LESSONS IN RANSOMWARE

India Today - INSIDE - SUNIL ABRAHAM

Sunil Abraham is Executive Director, Centre for Internet and Society

The WannaCry ransomware was a derivative implementation of an exploit developed at the cost of the US taxpayer, holding hostage mostly users of pirated and/or outdated software across the world.

Let us first understand how the US taxpayer ended up subsidising this global criminal operation. The National Security Agency of the US government, like the intelligence and military agencies in most other nation states with an offensive cybersecurity programme, is amassing zero-day vulnerabilities. Zero-day vulnerabilities are vulnerabilities in software that have not been disclosed publicly. The vulnerability targeted by WannaCry was for years of strategic importance for the NSA. They had built an exploit called EternalBlue to remotely take over and control computers running Windows XP to Windows 2012.

In the big picture, through amassing hundreds of such vulnerabilities and their associated exploits, agencies like the NSA contribute to the fragility of our global information society. They reverse the traditional market incentives for fixing software vulnerabilities. While this strategy might provide the NSA an advantage during cyber attacks and cyber war, even the NSA does not know if criminals are using the very same vulnerabilities to target American citizens. This cyber-security challenge is currently being debated at many different national and international forums. The most important question is: should the market for zero-day vulnerabilities and exploits be regulated? If it is to be regulated, how should it be regulated? Unfortunately, it is highly unlikely that there will be consensus on this issue and therefore governments will continue to contribute to the success of attacks like WannaCry in the years to come.

Why did the criminals target outdated/pirated software? Corporations like Microsoft try to discourage piracy by only providing patches to paying customers. Microsoft had released patches in mid-March, around a month before the Shadow Brokers released the latest tranche of weaponised software exploits from the NSA featuring EternalBlue. Additionally, Microsoft went out of its way to also release a patch for Windows XP; they were not obliged to do this since they had ended support for XP in April 2014. But Microsoft decided against making these patches available to users of pirated versions of their software. Of course, user ignorance and poor security practices have contributed greatly to the scale of the attack, but given that our government knows that most Indians will not be able to afford proprietary software, it is strange it doesn’t promote Free/Open Source Software (FOSS). The promotion of FOSS is mentioned in the BJP manifesto for 2014. This is best achieved through vendor neutrality in government procurement and educational institutions. Otherwise, the state and academia end up as the sales teams of proprietary software firms. If ordinary people shift to FOSS, they could, for example, install the latest version of Ubuntu without paying and also get all the latest security updates.

This is not to say there is no ransomware targeting FOSS (Android, flavours of GNU/Linux) or FOSS-based operating systems like Apple’s OS. But their limited market share results in fewer criminals targeting them. With FOSS, it’s also possible that resources needed to detect vulnerabilities and develop patches can be provided by multiple stakeholders, including governments. However, it is important not to forget that there is no guarantee that any of this will actually happen. There are examples of very important projects like OpenSSL with vulnerabilities like Heartbleed that remained undetected and unfixed. This was because everyone was hoping for someone else to do it. Economists call this the “tragedy of the commons”. However, in developing countries like India, government procurement can be used to shape the market, incentivising an ecosystem of developers with market incentives for contributing to FOSS projects. This is a better way to use taxpayer money!
