Tag Archives: Zero Days

Bill Aims to Remove Fox From Hen House Guard Duty

The NSA has two roles in life – OFFENSIVE cyber and DEFENSIVE cyber.  The NSA spends, according to some estimates, 90% of its cyber budget on offensive cyber.

NSA, in its alter ego Cyber Command, is charged with defensive cyber.

What this means is that when NSA finds a bug like the one exploited in WannaCry, it has to decide whether to disclose it to the vendor (furthering its defensive mission, but giving up the ability to use it offensively) or to keep it secret and continue to use it.

The only problem is what happens if someone else discovers the bug and uses it against American companies. That is the conundrum.

Under President Obama the intelligence community was supposed to use something called the vulnerabilities equities process to decide whether to disclose or keep secret any vulnerabilities that they find.  That process was voluntary.  After WannaCry, Congress is kind of wondering whether the process is working at all.

The bill, called the PATCH (Protecting our Ability To Counter Hacking) Act, is designed to take the control of the decision making process away from the NSA exclusively and create a review board including the FBI, Homeland Security, CIA, Director of National Intelligence, Commerce and NSA.  State, Treasury, Energy and the FTC would be involved when needed.  Homeland Security will chair the board.

That does not mean that the spies are going to reveal every bug they find, but it may mean that the review process will be more balanced.

Since this bill was just introduced, it has a long way to go before it may become a law.

Information for this post came from The Register.

Microsoft Battles Google – Can You Believe It?

OK, that subject, while true, was really just to catch your attention.

Here is the rest of the story (and sorry, this is a bit of a rant).

Google has a team that researches security vulnerabilities in all kinds of software.  The team, founded in 2014, is called Project Zero. While I am sure it finds bugs in Google’s own software (it does!), it seems to frequently find bugs in competitors’ software.  That usually includes Microsoft and Adobe, among others.

Google has a database of the vulnerabilities that it finds and it has a very strict protocol for disclosing these vulnerabilities.

Part of what Google wants to have happen is for the industry to fix vulnerabilities quickly.  To be honest, the industry as a whole has a horrible track record for fixing bugs quickly.

Part of the “battle” if you will, is that companies like Microsoft have software that they have to create, test on hundreds of different configurations, package and distribute and users have to download, test and install – think Windows, Office, Adobe Flash and others.  Google, on the other hand, is almost exclusively web based.

Web based offerings are inherently easier to patch.  Google controls every single server that their software runs on.  They know what the hardware looks like and if the software does not work on a particular brand or model of hardware they don’t use it.  In fact, Google BUILDS their own servers.  Companies like Microsoft can only dream about that.

Microsoft USED to release patches at random.  It drove system administrators crazy.  As a result, they now only release patches once a month and it usually takes them two or three months to get a fix through that release cycle.

Needless to say – and this is part of Google’s point – the hackers don’t have to follow that model.  As a result, the hackers win most of the time.

So what are Google and Microsoft battling about this week?

Google disclosed a flaw that it found October 21st (that is about 10 days ago) in Windows.  On that same day, Google also found a bug in Adobe Flash.  Adobe has fixed their bug.  Microsoft has not.

Google would normally give Microsoft at least 60 days to fix the bug (and sometimes adds extensions) before announcing the bug to the world, but in this case, Google says, the bug is ACTIVELY being exploited in the wild.  So Google had two choices – be quiet for three months while people’s systems were being attacked and allow Microsoft to work through its process or, alternatively, warn people and let Microsoft be a tad bit displeased with them.

The bug is a privilege escalation vulnerability that allows an attacker to escape the Windows sandbox and do things that they should not be able to do.

Microsoft COULD have told people that there was a problem and provided them with workarounds or possibly a temporary fix, but they chose not to.  They did say, now, that users should upgrade to Windows 10 and use the Edge browser.  That doesn’t help the tens of millions of users of Windows 7 and Windows 8.

Instead Microsoft said that Google’s disclosure of hackers attacking Microsoft customers’ systems in the real world was irresponsible.  What would have been responsible, Microsoft says, is to keep people in the dark while attackers compromise their systems.  Somehow I have a problem with Microsoft’s reasoning.

Microsoft said that they are the ONLY platform committed to investigating security issues and providing updates as soon as possible.  While those of you who read this column know that I am not much of an Adobe Flash fan, I do give them a LOT of credit for sometimes releasing fixes the day after a bug is found when hackers are exploiting it, so I think Microsoft’s claim is a bit self-serving.

The bottom line here is that the industry – and it doesn’t matter whether we are talking Windows, Mac, Linux, Android, iPhone, Web, whatever – needs to be more aggressive at identifying and fixing bugs.  Not just the kind of bugs that we usually think of, but also issues like the attack on Dyn last week that took out Twitter and hundreds of other sites.

Attackers don’t care about collateral damage and they don’t care about following the rules.  WE as an industry need to get more effective about fixing problems.

At least that is the way that I see it.

Information for this post came from CSO Online.

Google’s Project Zero has its own Wikipedia page, found here.