Archive for July, 2017

In aftermath of Petya, congressman asks NSA to stop the attack if it knows how – TechCrunch

Today Democratic Congressman Ted Lieu of California wrote to the NSA in an appeal for the agency to do anything in its power to stop the spread of the global ransomware (or potentially just disguised as ransomware) attack that began yesterday.

Lieu seeks to hold the NSA accountable for its leaked exploit, known as EternalBlue, which appears to have facilitated the malware's spread. Last month, the ransomware known as WannaCry also leveraged EternalBlue in order to spread between networked machines that have not been updated to protect them from the vulnerability, which Microsoft issued a patch for back in March (MS17-010).

"Based on various reports, it appears these two global ransomware attacks likely occurred because the NSA's hacking tools were released to the public by an organization called the ShadowBrokers," Lieu wrote.

"My first and urgent request is that if the NSA knows how to stop this global malware attack, or has information that can help stop the attack, then NSA should immediately disclose it. If the NSA has a kill switch for this new malware attack, the NSA should deploy it now."

Lieu went on to implore the spy agency to communicate more openly with major tech companies about the vulnerabilities that it discovers in their systems. In the case of EternalBlue, the NSA is believed to have known about the exploit for years. Naturally that makes one wonder what other massive exploits the agency has up its sleeve and how easily those could be exposed in a new Shadow Brokers leak.

"Given the ongoing threat, I urge NSA to continue actively working with companies like Microsoft to notify them of software vulnerabilities of which the Agency is aware," Lieu said. "I also urge the NSA to disclose to Microsoft and other entities what it knows that can help prevent future attacks based on malware created by the NSA."

Some things about yesterday's ransomware attack make it even nastier than its predecessor WannaCry. As IEEE Senior Member and Ulster University Cybersecurity Professor Kevin Curran explained to TechCrunch: "One key difference from WannaCry is that Petya does not simply encrypt disk files but rather locks the entire disk so nothing can be executed. It does it by encrypting the filesystem's master file table so the operating system cannot retrieve files."

The other big difference: WannaCry had a kill switch, even if it was serendipitous.

"It does seem to have the same deadly replication feature of WannaCry which enables it to spread quickly across an internal network infecting other machines," Curran said. "It seems to also be finding passwords on each infected computer and using those to spread as well. There seems to be no kill switch on this occasion."

We reached out to the NSA with questions about its ability to stop the spread of the current ransomware and its perceived responsibility moving forward. You can read Lieu's full letter, embedded below.

How to be smart about open source – GCN.com

Open source is everywhere in government, but many agencies still struggle with the specifics of choosing, contracting for and contributing to open-source software projects. GCN spoke with open-source advocates in government and industry, and came away with five fundamental lessons.

1. Be clear about your end goal

"The most important thing when selecting a [free and open-source] project is picking one that aligns with your business goals," said Marc Jones, an attorney and longtime systems architect in state government. "You do not want to pick a project and then realize you now need to invest a lot of effort into modifications to meet your needs. In that respect, it is very similar to acquiring proprietary software."

Tom Cochran, chief digital strategist and vice president for public sector at Acquia, agreed. "It would be myopic for any organization to say, 'We're going to default to open source for everything,'" said Cochran, who previously worked at the State Department and the White House. "Open source should be considered as part of the suite of possible solutions.... It really needs to be done on a case-by-case basis."

CivicActions CEO Henry Poole, however, argued that open source can and should be an end goal for government. "Public funds are paying for the public good," he said. "Having that code be publicly available, in my opinion, is the right thing to do, just from the point of view of the taxpayer.... You really want to move your acquisition strategy to paying for new technology, not paying for something that already exists."

"At the White House, we actually did plant a flag in the ground saying, 'It had to be open source,'" Cochran said. "Some of that was in reaction to such poor closed-source systems that we had that we didn't want to be boxed into yet another sort of bad procurement."

Avoiding vendor lock-in is a good reason to seriously consider open source, he added. "There's a massive number of small and midsize companies that can do this. And if you don't like the work or support you're getting, you don't have to re-platform."

Everyone interviewed for this article agreed, however: Each open-source solution should be viewed as a potential tool, but the agency mission must drive the decision about which tool to choose.

2. Know what a healthy open-source project looks like

"First make sure the software in question is actually a free and open-source project and that all of the features you want to use are also free and open source," said Jones, who now works at CivicActions. "Especially in niche markets, companies will offer what is known as 'open core,' where the base features are FOSS, but the valuable stuff that sets them apart in the market is proprietary."

Even worse, some allegedly open-source projects carry restrictive proprietary licenses. "They simply mean that you can view the source code," he said.

Once potential open-source solutions have been identified, ProudCity CEO Luke Fretwell said his firm offers a short checklist to gauge viability.

First, he asked, are there maintainers who are true leaders in the community? Brian Behlendorf and Matt Mullenweg, for example, are the highly collaborative faces of the Apache web server and WordPress, respectively. "That's one litmus test because they are banking their personas and careers on those projects."

Second, Fretwell asked, is there a sustainable business that is basing its primary business model off of this product? If there is, that's another check.

Third is use. The consumption side is important (a broad user base means there's demand for continued development), but what he looks for is the number of contributing software developers, both individuals and businesses.

Fretwell also said he checks to see whether the open-source project has the standard aspects of any sort of industry. Does it have annual events or local communities that are engaging? Are those active?

Poole echoed those points and stressed the need to analyze the ecosystem around the code.

For the web efforts for former President Barack Obama's White House, Cochran said, Drupal was picked largely because of the community. "The bigger the support community is, that's how you're magnifying and amplifying your own engineering team."

3. Pick your vendors wisely

"The first and most important thing is to have someone on staff who knows what they're doing and what they're talking about," Cochran said. "It's even more important to have someone who knows what they don't know."

"Honestly, it just comes down to relationships and finding the right people who can help you navigate whichever community it is you're trying to get into," he added.

Fretwell said a contractor's qualifications boil down to two things: "Show me your code, [and then] how involved are you with the community?"

Any organization serious about its open-source contributions will have an active GitHub presence where that work can be examined, he added. And a firm whose employees are maintaining components of an open-source project, speaking at conferences and engaging with other contributors will have the expertise and connections to deliver for an agency.
