The cyber security implications of Iran's government-backed antivirus software
Summary: According to independent industry reports, Iran has banned the import of foreign security software and has been secretly working on its own antivirus solution since 2010.
Developed by Iranian experts from the Shiraz Computer Emergency Response Team of APA (Academic Protection and Awareness), the software has reportedly undergone active testing and is ready for deployment at government and military installations.
Key points to consider:
- The U.S., Russia and China are developing offensive cyber warfare weapons -- weaponized malware -- that successfully bypass the most popular antivirus solutions. Will Iran undermine the effectiveness of these cyber weapons? Not necessarily. What Iran's decision to rely on a government-backed antivirus product will do is increase the interest of foreign governments in obtaining and analyzing the software, so that they can find and exploit weaknesses in its design and bypass it in the long term. Until a copy of the software is obtained, however, it will certainly complicate the QA (quality assurance) practices attackers use to ensure that their weaponized malware is not detected by the antivirus products actually deployed on the target, since those practices depend on testing against the defender's product.
- Relying on largely untested, in-house-built software rather than on vendors with decades of experience is a flawed strategic approach - Iran's adversaries should be thankful for Iran's flawed approach to protecting the nation's infrastructure from malicious code. Instead of importing innovative solutions and deploying multiple antivirus engines to protect endpoints, the country's nationalist sentiments seem to be prevailing, potentially exposing its infrastructure to malicious attacks.
- Basing an entire strategy on a single endpoint solution undermines the concept of defense in depth - Iran doesn't appear to be applying the defense-in-depth concept, which calls for a multi-layered approach to securing a network or an endpoint. The country's ban on foreign security products means it will have to build firewalls and intrusion prevention/detection systems from scratch, in complete isolation from the rest of the industry. Isolation of that kind tends to produce major flaws in both the design and the practical applicability of in-house-built products, because the designs are never exposed to outside review or to the malware samples and attack techniques the rest of the industry sees.
- From an Information Warfare perspective, by banning imports of foreign security products, Iran might be laying the foundations for a successful self-mobilizing cyber militia campaign - Antivirus tools don't just detect viruses; they detect malicious code in general, including DoS (denial of service) and DDoS (distributed denial of service) attack tools. In a cyber conflict fought on Information Warfare principles, Iran could distribute software agents to civilians in order to use their bandwidth or Internet connectivity for waging the conflict. We've seen this happen on numerous occasions in the past. In such a conflict, Iran's antivirus software could deliberately skip detection of these tools, which would otherwise be flagged by foreign antivirus products, in an attempt to ensure that the Iranian population participates. See: Attack of the Opt-in Botnets
Moreover, Iran's antivirus doesn't participate in any of the periodic industry comparative reviews that evaluate the effectiveness of antivirus software, it doesn't take part in organizations such as the Honeynet Project, it doesn't share samples with competing vendors, and it receives no samples from them in return. This self-serving, isolationist mentality, typical of closed regimes, will ultimately give foreign adversaries easy access to Iran's infrastructure, and in particular to hosts running the largely untested antivirus software.
Diversification may result in complexity, which in turn can result in insecurity, but basing the protection of endpoints on a single, largely untested product results in the monoculture insecurity posed by relying on one, potentially 'buggy', product: a single flaw in it is a flaw in every host that runs it.
Iran isn't the first country to start developing its own hardened security products, but it is among the few to ban imports of foreign security software from the local market. China with its Red Flag Linux and Kylin OS, the European Union with the EU-funded secure operating system Minix, and Russia, which has also expressed interest in the concept, are among those considering a migration away from U.S.-developed operating systems in order to escape the monoculture insecurity posed by the world's most popular operating system - Microsoft's Windows.
What do you think? Is Iran's move putting the U.S., Russia or China at a strategic disadvantage, or is the move largely exposing Iran's infrastructure to amateur malware authors who will inevitably start bypassing Iran's proprietary antivirus software?
Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.
Talkback
Is writing your own A/V really meaning that you're weak?
