The NSA knows its weapons may one day be used by its targets

U.S. military commanders say that when Cyber Command and the National Security Agency use a capability against targets abroad, they understand it might eventually be used by an adversary. The risk of having the NSA’s tools leaked has been an issue inside the agency for years now — former NSA contractor Edward Snowden brought the issue into the public domain when he revealed a trove of NSA programs in 2013 — but the risk of having adversaries detect, obtain or reverse engineer NSA-used tools has become especially salient in the last week. Researchers from cybersecurity firm Symantec revealed last week that a Chinese-linked hacking group had repurposed tools linked with the NSA as early as March of 2016 and used them to attack various targets around the world. Although Cyber Command’s Director of Capabilities and Resource Integration, Maj. Gen. Karl Gingrich, did not directly address this report, when asked how Cyber Command protects […]

The post The NSA knows its weapons may one day be used by its targets appeared first on CyberScoop.


Senators question vulnerability disclosure process after Spectre and Meltdown stumbles

Shortcomings in the industry-led process for disclosing software and hardware bugs could rear their heads again, U.S. senators said Wednesday at a hearing on the Spectre and Meltdown chip flaws. “While these vulnerabilities seemed to have been patched reasonably well, what about the next one? And we might not know about it until it’s too late,” Florida Democrat Bill Nelson said at the Commerce, Science and Transportation Committee hearing. Lawmakers are pondering what can be done to improve the complex vulnerability disclosure process, which involves spreading enough word among vendors to address a bug but not so much as to risk leaking information before patches are ready. “We need to consider additional ways to require the federal government’s equipment suppliers to promptly notify [the Department of Homeland Security] of potential breaches or vulnerabilities that could weaken our federal systems,” Sen. Maggie Hassan, D-N.H., said at the hearing. The worry is always that foreign governments […]


EU needs one set of vulnerability disclosure rules, says expert task force

Cybersecurity researchers in the European Union need legal certainty and consistent standards across its 28 member states if they are to hunt for software vulnerabilities, according to a blue-ribbon commission established by the Center for European Policy Studies. “What we should avoid is that there are 27 or 28 different [legal] frameworks for coordinated vulnerability disclosure and also that there are different definitions being used — of hacking or vulnerability or disclosure — so that this again creates uncertainty for people working in the field,” said European Parliament member Marietje Schaake, chair of the CEPS Task Force on Software Vulnerability Disclosure. Only three of the 28 member states currently have a policy on responsible disclosure, although 13 are in the process of developing one, she told a recent roundtable at the European Parliament. Each member state has been taking its own approach to vulnerability disclosure, Schaake said, “ranging from sophisticated thinking … […]


Experts ask: Why does the VEP cut out health care agencies?

The U.S. government’s policy for disclosing freshly discovered software vulnerabilities effectively sidelines a small but vital slice of the global IT ecosystem, critics charge — flaws in the computer programs that run medical devices, hospital equipment and digital health records systems. The Vulnerabilities Equities Process (VEP) sets out how the government decides whether to secretly retain a new vulnerability — called a zero-day — for use in spying operations, or disclose it to the manufacturer so the software can be fixed or patched. The process’s details were released Wednesday by the White House. The Equities Review Board, the body that discusses vulnerabilities and makes decisions under the VEP, is made up of representatives from 10 federal agencies and departments, including the Department of Defense, the Department of Homeland Security and the Office of the Director of National Intelligence. But there is no representative from the Department of Health and Human Services. When asked […]


White House Releases VEP Disclosure Rules

The White House released a charter document on Wednesday outlining how the U.S. government will disclose cybersecurity flaws and when it will keep them secret.

White House unveils process behind disclosing software vulnerabilities

The White House has released a charter that will give more clarity and bring more transparency to the Vulnerabilities Equities Process, the process by which the U.S. government determines whether to withhold or disclose information to tech companies about flaws in their software. The charter lays out the core considerations taken into account by the U.S. government when a vulnerability is in its possession, weighing “the benefit to national security and the national interest when deciding whether to disclose or restrict knowledge of a vulnerability.” “Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests,” reads the charter, which was released Wednesday. “The new VEP Charter balances those interests in a way that is repeatable and defensible, and its publication will bolster the confidence of the American people as we continue to carry out […]


Trump administration will shine light on VEP with public charter

The Trump administration plans to launch a “public charter” to add transparency and clarity to the Vulnerabilities Equities Process (VEP), the policy that guides when and whether the U.S. government will tell a software vendor about digital flaws it has discovered in the vendor’s products that could otherwise be used for espionage or intelligence operations. “We are in the process of a policy decision-making group that’s reviewing it, endorsing it, and then we will be able to push it out,” Joyce said Wednesday at the Cambridge Cyber Summit about the charter. “What we’re trying to carefully weigh is having those capabilities, to be able to use them for national security, while at the same time making sure that it’s not a major liability for our economy, for the international community, for our national security.” In an interview with CyberScoop, Joyce said the public charter would provide some new information concerning the number […]


Responsible vulnerability disclosure is becoming an international norm

More and more countries are joining the United States in adopting a policy of weighing the pros and cons of responsible vulnerability disclosure, as the public calls for more clarity regarding intelligence agencies and their supposed hoarding of previously undiscovered software flaws. The U.S. started using its own Vulnerabilities Equities Process in 2010, according to declassified documents, although it didn’t reveal the VEP publicly until 2014 — to help allay suspicions that the National Security Agency might have secretly known about the massive Heartbleed vulnerability. Now, other democracies are following suit, but it’s not clear whether this will put pressure on “bad actor” nations to follow other countries’ lead. Just this month, the Canadian national broadcaster CBC reported for the first time that the country’s equivalent of the NSA, the Communications Security Establishment (CSE), had a process comparable to the VEP — although it is not public and the agency wouldn’t even say what it’s called. “CSE has […]


Senators want spies to disclose more about secret zero-day policy

The Senate Intelligence Committee hopes to learn more about how American spies handle the disclosure of software vulnerabilities continuously discovered by the U.S.’ 16 spy agencies, which are occasionally used as a weak point to hack into computer networks, according to the recently released 2018 Intelligence Authorization Act. While the law calls for greater transparency, former senior U.S. officials say it begs the wrong questions. The specific provision, which is just one part of the Senate committee’s annual legislative agenda, comes in the aftermath of multiple leaks of classified information, in some cases providing the computer code behind a toolbox of outdated NSA and CIA hacking capabilities. These exposures have already led to the adoption of several different U.S. government-linked hacking tools by cybercriminals and foreign spy powers. The proliferation of this code was responsible for a recent global outbreak of ransomware that subsequently caused millions of dollars in […]


Black Hat attendees are very vocal about the VEP

As Black Hat USA is in full swing, Las Vegas buzzed with questions about the government’s process for disclosing newly discovered software vulnerabilities, even as the government is working to change the way the process works. At issue: What can fresh data examining zero-days tell the public about whether the U.S. government secretly retains a new software vulnerability or reveals it to the manufacturer so it can be fixed? Retained vulnerabilities can be used to spy on U.S. adversaries, but — if rediscovered by foreign spies, cybercriminals or other hackers — they could also be used to wreak havoc on systems both inside and outside the U.S. “I’m gonna light it up,” cybersecurity researcher Katie Moussouris told CyberScoop about a planned debate on the subject. Because of the nature of the global software market — people and companies all over the world use the same programs — a high chance of rediscovery […]
