Friday, July 06, 2007

Zero Day Vulnerabilities Auction

Theory and speculation have both finally materialized: an 0bay-style auction for security vulnerabilities was recently launched, aiming to reboot the full disclosure model, which is currently not very financially favorable to researchers, and hopefully to create a win-win-win solution for Wabisabilabi, the vendors and the researchers themselves:

"We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

As I've been covering the topic of commercializing vulnerability research since I started blogging (my second post was about 0bay, "How Realistic is the Market for Security Vulnerabilities?"), I'll briefly summarize the key points and let you deepen your knowledge of the topic by going through the previous posts on buying and selling vulnerabilities, and even requesting them on demand, which is perhaps the soundest market model in my opinion, at least with respect to relevance.

Back in December 2005, the infamous WMF vulnerability was sold for $4000, to be later injected into popular sites and embedded wherever possible. The idea behind this attack? Take advantage of the window of opportunity until a patch from Microsoft is released; but instead of settling for the typical advantage offered by full disclosure exploit and vulnerability sites, the attackers went a little further and also wanted to make sure that the vulnerability wouldn't appear there in the first place. And while it later became a commodity, WMF DIY generators were released for the script kiddies to generate more noise, while the puppet masters remained safe behind a curtain of the click'n'infect kiddie crowd.

Several months later, a person who is the perfect representation of the phrase "Those who talk know nothing, those who don't talk know" tipped me off to a zero day shop site, The International Exploits Shop, that was using a push model, that is, a basic listing of the vulnerabilities offered and their associated prices, and was even running marketing surveys to figure out the median price customers would be willing to pay for a zero day vulnerability.

Commercializing vulnerability research the way the company is doing it will inevitably expose the lack of a communication and incentives model between all the parties in question. Moreover, if you think a push model from the researcher is better than a pull one, even an on-demand one, think twice: it isn't. If I were a vendor, I'd request a high profile vulnerability to be found in my Internet browser within the next two months and offer a certain financial incentive for doing so, rather than browsing through listings of vulnerabilities in products whose market share is near 1%. For the computer underground, or an information broker, there's no such thing as a zero day vulnerability, because they understand that in times when everyone's fuzzing more effectively than the vendors themselves, and transparency and social networking have never been better, a zero day to some is last month's zero day to others.

Questions remain:

- how do you verify that a vulnerability is really a zero day, when infomediaries such as iDefense, the Zero Day Initiative or Digital Armaments delay "yesterday's" security vulnerability or keep you in a "stay tuned" mode? How can you be sure that you, as an infomediary, are not part of a scheme that's supplying zero days to both the underground and you?

- why put an emphasis on something that's a commodity, while forgetting that today's zero day, which temporarily opens a window of opportunity, will lose its value in less than a minute once an IDS signature takes care of it while a patch is being released? In exactly the same fashion as other malicious economies of scale, stolen personal and financial information loses value, so the attackers try to get rid of it as soon as possible, before its value decreases to practically zero. Stay tuned for a zero day vulnerabilities cash bubble.

- how do you put a value on a vulnerability, and what are your criteria? Of course, monocultural OSs get a higher priority, but does this mean that a zero day in the Mac would get more bids because of the overall perception that it's invincible, and because the verification of such a vulnerability would generate an endless media echo effect, while someone's checking your current zero day propositions to see if the one he came across is still not listed there? For instance, Wabisabilabi posted a Call for iPhone vulnerabilities in the first days of their launch.

Theoretically, if everyone starts selling the zero day vulnerabilities they find, there will be people who artificially increase a zero day's value by holding it back and keeping quiet until someone else finds it as well. Here's an interview I did with David Endler at the Zero Day Initiative that you may find informative, and more opinions on the topic: Computerworld; Dark Reading; Slashdot; The Register; TechTarget; Heise Security; Techcrunch, and an interesting quote from a BBC article saying that the initiative is aiming to limit the flow of vulnerabilities to the underground:

"By rewarding researchers, the auction house aims to prevent flaws getting into the hands of hi-tech criminals."

It would have absolutely zero effect on the flow of vulnerabilities in computer underground circles, mostly because while someone may like the idea of getting a one-time payment for their discovery, others would get a revenue stream for months to come by integrating it into the underground ecosystem. Even the average MPack attack kit, compared to others I've seen, showcases the reality: a huge number of people get infected without any zero day vulnerabilities being used, only ones for which patches have been available for months. Moreover, the underground doesn't just buy stockpiles of zero day vulnerabilities, but is actively discovering new ones as well and holding them back for as long as possible, as I've already mentioned.

And another one from CNET:

"WSLabi is backed by about 5 million euros ($6.8 million) from individual investors, and hopes to float on a stock exchange (probably London's AIM or a similar exchange in Oslo) in around 18 months."

Is this for real? If so, it makes WSLabi yet another investment in the information security market to keep an eye on, in the very same fashion I've been following and speculating on SiteAdvisor's eventual, now real, acquisition. But WSLabi's road to an IPO would be a very, very bumpy one. Everyone's excluding the obvious, namely that the biggest and most targeted vendors could ruin WSLabi's entire business model by starting to offer financial incentives, let's call them, for zero day vulnerabilities, or perhaps by keeping it pragmatic, namely ignoring the fact that someone's trading zero days in their products, mainly because the vendors cannot be held liable for not providing patches in a timely manner or for not reacting to the threat.

Two projects worth considering are ElseNot, listing exploits for every Microsoft vulnerability ever, and eEye's Zero Day Tracker, which keeps track of unpatched vulnerabilities. Be careful what you wish for, so that it doesn't actually happen.