by phlo 3281 days ago
Sometimes, a bit of obscurity will improve security. To get something like WannaCry to work from a security patch, you'd have to do the following:

  1. Analyze the update, determining what parts of the system it changes
  2. Analyze how the system behaved before the update (i.e. find the vulnerability)
  3. Find suitable parameters for the vulnerability to reliably work
  4. Build a proof of concept exploit
  5. Integrate it into your ransomware
Getting a working proof of concept from a leak saves you 4 out of 5 steps. If you are a financially motivated cyber criminal (and if you are distributing ransomware, you are), that can mean the difference between a waste of your time and a juicy return on investment.

Slippery slope, though: tools like Metasploit are extremely important for security auditing and are generally regarded as a good thing for that reason, but your logic would apply to them as well.
Metasploit is a bit like a knife. You can use it to chop vegetables or stab people, and depending on who wields it, and in what circumstances, either of the outcomes is more likely.

I'm not arguing against the development of Metasploit though, and neither do I want to make an argument against vulnerability research. Every time Tavis Ormandy takes a shower, an AV vendor runs for cover; and on Christmas each year, Karsten Nohl cancels the vacations of some legacy system developers. That's a good thing, because those guys report their findings. They push vendors to fix the vulnerabilities, and they improve the security of systems we all depend on, every day.

Governments should do the same thing. I am all in favor of investing more in vulnerability research, but we need a process of disclosure. Stockpiling vulnerabilities puts everyone at risk, with little benefit.

Circling back to Metasploit: Yes, it makes work easier for cybercriminals. But even just the knowledge that a vulnerability will be available as a module quickly may be enough to make some vendors think twice about not reacting to a disclosure email, whether it's from Project Zero, independent researchers, or (hopefully more often) government CERTs.