

A Challenge to WikiLeaks: Disclose Software Vulnerabilities on a Responsible Timeline

Eric O' Neill
March 10, 2017 / Eric O' Neill

In its own version of “responsible disclosure,” WikiLeaks has offered to share the software vulnerabilities referenced in the Vault 7 report exclusively with tech companies, such as Apple and Google, so the flaws can be patched.

If you stopped reading right there, it appears that WikiLeaks is trying to do the “right” thing. One might argue that sharing the vulnerabilities exclusively with the relevant parties fulfills the goal of improving security. You might say that WikiLeaks is trying to wear a “white hat,” seemingly for the first time ever.

However, there’s a lot to be skeptical about. Above all, WikiLeaks has never been too keen on withholding information. In other words, expect these vulnerabilities to be made public sooner than we would like.

The critical thing to remember here is that WikiLeaks is essentially communicating WEAPONS in the form of software vulnerabilities. The timing of this communication is absolutely critical considering that these weapons could easily get into the wrong hands. And, if the vulnerabilities do get into the wrong hands, security will be compromised instantly.

As soon as attackers know that a new vulnerability is available, they will use it – within 24 hours – on a mass scale. Even if patches have been created, if they have not been widely deployed, devices around the world will be compromised almost instantly.

Based on previous history, I expect WikiLeaks to make these vulnerabilities public immediately after tech companies create a patch. If they follow this route, the disclosure really only benefits one organization – WikiLeaks.

I’m challenging WikiLeaks to prove me wrong here. If they want to be truly “responsible” (and I use that term very loosely), WikiLeaks should give organizations enough time – say 90 days after the patch is available – BEFORE releasing the vulnerabilities publicly. This 90-day window would give the security community a target to shoot for in making sure that patches are deployed by EVERYONE.

The vast majority of data breaches are the result of out-of-date software. Put another way, consumers (and most businesses) are often very bad about keeping their software up to date, even when patches are available. If WikiLeaks does not give the security community enough time to deploy these patches ubiquitously, global security is severely weakened.

In a press conference streamed live from the Ecuadorian Embassy in London, where he has been holed up since 2012, WikiLeaks founder Julian Assange said: “We have decided to work with [the manufacturers] to give them some exclusive access to the additional technical details that we have, so that fixes can be developed and pushed out, so that people can be secure.”

If there’s any hope suggesting that WikiLeaks might follow true responsible disclosure, it’s in the phrase “and pushed out.” Patches are useless if they have not been widely deployed. There’s a lot of room for interpretation in that phrase, though. The timing is critical.

So, when deciding for yourself how “responsible” WikiLeaks is being here, you need only ask yourself one question: “How long will WikiLeaks hold out before making the vulnerabilities public to the world?”

If WikiLeaks’ past behavior offers any indication of what they might do, you might be as skeptical as I am. I fear these vulnerabilities will be made public long before patches have been widely deployed.

I’m challenging WikiLeaks to prove me wrong.




TAGS: responsible disclosure / WikiLeaks