Monday, January 30, 2006

Was the WMF vulnerability purchased for $4000?!

Going through Kaspersky's latest summary, Malware Evolution: October - December 2005, I came across a research finding that will, as always, go under the news radar. While "The Hackers" seem to be treated as more elite than the folks who actually found the vulnerability, I think the issue itself deserves more attention in relation to the future development of a market for 0day vulnerabilities.

Concerning the WMF vulnerability, it states:

"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/spyware business, and it seems likely that this was how the exploit became public."

Two months ago, I had a chat with David Endler, director of Security Research at TippingPoint, about their Zero Day Initiative, which is an alternative to iDefense's efforts to provide money as an incentive for quality vulnerability submissions. The fact that a week or so later the first vulnerability appeared on eBay felt "good", mainly because what I had long envisioned actually happened: motivated by the financial rewards already on offer, a researcher decided to get higher publicity, and thus better bids. I never stopped thinking about who gains, or who should actually gain: the vendor, the end user, the Internet as a whole? Or am I just being a moralist here, as always?

This whole concept seemed flawed to me from the very beginning. While you might wish you could permanently employ every great researcher you ever came across, on-demand hiring, where necessary, seems to work just fine. But starting with money as an incentive is a moral game in which "better propositions" from other quarters could also be taken into consideration. Researchers will always have something to report, and once ego, reputation and publicity are taken for granted, it comes down to the bottom line, the hard cash: not "who'll pay more for my research?", but "who values my research most?". And when it comes to money, I feel it's common sense to conclude that the underground has plenty of it. I am not saying that a respected researcher will sell his/her research to an illegal party, but just as a company's most serious competitors are not its current ones but the emerging ones, I feel quite a lot of not-so-publicly-known folks have a lot to contribute.

Possible scenarios for future vulnerability purchasing trends might be:

- What if vendors start offering rewards (money, at the bottom line) for responsibly reported vulnerabilities, eliminating the need for intermediaries altogether? And do the current intermediaries play an important role by centralizing such purchases? I think the Full Disclosure movement, whether conscious or subconscious :), is rather active and will continue to be. Now, what if Microsoft breaks the rules and opens up its deep-pocketed coat?

- How is the 0day status of a purchased vulnerability measured today? My point is, what if the WMF vulnerability was used to "nail down" targeted corporate customers, or even the British government, as actually happened, and this went totally unnoticed due to the lack of mass outbreaks, while the author cashed in twice by selling the supposed 0day to iDefense or the Zero Day Initiative? What if?

- Requested vulnerabilities are the worst-case scenario I can think of at the moment. Why bother always getting excited about an IE vulnerability when you know that person/company X runs AV scanner Y and uses browser X1 as a security-through-obscurity measure? That is the reverse of the current model, where researchers "push" their findings. What if it turns into a "pull" approach: "I am interested in purchasing vulnerabilities affecting that version of that software"? Would this become common, and how realistic is it at the bottom line?

Some buddies often ask me why I always brainstorm on the worst-case scenario. I don't, actually; I try to brainstorm on the key factors and how the current situation will inevitably influence the future. And while I'm not Forrester Research, I don't charge hefty sums for a 10-page report on the threats posed by two-factor authentication or e-banking, do I? Still, I'm right on quite a few occasions.

At the bottom line, ensure money isn't the only incentive a researcher gets, and don't treat researchers as if they are all the same, because they aren't. Instead, sense what matters most to the individual and go beyond the financial incentive, or you'll lose in the long term.

What are your thoughts on purchasing vulnerabilities as far as the long term is concerned? What would be a more effective way of dealing with 0day vulnerabilities than the current approaches? Might a researcher sell his findings to the underground, given that he knows where to do it? What do you think?

How we all get 0wn3d by Nature at the bottom line?

I just came across a clip, courtesy of NASA, that can be described as beautiful devastation; still, it reminds me of how insecure we are at the bottom line. And no, I don't see how you could distribute a signature for this, or can you? :)


Twisted Reality

I looked up the definition of Evil today and found it. I tried to play a Google War and came across 256 million occurrences of it; still, there's hope for all of us, I guess. On the 17th of January I blogged on how China turned into the biggest black spot on the Internet's map, only to find out that I even have activists commenting on my blog :)

Google has agreed to "remove certain sensitive information from our search results"; you all know it by now. What you perhaps don't know is that the old Google still has its marks on the web. Google's Information for Webmasters still states that:

"Google views the comprehensiveness of our search results as an extremely important priority. We're committed to providing thorough and unbiased search results for our users."

I guess Chinese users should print this and stick it on their walls to remind them of the past, as it says exactly the same thing. Google has also removed its "censored notice" from "older removals"; how come, and for what reason? A lack of accountability for the times when "local laws, regulations, or policies" were removing "sensitive information" before that date?! Google is my benchmark for disruption, but I guess its actions and "do no evil" motto were simply too pure for the business world, which on the majority of occasions is capable of destroying morale, even individuals.

Welcome to a "Twisted Reality" where one event looks like an entirely different one, on request, and the list is getting bigger!

But what is actually filtered in China these days, and what are the topics of interest? Four years ago, a great initiative brought more insight into what's deemed "sensitive information", and while the list is of course changed on the fly, it is important to know how it blocks the top results, as this is where all the traffic goes.

Recently, CNET did some nice research on which sites are blocked by which search engine; I even saw Neworder in there :)

The best thing about China's backbone is how centralized it really is, and the way researchers are finding common censorship patterns that could prove useful for future research. Is Tor, with its potential, applicable in China, and are initiatives such as the Anonymous OS, or even TorPark, a USB extension of the idea, the future?

Meanwhile, in case there are interested parties reading this post, consider taking a look at the "Handbook for Bloggers and Cyber-Dissidents", courtesy of Reporters Without Borders.
