Showing posts with label Exploit Broker. Show all posts

Pay-Per-Exploit Acquisition Vulnerability Programs - Pros and cons?

October 22, 2018
As ZERODIUM starts paying premium rewards to security researchers to acquire their previously unreported zero-day exploits affecting multiple operating systems software and/or devices a logical question emerges in the context of the program's usefulness the potential benefits including potential vulnerabilities within the actual acquisition process - how would the program undermine the security industry and what would be the eventual outcome for the security researcher in terms of fueling growth in the cyber warfare market segment?

In this post I'll discuss the market segment for pay-per-exploit acquisition programs and discuss in-depth the current exploit-acquisition methodology utilized by different vendors and provide in-depth discussion on various over-the-counter acquisition methodologies applied by malicious attackers on their way to monetize access to malware-infected hosts while compromising the confidentiality availability and integrity of the targeted host including an active discussion on the ongoing and potential weaponization of zero day vulnerabilities int the context of today's cyber warfare world.

Having greatly realized the potential of acquiring zero day vulnerabilities for the purpose of actively exploiting end users malicious actors have long been aware of the over-the-counter acquisition market model further enhancing their capabilities when launching malicious campaigns. Among the most widely spread myth about zero day vulnerabilities is the fact that zero day vulnerabilities arethe primary growth factor of the cybercrime ecosystem further resulting in a multi-tude of malicious activity targeting end users.

With vendors continuing to establish the foundations for active vulnerability and exploit acquisition programs third-party vendors and research organizations continue successfully disintermediating the vendor's major vulnerability and exploit acquisition programs successfully resulting in the launch and establishment of third-party services and products further populating the security-industry with related products and services potentially acquiring "know-how" and relevant vulnerability and exploit information from major vendors further launching related companies and services potentially empowering third-party researchers vendors and individuals including nation-state actors with potential weaponization capabilities potentially leading to successful target-acquisition practices on behalf of third-party researchers and individuals.
Becoming a target in the widespread context of third-party vendors and researchers might not be the wisest approach when undermining potential research and in-house research and benchmarking activities in terms of evaluating and responding to vulnerabilities and exploits. Vendors looking for ways to efficiently improve the overall security and product performance in terms of security should consider basic internal benchmarking practices and should also consider a possible incentive-based type of vulnerability and exploit reward-type of revenue-sharing program potentially rewarding company employees and researchers with the necessary tools and incentives to find and discover and report security vulnerabilities and exploits.

Something else worth pointing out in terms of vulnerability research and exploit discovery is a process which can be best described as the life-cycle of a zero day vulnerability and exploit which can be best described as a long-run process utilized by malicious and fraudulent actors successfully utilizing client-side exploits for the purpose of successfully dropping malicious software on the hosts of the targeted victims which often rely on outdated and patched vulnerabilities and the overall misunderstanding that zero day vulnerabilities and exploits are the primary growth factor of the security-industry and will often rely on the fact that end users and enterprises are often unaware of the basic fact that cybercriminals often rely on outdated and patched vulnerabilities successfully targeting thousands of users globally on a daily basis.

What used to be a market-segment dominated by DIY (do-it-yourself) exploit and malware-generating tools is today's modern market-segment dominated by Web malware-exploitation kits successfully affecting thousands of users globally on a daily basis. In terms of Web-malware exploitation kits among the most common misconceptions regarding the utilization of such type of kits is the fact that the cybercriminals behind it rely on newly discovered exploits and vulnerabilities which in fact rely on outdated and already patched security vulnerabilities and exploits for the purposes of successfully enticing thousands of users globally into falling victim into social-engineering driven malicious and fraudulent campaigns.

Despite the evident usefulness from a malicious actor's point of view when launching malicious campaigns malicious actors continue utilizing outdated vulnerabilities for the purpose of launching malicious campaigns further utilizing a multi-tude of social engineering attack vectors to enhance the usefulness of the exploitation vector. Another crucial aspect of the pay-per-exploit acquisition vulnerability model is, the reliance on outdated and unpatchted vulnerabilities for the purpose of launching malicious campaigns further relying on the basic fact that on the majority of occasions end users fail to successfully update their third-party applications often exposing themselves to a variety of successful malicious campaigns utilizing outdated and unpatched vulnerabilities.

