
Microsoft calls for independent body to address cyber attribution

In a move to support the development of global cybersecurity norms, Microsoft calls for improved cyber attribution to identify cyberattack perpetrators.

In an effort to create "cybersecurity norms" for governments and the global information and communications technology industry, Microsoft is proposing the creation of a public-private forum to address the issue of cyber attribution as well as an independent organization to investigate cyberattacks.

In a white paper titled "From Articulation to Implementation: Enabling Progress on Cybersecurity Norms," Microsoft pointed out that international laws apply to the internet, but they do not always translate well to the cyber dimension -- and rushing to write and apply new laws before generally accepted cybersecurity norms are developed would be risky.

"We recognize that cybersecurity norms are unlikely to be effective as a policy tool without further development of cyberattack attribution processes," Scott Charney, corporate vice president for trustworthy computing at Microsoft and lead author of the white paper, wrote in a blog post announcing the white paper. "Accordingly, our paper outlines the current challenges surrounding attribution of cyberattacks, and we propose a public-private forum to address attribution of severe cyberattacks that would involve a globally-diverse group of technical experts, subject to peer review. Indeed, the development of cybersecurity norms will require new forms of cooperation and new mechanisms to surmount challenges that are unique to cyberspace. New models for public-private partnership -- on a global scale -- will be essential."

The white paper authors acknowledge the challenges of establishing an independent authority to investigate attacks and determine cyber attribution. "Governments in particular may be reluctant to empower an independent organization to make findings that may be both politically important and politically charged," the paper states. "To address these concerns, the organization must be structured in a way that promotes global acceptance." As a result, Microsoft said such an independent body must have strong technical expertise, diverse geographic representation, peer review and, finally, a narrow scope that focuses only on severe cyberattacks.

Microsoft's call for improved cyber attribution comes in the wake of questions about who breached the Democratic National Committee, as well as the call by the Defense Advanced Research Projects Agency (DARPA) for proposals for research on cyber attribution.

DARPA's goal for enhanced attribution is the development of mechanisms for generating operational and tactical information about concurrent malicious cyber campaigns run by threat actors, whereas Microsoft's proposed cyber attribution effort is meant to support the development of cyber norms by identifying the actors responsible for a cyberattack.

Microsoft wrote that "states should refrain from attacking critical infrastructures; and states should refrain from impairing the work of CERTs." Holding an actor responsible for a cyberattack on critical infrastructure clearly depends on the ability to identify the actor behind it.

"Even though governments have acknowledged that international laws apply to the internet, such laws are static and binding and do not necessarily address well new cyberspace scenarios," Microsoft wrote in the white paper. "Greater experience with such scenarios is important and, therefore, stakeholders in cyberspace have advocated for the development and implementation of norms before creating new laws. There is great risk in moving hastily to apply new laws to cyberspace. Moreover, drafting them is inadvisable because the impact of such laws, in part due to the lack of scenario experience, may be problematic. Accordingly, stakeholders in cyberspace should endeavor to develop and implement norms before they are codified."

In other news

  • SQLite, which claims to be "the most widely deployed database in the world," has patched a permissions vulnerability that is most notable for being so widely distributed. The open source library SQLite implements "a self-contained, serverless, zero-configuration, transactional SQL database engine." It is incorporated in many products and open source projects including Android, iOS, OS X and Windows 10; browsers including Firefox, Chrome and Safari; also, set-top boxes, automotive media systems and more. The vulnerability was reported by security firm KoreLogic Security in Annapolis, Md. According to the vulnerability report, the versions of SQLite with the vulnerability reject potential temporary directory locations if they are not readable, falling back to the root directory. "Thus, SQLite will favor e.g. using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check." KoreLogic referred to the vulnerability as "only a POLA (Principle of Least Astonishment) violation that may cause unexpected failures," but added that "this might in turn cause software that uses SQLite libraries to behave in unsafe ways, leaking sensitive data, opening up SQLite libraries to attack by deliberately corrupted tempfiles, etc." SQLite released a patch for the flaw in May, though its wide distribution in third-party software means it may take some time for the patch to be applied to all systems using SQLite.
  • Sophos researcher Graham Chantry reported on an old bug in Microsoft products that attackers keep teaching new tricks. The vulnerability, CVE-2012-0158, was publicly reported in April 2012 -- and patched by Microsoft. Chantry wrote: "Arguably one of the most exploited vulnerabilities of the last decade, the story behind CVE-2012-0158's longevity is one of constant adaptation; somewhat a modern day embodiment of Charles Darwin's On the Origin of Species. In this paper we will dissect all aspects of the vulnerability: how it works, why it's been so popular, how it's changed form, who it's most commonly utilized against and what the future holds for it." While the vulnerability was initially widely exploited in spam campaigns, in the four years since it was patched, Chantry wrote that "the number of computers still vulnerable to CVE-2012-0158 is as low as 15% in Europe and North America and less than 40% worldwide. This would go some way to explaining why we rarely see CVE-2012-0158 used in spam campaigns as, if you're targeting randomly, there's nearly an 85% chance the exploit will fail if the victim is in Europe." However, over 50% of Windows systems in Asia, Russia and Ukraine are still vulnerable to the flaw; Chantry also noted that the vulnerability is being used in targeted attacks as well.
  • A vulnerability in Lenovo system BIOS code may be more widespread than first thought. After an uncoordinated disclosure of a zero-day privilege escalation/code execution flaw in Lenovo ThinkPad firmware, dubbed ThinkPwn by security researcher Dmytro Oleksiuk, Lenovo released an advisory. Lenovo stated that the BIOS vulnerability is located in System Management Mode (SMM) code that the computer manufacturer had acquired from "at least one" of its Independent BIOS Vendors (IBVs). IBVs, Lenovo wrote, "are software development firms that specialize in developing the customized BIOS firmware that is loaded into the PCs of original equipment manufacturers, including Lenovo." Oleksiuk reported that the vulnerable code seemed to originate in reference code provided by Intel, and following the initial disclosure, the vulnerable code has been found to affect computers from Dell, Fujitsu, HP and possibly others.
  • "HummingBad" isn't a tone-deaf bird, but rather an Android malware program that reportedly generates $300k every month in fraudulent ad revenue for its runners, according to Check Point's Mobile Research Team. The malware, which Check Point reported is currently infecting as many as 10 million devices, "establishes a persistent rootkit on Android devices, generates fraudulent ad revenue, and installs additional fraudulent apps." Check Point linked the HummingBad malware campaign to Yingmob, a group of Chinese cybercriminals. "Yingmob runs alongside a legitimate Chinese advertising analytics company, sharing its resources and technology. The group is highly organized with 25 employees that staff four separate groups responsible for developing HummingBad's malicious components."
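The SQLite item above describes a temp-directory chooser that rejected unreadable candidates, fell back to the working directory, and ignored the result of its own permission check on '.'. The following is an added illustration of the opposite, fail-closed behaviour (example code written for this article, not SQLite's or KoreLogic's code; the candidate list and the exact acceptance rule are assumptions, not SQLite's real ones):

```python
"""Pick a temp directory only if it passes a permission check; never fall back to cwd."""
import os
import stat
from typing import Iterable, Optional

# Constructed candidate order for illustration only; SQLite's real search list differs.
DEFAULT_CANDIDATES = ("/var/tmp", "/usr/tmp", "/tmp")


def is_safe_tempdir(path: str) -> bool:
    """True only if `path` is an existing directory we may use for temp files.

    Rule (an assumption for this example): the directory must be readable and
    writable by us, and if it is world-writable it must carry the sticky bit
    (as /tmp normally does) so other local users cannot replace our files.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False  # missing or not traversable: reject, do not guess
    if not stat.S_ISDIR(st.st_mode):
        return False
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    if world_writable and not sticky:
        # Any local user could swap in a corrupted temp file here.
        return False
    # The check SQLite reportedly ran on '.' but then ignored: honour it.
    return os.access(path, os.R_OK | os.W_OK)


def choose_tempdir(candidates: Iterable[str] = DEFAULT_CANDIDATES) -> Optional[str]:
    """Return the first candidate that passes is_safe_tempdir, else None.

    Returning None (and letting the caller fail loudly) is the point: the
    reported SQLite behaviour was to silently use cwd when nothing qualified.
    """
    for cand in candidates:
        if cand and is_safe_tempdir(cand):
            return cand
    return None


if __name__ == "__main__":
    env = os.environ.get("TMPDIR", "")
    print("temp dir:", choose_tempdir((env,) + DEFAULT_CANDIDATES))
```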
