{"id":224,"date":"2017-05-19T14:26:15","date_gmt":"2017-05-19T14:26:15","guid":{"rendered":"http:\/\/securitycurve.com\/?p=224"},"modified":"2017-05-19T14:26:15","modified_gmt":"2017-05-19T14:26:15","slug":"patch-act-no-more-phat-lootz","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=224","title":{"rendered":"PATCH Act: No More Phat Lootz?"},"content":{"rendered":"<p>It would be an understatement to say that people were upset about\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/EternalBlue\">EternalBlue<\/a>. 
\u00a0Microsoft apparently was <a href=\"https:\/\/www.forbes.com\/sites\/thomasbrewster\/2017\/05\/14\/microsoft-just-took-a-swipe-at-nsa-over-wannacry-ransomware-nightmare\/#6cedee3e3585\">already upset about it<\/a>\u00a0before\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/WannaCry_ransomware_attack\">WannaCry<\/a>, but was even more upset afterwards, calling for a &#8220;Digital Geneva Convention.&#8221;<\/p>\n<p>If you haven&#8217;t been following the story, here&#8217;s\u00a0the background:<\/p>\n<ul>\n<li>EternalBlue is an exploitation vector (<a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0144\">CVE-2017-0144<\/a>, CVSS 9.3) that impacts SMB (file sharing) implementations in Microsoft Windows<\/li>\n<li>Microsoft addressed that issue in <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a>, published in March of 2017<\/li>\n<li><del>The NSA<\/del>\u00a0A group generally referred to as the &#8220;Equation Group&#8221;, very likely a state-run cyberwarfare outfit, apparently\u00a0knew about the issue since 2013<\/li>\n<li>The\u00a0issue was not disclosed to the community at large or to Microsoft upon discovery<\/li>\n<li>The exploit was incorporated into an Equation Group toolkit released (for reasons unknown) by <del>Russia<\/del> another group calling itself (arguably more interestingly because of the <a href=\"http:\/\/masseffect.wikia.com\/wiki\/Shadow_Broker\">Mass Effect reference<\/a>)\u00a0the Shadow Brokers<\/li>\n<li>WannaCry exploited this and wreaked havoc on the world<\/li>\n<\/ul>\n<p>This has a lot of people fired up. \u00a0Why? \u00a0Because if it is the case that the &#8220;Equation Group&#8221; is the NSA [<em>note: has this been confirmed? 
\u00a0operating under the assumption that it hasn&#8217;t been, but the PATCH Act certainly seems to imply that at least US lawmakers think it is<\/em>], that would mean that a government entity knew about &#8211; and left undisclosed &#8211; a critical issue (among others, by the way) that literally put people&#8217;s lives at risk. \u00a0Had the issue been disclosed to Microsoft (and therefore patched) when it was initially discovered, there would likely be no WannaCry (or, if there were, one with drastically reduced impact) and therefore much of the consequences would have been avoided.<\/p>\n<p>Of course, there is another side to the story. \u00a0Had the issue been patched when it was discovered (let&#8217;s say in 2012), its utility as a cyberwarfare tool would have been limited to the time before it was patched &#8211; certainly by 2013 and onward. \u00a0In fact, one might argue that, were a state-sponsored outfit like the Equation Group to follow a true\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Responsible_disclosure\">responsible disclosure<\/a> paradigm, there&#8217;s really not much reason for them to have a vulnerability research capability at all. \u00a0Why do it if you can&#8217;t use what you find for very long? \u00a0Unlike researchers in the private sector, the purpose isn&#8217;t &#8220;marketing&#8221; but instead actual offensive capability &#8211; capability that goes away once the issue is patch-able.<\/p>\n<p>So how do you balance these two things? \u00a0A thorny problem.<\/p>\n<p>Some lawmakers, in an attempt to put some parameters around this, have recently proposed the\u00a0<a href=\"https:\/\/www.schatz.senate.gov\/imo\/media\/doc\/BAG17434_FINAL%20PATCH.pdf\">Protecting Our Ability to Counter Hacking (PATCH) Act<\/a>. 
\u00a0I&#8217;d suggest you go read it, but the TLDR is that it establishes a &#8220;review board&#8221; to systematically review and make recommendations about criteria for when vulnerabilities should be disclosed. Who&#8217;s on the board? \u00a0Heads of various federal entities (e.g. DHS, FBI, NIA, CIA, etc.) as well as\u00a0&#8220;ad hoc&#8221; members (to include heads of other stuff &#8211; Treasury, FTC, other members of the security council, etc.). It also establishes a disclosure mechanism and a reporting framework that includes (among others) civil liberties and procedural oversight.<\/p>\n<p>So I&#8217;m not sure how I feel about this. \u00a0Frankly, before WannaCry, I was encouraged when I initially saw the Equation Group toolset. \u00a0I worked (briefly) in the federal space back in the day. \u00a0I won&#8217;t mention specifically which groups I worked with while I was there, but my general takeaway was that the US offensive cyber capability &#8220;stinks on ice&#8221;. \u00a0Meaning, there wasn&#8217;t a high degree of competence that I witnessed firsthand during my experience. \u00a0So when I saw the relative sophistication of the Equation Group toolset, it suggested that at least one group had some real skill &#8211; was better than I thought it was. \u00a0Not only was this toolset on par with other state-sponsored groups (which, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Stuxnet\">Stuxnet<\/a> excepted, I hadn&#8217;t seen evidence of), but it was actually leading the pack! \u00a0Since I&#8217;m sure they&#8217;ve advanced since 2013, they likely still are.<\/p>\n<p>I do have some criticisms of the PATCH Act specifics though. \u00a0The language suggests to me that these folks aren&#8217;t just establishing the criteria for when a vulnerability should be disclosed, they are actually reviewing specific issues. 
\u00a0For example, the bill says, <em>&#8220;The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known&#8230;&#8221; \u00a0<\/em>So a group of folks with little-to-no understanding of technology are making decisions about what to disclose? \u00a0One of two things must be true: either they do it in an informed way (and thereby need some serious technically-astute support staff to make that happen) or they do it in ignorance (which would be a cluster). \u00a0I&#8217;m assuming this will be like other government activities and it&#8217;ll be up to staffers &#8211; in which case, the necessary apparatus is likely to be fairly large. \u00a0Lots of folks to review and make these decisions &#8211; with the potential for beans-spilling.<\/p>\n<p>Other than that, I guess we&#8217;ll see if this passes &#8211; and if it does, what the procedures and policy they come up with are. \u00a0Either way, it&#8217;s interesting to me that the full disclosure discussion is now being conducted in congress. \u00a0I don&#8217;t think I could have seen that coming.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It would be an understatement to say that people were upset about\u00a0EternalBlue. 
\u00a0Microsoft apparently was already upset about it\u00a0before\u00a0WannaCry, but was even more upset afterwards, calling for a &#8220;Digital Geneva Convention.&#8221; If you haven&#8217;t been following the story, here&#8217;s\u00a0the background: EternalBlue is an exploitation vector (CVE-2017-0144, CVSS 9.3) that impacts SMB (file sharing) implementations in [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[48,52,87,97,126],"class_list":["post-224","post","type-post","status-publish","format-standard","hentry","category-security","tag-eternalblue","tag-exploits","tag-patch-act","tag-redteam","tag-vulnerability-research"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/224","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=224"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/224\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=224"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=224"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=224"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}