
2/19/2015
10:30 AM

Our Governments Are Making Us More Vulnerable

Stuxnet opened Pandora's box and today state-sponsored cyber security policies continue to put us at risk. Here are three reasons why.

I’m generally not a “the government is out to get me” kind of guy, and I suspect that in most democracies, government officials actually want to help their country and their citizens. That said, I think many of the decisions governments are making about information security (otherwise known as “cyber”) are making their citizens—and ultimately themselves—much more vulnerable.

It’s clear that “cyber” security has finally hit the global front stage, and has become a top issue for governments around the world. From the Estonian DDoS attacks, to Stuxnet and Regin, and now (allegedly) the Sony Pictures breach, we’ve seen nation states launching offensive network attacks. Governments are investing heavily in “red teams”—groups whose job is to carry out computer and network attacks. Recently, President Obama even declared he wants to ramp up the U.S.’s cyber security arsenal with a budget increase to $14 billion a year.

I’m not naïve. I recognize that in some situations nation-states may need to carry out espionage, or—in the worst case—use force (physical or digital) to protect their countries. However, I also believe that some of the steps governments have taken under the guise of improving their cyber arsenal will do more harm than good in the long run. Frankly, Stuxnet opened Pandora’s box, and in many cases the ends don’t justify the means with these network attacks.


Let me be more specific. Here are three ways our governments are making us less secure:

Government malware accelerates the evolution of criminal malware.
Though some have recently argued that criminal malware is more advanced than some suspect, Stuxnet—a state-sponsored threat—was vastly superior to any previously seen malware. Stuxnet leveraged multiple zero days to spread, exploited sophisticated evasion techniques to hide, and even used stolen digital certificates to make the installation process smooth and interaction-free. Once Stuxnet leaked to the security community, researchers decompiled it and shared their results. While such research is necessary for defense, it also tipped off criminals to all Stuxnet’s neat tricks. Criminals are nothing if not opportunistic. Shortly after Stuxnet got dissected, criminal bot herders started copying its sophisticated techniques and exploits in malware like Zeus.

This has happened and will continue to happen. If criminals see a neat new trick that makes nation-state malware more effective, they will copy it and use it in their private attacks. For instance, I expect more malware to start using tricky staged loading processes to get past host-based antivirus (AV), as seen in suspected nation-state threats like Regin. In short, when the sophisticated techniques used by nation-state malware go public, it accelerates the evolution of criminal malware, making it more advanced, and harder to defend against for the average target. Private businesses—small and large—are getting hit with much more targeted and advanced attacks than ever before.

Governments have fortified zero day vulnerability black markets.
I personally appreciate vulnerability researchers—especially ones that disclose responsibly (even if they share exploit code). However, I am sickened by the new zero day vulnerability market that has cropped up lately. I don’t mind the organizations that buy zero day exploits, and disclose them to the software vendors to fix. However, there is a more shady market that auctions zero day to the highest bidder, with no plans to disclose the flaws to anyone else. After all, if the buyer wants to weaponize these vulnerabilities, it’s not to their advantage to fix them.

Unfortunately, governments are one of the primary customers supporting these zero day vulnerability markets. This means the flaw, which is typically in commercial software everyone uses, does not get fixed, making us ALL more vulnerable. I don’t understand why governments don’t think that other attackers might find that same flaw themselves, and use it too. If a government buys zero day and doesn’t disclose it, not only do they make their own citizens less secure, but they are likely also putting their own resources at risk somewhere as well. Rather than hoarding zero day, shouldn’t governments help fix them?

Governments try to restrict/backdoor/break encryption.
Everyone in a free society has the right to encryption to protect their privacy. Even if you never do anything wrong, you have a right to keep some things secret like your passwords or banking communications. Yet, governments—even so-called democratic and free ones—are trying to limit or weaken encryption. Recently, the director of the FBI has argued that Apple and Google need to leave holes in smartphone encryption for law enforcement. The British Prime Minister wants to decrypt IMs and other Internet communication.

This is ludicrous. I realize that bad guys may also use encryption to communicate, but that doesn’t mean law enforcement should have enough access to blanket surveillance. Furthermore, if you put backdoors or weaknesses in everyone’s encryption, others will find them. It’s only a matter of time. Weakening private encryption in tools everyone uses does more to expose a government’s citizens than it does to help them find criminals.

As much as I don’t like some of the governments’ current “cyber” policies, I don’t think they have nefarious goals in mind, and I think that we can help them fix this problem. So what should you do? Get involved!

If you’re reading this, chances are you’re an information security professional. You’re the expert governments rely on and listen to when considering network and computer security issues. Share your thoughts with your congressperson. Join InfraGard and have your voice heard. Write about these issues and speak out publicly. Personally, I believe governments should focus much more on defending themselves and their citizens from “cyber” attack than they do on offensive campaigns. If they plug all our holes, they leave nothing for enemies to attack. If you believe the same, let them know.

Finally, my last tip is to up your defenses. Our governments’ current “cyber” policies have put us at risk, and increased the sophistication of today’s attacks. If you haven’t updated your defenses lately, by adopting new solutions such as advanced threat protection, now’s the time to do so. Governments certainly aren’t doing it for you.

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...
 

Comments
Thomas Claburn,
User Rank: Ninja
2/19/2015 | 6:13:23 PM
Insecurity always
Governments are never more appreciated than at times of insecurity. Hence insecurity is a permanent state. It would have to be invented if it weren't so easy to come by.