Just writing your own A/V doesn't mean that you have not understood or implemented a defense-in-depth approach. Or did the sources also state that they create their own O/S, firewalls and so on?
half of the story
Are they gonna ban Windows as well?
Maybe, Probably
1) There actually is/was a conspiracy to leave some vulnerability in place or to secretly disclose any new ones and perhaps leave them unpatched for a period of time until publicly disclosed
2) In the process of doing this, you develop a better solution that nobody has thought of, i.e. a paradigm shift, which is how every business and technology revolution happens
3) The value of uncertainty/obscurity, at least in the short term (which is all that really matters in the case of Iran), enables a heightened catch rate, since the bad guys, whoever they are, may not know everything you are doing.
Iran may or may not achieve better results this way. My hunch is that they will not, but I gave up underestimating Iran a long time ago - both in good and bad ways.
Iran is saying (in easy words).
Well I love this..
Iranian Security Software
1. Can anyone doubt that the USA & other cyber nations are also developing confidential in-house protection?
2. Can anyone doubt that open-market security software, good as it may be, is automatically superior to in-house software; or that it may not be subject to undisclosed trapdoors?
RE: subject to undisclosed trapdoors?
See my reply below to 'dhays' as I explore this point.
Iran
Again, lack of proofreading makes this article harder to read. One has to guess at the proper word.
"of is the move" I presume to mean "or", not "of"; "may results in complexities" should read "result", not "results", as "results" is a confusing tense.
At present, it sounds like much ado about nothing, just speculation, nothing more.
RE: Iran
Why would any nation state, [u]whose infrastructure has been the subject of attack[/u], not want to protect those assets against actors with nefarious intent? Any rational, objective observation would require you to 'protect' those assets. Whether it is nuclear centrifuges, or electric grids, strategic assets must be protected.
If you [b]cannot trust[/b] that some nation state has used its resources to install back doors in commercially available software, then you must create your own. Critical infrastructure here in the US is being probed all the time, and, in no small part thanks to stupid, clueless `bean counters`, much of it is entrusted to off-the-shelf (OTS) Microsoft products.
From the Iranian POV, they cannot trust that the commercially available AV software doesn't have NSA- and Israeli-sponsored backdoors; just like we (the USA) have every reason to be suspicious of hardware that is made in China. We most certainly [b]do not want[/b] backdoors in equipment used by the military, now would we???? Nor would the Iranians, or any other nation.
Thus, the idea that Iran's decision to 'outlaw' OTS AV products should be regarded as "dumb" or "stupid", or that it fails to recognize the cyber security implications, is mistaken in itself. They may fully realize that they are quite exposed, and are not comfortable with it. No doubt, in the aftermath of the damage inflicted on their facilities, some heads may have rolled. I know that if I were in such a situation, and that sort of s--- happened `under my watch`, I would "get to the bottom of it". Now, on the surface, it looks like they are putting plans in place to prevent, or diminish the potential for, a recurrence of another intrusion. Time for the "home grown" solution, or so we are led to believe.
[i]Just because they have made this statement publicly,[/i] doesn't mean that it is not [u]disinformation[/u]. What is the first rule of being a great magician? [i]Distract your audience, while you pull off the 'trick'.[/i]
Who knows what the Iranians are up to.
[b]Governments LIE, all the time!!!!![/b]
EDIT: typo, damn, do I HATE this keyboard!!!!
Iran or not
Gee, look at it this way: if they start making or creating their own A/V protection, won't that make them a center of attention for other hackers and security people to test it out? Curiosity killed the cat?
re: curiosity killed the cat
Practice & Theory
Just because they ban foreign AV it doesn't mean people won't be using it anyway.
Easy
Iran is only trying to reduce the export currency. That they are desperate to do. It's not like they can defend against the Script Kiddies.
As such things go, this is an easy situation for the NSA or any of its international rivals.
Iran and security software
Questionable content
Well..
They may be using this to control their population but it could seriously backfire on them -- because a dissident in their own country could uncover such vulnerabilities too.
what about supply side security motives?
Spyware