2/19/2015 10:30 AM
Our Governments Are Making Us More Vulnerable

Stuxnet opened Pandora's box and today state-sponsored cyber security policies continue to put us at risk. Here are three reasons why.

I’m generally not a “the government is out to get me” kind of guy, and I suspect that in most democracies, government officials actually want to help their country and their citizens. That said, I think many of the decisions governments are making about information security (otherwise known as “cyber”) are making their citizens—and ultimately themselves—much more vulnerable.

It’s clear that “cyber” security has finally hit the global front stage and has become a top issue for governments around the world. From the Estonian DDoS attacks, to Stuxnet and Regin, and now (allegedly) the Sony Pictures breach, we’ve seen nation states launching offensive network attacks. Governments are investing heavily in “red teams”—groups whose job is to carry out computer and network attacks. Recently, President Obama even declared he wants to ramp up the U.S.’s cyber security arsenal with a budget increase to $14 billion a year.

I’m not naïve. I recognize that in some situations nation-states may need to carry out espionage, or—in the worst case—use force (physical or digital) to protect their countries. However, I also believe that some of the steps governments have taken under the guise of improving their cyber arsenal will do more harm than good in the long run. Frankly, Stuxnet opened Pandora’s box, and in many cases the ends don’t justify the means with these network attacks.


Let me be more specific. Here are three ways our governments are making us less secure:

Government malware accelerates the evolution of criminal malware.
Though some have recently argued that criminal malware is more advanced than some suspect, Stuxnet—a state-sponsored threat—was vastly superior to any previously seen malware. Stuxnet leveraged multiple zero days to spread, exploited sophisticated evasion techniques to hide, and even used stolen digital certificates to make the installation process smooth and interaction-free. Once Stuxnet leaked to the security community, researchers decompiled it and shared their results. While such research is necessary for defense, it also tipped off criminals to all of Stuxnet’s neat tricks. Criminals are nothing if not opportunistic. Shortly after Stuxnet got dissected, criminal bot herders started copying its sophisticated techniques and exploits in malware like Zeus.

This has happened and will continue to happen. If criminals see a neat new trick that makes nation-state malware more effective, they will copy it and use it in their private attacks. For instance, I expect more malware to start using tricky staged loading processes to get past host-based antivirus (AV), as seen in suspected nation-state threats like Regin. In short, when the sophisticated techniques used by nation-state malware go public, it accelerates the evolution of criminal malware, making it more advanced and harder to defend against for the average target. Private businesses—small and large—are getting hit with much more targeted and advanced attacks than ever before.

Governments have fortified zero day vulnerability black markets.
I personally appreciate vulnerability researchers—especially ones that disclose responsibly (even if they share exploit code). However, I am sickened by the new zero day vulnerability market that has cropped up lately. I don’t mind the organizations that buy zero day exploits and disclose them to the software vendors to fix. However, there is a shadier market that auctions zero days to the highest bidder, with no plans to disclose the flaws to anyone else. After all, if the buyer wants to weaponize these vulnerabilities, it’s not to their advantage to fix them.

Unfortunately, governments are one of the primary customers supporting these zero day vulnerability markets. This means the flaw, which is typically in commercial software everyone uses, does not get fixed, making us ALL more vulnerable. I don’t understand why governments assume that other attackers won’t find that same flaw themselves and use it too. If a government buys a zero day and doesn’t disclose it, not only does it make its own citizens less secure, but it is likely also putting its own resources at risk somewhere as well. Rather than hoarding zero days, shouldn’t governments help fix them?

Governments try to restrict/backdoor/break encryption.
Everyone in a free society has the right to encryption to protect their privacy. Even if you never do anything wrong, you have a right to keep some things secret like your passwords or banking communications. Yet, governments—even so-called democratic and free ones—are trying to limit or weaken encryption. Recently, the director of the FBI has argued that Apple and Google need to leave holes in smartphone encryption for law enforcement. The British Prime Minister wants to decrypt IMs and other Internet communication.

This is ludicrous. I realize that bad guys may also use encryption to communicate, but that doesn’t mean law enforcement should have enough access for blanket surveillance. Furthermore, if you put backdoors or weaknesses in everyone’s encryption, others will find them. It’s only a matter of time. Weakening private encryption in tools everyone uses does more to expose a government’s citizens than it does to help them find criminals.

As much as I don’t like some of the governments’ current “cyber” policies, I don’t think they have nefarious goals in mind, and I think that we can help them fix this problem. So what should you do? Get involved!

