Russian cyber attackers used two unknown flaws: security company by Joseph Menn.
From the post:
(Reuters) – A widely reported Russian cyber-spying campaign against diplomatic targets in the United States and elsewhere has been using two previously unknown flaws in software to penetrate target machines, a security company investigating the matter said on Saturday.
FireEye Inc (FEYE.O), a prominent U.S. security company, said the espionage effort took advantage of holes in Adobe Systems Inc’s (ADBE.O) Flash software for viewing active content and Microsoft Corp’s (MSFT.O) ubiquitous Windows operating system.
The campaign has been tied by other firms to a serious breach at U.S. State Department computers. The same hackers are also believed to have broken into White House machines containing unclassified but sensitive information such as the president’s travel schedule.
…
Perhaps I was just tired last night but when I first read this story, I could not tell if Joseph was being sarcastic about “two unknown flaws” in Adobe Flash and MS Windows or if he was saying Abobe Flash and MS Windows were the security flaws being exploited by a “reported Russian cyber-spying campaign….”
Having slept since then, I am still not entirely sure which one Joseph meant. 😉
If State and the White House are running MS Windows with Adobe Flash on public networks, I can reliably isolate two major security flaws in their security. Adobe Flash and MS Windows. Not to knock MS Window as an OS, but with approximately fifty (50) million lines of code, it’s known to be insecure and will continue to be insecure. No surprises there.
You don’t need to abandon Windows as an OS but accept that it isn’t secure. (full stop) If you use Windows OS on a public network, you are by definition not secure. If you want greater security and to use MS Windows as an OS, move to a secure network.
Perhaps we should borrow (steal?) a term from Margaret Atwood: plebnet, to describe the Internet. The plebnet being rife with hazards, dangers, evil-deed doers, viruses, fraud, spam, advertising, and built upon, traveled and sustained by insecure software.
For a wide range of motivations, most of us would not have the plebnet be any other way. It’s also called freedom.
If the White House and State want a presence on the plebnet, it’s called assumption of risk, legally speaking.