
US Security Services May 'Have Moles Within Microsoft,' Says Researcher

Barence writes "U.S. government officials could be working under cover at Microsoft to help the country's cyber-espionage programme, according to one leading security expert. According to Mikko Hypponen, chief research officer at security firm F-Secure, the claim is a logical conclusion to a series of recent discoveries and disclosures linking the U.S. government to 2010's Stuxnet attack on Iran and ties between Stuxnet and the recent Flame attack. 'It's plausible that if there is an operation under way and being run by a U.S. intelligence agency it would make perfect sense for them to plant moles inside Microsoft to assist in pulling it off, just as they would in any other undercover operation,' he said. 'It's not certain, but it would be common sense to expect they would do that.'"
  • by cpu6502 ( 1960974 ) on Friday June 15, 2012 @12:36PM (#40336283)

    They THINK there MIGHT be moles inside Microsoft. ("Definitive proof!" says Alex on his radio show.) That's nice. I think there might be moles inside everybody's backyards..... I haven't actually seen any, but let's publish it anyway and scare everyone.

    1. Publish some random guy
    2. Spin it to make it sound factual "evidence"
    3. $profit$

  • Re:Ockham's razor (Score:5, Informative)

    by Sir_Sri ( 199544 ) on Friday June 15, 2012 @12:54PM (#40336511)

    Or they just paid former Microsoft employees with technical positions to come work for the government.

    Didn't the NSA offer to help 'secure' Windows 7 (http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development)? They could just offer to help with 'collaboration' and then provide some security fixes and use some of the loopholes they find before anyone else does.

    Now the Israelis. They have spies at Microsoft. The US government probably not directly, at least not in the US; there are enough cheaper, no-risk ways to get what they want.

  • Sigh. (Score:5, Informative)

    by Sycraft-fu ( 314770 ) on Friday June 15, 2012 @01:01PM (#40336623)

    You don't need a big gun to get the MS source code. It isn't some big fucking secret like all the ./ers seem to think. It isn't GPL, but plenty of institutions have copies. Basically any government that uses Windows does, huge surprise there. Also a lot of research universities. One such university I know that has it is ASU. Then there are copies in the hands of partners for better debugging/integration of their products.

    Just because the source isn't on Sourceforge, doesn't mean it is some massive secret. A bit of Google would get you http://www.microsoft.com/en-us/sharedsource/default.aspx [microsoft.com] which is MS's page on their source sharing.

  • No. (Score:3, Informative)

    by Anonymous Coward on Friday June 15, 2012 @01:42PM (#40337109)

    Read more about what actually happened. Microsoft was using some keys with MD5 hashing that weren't properly set to prohibit their use for code signing, and those keys were signed by the Microsoft root. Using a collision attack, they created a copy of a signed key and used that to sign their code.

    Brief Explanation:
    http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx

    Detailed Explanation:
    http://blogs.technet.com/b/srd/archive/2012/06/06/more-information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx

    Hotfix MS just published to speed up the revocation process:
    http://blogs.technet.com/b/pki/archive/2012/06/12/announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx

    http://support.microsoft.com/kb/2677070

  • by Anonymous Coward on Friday June 15, 2012 @02:55PM (#40337967)

    Don't forget that the US Department of Homeland Security maintains a giant list of security flaws. It's called the Common Vulnerabilities Enumeration [mitre.org].

    Check the fine print at the bottom of the page: "CVE is co-sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security."

    So that means the government doesn't even need to go looking for holes - security companies send them to the government directly to be listed!

    No mole required, just a "friendly" email informing them that they're going to keep silent for a bit and "forgetting" to post the alert publicly.

    CVE doesn't work that way. From the FAQ:

    Isn’t CVE just another vulnerability database?

    No. CVE is not a vulnerability database. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. As such, CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories.

    The project arose because different vendors were assigning different names and IDs to vulnerabilities and generally just confusing the hell out of everyone. CVE just provides a standard ID that all of the different security researchers can use to refer to the same issue.

    In practice, researchers typically contact MITRE or other software vendors participating in the program to obtain a CVE ID, possibly before the assessment of the vulnerability is complete. Then they announce it themselves with the CVE ID and send a note to MITRE letting them know that the vulnerability is now public. MITRE then updates the CVE website with information about the vulnerability. If the government did want to restrict information about a security vulnerability, they'd need to convince the security researcher not to announce it at all; just omitting it from the database wouldn't be enough.