We expect to continue observing an increase in the pay-per-exploit acquisition model with, related acquisition model participants continuing to acquire vulnerabilities further fueling growth into the market segment. We expect that malicious actors will adequately respond through over-the-counter acquisition models including the utilization of outdated and unpatched vulnerabilities. End users are advised to continue ensuring that their third-party applications are updated to build a general security awareness and to ensure that they're running a fully patched antivirus solution.

Consider going through the following related posts:
Researchers spot new Web malware exploitation kit
Web malware exploitation kits updated with new Java exploit
Which are the most commonly observed Web exploits in the wild?
Report: Patched vulnerabilities remain prime exploitation vector
Report: malicious PDF files becoming the attack vector of choice
Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
56 percent of enterprise users using vulnerable Adobe Reader plugins
Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
Report: malicious PDF files becoming the attack vector of choice
Malvertising campaigns at multiple ad networks lead to Black Hole Exploit Kit
56 percent of enterprise users using vulnerable Adobe Reader plugins
Report: third party programs rather than Microsoft programs responsible for most vulnerabilities
Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts
Secunia: popular security suites failing to block exploits
37 percent of users browsing the Web with insecure Java versions
Which are the most commonly observed Web exploits in the wild?
Report: Malicious PDF files comprised 80 percent of all exploits for 2009
Secunia: Average insecure program per PC rate remains high
Continue reading →

Delaying Yesterday's "0day" Security Vulnerability

May 27, 2006
I never imagined we would be waiting for the release of a "0day" vulnerability, but I guess that's what happens if you're not a customer of an informediary in the growing market for software vulnerabilities -- growth in respect to, researchers, infomediaries and security vulnerabilities. Stay tuned for "Exploit Of Windows 2000 Zero-day To Hit In June", and take your time to appreciate that it's affecting "extended support" software. From the article :



"Symantec warned its enterprise customers Thursday that an unpatched vulnerability in Windows 2000’s file sharing protocol has surfaced, with details of an exploit expected to show next month. According to the Cupertino, Calif. company’s alert, an exploit for the zero-day bug in Windows 2000’s SMB (Server Message Block) protocol has been created by Immunity Security, the makers of the CANVAS exploit-creation platform. By Immunity researcher Dave Aitel’s account, the exploit leverages a flaw in the operating system’s kernel that can be triggered through SMB, and will give an attacker full access to the PC. Aitel claimed Immunity will make the exploit public in June. "Immunity is considered to be a reliable source and we are of the opinion that this information should be treated as fact," read Symantec’s warning. "An official security update from Microsoft will likely not be in development until after June when the information is released."



Well, how can they fix in such a way, even though their "sophisticated", quality-obsessed patch management practices. When working with vulnerabilities, or updating yourself with the dailypack of new ones, don't live with the false feeling of their uniqueness, but try figuring out how to be a step ahead of the vulnerabilities management stage. If Microsoft requested from Immunity Security to look up for possible security vulnerabilities, gave them a deadline, and secured a commission in case a vulnerability is actually found, it would have perfectly fited in the scenario in a previous post "Shaping the Market for Security Vulnerabilities Through Exploit Derivatives" -- reporting a vulnerability, let's not mention web application vulnerability is for the brave these days. Moreover, "Economic Analysis of the Market for Software Vulnerability Disclosure" quotes Arora et al. on the same issue from a vendor's point of view :



"developing an economic model to study a vendor's decision of when to introduce its software and whether or not to patch vulnerabilities in its software. They compare the decision process of a social-welfare maximizing monopolistic vendot, to that of a profit-maximizing monopolistic vendor. Interestingly, they observe that the profit-maximizing vendor delivers a product that has fewer bugs, than a social-welfare maximizing vendor. Howver, the profit-maximizing vendor is less willing to patch its software than its social-welfare maximizing counterpart." - The Price of Restricting Vulnerability Publications is indeed getting higher.



