Image
US Government pays to keep security holes open

So the cat is publicly out of the bag now, after WikiLeaks published the CIA documents. They contain proof that the CIA and NSA, which are U.S. government agencies, keep this in mind, pays software manufacturers to NOT fix exploits and keep them open. And we also learned from those documents that they successfully compromised the encryption of services like WhatsApp.

This problem is massively bigger when you think about it for a second. Maybe you begin to understand why zero day exploits have become a real market for shady security companies. The Cisco exploits for example, which were zero day exploits and went unfixed for three years, raised some eyebrows last year, but that was it. The public seemed not to care enough. But if you're a little bit more proficient in this area, you knew that this was not a coincidence, nor the only one. Non-disclosure of zero day exploits is the standard procedure, simply because you can earn millions with a good one, especially in attack surface scanning tools which test huge networks with millions of IPs for unpatched software and similar weaknesses.

And now think about this once more. Where did the CIA get the exploit from? How top secret is such an exploit really? After all, even the business transaction for keeping an exploit alive has been documented and it's now official that the U.S. government doesn't solely rely on their own agencies. Which means that this information is available outside of the agency itself, too. 

Keeping an exploit like this deliberately open is selfish, reckless and negligent to the highest degree. This turns an exploit into a security weakness which can (and in too many cases also will) get exploited by third parties. Most of those weaknesses focus on hardware implementations (the notoriously insecure Ivy Bridge architecture which Intel produces is not even a secret only insiders know anymore) and, of course, encryption implementations in standard components like openSSL.

Don't just rely on standard security procedures and algorithms only. SSL, PGP, PKI, all those standards are basic tools which should be used in basic setups, that's true. But that's all they are: basic. And basic is not enough if you have sensitive customer data, intellectual property or similar critical information you need to protect. Those tools reduce the attack surface of your enterprise, but not as much as you might think or even need.

For example, if you have sensitive data somewhere behind a web frontend or an application server, but do not encrypt your databases and filesystems with different certificates, or maybe not even this - do you really think your business is safe?
If your firewall or IDS runs on a system without advanced internal security mechanisms, or even on standard hardware with USB ports - do you really think it will do its job all the time?
Do you still have unencrypted data flows in your network?
Do you still work with IPv4 because a business-critical application doesn't support IPv6?
Do you not use IPv6, because it might turn your network into a notwork?
Do you store information at an external cloud provider like Amazon, who doesn't implement proper security and mandatory access controls on all layers of his architecture?

You shouldn't, definitely not. IT Security (aka Cybersecurity) is basically Risk Management and as long as you can measure your attack surface and still convert it into money, then the attack surface is still too visible and you're in trouble.
Security is not something which costs money.
Security is not an insurance.
Security is not an option.
Security is the air your business needs to breathe. Take it away, and your business model might run into fatal problems.

So do not rely on standard encryption methods. They only make attacks more expensive, but you don't know how big the impact on the attacker's resources will be.
They can render attacking your enterprise and your information too expensive, yes. But it's also possible that they don't.
The attacker will know. You won't.

Instead, tighten your infrastructure, your server installations, your hardware. Don't use Intel architectures for really critical data. Don't use ssh-agent. Don't use sudo. Don't use filesystems which will not be encrypted by certificates. Don't rely on standard UNIX permissions only. Don't rely on hardening only, especially when you forget to start over with it after applying a patch. Don't deploy identical security-related settings or even certificates with config management tools like puppet, every server must be secured individually.


Instead audit your servers, on-the-fly and constantly during normal operations.

Classify your information properly and ensure that only certified users, processes, storages, I/O operations, connections and devices can access them by applying Mandatory Access Controls. No, SELinux is not enough, it only addresses users and processes.

Don't even think about using Docker for applications which work with sensitive data. What you want is full container isolation on operating system and hardware level.

Don't use software or hardware which utilizes CPU caches for encrypting in multihomed or even cloud environments.

And if your operating system supplier, your hardware vendor or your cloud service provider do not support this, then don't use them for storing any data which must stay confidential or even secret. It's as simple as that. 
There is only one alternative to treat highly classified information differently: Keep it as far away from networks as possible.

Don't risk losing control over your classified data and being taken out of business. 

Source: iOS Exploits Data

Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer