The weapons pact threatening IT security research

We speak to infosec experts worried by treaty changes


Analysis The US government has rewritten chunks of an obscure weapons trade pact between itself, Europe, Russia, and other nations – a pact that is now casting its shadow over today's computer security tools.

Dubbed the Wassenaar Agreement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, the treaty limits who can buy the really nasty and secret stuff that makes tanks, planes and ships so effective in combat.

Over the past decade, the agreement has been widened to include computer technology. The latest revision of the text, which is now up for discussion prior to approval, has people in the IT security industry severely worried.

The US Commerce Department, via its Bureau of Industry and Security (BIS), is proposing a blanket ban on the export of:

Software 'specially designed' or modified to avoid detection by 'monitoring tools,' or to defeat 'protective countermeasures,' of a computer or network-capable device, and performing any of the following:

(a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Taken in its broadest sense, it may cover a multitude of legitimate software tools, including basic things like antivirus packages, that cannot be exported without a government-approved license, if that's even possible.

And by exported, we mean, downloaded anywhere outside its country of origin, or installed on a laptop and taken abroad.

Security researchers are worried that the programming, debugging and reverse-engineering utilities they rely on will be export-controlled, preventing them from using the software unless a government grants them permission.

So what exactly has happened to cause these changes?

Good intentions backfire

The primary reason given for the changes is to stop repressive regimes around the world from buying sophisticated software that can be used to spy on political opponents and others.

This snoop-ware usually exploits security vulnerabilities in the targets' computers to silently and secretly install itself. Companies like Gamma International and the Italian-based Hacking Team will sell surveillance software to almost all comers.

The updated language tries to crack down on this trade of vulnerability-exploiting super-spyware; as a result, it puts a significant crimp in the sale and exchange of information about exploitable software security flaws.

The market for zero-day vulnerabilities can be a lucrative one; the new language bans the sale of details of unpatched flaws to anyone other than one's own government.

"There is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities," said Randy Wheeler, director of the information technology controls division of BIS, during a conference call discussing the new rules.

But as Nate Cardozo, staff attorney for the Electronic Frontier Foundation, explained to The Register, those rules could be taken to mean that tools that spot zero-day attacks and craft proof-of-concept code to prove that vulnerabilities can be exploited by bad guys. And while keeping spyware out of the hands of repressive regimes is admirable, the proposed rules go way too far, we're told.

"This was drafted by someone who doesn't understand security research and the effect of its implementation, not just on researchers but the general public as well: It's ludicrous," Cardozo said.

"These implementations will do nothing to keep surveillance software out of the hands of the worse actors and will harm those who are seeking to limit their use."

Under the terms of the agreement, if researchers wanted to use commercial software named by the US Department of Commerce, an export license is needed, he explained. This is an arduous process, and requires a huge amount of form filling and hiring an export specialist lawyer, and those folks don't come cheap.

That's not a problem if you're a defense giant like Boeing or Lockheed Martin, but if you're a single researcher then the costs are hideous, and will cause major problems. But there's an additional problem – you need to be a legal adult to do so.

Kids today, eh

"Security research is increasingly a young person's game," Katie Moussouris, chief policy officer for vulnerability disclosure specialists HackerOne, told El Reg.

"The soldiers we are enlisting in the security fight are under draftable age. Setting up further hoops for them to jump through will drive people into underground markets."

Moussouris is an expert in this field, having convinced Microsoft to set up a bug bounty program while employed at Redmond, and who now spends time analyzing the market for security researchers and vulnerabilities. She's convinced that the new rules will do more harm than good.

The new rules were devised in conjunction with defense contractors and privacy experts, each of whom have their own agendas. The security industry wants a level of regulation that will squeeze out smaller companies, she suggested, while privacy experts want the zero-day market shut down.

Chris Soghoian, principal technologist for the ACLU, would certainly be happy for the market in zero-days to be killed off, and – while he wasn't available for interview – appeared to defend the new rules and blame researchers for bringing this on themselves.

But Moussouris said that the new rules were going too far, and said her fears were that the US government is heading into a fight while not understanding the core issues. Other researchers in the field share her concern.

Jonathan Zdziarski, a prominent security expert who has trained law enforcement across the US in computer forensics, said that if the proposed Wassenaar rules were in place back in 2008, he wouldn't be in business right now.

"The tools and techniques I have developed are by no means 'intrusion' tools, however due to the excessively broad nature of the Wassenaar proposal, they would fall under its regulations as they bypass security mechanisms of devices and collect information from them," he commented.

"This proposal stands to only damage those looking to contribute to a better and more secure community. Wassenaar has a deterrent component, and at the heart of security research are many independent researchers like myself who will simply stop contributing if there is a fear of prosecution simply for sharing knowledge in the form of code." ®

Similar topics

Broader topics


Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • If you're using older, vulnerable Cisco small biz routers, throw them out
    Severe security flaw won't be fixed – as patches released this week for other bugs

    If you thought you were over the hump with Patch Tuesday then perhaps think again: Cisco has just released fixes for a bunch of flaws, two of which are not great.

    First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it's not going to fix. In other words, junk your kit or somehow mitigate the risk.

    Both of these received a CVSS score of 9.8 out of 10 in severity. The IT giant urged customers to patch affected security appliances ASAP if possible, and upgrade to newer hardware if you're still using an end-of-life, buggy router. We note that miscreants aren't actively exploiting either of these vulnerabilities — yet.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading

Biting the hand that feeds IT © 1998–2022