Overhaul Wassenaar or ruin next Heartbleed fix, top policy boffin says

Stop crooks, not 100 cross-border collaboration during crises

Kiwicon Additional exemptions to the much-feared Wassenaar Arrangement will do nothing to protect far-flung security professionals critical to crushing dangerous Heartbleed-esque bugs, according to infosec policy buff Katie Moussouris.

The Hacker One chief policy officer is spearheading the security industry's global response to the Wassenaar Arrangement, a global agreement to limit the movement of weaponry that is being extended to cover security vulnerabilities, software, and exploits.

Moussouris (@k8em0) is the globe-trotter among a cadre of security types who are lobbying signatory countries to ensure the Arrangement does not needlessly hinder the complex world of security vulnerability discovery and remediation.

Hackers fear the Arrangement will crimp vital security research and have lobbied signatory countries to consider the ramifications of becoming signatories.

Speaking at the Kiwicon security confab in Wellington today, Moussouris said the Arrangement will, in its current form, severely hinder the identification and repair of major software security flaws that affect scores of people and that occur on a daily or weekly basis.

Katie Moussouris. Photo: Darren Pauli / The Register.

She said the Arrangement requires an overhaul, adding that so-called emergency exemptions that allow controlled goods to be quickly deployed – such as radar units sent to Haiti after the 2010 earthquake – will not apply to the globally coordinated security vulnerability research that occurs daily.

"Multivendor vulnerability research cases are situations where you won't know who the coordination partners are ahead of time – there were something like 100 partners in the case of Heartbleed," Moussouris says.

"Are they (Wassenaar officials) prepared to grant emergency exemptions like nine times a day for multi-vendor coordination? They didn't have a good answer."

"There are places where the exemptions just won't work and that means we have to go back and change Wassenaar – we have to get that piece removed that says intrusion software technology, which is a dragnet."

Moussouris says even those countries that have to date managed to make Wassenaar largely compatible with their local industries are still at risk of butting heads with critical research should the US bork its implementation and not address the fallibility of exemptions.

She met with Australian defence officials last week ahead of Kiwicon and told Vulture South Canberra is on "the same page" with her concern over exemptions.

Moussouris says supply chain development is also under threat due to the global distribution of developers, who could, unbeknown to researchers, be located in Wassenaar-controlled countries.

Exemptions can work in some areas of the Arrangement; she has proposed fixes to remove mind-blowing intra-company rules that could prevent staff from discussing vulnerabilities based on an employee's country of origin.

The complexities of Wassenaar, coupled with industry fear-mongering, have resulted in some competent but unnamed researchers no longer disclosing vulnerabilities for fear of prosecution.

Indeed, some hackers did not attend the recent mobile Pwn2Own competition at PacSecWest since they would be carrying exploit material to the Tokyo event.

Canberra will meet later this month to discuss the latest proposals including Moussouris' work and will move to set amendments in stone early next year. ®
