
Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Security firms still using WannaCry to push their wares

Security firms are continuing to use last month's WannaCry ransomware attack to shamelessly plug their wares, with McAfee the latest to do so, warning the Australian Government that cyber crime is becoming more and more sophisticated.

Not taken into account by the company, which is now majority owned by investment firm TPG, is the fact that even blind Freddie knows this.

But in their rush to cash in and use the fear generated by such outbreaks — for which one must proffer thanks to Microsoft — the vendors display a level of cynicism that is breath-taking.

While many security firms, as mentioned, have sought to push their wares, others have been quick to take action to guard their flanks against what they see as moves that could end up burning them.

The best example of this was provided by Dave Aitel, the head of Immunity, a security firm that is not seen much in the news on mainstream tech sites, but nevertheless is one that has a fearsome reputation and rakes in the moolah.

make more money.

Soon after WannaCry had lost its steam, there were calls from some that the way the US government handles vulnerabilities discovered by its agencies — the Vulnerability Equities Process — should be changed.

Microsoft, for example, was quick to blame the NSA for the whole affair, with its president Brad Smith saying, "this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem".

And he added: "This is one reason we called in February for a new 'Digital Geneva Convention' to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them."

Aitel probably smelt danger: his business model is for him and his researchers to provide clients with inside knowledge of vulnerabilities they find and to keep this information from the vendor of the software in question.

There has also been debate about the NSA's retention of vulnerabilities which ultimately were leaked and used to attack businesses and other organisations. This runs contrary to published US government policy.

Hence Aitel found a willing outlet to ventilate his point of view, that there should be no change in the government's policy on exploits found by its agencies.

In an article headlined "Why reforming the Vulnerability Equities Process would be a disaster," Aitel argued that while WannaCry had been turbo-charged by stolen NSA exploits, it was not the worst-case scenario for the Vulnerability Equities Process.

There was one reason for writing the article: if the US mandated that vulnerabilities which could cause major problems should be disclosed by its agencies, then no doubt it would be a short step from that to making it mandatory for private companies to follow the same practice.

Which would, in effect, kill Aitel's business. But he did not provide this perspective to readers.

Instead he used the article to talk about everything else:

"if you enforce sending vulnerabilities which are not public to vendors via a law, we will lose our best people from the NSA, and they will go work for private industry.

"If we cannot protect our second party partner’s technology they will stop giving it to us.

"If we give bought bugs to vendors, they will stop selling them to us. Not just that one exploit vendor. Once the U.S. government has a reputation for operating in this way, word will get out and the entire pipeline will dry up causing massive harm to our operational capability.

"We need that technology because we do need to recover our capability in this space for strategic reasons."

Somehow the picture that came to mind was of a stockbroker in the film The Corporation, talking about how, when he saw the planes crashing into the World Trade Centre towers, his first thought was what stocks he could buy for his clients so that they could make a killing.


Sam Varghese


A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.