By Andrew Paulette
1.) PATCH ACT CALLS FOR VEP REVIEW BOARD (May 18, 2017)
Summary: The U.S. government took the first steps toward codifying the Vulnerabilities Equities Process into law yesterday through the introduction of the Protecting Our Ability to Counter Hacking (PATCH) Act of 2017.
The VEP is the internal process by which the government decides which software vulnerabilities in its possession it will disclose to vendors, and which it will hold on to and exploit for the purposes of intelligence gathering and supporting national security operations.
Why it matters: The idea of this legislation to formalize the Vulnerabilities Equities Process is a good one, and if implemented correctly, can establish a clear understanding of how intelligence agencies weigh and communicate the risks of certain vulnerabilities to the public against the need for these agencies to conduct their respective missions in intelligence gathering.
2.) There’s new evidence tying WCry ransomware worm to prolific hacking group (May 22, 2017)
Summary: Researchers have found more digital fingerprints tying this month’s WCry ransomware worm to the same prolific hacking group that attacked Sony Pictures in 2014 and the Bangladesh Central Bank last year.
Why it matters: With growing evidence that WannaCry was the work of a North Korean cyber actor, the Lazarus Group, the question of how to respond to these attacks becomes much more perplexing. For these actors, there is little to no risk attached to the damage they caused, meaning that even if they only end up making a modest sum from the ransoms, it will be worth it to them. As any chance of extradition for their crimes is practically nonexistent, there is no real way to punish these individuals unless near-conclusive evidence comes forward linking these actions to North Korea directly.
3.) US politicians think companies should be allowed to ‘hack back’ after WannaCry (May 23, 2017)
Summary: US politicians are drafting a bill that – if approved – could allow companies and individuals to “hack back”, allowing victims of a hack to “access without authorization the computer of the attacker… to gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.”
Why it matters: “Hacking back” to gain intelligence on command and control servers can quickly go wrong, and should not be placed in the hands of any organization to execute – the potential to strike a command and control server under the control of an “innocent bystander” is almost certain, and could lead to serious incidents as well as impede the work of law enforcement. Even in the wake of WannaCry, this article’s rebuttals against policy allowing for hacking back ring true.
4.) YAHOO RETIRES IMAGEMAGICK AFTER BUGS LEAK SERVER MEMORY (May 23, 2017)
Summary: Yahoo has exorcised itself of the troublesome ImageMagick image processing software after it learned that vulnerabilities in the outdated version of the open source tool it was running could be exploited to steal secrets from Yahoo servers.
Researcher Chris Evans, formerly of Google, privately disclosed the issue to Yahoo and earned a $14,000 bounty that he donated to charity (Yahoo matched Evans’ donation). Evans reported a new bug and demonstrated how he also used a previously known vulnerability in a separate proof-of-concept attack.
Why it matters: After a serious bug in ImageMagick was found in May 2016 (https://arstechnica.com/security/2016/05/easily-exploited-bug-exposes-huge-number-of-sites-to-code-execution-attacks/), Yahoo’s decision to completely cease using the program in its environment after another vulnerability was discovered was a wise move.