8/14/2015 09:00 AM
Sara Peters
View From The Top: Government’s Role In Cybersecurity

At the DarkReading News Desk, live from Black Hat, industry experts Dan Kaminsky, Richard Bejtlich, Katie Moussouris, Paul Kurtz, and Rod Beckstrom talked about how government is hurting and could be helping infosec.
5 of 6

Katie Moussouris

On the topic of how the proposed updates to the Wassenaar Arrangement -- which limit the export of "intrusion software" -- would inhibit the security professionals who need to protect against zero-day exploits, but fail to inhibit those who create such exploits, Katie Moussouris, chief policy officer of HackerOne, said:

"Hacking Team was such a treasure trove of information. But what is especially interesting in terms of export controls is that they have lawyers, they did consult with their lawyers, they have a means to apply for export licenses in their own country, and there are a number of ways they could legally obtain export licenses for their software or use resellers that reside in other countries.

"So the folks that were targeted, who were making the software that was targeted by this regulation, have multiple means of getting around it, whereas the defense end of things and the folks who are not building this type of software but unfortunately are caught in that language dragnet really are the ones that are suffering, and as a result, defense of the Internet as a whole is suffering."

(See also Moussouris' blog on Dark Reading, "Mad World: The Truth About Bug Bounties," a response to Oracle CSO Mary Ann Davidson's short-lived rant about reverse engineering and vulnerability disclosure.)


Comments

Joe Stanganelli, 8/24/2015 | 4:52:29 PM
Katie Moussouris
I had the pleasure of seeing Katie Moussouris speak on a cybersecurity panel at an event in Boston in November. She is definitely all about reducing restrictions (legal and otherwise) that disincentivize white-hat hackers -- and had a lot to say about how companies can improve their security posture by welcoming security researchers who discover exploits in their software with open arms (citing her former employer, Microsoft, as a great example of this in how the company handled hacking group Last Stage of Delirium's exploitation of the Blaster worm (the company hired them)).