Why Hoarding Zero Days Is Bad Public Policy
This week Microsoft patched a zero-day bug affecting Microsoft Word users. Microsoft had been alerted to the bug by the security firm FireEye several months ago.
What we did not know until today is that this bug had been exploited in the wild for at least several months. Who was exploiting it is less clear, because hackers don't usually sign their work, but it appears that both criminal hackers and governments may have been using it.
FireEye suggests that the hacker who discovered the flaw may have sold it to both other hackers and government actors. Exploit sellers rarely agree to sell a bug to only one buyer, so if that is what happened, it is not really surprising.
It is also possible that two different people independently discovered the bug at around the same time. That doesn’t seem as likely to me.
The attackers used several different Word documents as email attachments to entice people to open them. One was a military manual written in Russian, another was a document referencing the Russian Ministry of Defense, and a third promised to reveal the "top 7 hacker chicks". Seriously.
Anyone who fell for it and opened the document was infected with FinSpy, the malware made by the surveillance vendor FinFisher. It is certainly possible that FinFisher, which builds spy tools and sells them to governments (and likely to "others" for the right price), also bought the zero day.
As a testament to the international flavor of hacking, some of the servers hosting this delicious treat were in Italy and others were in Romania.
What is less clear is when our government became aware of this zero day. If they learned of it, say, a year ago and decided to keep it secret, that would be within the operating parameters of DoJ rules.
If (and we don't know whether this is true) our government was keeping this zero day secret while hackers were, at the same time, using it against our businesses, that seems like a problem.
But that is a challenge the intelligence community and law enforcement face every day.
Do we tell? Do we keep it secret? Do we even know what is happening? If we do know, do we want to keep watching the bad guys? Do we want to avoid letting the bad guys know we are watching them? Life is not simple. It would be nice if it were a little simpler, but it is not.
What does seem clear is that we can't count on the government to spill the beans, even when American businesses are being compromised by hackers. Consider yourself warned.
Information for this post came from Motherboard.