Security Researchers Withheld Regin Malware Details For 'Global Security' Reasons

from the not-really-'global'-when-it's-just-the-Five-Eyes-then,-is-it? dept

Who's going to let you know your communications and data have been compromised by state entities? Well, it seems to depend on who the state entity is. When it's a non-'Five Eyes' country involved, there's usually no hesitation. But the recent exposure of Regin malware's NSA/GCHQ origins (which both agencies deny originates with them despite leaked documents to the contrary) came belatedly, confirming details revealed more than a year ago. The malware appears to date back nearly a decade and yet, there has been little said about it over that period of time.

Mashable looked into the malware further and received some surprising replies from security analysts as to why there's been little to no discussion of Regin up to this point.
Symantec's [Vikram]Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now.

[Costen] Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For [Ronald] Prins [of Fox IT], the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."
And so it goes. Everyone had the same suspicion as to who was behind the malware, but everyone sat on it, hoping someone else would make the first move. The NSA and GCHQ may deny their involvement, but the list of countries with verified Regin infections notably does not include any of the "Five Eyes" countries. Microsoft -- whose software the malware was disguised as -- has refused to comment.

It's no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn't be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU's chief technologist pointed out, there's no faster way to "destroy" your company's reputation as a "provider of trustworthy security consulting services." Who's going to want to hire someone that won't tell you your data and communications are compromised until it feels it's "safe" to do so?

We already know that any security holes discovered (or purchased) by intelligence agencies won't be turned over to affected companies until they've been fully exploited. We also know that some of these companies have worked in concert with the NSA and others to provide backdoor access or hold off on patching software until the government gives them the go-ahead. But security researchers shouldn't be withholding details on sophisticated malware out of deference to the intelligence agencies it believes are behind it.

At this point, we have a security ecosystem greatly skewed towards the exploitation of flaws and the distribution of malware, rather than the other way around. There's an entire industry that does nothing but find exploits and sell them to intelligence agencies -- only distinguishable from criminal enterprises by their clientele. Being silently complicit in these exploits may prevent operations from being compromised (and seems to confirm that Fox IT reached the same conclusion about the malware's origin as others), but it has the hugely unfortunate side effect of harming thousands, if not millions, of non-terrorists around the world.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: malware, regin, security, security research
Companies: fox it, kaspersky, symantec

Reader Comments

Subscribe: RSS

View by: Thread

  1. identicon
    Rich Kulawiec, 2 Dec 2014 @ 7:46am

    If your security strategy relies on AV software...

    ...then you are doomed, because AV software is guaranteed to fail when you'll need it the most. Like, say, when a new virus that it's never seen before -- and which has been vetted against every AV product on the planet -- shows up.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.