Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons
from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept
Who’s going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it’s a non-‘Five Eyes’ country involved, there’s usually no hesitation. But the recent exposure of Regin malware’s NSA/GCHQ origins (which both agencies deny, despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade, and yet little has been said about it over that period of time.
Mashable looked into the malware further and received some surprising replies from security analysts as to why there’s been little to no discussion of Regin up to this point.
Symantec’s [Vikram] Thakur said that they had been investigating Regin since last year, but only felt “comfortable” publishing details of it now.
[Costin] Raiu, the researcher from Kaspersky, said they had been tracking Regin for “several years” but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.
For [Ronald] Prins [of Fox IT], the reason is completely different.
“We didn’t want to interfere with NSA/GCHQ operations,” he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to “global security.”
And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the “Five Eyes” countries. Microsoft — whose software the malware was disguised as — has refused to comment.
It’s no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments they have large contracts with. But security researchers shouldn’t be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU’s chief technologist pointed out, there’s no faster way to “destroy” your company’s reputation as a “provider of trustworthy security consulting services.” Who’s going to want to hire someone who won’t tell you your data and communications are compromised until they feel it’s “safe” to do so?
We already know that any security holes discovered (or purchased) by intelligence agencies won’t be turned over to affected companies until they’ve been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn’t be withholding details on sophisticated malware out of deference to the intelligence agencies they believe are behind it.
At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There’s an entire industry that does nothing but find exploits and sell them to intelligence agencies — only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware’s origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.