If you’re reading this, chances are you’re an information security professional. You’re the expert governments rely on and listen to when considering network and computer security issues. Share your thoughts with your congressperson. Join InfraGard and have your voice heard. Write about these issues and speak out publicly. Personally, I believe governments should focus much more on defending themselves and their citizens from “cyber” attack than they do on offensive campaigns. If they plug all our holes, they leave nothing for enemies to attack. If you believe the same, let them know.

Finally, my last tip is to step up your defenses. Our governments’ current “cyber” policies have put us at risk and increased the sophistication of today’s attacks. If you haven’t updated your defenses lately, by adopting new solutions such as advanced threat protection, now’s the time to do so. Governments certainly aren’t doing it for you.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

Comments
GonzSTL (User Rank: Ninja), 2/23/2015 | 11:06:20 AM
Re: presumption of privilege
" ... it's up to all of us as individuals & citizens to make sure that our private and public leaders are up to the task -- and held to the fire when they are not ..."

In my opinion, the entire problem is laid bare in that statement. The biggest issue is that those so-called leaders are not really up to the task. Elected officials tend to grant important positions to political allies, or to those with whom they have had long associations. Very little consideration is given to the person's ability to actually perform the task given to them. In a political environment, politics rule decision making processes and that, in and of itself, almost rules out selection of the best qualified individual. In many instances, those leaders aspire to expand their empire and sphere of influence much more than to actually perform their assigned tasks. As far as the "held to the fire" part, that is usually an even worse scenario. I'm reminded of the old saying "if a person screws up, promote them". Political environments tend to glaze over mistakes with regularity, and with little consequence. We need only look at the various scandals and security issues in the federal government for examples, and it gets even worse as you start looking at state and local levels where those events get very little press. I hate to sound so cynical about this whole thing; I would love to hear what other people think about this.
Marilyn Cohodas (User Rank: Strategist), 2/23/2015 | 10:12:00 AM
Re: presumption of privilege
"...necessary to place all government under the rule of law and to enforce same by means of education, freedom of the press, and the jury box and the ballot box."

@macker490, this covers our Constitutional checks and balances, but it's up to all of us as individuals & citizens to make sure that our private and public leaders are up to the task -- and held to the fire when they are not.
macker490 (User Rank: Ninja), 2/23/2015 | 8:57:18 AM
presumption of privilege
People in government acquire the belief that they are responsible for regulating the behavior of the people in their jurisdiction. From this they arrogate to themselves a presumption of privilege -- to do whatever is necessary to carry out their obligation.

These run the gamut from the blundering bloke to the conspiring crook, and the occasional superlative leader. Given the risks involved in government, then, it is necessary to place all government under the rule of law and to enforce same by means of education, freedom of the press, and the jury box and the ballot box.
Dr.T (User Rank: Ninja), 2/22/2015 | 10:23:26 AM
Re: Insecurity always
I agree. The only ways governments can justify surveillance on their citizens are around "bad guys will get you otherwise".
Dr.T (User Rank: Ninja), 2/22/2015 | 10:21:13 AM
Re: Insecurity always
Not only that, but also holes in hard disk firmware. What would be worse: we all use those hard disks, so we are all vulnerable, basically.
Dr.T (User Rank: Ninja), 2/22/2015 | 10:18:31 AM
Re: Insecurity always
I agree, Thomas. It is part of "being in control" instead of "being secure". They do not get the ultimate goal right at this point.
Dr.T (User Rank: Ninja), 2/22/2015 | 10:15:31 AM
Backdoors
As we all know very well, any backdoor for government is a potential opportunity for hackers. Governments should be enforcing rules and regulations in ways that ensure systems are designed in secure manners, not with backdoors.
pporter531 (User Rank: Apprentice), 2/21/2015 | 9:25:34 PM
2 additional ways our government (USA) is making us more vulnerable
1. Creating websites like Healthcare.gov

2. Not properly securing citizens' PII at the IRS
CNACHREINER981 (User Rank: Author), 2/20/2015 | 6:21:39 PM
Re: Insecurity always
I gotta tell ya, Thursday's news of NSA and GCHQ stealing SIM keys from a private company, giving them the power for blanket surveillance, just adds wood to the fire of this article.
CNACHREINER981 (User Rank: Author), 2/20/2015 | 6:20:08 PM
Re: Insecurity always
Yes. As much as I think Infosec is an important topic, and I want governments to consider it... I feel like they might be using it like "weapons of mass destruction" to get more money and relevance.