Reactive, Proactive, or Adaptive - what's your current security strategy? Continue reading →

Shaping the Market for Security Vulnerabilities Through Exploit Derivatives

May 08, 2006
In a previous post "0bay - how realistic is the market for security vulnerabilities?" I gave a brief overview of the current market infomediaries and their position, listed various research I recommend you to go through, and speculated on an auction based market model.


During April, at the CanSecWest Security Conference "Groups argued over merits of flaw bounties" some quotes :

"The only economic model that does not make sense to me is the vendor's," Sutton said. "They get to know about a vulnerabilities ahead of time, but they are unwilling to pay for them." - Michael Sutton



"What I can give people who find vulnerabilities is a small amount of fame. iDefense can give them $10,000." - Darius Wiles



"As a civil rights issue, selling vulnerabilities is just fine. As a keeping-the-customers safe issue, it's junk." - Novell director of software engineering Crispin



"If I come to you and offer to sell you a vulnerability in your product, I am going to be cuffed and arrested," he told the representatives of software makers on the panel." - Matthew Murphy



And the discussion is reasonably pretty hot with a reason. Back in January Microsoft expressed their opinion on the informediaries based market model like :



"One day after iDefense, of Reston, Va., announced the bounty as part of a newly implemented quarterly hacking challenge, a spokesperson for Microsoft, based in Redmond, Wash., said paying for flaws is not the best way to secure software products. "We do not believe that offering compensation for vulnerability information is the best way [researchers] can help protect customers," the spokesperson said in a statement sent to eWEEK. "



and while Microsoft talks about responsible disclosure, that's exactly the type of model I don't really think exist anymore. Peter Mell made a good point that "I don't support this activity. Basically, it enables third parties to unfairly focus attention on a particular vendor or product. It does not help security in the industry," Mell said in an interview with eWEEK." -- but it still offers the opportunity to bring order into the chaos doesn't it?



The WMF vulnerability apparently got purched for $4000 and I among the few scenarios that I mentioned were on vendors purchasing vulnerabilities and requested vulnerabilities, or a reverse model :



"requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?"



Coming across 0day vulnerabilities for sale, I also came across Rainer Boehme's great research on various market models, among them exploit derivatives. Have you ever though of using exploit derivatives, on the called "futures market"? I think the idea has lots of potential, and he described it as :



"Instead of trading sensitive vulnerability information directly, the market mechanism is build around contracts that pay out a defined sum in case of security events. For instance, consider a contract that pays its owner the sum of 100 EUR on say 30 June 2006 if there exists a remote root exploit against a precisely specified version of ssh on a defined platform."



The OS/Vendor/Product/Version/Deadline type of reverse model that I also mentioned is a good targeted concept if it were used by vendors for instance, and while it has potential to have a better control over the market, the lack of common and trusted body to take the responsibility to target Windows and Apple 50/50 for istance, still makes me think. The best part is how it would motivate researchers at the bottom line -- deadlines result in spontaneous creativity sometimes.

More on the topic of security vulnerabilities and commercializing the market, in a great article by Jennifer Granick (remember Michael Lynn's case?) she said that :



"I'm more concerned that commercialization, while it promotes discovery, will interfere with the publication of vulnerability information. The industry adopted responsible disclosure because almost everyone agrees that members of the public need to know if they are secure, and because there is inherent danger in some people having more information than others. Commercialization throws that out the window. Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem."



Who should be empowered at the bottom line, the informediaries centralizing the process, or the security researchers/vulnerability diggers starting to seek bids for their reseach efforts?

On the other hand, I think that the current market model suffers from a major weakness and that is the need for achieving faster liquidity if we can start talking about such.


