Study: Zero days rediscovered much faster

New research from Harvard suggests that the freshly discovered software flaws called zero day vulnerabilities are independently rediscovered much faster than previously thought. The rediscovery rate has big implications for U.S. cybersecurity policy because it would change the calculation officials make when deciding whether to reveal zero days discovered by U.S. agencies so they can be fixed, or keep them secret so they can be used to spy on foreign adversaries and in other cyber-operations. “If the rediscovery rate is this high, the number of vulnerabilities [secretly retained] for operational use should be lower or subject to more aggressive scrutiny,” said Trey Herr a post-doctoral fellow at the Belfer Center at Harvard. Herr, along with security guru Bruce Schneier and Christopher Morris, a research assistant from the Harvard school of engineering, published their findings this week after a lengthy peer-review process, and will present them at the Black Hat USA conference in Las Vegas next week. […]

The post Study: Zero days rediscovered much faster appeared first on Cyberscoop.

Continue reading Study: Zero days rediscovered much faster

Why reforming the Vulnerability Equities Process would be a disaster

When the authors of WannaCry turbo-charged their ransomware with NSA exploits leaked by the Shadow Brokers, people thought it was the Vulnerability Equities Process’ worst-case scenario. It’s really not. The VEP is the policy process the U.S. government undertakes when one of its agencies finds a new software vulnerability. It’s how the government decides whether to tell the manufacturer about the bug, so they can patch it and keep all their customers safe; or to keep it secret and stealthily employ it to spy on foreign adversaries who use that software. In the wake of Shadow Brokers dumping several sets of highly advanced NSA hacking tools online — many using previously unknown vulnerabilities — there have been rising demands for reform of the VEP. Lawmakers have got in on the act, pledging to legislate the process with the Protecting Our Ability to Counter Hacking, or PATCH Act of 2017. But […]

The post Why reforming the Vulnerability Equities Process would be a disaster appeared first on Cyberscoop.

Continue reading Why reforming the Vulnerability Equities Process would be a disaster

Should the government stockpile zero day software vulnerabilities?

Storm clouds are rising over the U.S. government’s policy on software flaw disclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process. Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered flaw to the manufacturer — which can issue a patch to protect customers — or having the government retain it for spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said. “We disclose something like 90 percent of the vulnerabilities we find,” said Richard Ledgett, who retired April 28 as the NSA’s deputy director. “There’s a  narrative out there that we’re sitting on hundreds of zero days and that’s just not the case,” he told Georgetown University Law Center’s annual cybersecurity law institute. […]

The post Should the government stockpile zero day software vulnerabilities? appeared first on Cyberscoop.

Continue reading Should the government stockpile zero day software vulnerabilities?

Zero day exploits are rarer and more expensive than ever, Symantec says

It’s basic economics: When supply drops but demand keeps rising, price goes up. It’s no different for pieces of information that give cyberattackers big advantages. The number of zero day exploits revealed in the wild fell for a third straight year in 2016, pushing the prices for them skyward and driving attackers to use alternative tactics, according to new research from Symantec. The total number of zero days exploited — a “zero day” is a software vulnerability that hasn’t been disclosed to the vendor and thus hasn’t been patched — dropped to 3,986 in 2016, Symantec said. That number was as high as 4,985 in 2014. Meanwhile, demand for zero days is as high as it’s ever been. Zero days discovered by security researchers are purchased by a wide variety of parties including militaries, intelligence agencies, law enforcement, software vendors, cybercriminals and military contractors. Their intentions also vary widely: Some buyers want to fix and defend software, others want to mount […]

The post Zero day exploits are rarer and more expensive than ever, Symantec says appeared first on Cyberscoop.

Continue reading Zero day exploits are rarer and more expensive than ever, Symantec says

Threatpost News Wrap, April 21, 2017

Mike Mimoso and Chris Brook discuss the news of the week, including last Friday’s ShadowBrokers dump – how Microsoft learned of the vulnerabilities, how they were patched by Oracle, along with Microsoft ditching passwords, and a new car dongle hack. Continue reading Threatpost News Wrap, April 21, 2017

Shadow Brokers latest leak a gold mine for both criminals and researchers

As information security enthusiasts continue to pour over the Shadow Brokers latest dump, the alleged cache of NSA tools is turning out to be a treasure trove for both researchers and criminals. Ransomware known as “AES-NI” has been updated with a so-called “NSA Exploit Edition” that the malware’s developer claims  is now using EsteemAudit and EternalBlue exploits to infect machines, encrypt files and demand ransom for release.  EsteemAudit and EternalBlue were two tools dumped in last week’s leak. A rash of forum posts show several ransomware victims running old, unpatched or unsupported Windows servers that have been infected. There has been no independent confirmation on how the new ransomware works, but the malware’s author claimed to CyberScoop that they are using NSA exploits. “We use SMB [Server Message Block] and RDP [Remote Desktop Protocol] exploits: Esteemaudit, Eternalblue,” the developer said. “They all are in public now.” Liam O’Murchu, the director of Symantec’s security […]

The post Shadow Brokers latest leak a gold mine for both criminals and researchers appeared first on Cyberscoop.

Continue reading Shadow Brokers latest leak a gold mine for both criminals and researchers

Government Hackers Used Microsoft Word Zero-Day to Install Spyware on Russian Targets

The hackers exploited the unknown vulnerability to install spyware made by the infamous surveillance company FinFisher. Continue reading Government Hackers Used Microsoft Word Zero-Day to Install Spyware on Russian Targets