
2/19/2015
10:30 AM

Our Governments Are Making Us More Vulnerable

Stuxnet opened Pandora's box and today state-sponsored cyber security policies continue to put us at risk. Here are three reasons why.

I’m generally not a “the government is out to get me” kind of guy, and I suspect that in most democracies, government officials actually want to help their country and their citizens. That said, I think many of the decisions governments are making about information security (otherwise known as “cyber”) are making their citizens—and ultimately themselves—much more vulnerable.

It’s clear that “cyber” security has finally hit the global front stage, and has become a top issue for governments around the world. From the Estonian DDoS attacks, to Stuxnet and Regin, and now (allegedly) the Sony Pictures breach, we’ve seen nation states launching offensive network attacks. Governments are investing heavily in “red teams”—groups whose job is to carry out computer and network attacks. Recently, President Obama even declared he wants to ramp up the U.S.’s cyber security arsenal with a budget increase to $14 billion a year.

I’m not naïve. I recognize that in some situations nation-states may need to carry out espionage, or—in the worst case—use force (physical or digital) to protect their countries. However, I also believe that some of the steps governments have taken under the guise of improving their cyber arsenal will do more harm than good in the long run. Frankly, Stuxnet opened Pandora’s box, and in many cases the ends don’t justify the means with these network attacks.


Let me be more specific. Here are three ways our governments are making us less secure:

Government malware accelerates the evolution of criminal malware.
Though some have recently argued that criminal malware is more advanced than some suspect, Stuxnet—a state-sponsored threat—was vastly superior to any previously seen malware. Stuxnet leveraged multiple zero days to spread, exploited sophisticated evasion techniques to hide, and even used stolen digital certificates to make the installation process smooth and interaction-free. Once Stuxnet leaked to the security community, researchers decompiled it and shared their results. While such research is necessary for defense, it also tipped off criminals to all Stuxnet’s neat tricks. Criminals are nothing if not opportunistic. Shortly after Stuxnet got dissected, criminal bot herders started copying its sophisticated techniques and exploits in malware like Zeus.

This has happened and will continue to happen. If criminals see a neat new trick that makes nation-state malware more effective, they will copy it and use it in their private attacks. For instance, I expect more malware to start using tricky staged loading processes to get past host-based antivirus (AV), as seen in suspected nation-state threats like Regin. In short, when the sophisticated techniques used by nation-state malware go public, it accelerates the evolution of criminal malware, making it more advanced, and harder to defend against for the average target. Private businesses—small and large—are getting hit with much more targeted and advanced attacks than ever before.

Governments have fortified zero day vulnerability black markets.
I personally appreciate vulnerability researchers—especially ones that disclose responsibly (even if they share exploit code). However, I am sickened by the new zero day vulnerability market that has cropped up lately. I don’t mind the organizations that buy zero day exploits and disclose them to the software vendors to fix. However, there is a more shady market that auctions zero days to the highest bidder, with no plans to disclose the flaws to anyone else. After all, if the buyer wants to weaponize these vulnerabilities, it’s not to their advantage to fix them.

Unfortunately, governments are one of the primary customers supporting these zero day vulnerability markets. This means the flaw, which is typically in commercial software everyone uses, does not get fixed, making us ALL more vulnerable. I don’t understand why governments don’t think that other attackers might find that same flaw themselves, and use it too. If a government buys a zero day and doesn’t disclose it, not only do they make their own citizens less secure, but they are likely also putting their own resources at risk somewhere as well. Rather than hoarding zero days, shouldn’t governments help fix them?

Governments try to restrict/backdoor/break encryption.
Everyone in a free society has the right to encryption to protect their privacy. Even if you never do anything wrong, you have a right to keep some things secret like your passwords or banking communications. Yet, governments—even so-called democratic and free ones—are trying to limit or weaken encryption. Recently, the director of the FBI has argued that Apple and Google need to leave holes in smartphone encryption for law enforcement. The British Prime Minister wants to decrypt IMs and other Internet communication.

This is ludicrous. I realize that bad guys may also use encryption to communicate, but that doesn’t mean law enforcement should have enough access to blanket surveillance. Furthermore, if you put backdoors or weaknesses in everyone’s encryption, others will find them. It’s only a matter of time. Weakening private encryption in tools everyone uses does more to expose a government’s citizens than it does to help them find criminals.

As much as I don’t like some of the governments’ current “cyber” policies, I don’t think they have nefarious goals in mind, and I think that we can help them fix this problem. So what should you do? Get involved!