Basically, sellers of vulnerabilities want to get their commissions as soon as possible, which is where the lucrative underground market easily develops. While I am aware of cases where insurers are already purchasing vulnerabilities to hedge risks until tomorrow I guess, anyone would put some effort into obtaining a critical MS vulnerability given a deadline and hefty reward, but who's gonna act as a social planner here? Continue reading →

The Current State of Web Application Worms

May 04, 2006
Remeber the most recent Yahoo! Mail's XSS vulnerabilities, or the MySpace worm? I just read through a well written summary on Web Application Worms by Jeremiah Grossman, from WhiteHat Security, "Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense", an excerpt :



"Samy, the author of the worm, was on a mission to be famous, and as such the payload was relatively benign. But consider what he might have done with control of over one million Web browsers and the gigabits of bandwidth at their disposal--browsers that were also potentially logged-in to Google, Yahoo, Microsoft Passport, eBay, web banks, stock brokerages, blogs, message boards, or any other web-based applications. It’s critical that we begin to understand the magnitude of the risk associated with XSS malware and the ways that companies can defend themselves and their users. Especially when the malware originates from trusted websites and aggressive authors. In this white paper we will provide an overview of XSS; define XSS worms; and examine propagation methods, infection rates, and potential impact. Most importantly, we will outline immediate steps enterprises can take to defend their websites."



It provides an overview of Cross-Site Scripting (XSS), Methods of Propagation, comments on the First XSS Worm, a worst case scenario, and of course protection methods, nice graphs and overview of this emerging trend. In my "Future Trends of Malware" research I indeed pointed out on its emergence :



"How would a malware author be able to harness the power of the trust established between, let’s say, ComScore’s top 10 sites and their visitors? Content spoofing is the where the danger comes from in my opinion, and obvious web application vulnerabilities, or any bugs whose malicious payload could be exposed to their audiences. In case you reckon, a nasty content spoofing on Yahoo!’s portal resulted in the following possibility for driving millions of people at a certain URL, if I don’t trust what I see on Yahoo.com or Google.com, why bother using the Net at all is a common mass attitude of course. Any web property attracting a relatively large number of visitors should be considered as a propagation vector, for both, malware authors, and others such as phishers, or botnet brokers for instance."



Monetizing mobile malware is among the other trends I also indicated, and the RedBrowser seems to be the most recent example of this as it randomly chooses a premium-rate number from the following list, and sends a SMS message generating revenue for the attacker : 08293538938, 08001738938, 08180238938, 08229238938, 08441238938, 08287038938, 08187938938, 08189038938, 08217838938, 08446838938.



I summarized the key points back than as :

"The number and penetration of mobile devices greatly outpaces that of the PCs. Malware authors are actively experimenting and of course, progressing with their research on mobile malware. The growing monetization of mobile devices, that is generating revenues out of users and their veto power on certain occasions, would result in more development in this area by malicious authors. SPIM would also emerge with authors adapting their malware for gathering numbers. Mobile malware is also starting to carry malicious payload. Building awareness on the the issue, given the research already done by several vendors, would be a wise idea."



Among the first folks to discuss the topic of web application malware was Robert from CGISecurity.com in his "Anatomy of Web Application Worm" paper back in 2002, and with the easy and speed of discovering web application vulnerabilities in major portals it's up to the imagination of the attacker -- as the paper points out Samy only wanted to make 1 million friends, what if he wanted to do something else?



"Cross-Site Scripting Worms and Viruses - The Impending Threat and the Best Defense" also argues on Samy being the fastest worm, though single-packet UDP worms, according to a research on the "Top Speed of Flash Worm" by "Simulating a flash version of Slammer, calibrated by current Internet latency measurements and observed worm packet delivery rates, we show that a worm could saturate 95% of one million vulnerable hosts on the Internet in 510 milliseconds. A similar worm using a TCP based service could 95% saturate in 1.3 seconds. The speeds above are achieved with flat infection trees and packets sent at line" rates.



Is it the speed or the size of the infected targeted group that matters, and what if Web 2.0 worms can achieve exactly the two of these?



