The complex Stuxnet worm, which some allege was designed by US and Israeli government agents to cripple Iranian nuclear technology, could be re-engineered at far less expense by civilian hackers to inflict more general damage, says anti-malware company founder Eugene Kaspersky.
"According to information [gleaned] from the code, we understand this is high-end malware," Kaspersky says. "To develop such malware needs a million dollar budget. I'm afraid it's quite obvious that this malware is not done by ordinary cyber-criminals."
"Media sources [also] allege this was done by governments, by secret services in the US and Israel. It looks like that," he says, but he can't say for certain; "the secret services don't report to us."
Stuxnet used a specific set of software vulnerabilities, which have now been repaired. But this would not stop an adaptation of the malware being used, he says. "It's quite easy to disassemble the code to discover how it works, to extract the components and to redesign the same idea in a different way. I'm afraid this is just the beginning of a new era; the era of cyber-wars and cyber-sabotage."
Kaspersky spoke with Computerworld from Melbourne last week, where he was attending the Australian Grand Prix. Kaspersky sponsors the Ferrari Formula 1 motor-racing team. The cars bear its logo and it has released a version of its anti-malware products with Ferrari's characteristic red in the marketing livery and a digital racing simulator bundled in.
"Customers will enjoy high-level security - which is almost invisible, running in the background - and at the same time they can drive the virtual Formula 1 car on the virtual track," Kaspersky says.
Ferrari uses Kaspersky products in its corporate operation, Eugene Kaspersky says, and the company is pitching software to the Ferrari engineers to guard against potential malware in embedded control gear.
Ferrari's business "is not just about cars," Kaspersky says. "There are more and more devices - cars, machines, planes - that have computers managing all their systems. The security problems are getting more and more important because a proportion of those systems are not secure enough. There are reports about security issues in a non-computer environment which are serious and are caused by malware."
Some experts suggest widespread power failures on the East Coast of the US in 2003 were an indirect consequence of computer malware, Kaspersky says. The main report on the incident saw other causes, "but an alternative report says the blackout was caused by computer malfunction in the power grid management centre. They ran Unix machines but those stopped operations because they were affected by heavy data traffic generated by Microsoft Windows systems that had been infected by the Blaster worm."
Kaspersky also refers to an air crash in Spain in 2008 which left more than 150 dead.
"Last August [experts] said the plane crashed because of technical problems. But the problems were not found by on-ground inspection because the systems [diagnosing] the plane's condition were connected to infected computers, so the engineers didn't have a report about the technical problems. The malware wasn't a direct cause of the catastrophe; but it wouldn't have happened without it."
Mobile devices are the new frontier for malware, as more and more consumer data interaction is done in this way, Kaspersky says. Google's Android, because of its adoption on many brands of mobile hardware, will become "the new Windows" -- the platform most malware is written to attack.
Governments' growing awareness of the dangers has led to calls for everyone changing data on internet-connected systems to be securely identified. Eugene Kaspersky supports this move, "for two reasons: Firstly, computer systems and the internet are dangerous. Damage can be done to computer and other systems. Cars are recognised as dangerous, so when you drive a car you have to have a licence and [registration] plates." That's why digital identifiers are advisable, he says.
"I'm not talking about Big Brother. If you want to read some data, or exchange emails with your friends if you blog about personal matters, you shouldn't need to present your ID; you're like a passenger in a car.
"But if you access your bank account or if you post an executable file to the internet you must present your ID to show it's you who changed the content of the internet, or accessed critical data."
Kaspersky also suggests professional journalists, whose views are relied on to be factual, should have to present an identity credential with their copy "so we can verify it's really you".
The second reason for digital ID, he says, is that online channels are increasingly the accepted way to do everything, particularly to play our democratic part in government. "The new generation are comfortable with interacting online. They don't buy paper books, CDs or DVDs. This generation want to have everything online and will never go to [polling stations]. They will want to vote online. If there is no online government, the new generation will never vote." Verifiable identity is essential to voting and interacting online with government in other ways, he says. "So if we don't have digital passports, within 20 to 40 years there will be no democracy."
This story, "Cut-price Stuxnet successors possible: Kaspersky", was originally published by Computerworld New Zealand.