#darkside

dredmorbius@joindiaspora.com

ProPublica's criticism of Bitdefender on the Darkside ransomware attacks is seriously unhinged

There's a piece circulating by ProPublica suggesting that notifying targets of DarkSide's ransomware cybercrime attacks, and the methods used, was folly. It's ProPublica who are erring badly:

The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms

By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

https://www.propublica.org/article/the-colonial-pipeline-ransomware-hackers-had-a-secret-weapon-self-promoting-cybersecurity-firms
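The "lapse" the excerpt refers to is worth seeing concretely. Below is an added illustration (my own, not ProPublica's, Bitdefender's or DarkSide's code, and not any real ransomware's cipher): it simulates files from several victims encrypted under a shared key versus under per-victim keys, then asks the question a recovery tool asks of a key obtained from one incident: how many other victims' files does it open? The cipher (HMAC-SHA256 in counter mode), the `MAGIC` known-plaintext header used to validate a candidate key, and all victim data are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed known-plaintext header. Recovery tools validate a candidate key
# against some predictable structure in the file; this stands in for that.
MAGIC = b"CONSTRUCTED-SAMPLE-V1"
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. A constructed illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (MAGIC || plaintext) XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = MAGIC + plaintext
    ks = keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def try_decrypt(key: bytes, blob: bytes):
    """Decrypt with a candidate key; return plaintext, or None if the key check fails."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    if not data.startswith(MAGIC):
        return None
    return data[len(MAGIC):]


def recoverable_with(candidate_key: bytes, victim_files: dict) -> dict:
    """For each victim, report whether the candidate key opens their file."""
    return {name: try_decrypt(candidate_key, blob) is not None
            for name, blob in victim_files.items()}


def demo():
    """Compare shared-key and per-victim-key deployments from the recovery side."""
    names = ["victim_a", "victim_b", "victim_c"]

    # Scenario 1: one key reused across every victim (the lapse in the article).
    shared_key = secrets.token_bytes(32)
    reuse_files = {n: encrypt(shared_key, f"ledger of {n}".encode()) for n in names}
    # A key recovered from victim_a's incident is tried against everyone.
    reuse_result = recoverable_with(shared_key, reuse_files)

    # Scenario 2: an independent key per victim.
    per_victim_keys = {n: secrets.token_bytes(32) for n in names}
    unique_files = {n: encrypt(per_victim_keys[n], f"ledger of {n}".encode()) for n in names}
    unique_result = recoverable_with(per_victim_keys["victim_a"], unique_files)

    return reuse_result, unique_result


if __name__ == "__main__":
    reuse, unique = demo()
    print("shared key recovered from one victim opens:", reuse)
    print("per-victim key recovered from one victim opens:", unique)
```

In the shared-key scenario, the single recovered key decrypts every victim's files, which is what makes a general-purpose decryptor possible; in the per-victim scenario it opens only the file it came from. The key-check against a known header is the same idea real decryptors use to confirm a candidate key before touching data.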

The question of how to address vulnerabilities and disclosure is a continuing one. Full disclosure, in which threats are fully and openly described, has been a long-standing, strongly-defended, and effective norm.

Full disclosure means identifying a specific systemic vulnerability to the extent necessary to identify and neutralise it. It does not mean revealing specific actions or strategies in use by specific actors, not otherwise related to such attacks. As such, your examples really don't apply.

Information security is generally associated with the intended and actual function of systems as concerns the confidentiality, integrity, and availability (CIA) of systems. Another mnemonic is STRIDE, which indicates the threats of Spoofing, Tampering, Repudiation, Information disclosure (privacy breach or data leak), Denial of service, and Elevation of privilege (authorised users operating outside their assigned / intended scopes of access).

An information security vulnerability fails on one or more of these points.

There are cases in which disclosures are intentionally limited in specificity or notification (the latter for a time) due to the degree to which such information might enable attacks. I'm not aware of any concerns about tipping off attackers: once they start encountering patched systems widely, that cat's out of the bag.

The fact that Darkside then employed further vulnerabilities ... is largely a pointer that Bitdefender's tactics worked. And that MS Windows is a target-rich environment.

One example of this was the 2008 Kaminsky DNS hack (the late Dan Kaminsky discovered it; he didn't exploit it). The problem was considered so severe that not only could it not be announced, but the fix itself was targeted well outside the domain in which the attack itself was made possible. Kaminsky discusses that process in this presentation: https://youtube.com/watch?v=B0dHDD9fFM4

Various Intel-architecture CPU memory-exfiltration bugs (Heartbleed, Spectre, Rowhammer, etc.) have seen similar treatment.

There are even cases where tipping one's hand as to strategy or tactics can be advantageous. The US did give Japan prior intimations of its intentions before the events of 6 August 1945. That's a case in which weapons may be seen as sufficiently demoralising that advance advertisement is considered advantageous to the attacker. Flamethrowers, used in WWI, WWII, and later engagements, are similar. Poor bloody infantry have it bad enough without knowing they are to be burnt alive, and even the notoriously surrender-averse Japanese would often give up battle when faced with them. (Not always, but often. The tactic was more effective in the WWII European theatre against German troops.)

I'm a fan of ProPublica. But this narrative is simply stupid.

#ProPublica #BitDefender #DarkSide #ransomware #FullDisclosure #InfoSec