Home Open Sauce Security firms still using WannaCry to push their wares

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

Have your say and comment below.

Security firms are continuing to use last month's WannaCry ransomware attack to shamelessly plug their wares, with McAfee the latest to do so, warning the Australian Government that cyber crime is becoming more and more sophisticated.

Not taken into account by the company, which is now majority owned by investment firm TPG, is the fact that even blind Freddie knows this.

But in their rush to cash in and use the fear generated by such outbreaks — for which one must proffer thanks to Microsoft — the vendors display a level of cynicism that is breath-taking.

While many security firms, as mentioned, have sought to push their wares, others have been quick to take action to guard their flanks against what they see as moves that could end up burning them.

The best example of this was provided by Dave Aitel, the head of Immunity, a security firm that is not seen much in the news on mainstream tech sites, but nevertheless is one that has a fearsome reputation and rakes in the moolah.

make more money.

Soon after WannaCry had lost its steam, there were calls from some that the way the US government handles vulnerabilities discovered by its agencies — the Vulnerability Equities Process — should be changed.

Microsoft, for example, was quick to blame the NSA for the whole affair, with its president Brad Smith saying, "this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem".

And he added: "This is one reason we called in February for a new 'Digital Geneva Convention' to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them."

Aitel probably smelt danger: his business model is for him and his researchers to provide clients with inside knowledge of vulnerabilities they find and to keep this information from the vendor of the software in question.

There has also been debate about the NSA's retention of vulnerabilities which ultimately were leaked and used to attack businesses and other organisations. This runs contrary to published US government policy.

Hence Aitel found a willing outlet to ventilate his point of view, that there should be no change in the government's policy on exploits found by its agencies.

In an article headlined, "Why reforming the Vulnerability Equities Process would be a disaster," Aitel argued that while WannaCry had been turbo-charged by stolen NSA exploits, it was not the worst case scenario for the Vulnerability Equities Process.

There was one reason for writing the article: if the US mandated that vulnerabilities which could cause major problems should be disclosed by its agencies, then no doubt it would be a short step from that to making it mandatory for private companies to follow the same practice.

Which would, in effect, kill Aitel's business. But he did not provide this perspective to readers.

Instead he used the article to talk about everything else:

"if you enforce sending vulnerabilities which are not public to vendors via a law, we will lose our best people from the NSA, and they will go work for private industry.

"If we cannot protect our second party partner’s technology they will stop giving it to us.

"If we give bought bugs to vendors, they will stop selling them to us. Not just that one exploit vendor. Once the U.S. government has a reputation for operating in this way, word will get out and the entire pipeline will dry up causing massive harm to our operational capability.

"We need that technology because we do need to recover our capability in this space for strategic reasons."

Somehow the picture that came to mind was of a stockbroker in the film The Corporation, talking about how, when he saw the planes crashing into the World Trade Centre towers, his first thought was what stocks he could buy for his clients so that they could make a killing.


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



Ransomware attacks on businesses and institutions are now the most common type of malware breach, accounting for 39% of all IT security incidents, and they are still growing.

Criminal ransomware revenues are projected to reach $11.5B by 2019.

With a few simple policies and procedures, plus some cutting-edge endpoint countermeasures, you can effectively protect your business from the ransomware menace.


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


Popular News




Sponsored News