Monday 15 May 2017

Microsoft blasts spy agencies for hoarding security exploits

Microsoft is hopping mad that leaked NSA exploits led to the "WannaCry" (aka "WannaCrypt") ransomware wreaking havoc on computers worldwide. Company President Brad Smith has posted a response to the attack that roasts the NSA, CIA and other intelligence agencies for hogging security vulnerabilities instead of disclosing them to be fixed. There's an "emerging pattern" of these stockpiles leaking out, he says, and they cause "widespread damage" when that happens. He goes so far as to liken it to a physical weapons leak -- it's as if the US military had "some of its Tomahawk missiles stolen."

To Smith, this is a "wake-up call." Officials ought to treat a mass of exploits with the same caution that they would a real-world weapons cache, he argues. Microsoft had already floated the concept of a "Digital Geneva Convention" that required governments to report security holes, but the idea has gained a new sense of urgency in light of the recent ransomware chaos. Will the NSA and other agencies listen? Probably not -- but Microsoft at least some has some evidence to back up its claims.

Smith's write-up also calls for a greater sense of "shared responsibility" in fighting online threats. While Microsoft makes its own efforts by rushing out patches and sharing concerns with other companies, it also chastises customers who could have closed the WannaCry hole two months earlier but didn't. If they don't get updates quickly, Smith contends, they're "fighting the problems of the present with tools from the past." He's being a bit unrealistic -- it's not so simple for companies to upgrade to the latest versions of Windows, especially if budgets are tight or there's must-have software that could break. At the same time, it's hard to escape the reality that many WannaCry victims are running outdated software.

Workers might not have to wait for their IT departments to get into gear, at least. Rendition Infosec as introduced a stopgap TearSt0pper tool that can thwart WannaCry without requiring a patch. You need to launch it every time you boot your PC (provided you're allowed to run apps like this), but it could mean the difference between a productive day or explaining why your system is out of commission.

Source: Microsoft on the Issues, Rendition Infosec

Read the full article here by Engadget

No comments: