted attacks." Kaspersky reported that MiniFlame, while rare compared to the more well-known malware packages, was more likely to show up in a variety of countries, including a computer located at the Francois Rabelais University in Tours, France.

Wired also noted that Kaspersky determined that one machine in Lebanon is the lucky recipient of every nasty cyber weapon in the family:

[There] is one machine in Lebanon – what [senior Kaspersky researcher Roel] Schouwenberg calls "the mother of all infections" – which has Flame, Gauss, and miniFlame/SPE on it. "It is like everybody wanted to infect that specific victim in Lebanon for some reason," he says.

Kaspersky knows there are two more malware packages still in the wild, currently code-named only SP and IP. They may function much like the previously known malicious programs, churning through the guts of target computers for sensitive data to send home to their controllers before they execute the final trick in their arsenal, deleting themselves and vanishing from the infected system as if they'd never been there at all, like ghosts. Or ninjas.

What Flame did to Iranian computers. (Image: William Warby, Flickr)

The Cold War is over and Russia and America are getting along. So surely the Men in Black behind the United States' cyber weapons program based at Area 51 or wherever will not be too concerned that a Russian researcher cracked an encoded password associated with the now infamous, allegedly American-made Flame malware.

Symantec and Kaspersky recently teamed to pick apart Flame's command and control systems, discovering at least three previously unknown infectious scripts in the process. The researchers also discovered a great deal about how the weapons were assembled and launched against enemy targets, but were left with a hashed passcode they couldn't break. They put out a call for help but didn't need the assistance of anyone outside either outfit, after all:

Kaspersky analyst Dmitry Bestuzhev cracked the hash for the password Sept. 17 just hours after Symantec put out a public request for help getting into the control panel for Flame, which infected thousands of computers in the Mideast. [...]

The hash - 27934e96d90d06818674b98bec7230fa - was resolved to the plain text password 900gage!@# by Bestuzhev.

So now the whole world knows the password that once protected the servers behind Flame, a complex and sophisticated cyber weapon that was a major blow to Iran's nuclear program.

Which is a little scary, because if someone can crack the password that once protected such a covert weapon created by a nation state, the average Internet user's method of password protecting their GMail with a pet's name plus grandma's birthday doesn't seem too safe anymore.

Attack workflow for Flame controllers (Symantec)

Kaspersky Lab and Symantec have teamed up to peel apart the United States' cyber warfare efforts. So far, they have uncovered the command and control systems behind the sophisticated malware as well as three previously unknown chunks of malicious code possibly related to alleged American cyber superbugs Flame and Duqu.

Reuters reports that researchers from the security firms discovered how the malware was disseminated--through an outwardly innocent-seeming content management system (CMS) named Newsforyou:

It was designed to look like a common program for managing content on websites, which was likely done in a bid to disguise its real purpose from hosting providers or investigators so that the operation would not be compromised, Kaspersky said in its report.

Newsforyou handled four types of malicious software: Flame and programs code-named SP, SPE and IP, according to both firms. Neither firm has obtained samples of the other three pieces of malware.

According to Symantec, Newsforyou allowed attackers to "upload packages of code, to deliver to compromised computers, and to download packages containing stolen client data." Symantec writes that the mystery chunks of code were "likely unknown variants" on Flame but could have been "totally distinct malware."

More intriguing, researchers uncovered nicknames for a handful of programmers who worked on the malware over the course of the last six years or so:

The attackers were not thorough enough, however, as a file revealing the entire history of the server‘s setup was available. In addition, a limited set of encrypted records in the database revealed that compromised computers had been connecting from the Middle East. We were also able to recover the nicknames of four authors—D***, H*****, O******, and R***—who had worked on the code at various stages and on differing aspects of the project, which appear to have been written as far back as 2006.

Symantec and Kaspersky have an additional mystery for which they seek the public's help--this mysterious encoded password: 27934e96d90d06818674b98bec7230fa.

Researchers say they have attempted "brute-force" cracks of the hashed code, to no avail. If you're up for a juicy password cracking challenge that may also put you on a government watchlist, hit them up on Twitter.

This guy could also be a government agent. (Image Devdsp on Flickr

Humanity's fear of "war without end" has yet to be completely fulfilled in the analog world, but state-sponsored cyber warfare has been afoot for years and is only getting worse. That's one takeaway from cyber security expert Pete Warren's report in The Guardian on government-created malware.

Mr. Warren consulted a number of anonymous security experts with military ties to get a sense of how long major governments have been developing nefarious software packages like Flame, Duqu and Stuxnet. Some systems, writes Mr. Warren, "have been under development since at least 1996."  Moreover, the United States and its allies aren't the only nations with skin in the malware game:

"There are a lot of countries that now have these systems. Every Middle Eastern country and all the states now known as the 'Stans' [Pakistan and the former satellite states of the Soviet Union] have them", said another expert with close links to the UK intelligence agencies and who is actively engaged in combating the software.

An unnamed ex-military man in London went further, telling Mr. Warren that "Every nation now has an armory; whether well-stocked or not depends on their resources."

Like guerrilla soldiers adopting military tactics to cause destruction and mayhem, government-made software like the Flame worm has inspired copycats. The mid-August Shamoon attack, for example, targeted a Saudi-owned oil company and knocked up to 75 percent of that company's workstations offline. Shamoon resembled Flame, but a hacker group calling itself The Cutting Sword of Justice claimed credit for Shamoon. They say they are an "anti-oppression hacker group" and are "fed up of (sic) crimes and atrocities taking place in various countries around the world."

Ours is a brave new world, with lots of scary new creeping software in it.

Cover of Kaspersky Lab's report on Gauss

Kaspersky Lab recently uncovered a new and sophisticated cyberweapon they dubbed Gauss. Wired reports that intrepid researchers employed by Russian billionaire and possible Batman Eugene Kaspersky need the public's help figuring out the the malware's mysterious payload:

The warhead gets decrypted by the malware using a key composed of configuration data from the system it’s targeting. But without knowing what systems it’s targeting or the configuration on that system, the researchers have been unable to reproduce the key to crack the encryption.

In blog post published on SecureList.com, one of Kaspersky's experts also mentions another puzzle, the presence of "the uniquely named 'Palida Narrow' font" that is installed along with the malware. If you don't have the knowledge of "cryptology, numerology and mathematics" Kaspersky seeks, investigating Palida Narrow may be for you.

Kaspersky's ThreatPost addressed the intriguing presence of Palida Narrow in a blog entry published Friday. Dennis Fisher wrote that one intriguing theory about Palida Narrow is that it may be "a kind of brand to mark infected PCs for the command-and-control servers."

Kaspersky Lab has published a detailed report on Gauss that gives rates of infection--from 1660 computers infected in Lebanon to 43 compromised machines in the United States--as well as fascinating but possibly useless details like the (most likely fake) names and addresses used to register domains found embedded in the malware's code.

Call Daphne and Velma and put on your orange ascot and get out there and solve this mystery today!

Mr. Kaspersky not looking supervillain-like at all. (Photo: flickr.com/cebitaus)

Eugene Kaspersky's security researchers at Kaspersky Lab have sleuthed out a new "cyber-espionage weapon." The Russian supervillain's (or awesomely cool billionaire, depending on your point of view) labs say this weapon has nearly as cool a name as previously discovered cyber worms Flame and Duqu--"Gauss." It also has a specific and potentially telling target: Lebanese lending institutions. Bloomberg tells us more:

"Similar to Flame and Duqu, another cyber-espionage weapon, Gauss is a complex cyber-expionage toolkit, with its design emphasizing stealth and secrecy," Alexander Gostev, Kaspersky's chief security specialist, said in the statement. "However its purpose is different. Gauss targets multiple users in select countries to steal large amounts of data, with a specific focus on banking and financial information.'

Officials at one of the targeted institutions would only admit to Bloomberg that they were aware of the worm.

Kaspersky Lab's blog post about the threat gives a timeline detailing Gauss's life and the timing of its discovery, which Kaspersky writes "was made possible due to strong resemblances and correlations between Flame and Gauss."

Could it be Gauss, like Flame, was made in the USA? Maybe we'll find out if America's cyber weapons gurus are still leaking like a watering can.

THUNDA STRUCK!

Looks like the Iranian nuclear facility at Natanz is, at the very least, 0 for 2 against cyber attacks. First came Stuxnet, which wreaked havoc with the equipment used to purify uranium. And now--at least, if a recent report (via VentureBeat) is true--they are dealing with a malware infestation involving sudden, late-night AC/DC.

F-Secure chief research officer Mikko Hypponen received the following email from someone who claimed to be an Iranian nuclear scientist: 

I am writing you to inform you that our nuclear program has once again been compromised and attacked by a new worm with exploits which have shut down our automation network at Natanz and another facility Fordo near Qom.

According to the email our cyber experts sent to our teams, they believe a hacker tool Metasploit was used. The hackers had access to our VPN. The automation network and Siemens hardware were attacked and shut down. I only know very little about these cyber issues as I am scientist not a computer expert.

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing 'Thunderstruck' by AC/DC.

Hypponen was unable to confirm the story--but he was able to confirm the email came from the Atomic Energy Organization of Iran.

Memo to the American cyberweapons program: We're not saying this was you guys, but if it was, you might want to opt for a less obvious calling card in the future.

Let slip the dogs of cyber war. (flickr.com/anhonorablegerman)

Remember last summer, when all anyone could talk about was hacktivists? For a while there, we were living in a William Gibson novel, with hackers wreaking havoc and corporate types running scared. Well, so far, this June is shaping up a little differently, with a wave of state-sponsored attacks straight out of a spy novel.

Much as we love lone teenaged lone wolves typing away in their moms' basements, it's clear they're just the loudest and proudest of hackers. Just because the spies don't have official Twitter accounts and release YouTube videos doesn't mean they're not there, though. The latest two instances come courtesy of Fast Company, which points out that dissidents are increasingly a target of state-sponsored hacks.

For example: Tibetan activists recently received a phishing email, disguised as an official communique regarding a recent European resolution, which takes root in their computers and calls up a server in Hong Kong. Meanwhile, members of the Syrian opposition are being targeted with malware, distributed via Skype, that installs spying software.

Google has even started warning Gmail users when they've been targets of an attempted state-sponsored cyber attack.

This is different from just a couple of months ago, when Stuxnet and Flame looked conveniently aligned with the strategic goals of the U.S. and Israel, but mum was the word as to where the infections came from. Now, thanks to exposes in the New York Times and the Washington Post respectively, we've good as got confirmation they were programs developed by the two nations working in concert to slow Iran's nuclear weapons program.

Nor is the cyber tussle between the U.S. and Iran is over. Just today, an Iranian news agency (described by the AP as "semiofficial") claimed to have fought off another "massive" cyber attack. The expression "can of worms" comes to mind.

LulzSec, we have to say, was a lot more entertaining.