I recently came across to a research on "Modeling the Vulnerability Discovery Process" discussing :
"A few models for the vulnerability discovery process have just been published recently. Such models will allow effective resource allocation for patch development and are also needed for evaluating the risk of vulnerability exploitation. Here we examine these models for the vulnerability discovery process. The models are examined both analytically and using actual data on vulnerabilities discovered in three widely-used systems. The applicability of the proposed models and significance of the parameters involved are discussed. The limitations of the proposed models are examined and major research challenges are identified."
A handy summary of the report emphasises on how :
"The Alhazmi-Malaiya Logistic model has already seen success in its predictions:
-- In 2005, it predicted the number of vulnerabilities discovered in Windows XP would grow rapidly. It has indeed grown from 88 in January 2005 to 173 by the latest count, making the vulnerability density of XP comparable to that of earlier version of Windows.
-- The model predicted that very few new vulnerabilities will be found in Red Hat Linux 6.2, and the number has stayed unchanged at 117.
-- It predicted that the number of vulnerabilities of Windows 2000 will eventually range from 294 to 410. At that time of the prediction, the number was 172; it now is 250, and vulnerabilities are still being found."
Remember the U.S DHS's $1.24M bug hunt funding, that came up with a single X11 vulnerability? Money well spent for sure.
HD Moore who's obviously getting efficient, the potential of contests, futures market models, and my speculation on "every day there's a new 0day in the wild" ruin the effect of any model. Assuming no external factors influence the process, and the rest remain static -- while they rarely do -- it's a great initiative, still, more of a scientifically shooting into the dark one, given the great deal of uncertanties, and decentralized model of discovering, reporting, using and abusing vulnerabilities. If historical performance matters and can act as a key indicator for predicting the future, I wonder would MACs lack of vulnerabilities continue to generate hype, it's more of a "lack of incentives to find some" type of issue. Today's vibrant vulnerability research intrigue is indeed capable of ruining any model.
I also came across to a great point, indicating that :
"After the first week of flaws were released, one online miscreant from Russia shot off an e-mail to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.
"The black hats don't like that the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing."
From my point of view, the existence and usefulness of Metasploit is precisely the same type of dilema whether citizens should be allowed to carry guns for self-protection or blindly rely on 500 police officers for 500,000 people. Hopefully, with initiatives like the Month of the Browser bug ones, we would inevitably break through the "yet another 0day, where's my patch dude? type of security issues to deal with. At the bottom line that's a single, efficient security researcher who's definitely working on building more awareness on what the corporate trolls are ignoring for the sake of their product portfolio diversification.
It's also interesting to mention on the emerging underground 0bay model for selling 0day vulnerabilities :
"Cyber crooks are not hesitant to make such open declarations of illicit intent because of the anonymity offered by the Internet. Some have had the gall to try and peddle their information on popular online auction sites such as eBay. Last December eBay pulled an ad that was selling vulnerability information about Microsoft's spreadsheet program Excel. That was a bold, if foolhardy, move on the part of the seller, because eBay is hardly blackmarket at all, said Ross Armstrong, senior analyst at technology consultancy firm Info-Tech Research Ltd. in London, Ont."
and its corporate form, on which Sergio Hernando was kind enough to point me to. The VulnDisco Pack Professional :
- contains more than 80 exploits
- each month about 5-10 new exploits are made available in the form of updates
- VulnDisco Pack Professional licenses are not limited to a number of seats
and you can actually see an OpenLDAP 0day exploit in action for yourself.
Metasploit image courtesy of Metasploit's blog.
Related resources and posts:
Vulnerabilities
0day
Was the WMF vulnerability purchased for $4000?!
0bay - how realistic is the market for security vulnerabilities?
Where's my 0day, please?
Delaying Yesterday's "0day" Security Vulnerability
Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
Getting paid for getting hacked
Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Sunday, July 16, 2006
Scientifically Predicting Software Vulnerabilities
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment