<p class="fine-print">WannaCrypt – The Conversation (topic feed, updated 2017-05-23)</p>
<h1>What are software vulnerabilities, and why are there so many of them?</h1>
<p class="fine-print">Published 2017-05-23</p>
<figure><img src="https://images.theconversation.com/files/169999/original/file-20170518-12263-iatux6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">It's software: There's always a way in.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/elite-hacker-entering-room-through-keyhole-420468124">BeeBright via shutterstock.com</a></span></figcaption></figure><p>The recent WannaCry ransomware attack spread like wildfire, taking advantage of flaws in the Windows operating system to take control of <a href="http://www.cbsnews.com/news/cyberattack-wannacry-ransomware-north-korea-hackers-lazarus-group/">hundreds of thousands of computers worldwide</a>. But what exactly does that mean?</p>
<p>It can be useful to think of hackers as burglars and malicious software as their burglary tools. Having researched cybercrime and technology use among criminal populations for more than a decade, I know that both types of miscreants want to find ways into secure places – computers and networks, and homes and businesses. They have a range of options for how to get in.</p>
<p>Some burglars may choose to simply smash in a window or door with a crowbar, while others may be stealthier and try to pick a lock or sneak in a door that was left open. Hackers operate in a similar fashion, though they have more potential points of entry than a burglar, who is typically dependent on windows or doors.</p>
<p>The weaknesses hackers exploit aren’t broken windowpanes or rusty hinges. Rather, they are flaws in software programs running on a computer. Programs are written by humans, and are inherently imperfect. Nobody writes software completely free of errors that create openings for potential attackers.</p>
<h2>What are these flaws, really?</h2>
<p>In simple terms, a vulnerability can be an error in the way that user management occurs in the system, an error in the code or a flaw in how it responds to certain requests. One common vulnerability allows an attack called a <a href="https://secure.php.net/manual/en/security.database.sql-injection.php">SQL injection</a>. It works on websites that query databases, such as to search for keywords. An attacker creates a query that itself contains code in a database programming language called SQL.</p>
<p>If a site is not properly protected, its search function will <a href="https://www.cisco.com/c/en/us/about/security-center/sql-injection.html">execute the SQL commands</a>, which can allow the attacker access to the database and potentially control of the website. </p>
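<p>The search-function flaw described above, as an added example that is not part of the article: a tiny SQLite catalogue with a "public" flag, one search that pastes the keyword into the SQL text (the vulnerability) and one that binds it as a parameter (the fix). The table, rows and keywords are constructed for the demonstration.</p>

```python
import sqlite3

# Constructed sample catalogue for the demonstration; not from the article.
ROWS = [
    ("Blue widget", 1),
    ("Red widget", 1),
    ("Unreleased widget", 0),  # public = 0: must never appear in search results
]


def build_db():
    """Create an in-memory SQLite database holding the sample product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT NOT NULL, public INTEGER NOT NULL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, keyword):
    """The flaw the article describes: the keyword is concatenated into the SQL
    text, so anything in it that looks like SQL is executed as SQL."""
    sql = ("SELECT name FROM products WHERE public = 1 AND name LIKE '%"
           + keyword + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, keyword):
    """The fix: a parameterised query. The keyword is bound as a value and is
    never parsed as SQL, so a quote or comment marker inside it is just text."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


def demo():
    """Run both searches with an ordinary keyword and with one that contains SQL."""
    conn = build_db()
    ordinary = "widget"
    # Input that closes the quoted string and appends an always-true condition;
    # the trailing "--" turns the rest of the statement into a comment.
    hostile = "' OR 1=1 --"
    return {
        "vuln_ordinary": search_vulnerable(conn, ordinary),
        "vuln_hostile": search_vulnerable(conn, hostile),   # leaks the non-public row
        "safe_ordinary": search_safe(conn, ordinary),
        "safe_hostile": search_safe(conn, hostile),         # matches nothing
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(case, names)
```

<p>Note that SQLite accepts <code>--</code> without a following space; other engines differ in comment syntax, but the parameterised form is safe on all of them because the database driver never interprets the bound value.</p>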
<p>Similarly, many people use programs that are supported by the <a href="https://www.codecademy.com/learn/learn-java">Java programming language</a>, such as Adobe Flash Player and various Android applications. There are <a href="https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html">numerous vulnerabilities in the Java platform</a>, all of which can be exploited in different ways, but most commonly through getting individuals to <a href="https://doi.org/10.1145/2901739.2901773">download “plug-ins” or “codecs” to software</a>. These plug-ins actually contain malicious code that will take advantage of the vulnerability and compromise the machine. </p>
<h2>Flaws are everywhere</h2>
<p>Vulnerabilities exist in all types of software. <a href="https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/">Several versions of the Microsoft Windows operating system</a> were open to the WannaCry attack. For instance, the popular open-source web browser Firefox has had <a href="https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452">more than 100 vulnerabilities identified in its code each year</a> since 2009. Fifteen different vulnerabilities have been identified in Microsoft Internet Explorer browser variants <a href="https://www.cvedetails.com/product/9900/Microsoft-Internet-Explorer.html?vendor_id=26">since the start of 2017</a>.</p>
<p>Software development is not a perfect process. Programmers often work on timelines set by management teams that attempt to set reasonable goals, <a href="https://blog.keen.io/how-should-deadlines-be-used-in-software-engineering-9eb23d513e8d">though it can be a challenge to meet those deadlines</a>. As a result, developers do their best to design secure products as they progress but may not be able to identify all flaws before an anticipated release date. Delays may be costly; many companies will release an initial version of a product and then, when they find problems (or get reports from users or researchers), fix them by releasing security updates, sometimes called patches because they cover the holes.</p>
<p>But software companies can’t support their products forever – to stay in business, they have to keep improving programs and selling copies of the updated versions. So after some amount of time goes by, they stop issuing patches for older programs. </p>
<p>Not every customer buys the latest software, though – so many users are still running old programs that might have <a href="https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/">unpatched flaws</a>. That gives attackers a chance to find weaknesses in old software, even if newer versions don’t have the same flaws.</p>
<h2>Exploiting the weaknesses</h2>
<p>Once an attacker identifies a vulnerability, he can write a new computer program that uses that opportunity to get into a machine and take it over. In this respect, an exploit is similar to the way burglars use tools like crowbars, lock picks or other means of entry into a physical location. </p>
<p>They find a weak point in the system’s defenses, perhaps a network connection that hasn’t been properly secured. If attackers can manage to gain contact with a target computer, they can learn about what sort of system it is. That lets them identify particular approaches – accessing specific files or running certain programs – that can give them increasing control over the machine and its data. In recent years, attackers began targeting web browsers, which are allowed to connect to the internet and often to run small programs; they have many vulnerabilities that can be exploited. Those initial openings can give an attacker control of a target computer, which in turn can be used as a point of intrusion into a larger sensitive network.</p>
<p>Sometimes the vulnerabilities are discovered by the software developers themselves, or users or researchers who alert the company that a fix is needed. But other times, hackers or government spy agencies figure out how to break into systems and <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">don’t tell the company</a>. These weaknesses are called “zero days,” because the developer has had no time to fix them. As a result, the software or hardware has been compromised until a patch or fix can be created and distributed to users. </p>
<p>The best way users can protect themselves is to <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">regularly install software updates</a>, as soon as updates are available.</p>
<p class="fine-print"><em><span>Thomas Holt does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="fine-print">Thomas Holt, Associate Professor of Criminal Justice, Michigan State University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Should spies use secret software vulnerabilities?</h1>
<p class="fine-print">Published 2017-05-19</p>
<figure><img src="https://images.theconversation.com/files/170032/original/file-20170518-12257-625y70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">When is it okay for the government to keep a secret?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/whispering-words-145530742">sharpshutter via shutterstock.com</a></span></figcaption></figure><p>The 2017 WannaCry ransomware attack <a href="http://www.cbsnews.com/news/cyberattack-wannacry-ransomware-north-korea-hackers-lazarus-group/">infected about 300,000 computers in 150 countries</a>, and cost computer users <a href="http://www.nbcnews.com/tech/security/total-paid-malware-ransom-how-exploit-spread-n759531">thousands of dollars in ransom money</a> and <a href="http://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/">billions in lost productivity</a>. </p>
<p>The attack took advantage of a vulnerability in the Windows operating system that the federal government had been aware of for years but had chosen not to tell Microsoft about until just months before the WannaCry attack began. That history and the potential for <a href="https://www.engadget.com/2017/05/16/shadow-brokers-nsa-june/">more releases in the coming weeks</a> have intensified the debate around how governments and spy agencies should act when they discover weaknesses in computer software. </p>
<p>It’s a choice of how best to protect the public: <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html">Exploit software vulnerabilities to collect intelligence information</a> that may help keep people safe? Or disclose the flaw, letting the software company fix it and <a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/">protect millions of regular computer users from malicious attacks</a> by hackers?</p>
<h2>Exposing WannaCry</h2>
<p>For years, <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html">the U.S. National Security Agency used a flaw in the Windows operating system</a>, nicknamed “EternalBlue,” to spy on intelligence targets, gathering information from their computer files and electronic communications. But the NSA didn’t tell Microsoft about the flaw in the company’s software until early 2017. The company <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">quickly issued a fix</a> users could download and install. <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">Many people didn’t</a>, though.</p>
<p>In April, a hacking group called the <a href="https://www.engadget.com/2017/04/14/shadow-brokers-dump-windows-zero-day/">Shadow Brokers reported that it had breached the network</a> of, and stolen information from, computers used by the Equation Group, which has not identified itself but is <a href="http://www.reuters.com/article/us-usa-cyberspying-idUSKBN0LK1QV20150216">widely believed to be part of the NSA</a>. The Shadow Brokers revealed <a href="https://theconversation.com/after-the-nsa-hack-cybersecurity-in-an-even-more-vulnerable-world-64090">information about extremely sophisticated digital tools</a> for attacking military, political and economic targets worldwide. One of those tools was “EternalBlue.”</p>
<p>In May, a hacker or hacking group released a piece of malicious software using “EternalBlue” to hijack computers, encrypt the data on them and charge victims a ransom to restore access to their information. </p>
<p>If the NSA had told Microsoft about the flaw five years ago, things could have unfolded differently. In particular, users could have had much more time to update their software – which would have <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">substantially increased the number of people protected</a> against the vulnerability.</p>
<h2>Using ‘zero days’</h2>
<p>The most serious cyberattacks are those that use previously unknown vulnerabilities. They are called “zero day” exploits because the developers had no time to fix the flaws before trouble began, so nobody is protected. The NSA may know of <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">hundreds, or even thousands, of them</a>. Spy agencies of other countries, including <a href="https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1">China, Russia, Iran and North Korea</a>, are also working to find zero-day vulnerabilities.</p>
<p>Using these vulnerabilities can be effective. For instance, the NSA used four zero-day vulnerabilities as part of a series of cyberattacks on Iran’s nuclear enrichment sites. That effort, officially code-named “Olympic Games,” created the program known to the public as “<a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet</a>,” which damaged about 1,000 centrifuges and <a href="https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1">may have helped force Iran to negotiate</a> with the U.S. about its nuclear program.</p>
<h2>Should they keep the secret?</h2>
<p>By not telling software companies about newly identified vulnerabilities, government agencies such as the NSA and CIA serve their own purposes of finding ways to gather intelligence undetected. But they also <a href="https://fcw.com/articles/2017/03/13/zero-day-stockpile-carberry.aspx">endanger critical systems of governments and regular users alike</a>. </p>
<p>The U.S. does not have strong and clear policies with which to handle this problem. In January 2014, the <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">Obama administration ordered spy agencies</a> to <a href="https://www.wired.com/2014/04/obama-zero-day/">disclose weaknesses they find</a> – but with a significant loophole: If a software flaw has “a clear national security or law enforcement” use, the government can <a href="http://www.reuters.com/article/us-apple-encryption-review-idUSKCN0WW2OL">keep the flaw secret</a> and exploit it.</p>
<p>These are <a href="http://dx.doi.org/10.1080/01972243.2016.1177764">complex trade-offs</a> involving many questions: What might spies learn by exploiting the vulnerability? How likely is it that adversaries could find it? What might happen if they use it? <a href="https://www.wired.com/2017/05/governments-wont-let-go-secret-software-bugs/">Can the secret be kept securely and reliably</a>? Regardless of the <a href="http://dx.doi.org/10.1145/2535813.2535818">ethics questions</a> about how these agencies should best carry out their duty of protecting the public, the decision will likely end up as a political one, about <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">how the government should use its power</a>.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>What’s the best way for spy agencies to protect the public: secretly exploit software flaws to gather intelligence, or warn the world and avert malicious cyberattacks?</em></p>
<p class="fine-print">Nir Kshetri, Professor of Management, University of North Carolina – Greensboro. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Here’s how the ransomware attack was stopped – and why it could soon start again</h1>
<p class="fine-print">Published 2017-05-17</p>
<figure><img src="https://images.theconversation.com/files/169775/original/file-20170517-24350-u0klak.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>The ransomware cyber attack that has so far affected around <a href="https://www.ft.com/content/74ae2600-39a3-11e7-ac89-b01cc67cfeec">300,000 computers in 150 countries</a> could have been much worse. In fact, it still could be. The spread of the malicious software (malware), nicknamed <a href="https://docs.microsoft.com/en-us/msrc/customer-guidance-for-wannacrypt-attacks">WannaCry or WannaCrypt</a>, has been halted several times by researchers who have identified flaws in the program known as kill switches. But cybercriminals are already fighting back by altering the code, leading to a game of cat and mouse as researchers then have to hunt for a new kill switch.</p>
<p><a href="https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx">Ransomware is a type of malware</a> that blocks access to a computer until money is paid to release it. It is normally spread as an attachment on an email but WannaCry is different because it can spread through a local network on its own. </p>
<p>It looks for other computers running a file and printer sharing protocol called <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx">Server Message Block</a> (SMB), which is found in older operating systems such as Windows XP that no longer receive routine security updates. It then uses a flaw in SMB to spread to other computers without their users having to download the file. This explains why more computers have been affected than is typical with this kind of malware.</p>
<p>The Achilles heel of malware is the need to call home to its operator. For ransomware, there has to be a mechanism for the program’s operator to collect the ransom money and unlock the data. These communications can provide a way for law enforcement to track down the cybercriminals, so they often build into their malware something called a kill switch.</p>
<p>Generally, a kill switch is a mechanism for turning off a device or a piece of software remotely – and abruptly – in an emergency, such as when it has been stolen or accessed without authorisation. In malware, a kill switch is a way for the operator to terminate their connection to the software to prevent authorities from discovering their identity.</p>
<p>One kill switch method is to redirect the malware’s communications to a “sinkhole” server, which can render it ineffective. Investigators can study the malware and look for such a kill switch or a way to take over the software.</p>
<p>A sophisticated piece of malware will often run its control communication across multiple unregistered internet domains. By periodically changing the domain it uses, the software can thwart attempts to understand or neutralise it. This means investigators need to constantly adapt and register any new domains the malware may try to use to make the sinkhole effective.</p>
<h2>Accidental death</h2>
<p>In the case of WannaCry, a researcher using the pseudonym MalwareTech ended up <a href="https://www.ncsc.gov.uk/blog-post/finding-kill-switch-stop-spread-ransomware-0">accidentally activating the kill switch</a> when he tried to create a sinkhole in order to study the software. WannaCry included code that looked to check if a specified domain had been registered. If it received a response from the domain, it shut down. If not, it continued to work. So when MalwareTech registered the domain, it effectively activated the kill switch.</p>
<p>This kill switch was probably inserted to prevent investigators studying the software in a closed virtual environment <a href="https://stackoverflow.com/questions/2126174/what-is-sandboxing">called a “sandbox”</a>. These typically respond to all communication attempts by the malware with signals from registered domains. So when WannaCry received a response from the domain, it was tricked into thinking it was in a sandbox and shut down to protect itself.</p>
<p>The problem is that modifying WannaCry’s code so it looks for a different unregistered domain will allow new versions of the software to continue running. In fact, one new variant of the malware has <a href="https://qz.com/983569/a-second-wave-of-wannacry-infections-has-been-halted-with-a-new-killswitch/">already been stopped</a> after researchers registered the new domain, activating the related kill switch.</p>
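<p>The kill-switch behaviour described above has a defensive use once the domain is registered and sinkholed: any host that queries it has run the malware and needs isolating and patching, even though the check stopped it spreading. The following is an added example, not part of the article, that finds such hosts in resolver logs; the log format is a simplified one constructed here, and the kill-switch domain is a placeholder because the article does not name it.</p>

```python
import re

# Placeholder: the article does not name the kill-switch domain, so an
# obviously fake one is used here. Substitute the real sinkholed domain.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log in a simplified "timestamp client qtype name" form;
# real resolver logs (BIND, Windows DNS, Zeek dns.log) need their own regex.
SAMPLE_LOG = """\
2017-05-12T14:01:03Z 10.0.5.21 A www.example.com
2017-05-12T14:01:09Z 10.0.5.44 A KillSwitch-Domain.example.
2017-05-12T14:01:10Z 10.0.5.44 A killswitch-domain.example
2017-05-12T14:02:17Z 10.0.7.8 A killswitch-domain.example
2017-05-12T14:03:40Z 10.0.5.21 A mail.example.com
this line is malformed and is skipped rather than aborting the run
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client_ip, qtype, normalised_name), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, client, qtype, name = m.groups()
    # DNS names are case-insensitive and may carry a trailing dot.
    return ts, client, qtype.upper(), name.lower().rstrip(".")


def hosts_that_checked_in(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to (query_count, first_seen).

    After the domain was registered, a query from a host means WannaCry ran there
    and performed its check; the copy shut itself down, but the host is infected.
    """
    domain = domain.lower().rstrip(".")
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != domain:
            continue
        ts, client = rec[0], rec[1]
        count, first = hits.get(client, (0, ts))
        hits[client] = (count + 1, first)
    return hits


def triage_report(hits):
    """Sorted (client_ip, query_count, first_seen) rows for the response team."""
    return sorted((ip, count, first) for ip, (count, first) in hits.items())


if __name__ == "__main__":
    for ip, count, first in triage_report(hosts_that_checked_in(SAMPLE_LOG)):
        print(f"{ip}: {count} kill-switch queries, first seen {first}")
```

<p>Expect an analyst's own sandbox to appear in this list too, since the article notes sandboxes answer such lookups; everything else on the list is a host that ran the worm and should be taken off the network and patched with the MS17-010 update before it is reconnected.</p>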
<p>An interesting paradox is that WannaCry was developed using a surveillance tool called EternalBlue created by the US National Security Agency (NSA) and leaked by a group of hackers known by the pseudonym Shadow Brokers. They are now claiming to have further harmful source code for WannaCry and are <a href="http://indianexpress.com/article/technology/tech-news-technology/wannacry-ransomware-shadow-brokers-hacker-group-threatens-to-sell-code-4659765/">threatening to release it into the wild</a> for anyone to modify freely. Based on the history of previous similar malware, copycats are extremely likely. With major modifications to the source code, the recent updates made to anti-malware software will become futile as the cycle begins again. </p>
<p>Researchers are even questioning why WannaCry’s kill switch existed at all given that it was so easy to discover and execute. The danger is that WannaCry was just a test to elicit the response of defenders so deadlier variants can be unleashed later.</p>
<p class="fine-print"><em><span>Adrian Winckles receives funding from iCure/DCMS for Cyber Security Innovation. Member of Open Web Application Security Project European Board and Cambridge Chapter Leader. BCS Vice Chair Cybercrime Forensics Special Interest Group. UK Cyber Security Forum - Cambridge Cluster Chair.</span></em></p>
<p><em>Things might not be over for the WannaCry malware.</em></p>
<p class="fine-print">Adrian Winckles, Senior Lecturer in Cyber Security, Anglia Ruskin University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Are public sector organisations more at risk from cyber-attacks on old computers?</h1>
<p class="fine-print">Published 2017-05-16</p>
<p><a href="https://www.theguardian.com/society/2017/may/12/global-cyber-attack-nhs-trusts-malware">Hospitals across Britain</a> were crippled by the <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">recent ransomware cyber-attack</a>, making the country’s National Health Service one of the most high-profile victims of the global incident. </p>
<p>The government has been criticised for <a href="http://www.dailymail.co.uk/news/article-4503522/Government-scrapped-support-NHS-two-years-ago.html">cutting IT support</a> for the health service and <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">failing to replace</a> old computer systems. Meanwhile, ministers <a href="http://www.telegraph.co.uk/news/2017/05/14/nhs-repeatedly-warned-improve-security-defence-secretary-says/">hit out</a> at NHS bosses for not improving cybersecurity, amid reports that an upgrade that could have prevented the attack was <a href="http://news.sky.com/story/nhs-cyberattack-trusts-were-told-about-security-patch-last-month-10878700">made available a month ago</a>.</p>
<p>This story doesn’t feel too surprising. Anyone who regularly deals with public services in person will probably have seen government employees struggling with outdated computer systems. Certainly, other major state-run organisations have also been <a href="http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/">hit by the ransomware</a>, including German railway company Deutsche Bahn and the US Department of Homeland Security. But is the public sector really any worse than the private sector at keeping its IT security up to date and avoiding cybercrime?</p>
<p>The recent “WannaCry” attack was made possible by a flaw in the 15-year-old Windows XP operating system. Software manufacturers often provide updates or patches to their products after they discover such a flaw, to prevent cyber-criminals from exploiting it. However, Microsoft <a href="https://www.microsoft.com/en-gb/windowsforbusiness/end-of-xp-support">stopped routinely updating XP</a> in 2014, and those still using it have to pay for custom support to receive any further patches.</p>
<p>Once the company became aware of the WannaCry flaw, it was quick to release a patch back in March. But because many customers were still using unsupported versions of XP, WannaCry rapidly infected a large number of systems when it emerged in May. Microsoft then <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">made its patch available</a> to all XP users but many of those who didn’t update immediately were caught out. This is exactly what happened within the NHS.</p>
<p>The government has long acknowledged the need to update its old IT systems. When public XP support ended in 2014, <a href="https://www.theguardian.com/technology/2014/apr/07/uk-government-microsoft-windows-xp-public-sector">the government said</a> it expected the majority of its machines to be upgraded within a year. It then ended NHS funding for custom XP support, <a href="http://uk.businessinsider.com/why-the-uk-government-stopped-paying-for-windows-xp-2017-5">reportedly in an attempt to encourage</a> health service bosses to upgrade their systems. But a <a href="http://www.computerweekly.com/microscope/news/450404337/Citrix-channel-needs-to-give-NHS-some-TLC">report at the end of 2016</a> suggested that 90% of NHS trusts still had at least one XP system.</p>
<p>The most likely reason that out-of-date systems are still being used is the cost of upgrading them. In most cases, a new version of Windows or another operating system would also need a new computer that was powerful enough to run it, and potentially new bespoke hardware and software to enable the organisation to do its job. For example, a hospital X-ray department using an XP-based machine might need a new version of the software that controls its X-ray machines.</p>
<p>Public sector agencies also have a luxury in the form of highly-skilled government experts from the likes of the <a href="https://www.ncsc.gov.uk/">National Cyber Security Centre</a> who are available to ensure that critical services, such as the NHS, are kept operational. So even if the recent ransomware attack acts as a necessary wake-up call, there’s still a perceived safety net.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/169558/original/file-20170516-11966-1kq1u01.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Small firms don’t have IT departments to protect them.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<h2>Private problem</h2>
<p>However, WannaCry didn’t just affect the public sector. Around <a href="http://uk.businessinsider.com/europol-said-there-are-200000-cyberattack-victims-and-the-number-will-go-up-2017-5">200,000 victims</a> in 150 countries have been affected, according to EU police force Europol, many of them businesses including major corporations such as <a href="http://money.cnn.com/2017/05/15/technology/ransomware-whos-been-hit/">Nissan, FedEx and Hitachi</a>. <a href="https://netmarketshare.com/">One source</a> suggests that more than 10% of all desktop PCs run Windows XP, and a significant portion of those victims will likely be small businesses. In general, there is no specific evidence that public sector organisations suffer cyber-attacks disproportionately.</p>
<p>Although the NHS is clearly under tight financial constraints, governments have significant resources to mitigate cyber-threats and can raise large amounts of money if politicians choose to do so. In the UK, the National Cyber Security Centre alone has a £1.9 billion investment. </p>
<p>It is a completely different picture for small companies that don’t have easy access to cash for upgrades or access to the highly-skilled resources of government experts or even IT departments. Often they don’t even have the awareness that there’s a problem to begin with. There are government-backed initiatives to help small companies with cybersecurity, such as the UK’s <a href="https://www.cyberaware.gov.uk/cyberessentials/">Cyber Essentials</a>, but these don’t have the scale to reach everyone or even identify and help those most in need. We can certainly question whether they are having much impact given the scale of the recent ransomware attack.</p>
<p>Cyber-attacks on the scale of WannaCry may remind organisations about the need to maintain their IT security. Getting people to understand how is still a serious challenge. Public sector organisations might too often rely on outdated computer systems but at least they’re better placed than much of the private sector to do something about it.</p>
<p class="fine-print"><em><span>Simon Parkinson does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Small businesses are the forgotten casualties of the recent WannaCry ransomware attack.</em></p>
<p class="fine-print">Simon Parkinson, Senior Lecturer in Informatics, University of Huddersfield. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>What the underground market for ransomware looks like</h1>
<p class="fine-print">Published 2017-05-16</p>
<figure><img src="https://images.theconversation.com/files/169460/original/file-20170516-11956-1jeph5f.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The market for exploiting software vulnerabilities can be traced back to the 90s, when "phreaking" - modifying telecommunications technology - was popular.</span> <span class="attribution"><span class="source">Jennifer/Flickr</span>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>The “WannaCry” ransomware attack has put governments and businesses around the world on edge, but in fact the underground market for exploits of software vulnerabilities (bugs) like this one has been in existence since at least the 1990s.</p>
<p>Informal sharing of these vulnerabilities goes back to the dawn of computing – notably phone “phreaking” (tinkering with telecommunication devices) and the <a href="http://www.worldcat.org/title/hackers-heroes-of-the-computer-revolution/oclc/10605060">Massachusetts Model Railway Club</a>, credited with fostering an early hacker sub-culture from the 1960s onwards.</p>
<p>From here it slowly <a href="http://www.econinfosec.org/archive/weis2012/papers/Anderson_WEIS2012.pdf">developed into a global market</a> in the sale of exploits and exploit kits. This included hacking tools such as Blackhole, Zeus and SpyEye, whose users are sometimes known as “script kiddies” because the programming skills required are basic and the hacks are more or less delivered via a menu-driven program.</p>
<p>The Russian carding market, which developed in the 1990s as online forums for the sale of stolen credit cards and identities, morphed into a sophisticated business enterprise that mimicked legal online markets such as eBay. In short, these criminals industrialised.</p>
<p>The <a href="http://www.aic.gov.au/publications/current%20series/tandi/521-540/tandi526.html">Australian Communication Media Authority’s Spam Intelligence Database</a> showed that spam-distributed malware with the capability of locking data files on an exposed computer system began to appear in 2012, with many cases reported from 2013 onwards.</p>
<h2>The modern malware market</h2>
<p>The industrialisation of the cybercrime market developed rapidly with the advent of virtual private networks (VPNs) and <a href="https://theconversation.com/au/topics/tor-7466">The Onion Router or “Tor” for short</a> in the mid-2000s. The <a href="https://www.unodc.org/documents/organized-crime/UNODC_CCPCJ_EG.4_2013/UNODC_CCPCJ_EG4_2013_2_E.pdf">UNODC’s 2013 Comprehensive Report on Cybercrime</a> flagged the importance of these markets in the spread of monetised hacking tools. </p>
<p><a href="http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf">The RAND Corporation’s 2014 report on the Hackers’ Bazaar</a> notes:</p>
<blockquote>
<p>These black markets are growing in size and complexity. The hacker market — once a varied landscape of discrete, ad hoc networks of individuals initially motivated by little more than ego and notoriety — has emerged as a playground of financially driven, highly organized, and sophisticated groups…. Black and gray markets for hacking tools, hacking services, and the fruits of hacking are gaining widespread attention as more attacks and attack mechanisms are linked in one way or another to such markets.</p>
</blockquote>
<p>The <a href="https://www.acsc.gov.au/publications/ACSC_Threat_Report_2015.pdf">Australian Cyber Security Centre’s 2015 Threat Report</a> highlights the emergence of cybercrime as a service, which introduced new business models to cybercriminals and increased their spread and sophistication. The FBI’s Cybercrime Division prosecutor, Gavin Corn, observed that networking among criminal groups has been greatly enhanced by the emergence of new encrypted applications:</p>
<blockquote>
<p>Cybercrime wasn’t even a part of organized crime before, and now it’s the epitome of it. </p>
</blockquote>
<p>The evolution of the internet has also seen the rapid take up of encrypted and anonymous technology.</p>
<p>The value of this underground market today is estimated to be in the hundreds of millions. Some vulnerabilities have reportedly been <a href="https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/">sold for as much as US$900,000 recently</a>. Higher prices are paid for exploits against the more secure systems, such as Apple’s iOS on iPhones, and lower fees for older legacy operating systems like Windows XP.</p>
<p>The market operates in an orderly way, with testing and evaluation prior to purchase. It is similar to the carding business in that it seeks to create a stable, reliable service that encourages repeat use.</p>
<h2>Don’t just blame the black market</h2>
<p>When it comes down to the effectiveness of these products – malware, ransomware – the underground market is only part of the story: businesses with lax security are most at risk.</p>
<p>Legitimate penetration testing by cyber-security companies, as well as national security agencies wanting to improve their cyber arsenals for offensive purposes, has also had a role in boosting the value of exploits. The secret acquisition of exploits leaves many users unaware of the “bug” and thwarts legitimate bug bounty projects.</p>
<p>In reality, any enterprise in e-commerce or dependent on the internet should also be a security company. Intrusions that target confidential data or service delivery are now common and can devastate trust in the business.</p>
<p>A standout problem is the presence of legacy computing systems, or applications on old operating systems that are no longer supported by the vendor. The Windows XP operating system is a good example, and exploits frequently target these older systems.</p>
<p>It is estimated that half of all web pages are still served over the old, insecure HTTP protocol rather than the more secure HTTPS, now the industry standard. This legacy of older web page formats leaves everyone exposed to the risk of being compromised by cybercriminals, who hijack websites and create fake website addresses to redirect victims to such sites, where they unwittingly download a virus such as a Trojan or other malware.</p>
<p>The mass distribution of the “WannaCry” ransomware signals the shift of ransomware intrusion techniques from a specialist or individually tailored mode of cybercrime to one capable of simultaneously targeting many vulnerable computer systems or networks. Coupled with the creation of large-scale botnets (networks of computers that can be controlled remotely), often designed to deliver mass spam emails or social media messages, the scale of these events grows.</p>
<p>At best, attacks on this scale have been described as “weapons of mass annoyance” – disruptive but not fatal. Campaign-style attacks are now commonplace.</p>
<p>They are capable of delivering well-designed, socially engineered messages that trick users into visiting a compromised webpage and inadvertently downloading an executable file that locks up data. In other attacks, hidden programs that log keystrokes or manipulate the computer’s operating system can be installed via unpatched bugs in many older systems.</p>
<p>The notion of the “digital divide”, where some have access to certain technology and others don’t, now has an additional dimension: security. Constantly reviewing the trustworthiness of their online exchanges is becoming harder than ever for consumers and enterprises, as cybercriminals can easily produce perfect duplicates of well-known, trusted enterprises.</p>
<p class="fine-print"><em><span>Roderic Broadhurst does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The underground market for software vulnerabilities has been growing steadily since the 1990s, so the latest WannaCry could be a sign of things to come.
Roderic Broadhurst, Chair professor, Australian National University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/77667
2017-05-15T20:37:53Z
The Petya ransomware attack shows how many people still don’t install software updates
<figure><img src="https://images.theconversation.com/files/169396/original/file-20170515-7005-1kosyny.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">People don't want to be interrupted to update their software.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/woman-working-on-internet-using-computer-553675984">irin73bal via Shutterstock.com</a></span></figcaption></figure>
<p>A new global ransomware attack, called “Petya” or “<a href="https://twitter.com/kaspersky/status/879749175570817024">NotPetya</a>,” <a href="https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/">exploits the same vulnerability</a> as the “WannaCry” attack back in May. As <a href="https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html">Petya spreads across Europe</a>, it’s becoming clear how few people and companies – <a href="https://www.usatoday.com/story/tech/news/2017/06/27/large-cyberattack-hits-europe-disrupts-power-grid-banks/103226268/">including major corporations</a> – actually update their software, even in the wake of major cyberattacks.</p>
<p>WannaCry <a href="https://www.washingtonpost.com/news/worldviews/wp/2017/05/15/the-era-of-cyber-disaster-may-finally-be-here/">could have been avoided</a>, or at least made much less serious, if people (and companies) kept their computer software up to date. The WannaCry attack demonstrated how <a href="https://www.nytimes.com/2017/05/14/world/europe/cyberattacks-hack-computers-monday.html?_r=0">hundreds of thousands of computers in more than 150 countries</a> are running outdated software that leaves them vulnerable. The victims included <a href="http://pix11.com/2017/05/15/wannacry-virus-spreads-to-asia-experts-warn-of-new-wave/">Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry</a>.</p>
<p>As WannaCry spread, media outlets, technology firms and cybersecurity companies around the world <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">recommended people update their computer systems immediately</a> if they hadn’t already. The Petya attack targets computers that weren’t updated, despite those very clear public alerts.</p>
<p>The security flaw that allowed both attacks to occur was <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">fixed by Microsoft in March</a>. But only people who keep their computers updated were protected. Details of the flaw were <a href="https://news.vice.com/story/hackers-used-stolen-nsa-tools-to-launch-a-cyberattack-on-more-than-70-countries">revealed to the public in April by the Shadow Brokers</a>, a group of hackers who said they had stolen the information from the U.S. National Security Agency.</p>
<p>Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.</p>
<h2>Updating is a pain</h2>
<p>All people had to do to stay safe from Petya and WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their <a href="http://dx.doi.org/10.1145/2858036.2858303">experiences of installing software updates</a>.</p>
<p>Nearly half of them said they had been frustrated updating software; just 21 percent had a positive story to tell. Researchers highlighted the response of one participant who noted that Windows updates are available frequently – <a href="https://technet.microsoft.com/en-us/security/bulletins.aspx">always the second Tuesday of every month</a>, and occasionally in between those regular changes. The updates can take a long time. But even short updates can interrupt people’s regular workflow, so that study participant – and doubtless many others – avoids installing updates for “as long as possible.” </p>
<p>Some people may also be concerned that updating software <a href="https://twitter.com/__apf__/status/863961744204472322">could cause problems with programs they rely on regularly</a>. This is a particular concern for <a href="https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/9d6a8704-764f-46df-a41c-8e9d84f7f0f3/mjpg-encoded-media-type-is-not-available-for-usbuvc-webcameras-after-windows-10-version-1607-os?forum=mediafoundationdevelopment">companies with large numbers of computers</a> running specialized software.</p>
<h2>Is it necessary?</h2>
<p>It can also be very hard to tell whether a new update is truly necessary. The software that fixed the Petya/WannaCry vulnerability came out in a regular second-Tuesday update, which may have made it seem more routine. Research tells us that <a href="http://aisel.aisnet.org/icis2014/proceedings/ISSecurity/28/">people ignore repeated security warning messages</a>. Consequently, these monthly updates may be especially easy to ignore.</p>
<p>The companies putting out the updates don’t always help much, either. Of the 18 updates Microsoft released on March 14, including the Petya/WannaCry fix, half were rated “critical,” and the rest were labeled “important.” That leaves users with little information they could use to prioritize their own updates. If, for example, it was clear that skipping a particular update would leave users vulnerable to a dangerous ransomware attack, people might agree to interrupt their work to protect themselves.</p>
<p>Even security experts struggle to prioritize. The day the fix was released, Microsoft watcher Chris Goettel <a href="https://redmondmag.com/articles/2017/03/14/march-2017-security-updates.aspx">suggested prioritizing four of the 18 updates – but not the one fixing Petya and WannaCry</a>. Security company Qualys also failed to include that specific update in its <a href="https://blog.qualys.com/laws-of-vulnerabilities/2017/03/14/massive-security-update-from-microsoft-for-march">list of the most important March updates</a>. </p>
<h2>Security pros, and everyone else</h2>
<p>The most common recommendation is to update everything immediately. People just don’t do that, though. A 2015 survey by Google found that more than one-third of security professionals don’t keep their systems current. Only <a href="https://www.usenix.org/system/files/conference/soups2015/soups15-paper-ion.pdf">64 percent of security experts update their software automatically</a> or immediately upon being notified a new version is available. Even fewer – just 38 percent – of regular users do the same.</p>
<p>Another research project <a href="http://www.umiacs.umd.edu/%7Etdumitra/papers/OAKLAND-2015.pdf">analyzed software-update records from 8.4 million computers</a> and found that people with some expertise in computer science tend to update more quickly than nonexperts. But it’s still slow: From the time an update is released, it takes an average of 24 days before half of the computers belonging to software engineers are updated. Regular users took nearly twice as long, with 45 days passing before half of them had completed the same update.</p>
<h2>Making updates easier</h2>
<p>Experts might be quicker at updating because they understand better the potential vulnerabilities updates might fix. Therefore, they might be more willing to suffer the annoyances of interrupted work and multiple restarts. </p>
<p>Software companies are working on making updates more seamless and less disruptive. Google’s Chrome web browser, for example, <a href="https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en">installs updates silently and automatically</a> – downloading new information in the background and making the changes when a user quits and then reopens the program. The goal is for the user not to know an update even happened.</p>
<p>That’s not the right choice for all kinds of updates, though. For example, the Windows update needed to protect against the Petya/WannaCry attack requires the computer to restart. Users won’t tolerate their computers shutting down and restarting with no warning.</p>
<h2>Getting the message out</h2>
<p>So computer companies must try to convince us – and we must convince ourselves – that updates are important. My own research focuses on doing just this, by <a href="https://www.internetsociety.org/doc/can-edutainment-change-software-updating-behavior">producing and evaluating entertaining and informative videos</a> about computer security.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/muvwozXpyx4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">An entertainment-education video about software updating produced by researchers at the University of Maryland.</span></figcaption>
</figure>
<p>In our first experiment evaluating the video, we conducted a month-long study to compare our video with an article of advice from security firm McAfee. The video was effective for more of our participants than the McAfee article was. Our video was also equally or more effective, overall, at improving people’s updating practices. Trying new approaches to teaching security behaviors such as our edutainment video, or even <a href="http://securitycartoon.com/index.php?comic=20070416&tag=malware">security comics</a>, may be a first step toward helping us stay safer online.</p>
<p><em>Editor’s note: This article was updated on June 27, 2017, to add discussion of the Petya/NotPetya ransomware attack.</em></p>
<p class="fine-print"><em><span>Elissa Redmiles receives funding from the National Science Foundation, Facebook, and the Department of Defense. She is on the editorial board of Data4America, a nonpartisan data journalism nonprofit.</span></em></p>
People don’t want to endure the interruptions and inconveniences of keeping their computer software up to date. Research tells us why, and how we might fix the problem – and protect ourselves.
Elissa M. Redmiles, Ph.D. Student in Computer Science, University of Maryland
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/77717
2017-05-15T07:16:27Z
After ‘WannaCrypt’, should governments stockpile software vulnerabilities? Experts respond
<p><em>The “WannaCrypt” malware has disrupted vital infrastructure in almost <a href="https://www.theguardian.com/technology/2017/may/12/global-cyber-attack-ransomware-nsa-uk-nhs">100 countries</a> so far. Security analysts are concerned it may be part of <a href="https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/">a dump</a> of security flaws a group called the Shadow Brokers claims to have stolen from the United States’ National Security Agency.</em></p>
<p><em><a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000tah8jnrokd6ovxx2mwc3nsz3a">In a blog post</a> Sunday, Microsoft’s president and chief legal officer, Brad Smith, decried government stockpiling of software vulnerabilities.</em></p>
<p><em>“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” he wrote. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”</em></p>
<p><em>We asked a panel of experts to weigh in: Should governments be allowed to stockpile exploits, or should they be made to disclose them to vendors, including Microsoft?</em></p>
<hr>
<h3>Greg Austin, professor, Australian Centre for Cyber Security, University of New South Wales</h3>
<p>Vulnerabilities in commercially available software provide an easy way in for spy agencies and criminals to access adversary computer systems. I agree with <a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000tah8jnrokd6ovxx2mwc3nsz3a">the Microsoft proposition</a> that the refusal of US agencies to publicise vulnerabilities can be compared with the US armed forces losing a Tomahawk Cruise missile. There are circumstances where it could be that serious. </p>
<p>Of course, our cyber intelligence agency, <a href="https://www.asd.gov.au/">Australian Signals Directorate</a>, may also be using vulnerabilities in software that Australian citizens rely on. So we need to ask the government about its policy in this regard. I doubt we will stop that practice in the current climate of global cyber escalation. But, in the medium term, Australia must commit to new “highly secure” systems instead of using inherently vulnerable software and machines. </p>
<p>We must also commit to diplomatic agreement on the disclosure of vulnerabilities in commercially available systems. Countries with <a href="http://globalstudy.bsa.org/2016/index.html">high levels of pirated software</a>, like China and Russia, are vulnerable because patches sent by Microsoft to repair vulnerabilities only go to registered IP addresses with a licensed copy of the software. If a user has installed an unlicensed pirated version, they never get the patches.</p>
<p>The Australian government needs to have a more mature conversation with its citizens about what is really going on in cyber space. So far we have not had it, even though the Turnbull government deserves credit for starting down that path with its <a href="https://cybersecuritystrategy.dpmc.gov.au/">cyber security strategy</a>.</p>
<hr>
<h3>Monique Mann, lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology</h3>
<p>In an <a href="http://theconversation.com/as-surveillance-gets-smart-hackers-get-smarter-62773">escalating cryptowar</a> with widespread uptake of end-to-end encryption, <a href="https://obamawhitehouse.archives.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities">governments contend</a> that they cannot always disclose cyber security vulnerabilities. This is because they use <a href="http://www.pctools.com/security-news/zero-day-vulnerability/">zero-day vulnerabilities</a> to spy.</p>
<p>But state-sponsored programs of cyber warfare go beyond stockpiling vulnerabilities. Countries are actively developing digital weapons to hack into, infect, monitor and disrupt computer systems. </p>
<p>The <a href="https://wikileaks.org/ciav7p1/">Vault 7 disclosures</a>, published by WikiLeaks in March, revealed both the extent of the Central Intelligence Agency’s hacking capabilities and its inability to keep them secure. An arsenal of malware, viruses, trojans and zero-day exploits was taken and leaked.</p>
<p>Now WikiLeaks says it wants to <a href="https://www.wired.com/2017/03/assange-wikileaks-will-help-tech-giants-stop-cia-snooping/">work with technology companies</a> to address vulnerabilities and disarm these digital weapons. Yet these could also <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2706199">have been sold</a> or used for sinister purposes.</p>
<p>Digital weapons can fall into the wrong hands. The consequences, <a href="https://www.itnews.com.au/news/wannacrypt-ransomware-what-you-need-to-know-461717">like “WannaCrypt”</a>, can be disastrous.</p>
<p>Governments should be promoting cyber security rather than undermining it. Failing to disclose and address vulnerabilities weakens cybersecurity. There should also be limits on the development and deployment of digital weapons. </p>
<p>It is time for a <a href="https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.0000eype9fh58dtoxrh2cd8lji6rc">digital Geneva Convention</a> to protect the internet: the critical infrastructure and the citizens who depend on it. </p>
<hr>
<h3>Robert Merkel, lecturer in software engineering, Monash University</h3>
<p>I’ve <a href="https://theconversation.com/iphone-hack-attack-shows-why-we-need-to-rein-in-the-trade-in-spyware-65348">argued previously</a> that Western governments should be far more careful with their use and distribution of stockpiled vulnerabilities in commercial software. But I wouldn’t hold my breath for it to happen.</p>
<p>For better or worse, intelligence agencies seem to have persuaded governments that the intelligence they gain from exploiting such vulnerabilities outweighs the risks when those exploits leak. Whether they are right is something only historians will be able to answer, given the decades it will take for contemporary intelligence operations to be declassified. </p>
<p>Even if Western intelligence agencies were required to cease stockpiling vulnerabilities and instead report them to vendors, their counterparts in Russian and Chinese intelligence agencies seem unlikely to follow suit. They face little domestic political pressure to behave ethically.</p>
<p>Indeed, while the vulnerability used by the “WannaCrypt” ransomware is thought to have come originally from the National Security Agency, the public disclosure of the vulnerabilities <a href="https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html">is believed by some US officials</a> to have been the work of the Russian intelligence services. </p>
<p>Russian IT systems <a href="https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20">were among</a> the most heavily affected by “WannaCrypt”. If the release was in fact the work of Russian intelligence, the blowback, in terms of inconvenience and expense for Russian companies and other branches of the Russian government, has been substantial. It was also foreseeable – and they did it anyway.</p>
<p>While Microsoft’s call for governments to think harder about the real-world costs of their espionage techniques is admirable, it’s hard to imagine it actually happening any time soon.</p>
<p class="fine-print"><em><span>Monique Mann is a director of the Australian Privacy Foundation. While at the Australian Institute of Criminology, she consulted for the Australian Criminal Intelligence Commission on information systems and cybercrime. The views expressed here are those of the author and do not represent the views of any Commonwealth agency.</span></em></p>
<p class="fine-print"><em><span>Greg Austin and Robert Merkel do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
“It is time for a digital Geneva Convention to protect the internet.”
Greg Austin, Professor, Australian Centre for Cyber Security, UNSW Sydney
Monique Mann, Lecturer, School of Justice, Faculty of Law, Crime and Justice Research Centre, Queensland University of Technology
Robert Merkel, Lecturer in Software Engineering, Monash University
Licensed as Creative Commons – attribution, no derivatives.