The Malware Industrial Complex 32
holy_calamity writes "MIT Technology Review reports that efforts by U.S. government agencies and defense contractors to develop malware to attack enemies is driving a black market in zero-day vulnerabilities. Experts warn that could make the internet less secure for everyone, since malicious code is typically left behind on targeted systems and often shows up on untargeted ones, providing opportunities for reverse engineering. '"On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices," says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.'"
What is particularly insane... (Score:5, Insightful)
What is especially crazy about promoting a less secure environment for everyone, just so that you can hack your enemies, is that the US is among the more dependent on hackable IT systems...
Sure, neither computers nor good hackers are free; but they are cheap and broadly available enough that more or less any country that isn't starving to death in its own filth(and some that are) can trivially afford some. Even relatively petty gangs can run a profit by fielding a few. Vulnerability, though, is something that you accrue as your society becomes increasingly dependent on electronic communications and finance, SCADA-controlled industrial base, etc.
So, if you reduce security overall, you increase your own vulnerability to every last hellholistani intelligence service, nationalist script kiddie, and slimy pin-skimmer gang, in order to infiltrate the systems of people who probably depend less on computers than you do.
Genius, really.
Re: (Score:2)
Re: (Score:1)
The government just doesn't understand how computers work besides checking their email and watching youtube...
It's like a high speed arms race (Score:5, Interesting)
On one hand, your enemies can use those same vulnerabilities against you.
But on the other hand, since you know about them first, you can get your systems protected from those vulnerabilities. But if the fix is propagated too quickly, then you've just immunized your enemy.
A logical way to fix the vulnerability is to have more sophisticated detection at the border gateways into your private network. Like an intrusion detection and prevention system at the router. That way you don't actually release the fix, at least not too soon, to the whole world. The knowledge of the zero day exploit is only in the code to attach your enemy and in your border defenses. But not in the OSes, not in the browsers and whatever other general purpose software is being exploited.
If your friends, say the power grid people, need protection, you can provide it to them, without disclosing what the vulnerabilities are, by providing them with the same border defenses you use. Eventually, whenever you deem necessary, you can disclose the vulnerabilities to the vendors and let them fix it directly in the affected software.
A side effect of all this is to generally improve the security situation for everyone, eventually. Assuming there are not an infinite number of vulnerabilities, and that after the low hanging fruit is picked, the vulnerabilities get fewer and more difficult to exploit, then everyone's system, including your enemy's has become pretty secure.
If the security situation becomes bad enough, it might forcibly change the way we approach writing software. Just like when type safety was introduced into languages decades ago, our very programming languages may make it harder to have security flaws. Preventing programming errors must have some overlap with preventing security flaws. If your language doesn't allow direct access to pointers, had garbage collection (to prevent double delete, memory leaks, reference after delete), doesn't allow array index out of bounds (preventing lots of problems), you have excluded some types of vulnerabilities that had been common in the past. The language cannot fix all security problems, just some of the most basic ones.
Some work could be done in the language to help the libraries prevent certain classes of attacks. Introduce a new kind of type checking where you have, say, Html-Safe strings and must go through some function to convert Unsafe String into an Html-Safe strings. They are not assignment compatible. Similarly you could have another type of Sql-Safe strings. If the language mechanism were extensible, then you (or your library designer) could introduce other types like JavaScript-Safe strings, or XML-Safe strings, or Postscript-Safe strings, just to make up a few examples. In short you would have to go through well defined functions to convert from an unsafe string. You couldn't pass an Unsafe String to the format string parameter of, say, printf() so you would eliminate accidental format string attacks, just as you would prevent rendering an Unsafe string on an ASP/JSP/PHP or whatever you call it page that has embedded scripts. Widgets in your active pages could not accept unsafe strings from the "controller" objects. The language, api's and libraries would work together to prevent accidental "assignment" of the wrong kind of strings, just as decades ago they prevented assigning integers to strings.
Re: (Score:2)
A logical way to fix the vulnerability is to have more sophisticated detection at the border gateways into your private network.
That sort of functionality has seemed like a no-brainer to me for about a decade. I desperately want something that runs on my home router that monitors all connections, in and out, with both real-time in a user-friendly interface (not just a eyeball destroying table of ip addresses and port numbers but some sort of graphical summary) and generates reports on a hourly/daily/weekly basis. It should also incorporate a nice high-level way to kill off some behaviours - don't make me manually write a bunch of
Re: (Score:3)
Snort and associated tools aren't too bad, and should run on most Linux/BSD-based custom firmwares if the hardware has enough juice. A Cisco ASA with an IDS module is less good, but servicable. You'd need to use ASDM for monitoring unless you want to buy a super expensive monitoring suite.
The main issue is the amount of processing power and RAM required, especially if you're pumping through a lot of traffic. I run pfSense in ESXi on a little HP Microserver as my router. Using default settings with Snort, pu
Re: (Score:2)
But that cost may not matter if the goal is to protect against vulnerabilities that YOU know about, but that you wish to keep secret -- and also possibly have a secret way to offer a box to your friends to protect them too, while maintaining the secrecy of the vulnerability.
Blowback (Score:2)
I think the main effect will be that the free malware market gets hold of the malware products made by your national security organisations and uses them to upgrade all their projects, making your enemies the least of your worries.
Re: (Score:1)
Not sure having more zero day vulnerabilites *known* is a less secure environment.
It'll force everyone to do updates on software/OS/etc.
There will be no more blind 'I didn't know' excuses. Everything will have holes and everything will have to have those holes patched.
a proper superpower (Score:4, Funny)
would just mandate secret backdoors built into the OS/ browser/ plugin by the company that builds the OS/ browser/ plugin
Re: (Score:3)
Re: (Score:3)
Either that, or they could put in a "Copyright, United States Government" in the malware. That would stop those reverse engineering freetards.
Seen first hand (Score:4, Interesting)
Posting A/C and being more vague than I would like... sigh... A certain company I used to work for based their whole product on the ability to install what was essentially a rootkit. My role was to pull data off the network. I didn't have too much problem with that, since if you're porn surfing on company or government networks, or leaking info, you sort of get what you deserve. Say what you will about Bradley Manning, but he had to know what he was getting into. OTOH, they wanted to push me around in various ways I didn't like, and the thought of persuing a career there where my work would be less about legitimate protection of the network, and more about ubiquitous surveillance... it just left a bad taste in my mouth. I thought I might end up working on the rootkit, and the whole idea stuck in my craw, not only because of the increasing fascist tone of the US approach; but because of the inherently fucked up approach to security. I mean, if we can do this to their computers, they can do it to ours.... the whole thing, just more and more sour. My career has yet to recover, because I was pretty much groomed to be a military-industrial coder at that point, and wanted nothing to do with it. It's pretty much impossible to transfer over to the happy-bouncy-fun world of phone apps in your 40s, and all of that stuff is morphing into surveillance anyway. One of these days I might just unplug all the computers and chuck 'em.
Re: (Score:3)
Hey, man, good on you for having some fucking scruples.
Too rare among government employees these days, and the fact that your having decent morals caused you to lose your quite lucrative career is a sad sign of how royally fucked up the government 'Of the People, By the People, and For the People' has become.
he has neither scruples nor decent morals (Score:2)
He is failing to serve his country. He'd rather let all the success go to lovely bastions of freedom and rightousness like China, Russia, North Korea, and Iran.
Re: (Score:1)
Yeah... as we've pushed increasingly towards centralization of the whole communications infrastructure, we've also encouraged the "surveillance state" for computing. I'm more a sysadmin than a software coder, but also in my 40's now, and definitely feel the "souring" at every turn. Back when I poured most of my waking hours into running and building the best local bulletin board system I could come up with, I think most of us felt nothing but excitement for the future of connected computing. Computers (plus
Re: (Score:2)
Not necessarily true. Some people actually like it.
conflict of interest: obDilbert (Score:2)
One of my favorite Dilbert cartoons ever treated this situation (20 years ago):
http://dilbert.com/strips/comic/1995-11-13/ [dilbert.com]
This will be a nice new revenue stream for software developers.
After the Gold Rush (Score:1)
This is a classic Gold Rush scenario. There's only a fixed number of zero days, and the gold rush to find them is in full swing.
More eyes find more bugs; this is going to eliminate them quicker. This is a good thing in the long run.
Re: (Score:2)
Fixed number!? Only if the software is never updated.
Re: (Score:2)
*example: like the cost of colonizing Mars today. It's not impossible, it's just too costly.
Re: (Score:2)
There seems to be a fresh supply of "low-hanging fruit" in the JRE with every update...IE, Flash and Adobe Reader have all been bountiful as well.
Re: (Score:2)
Creating an economy (Score:2)
Doing this they are promoting the creation of entire industries based on finding, and "renting" zero day vulnerabilities. Once you knew it, until it get fixed, you could eventually take more advantages from it, just maybe not in a public way. Its the way the corporate world works after all, in the end what matter is maximizing benefits. If somehow that finding gets filtered to people that uses it against US companies and individuals, would be an "uh, we got hacked", and shut up about the increase in your ba