Could the WannaCry attack have been avoided?
There’s a code among whitehat hackers and cybersecurity experts alike, whether they’re professionals on Google’s Project Zero team or just a guy with some know-how working out of his basement: when you discover a bug, you contact the software developer and give them a chance to make it right. Project Zero’s published disclosure guidelines state that the team withholds the details until the vendor ships a patch, so that attackers can’t use the report as a how-to. Only if ninety days have passed and the developer has still not produced a fix will the researchers inform the public, so that users can at least take preventive action.
Wouldn’t it be nice if everyone were so ethical when it comes to security flaws and hacking? Wouldn’t it be even nicer if the government weren’t sitting on information about bugs in order to exploit them for its own purposes, sometimes for years?
A new report by CNet shares Microsoft’s anger over government secrecy surrounding bugs, a practice the tech company directly blames for the recent wave of attacks. Microsoft says that last week’s WannaCry attack exploited a flaw that the US government knew about and chose not to disclose. It is a similar story to Heartbleed, the bug in the OpenSSL library that, according to press reports the agency denied, the National Security Agency had known about for around two years before researchers discovered it and announced it to the public.
Government agencies criticized
As CNet states: “Microsoft is criticizing government agencies for hoarding software flaws and keeping them secret, calling a massive, new ransomware attack a ‘wake-up call’ to this problem. Brad Smith, Microsoft’s chief counsel, said Sunday in a company blog post that by keeping software vulnerabilities secret from vendors, governments open up users to attacks like Friday’s WannaCry — or WannaCrypt/WanaCrypt — hack in which malware locked down computers worldwide while demanding hefty sums for freedom.”
WannaCry spread as a self-propagating worm across networks around the world, encrypting the files on each Windows machine it reached and demanding a ransom payment before they would be unlocked. Some of the hardest hit systems belonged to healthcare providers across the UK, where interrupted patient care can put lives at risk. Worth noting for the question in the title: Microsoft had released a fix for the flaw WannaCry exploited in March 2017, about two months before the outbreak, so machines that had applied that update were not vulnerable to the worm.