If you’re reading this, chances are you’re an information security professional. You’re the expert governments rely on and listen to when considering network and computer security issues. Share your thoughts with your congressperson. Join InfraGard and have your voice heard. Write about these issues and speak out publicly. Personally, I believe governments should focus much more on defending themselves and their citizens from “cyber” attack than they do on offensive campaigns. If they plug all our holes, they leave nothing for enemies to attack. If you believe the same, let them know.

Finally, my last tip is to up your defenses. Our governments’ current “cyber” policies have put us at risk, and increased the sophistication of today’s attacks. If you haven’t updated your defenses lately, by adopting new solutions such as advanced threat protection, now’s the time to do so. Governments certainly aren’t doing it for you.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...
Comments
GonzSTL,
User Rank: Ninja
2/23/2015 | 11:06:20 AM
Re: presumption of privilege
" ... it's up to all of us as individuals & citizens to make sure that our private and public leaders are up to the task -- and held to the fire when they are not ..."

In my opinion, the entire problem is laid bare in that statement. The biggest issue is that those so-called leaders are not really up to the task. Elected officials tend to grant important positions to political allies, or to those with whom they have had long associations. Very little consideration is given to the person's ability to actually perform the task given to them. In a political environment, politics rule decision making processes and that, in and of itself, almost rules out selection of the best qualified individual. In many instances, those leaders aspire to expand their empire and sphere of influence much more than to actually perform their assigned tasks. As far as the "held to the fire" part, that is usually an even worse scenario. I'm reminded of the old saying "if a person screws up, promote them". Political environments tend to glaze over mistakes with regularity, and with little consequence. We need only look at the various scandals and security issues in the federal government for examples, and it gets even worse as you start looking at state and local levels where those events get very little press. I hate to sound so cynical about this whole thing; I would love to hear what other people think about this.
Marilyn Cohodas,
User Rank: Strategist
2/23/2015 | 10:12:00 AM
Re: presumption of privilege
..necessary to place all government under the rule of law and to enforce same by means of education, freedom of the press, and the jury box and the ballot box.
@macker490, this covers our Constitutional checks and balances, but it's up to all of us as individuals & citizens to make sure that our private and public leaders are up to the task -- and held to the fire when they are not.
macker490,
User Rank: Ninja
2/23/2015 | 8:57:18 AM
presumption of privilege
people in government acquire the belief that they are responsible for regulating the behavior of the people in their jurisdiction. from this they arrogate to themselves a presumption of privilege -- to do whatever is necessary to carry out their obligation

these run the gamut from the blundering bloke to the conspiring crook, and the occasional superlative leader. given the risks involved in government then it is necessary to place all government under the rule of law and to enforce same by means of education, freedom of the press, and the jury box and the ballot box.
Dr.T,
User Rank: Ninja
2/22/2015 | 10:23:26 AM
Re: Insecurity always
I agree. The only ways governments can justify surveillance on their citizens are around "bad guys will get you otherwise".
Dr.T,
User Rank: Ninja
2/22/2015 | 10:21:13 AM
Re: Insecurity always
Not only that but also holes in hard disk firmware. What would be worse, we all use those hard disks, we are all vulnerable basically.
Dr.T,
User Rank: Ninja
2/22/2015 | 10:18:31 AM
Re: Insecurity always
I agree, Thomas. It is part of "being in control" instead of "being secure". They do not get the ultimate goal right at this point.
Dr.T,
User Rank: Ninja
2/22/2015 | 10:15:31 AM
Backdoors
As we all know very well, any backdoor for government is a potential opportunity for hackers. Governments should be enforcing rules and regulations in ways that systems are designed in secure manners, not with backdoors.
pporter531,
User Rank: Apprentice
2/21/2015 | 9:25:34 PM
2 additional ways our government (USA) is making us more vulnerable
1. Creating websites like Healthcare.gov

2. Not properly securing citizens' PII at the IRS
CNACHREINER981,
User Rank: Author
2/20/2015 | 6:21:39 PM
Re: Insecurity always
I gotta tell ya, Thursday's news of NSA and GCHQ stealing SIM keys from a private company, giving them the power for blanket surveillance, just adds wood to the fire of this article.
CNACHREINER981,
User Rank: Author
2/20/2015 | 6:20:08 PM
Re: Insecurity always
Yes. As much as I think Infosec is an important topic, and I want governments to consider it... I feel like they might be using it like "weapons of mass destruction" to get more money and relevance.