It is not enough to simply point out the many flaws in security software that could allow hackers to bypass security measures in a matter of hours, as the National Security Agency did this week.
In an op-ed for the Washington Post, security expert Michael McVoy and others point out that security vulnerabilities are the primary reason why businesses and individuals should be wary of using software from vendors such as Symantec and Trend Micro that are commonly used by the public.
The latest issue of “SecurityWeekly” highlighted the vulnerabilities of software called “WannaCry,” which first surfaced in the wild last week, infecting a wide variety of businesses and government organizations, and which the NSA has been able to exploit in the past few weeks.
Affected organizations are not only vulnerable to the threat of a massive ransomware attack, but also to being caught in a “reverse-exploitation” campaign, where malicious software exploits the weaknesses in the software to gain unauthorized access to data and files.
It is worth noting that the NSA was able to “reverse engineer” WannaCry, a process which takes months and often involves more than one “exploiter,” according to McVoy.
“The NSA and its contractors have exploited this vulnerability in ways that have left our companies, government and citizens vulnerable,” McVoy's op-ed reads.
He also points out that the company is not alone in this.
The FBI and other law enforcement agencies have also been able in recent weeks to successfully “reverse engineer” the malware that has infected more than 100,000 businesses and agencies.
McVoy also points to the fact that this is the first time that Symantec has been identified as a company with a vulnerability, which is a testament to how serious the situation is.
Symantec has already patched the vulnerabilities and has released patches to its customers.
And, McVoy's op-ed points out, the NSA did not only “reverse engineer” the WannaCry code, it “exploit[ed] it in ways not seen before, and this is what allowed it to be able to steal more than $5 million from U.K. and U.A.E. government accounts.”
While McVoy points out the fact of this attack, he also notes that there are many other companies out there that do the same thing.
For example, security firm Mandiant is using the same tools and techniques to reverse engineer the code of a number of companies, including Microsoft, Google, Apple, Adobe and Cisco.
Mandiant found a vulnerability in one of those companies that allowed them to exploit a flaw in the operating system, but the exploit did not work for others.
However, there are also other companies that do reverse engineering and other types of research on the same code, McSweeney writes.
The NSA did the same when it “reverse engineered” the code for the Stuxnet virus.
As the Washington Examiner noted, this is not the first instance where the NSA and a number of other intelligence agencies have exploited vulnerabilities in code.
The agency used a vulnerability to find vulnerabilities in an operating system to allow them to bypass antivirus software and compromise computers, as well as exploit flaws in encryption algorithms.
This is not an isolated incident, however, as McVoy points out.
There have been reports that the National Intelligence Council has also used reverse engineering tools on code, as has the NSA.
That’s because the agencies are still working on their own exploits.
But McVoy points out how important it is to keep a “list of those who are actively using and exploiting these tools” and how that can be used to detect and prevent vulnerabilities before they become a problem.
While the government is not using these tools in this instance, it is certainly not the last time the NSA or others have used them.
What do you think?
Did the NSA exploit a vulnerability or not?