Paranoid Technology All things cybersecurity


Wanna Cry?!!! We do…

The cyber-attack that happened earlier this week reminded us of the questions posed in our March post – Initial Thoughts on Wikileaks Vault 7 Leak Series:

This wikileak points to increasing erosion of public safety - despite having these tools at hand, world governments (US, UK, Germany) continue to push for encryption back doors. Equation Group’s leak (NSA) late 2016 and this latest CIA leak once again prove all organizations have their OpSec issues - the three letter agencies are themselves at risk; backdoors, once discovered, work just as well for foreign spies, cyber-criminals and script kiddies.  Who is protecting the innocent? “

Apparently no one… Is the NSA going to step up and accept responsibility? Maybe if hell freezes over – “Cannot either deny or confirm the existence of these weapons…” Well, everybody else did – who cares if you do or don’t?!!

Interestingly, even Chinese state media called for the NSA to take some responsibility, how ironic… Like they should be talking…

We think there are a number of lessons to be learned from this week’s cyber-attacks:

For governments:

  1. Operational security is as major a concern for the 3 letter agencies as it is for the rest of us
  2. Cyber weapons should have accountability associated with them – they should be inventoried and accounted for – super secret or not so secret…
  3. Governments should work with software and hardware vendors instead of hoarding 0-day exploits; things are now fairly static compared to when we get to the full IoT era – there will be tangible impacts on human life.
  4. Backdoors are backdoors – there cannot be a special backdoor for the government, it works just as well for the other nation states and cyber criminals.

For the rest of us:

  1. For F… sake – stop clicking on links in phishing e-mails…. According to Verizon DBIR - “in a typical company (with 30 or more employees), about 15% of all unique users who fell victim once, also took the bait a second time. 3% of all unique users clicked more than twice, and finally less than 1% clicked more than three times.”
  2. Get a Firewall - just because you can buy a server doesn’t mean you should be exposing it on the Internet; be smart about it – if you do not know what to do, get professional help. It is a sad finding, but a quick search in io shows that 859,435 hosts that have SMB exposed.

There may be more variants of this attack, and regardless of whether it happens a mindset change is needed on the government side and in the private sector – there is accountability for gun ownership, if you hurt someone with your gun the law comes after you.

If cyber weapons are really weapons, there should be similar legislation that holds people and agencies accountable… You should not be able to lose weapons and have someone hurt as a result and not accept responsibility…  Military regulation should be applied to cyber weapons. Otherwise this sets a bad precedent and fuels a Wild West environment of cyber weapons proliferation; not due to  the governments, but to cyber criminals that take advantage of operational security issues of government agencies.

In our opinion cyber weapons proliferation will not be regulated, but disclosure of vulnerabilities to hardware and software vendors can be required within national boundaries.

A government’s business should be protecting its citizens not hoarding and exploiting backdoors to hack them….

Comments (0) Trackbacks (0)

Sorry, the comment form is closed at this time.

Trackbacks are disabled.