More resources on the topic in case you are interested :
Web-based Malware & Honeypots - phpBB bots/worms
New MySpace XSS worm circulating
Description of a Yahoo! Mail XSS vulnerability
Evolution of Web-based worms
The Latest in Internet Attacks: Web Application Worms
Web Application Worms : Myth or Reality?
Analysis of Web Application Worms and Viruses
Paros - for web application security assessment Continue reading →

"Successful" communication

March 17, 2006
You know Dilbert, don't you? I find this cartoon a very good representation of what is going on in the emerging market for software vulnerabilities, and of course, its OTC trade practices -- total miscommunication and different needs and opinions. While different opinions and needs provoke quality discussion and I understand the point that everyone is witnessing that something huge is happening, "so why shouldn't I?", but at the bottom line, it's so obvious that there isn't any sort of mission or social welfare goal to be achieved, that everyone is commercializing what used to be the "information wants to be free" attitude.



Weren't software vulnerabilities supposed to turn into a commodity given the number of people capable and actually discovering them, where "windows of opportunities" get the highest priority as a con? That is, compared to commercializing vulnerability research, empowering researchers to the skies, and turning vulnerabilities into an IP, totally decentralizing the current sources of information, and fueling the growth of underground models, as it's obvious that for the time being vulnerabilities and their early acquirement seems to be where the $ is. What do you think?



Technorati tags :
, , , , Continue reading →

Where's my 0day, please?

March 07, 2006
A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite a success to come across that the concept has been happening right there in front of us. Check out the screenshots. The International Exploits Shop I came across to looks like this :



It appears to be down now, while it has simply changed its location to somewhere else. Google no longer has it cached, and the the only info on this wisely registered .in domain, can be found at Koffix Blocker's site.



A lot of people underestimate the power of the over-the-counter(OTC), market for 0day security vulnerabilities. Given that there isn't any vulnerabilities auction in place that would provide a researcher with multiple proposals, and the buyers with a much greater choice or even social networking with the idea to possibly attract skilled HR, the seller is making personal propositions with the idea to get higher exposure from the site's visitors. Whoever is buying the exploit and whatever happens with it doesn't seem to bother the seller in this case.



As there's been already emerging competition between different infomediaries that purchase vulnerabilities information and pay the researchers, researchers themselves are getting more and more interested in hearing from "multiple parties". Turning vulnerability research, and its actual findings into an IP, and offering financial incentives is tricky, and no pioneers are needed in here!



There's been a lot of active discussion among friends, and over the Net. I recently came across a great and very recent research entitled "Vulnerability markets - what is the economic value of a zero-day exploit?", by Rainer Boehme, that's worth the read. Basically, it tries to list all the market models and possible participants, such as :



Bug challenges
- Bug challenges are the simplest and oldest form of vulnerability markets, where the producer offers a monetary reward for reported bugs. There are some real-world examples for bug challenges. Most widely known is Donald E. Knuth’s reward of initially 1.28 USD for each bug in his TEX typesetting system, which grows exponentially with the number of years the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI challenge on digital audio watermarking



Bug auctions
-Bug auctions are theoretical framework for essentially the same concept as bug
challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory,
in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed him to draw on a huge body of literature and thus add a number of eciency enhancements to the original concept. However, the existence of this market type still depends on the initiative of the vendor


Vulnerability brokers
-Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are
built around independent organizations (mostly private companies) who oer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club


-Cyber Insurance
Cyber-insurance is among the oldest proposals for market mechanisms to overcome the security market failure. The logic that cures the market failure goes as follows: end users demand insurance against financial losses from information security breaches and insurance companies sell this kind of coverage after a security audit. The premium is assumed to be adjusted by the individual risk, which depends on the IT systems in use and the security mechanisms in place.



Let's try define the market's participants, their expectations and value added through their actions, if any, of course.



Buyers
-malicious (E-criminals, malware authors, competitors, political organization/fraction etc.)
-third party, end users, private detectives, military, intelligence personnel
-vendors (either through informediary, or directly themselves, which hasn't actually happened so far)



Sellers
-reputable
-newly born
-questionable
-does it matter at the bottom line?



Intermediaries
-iDefense
-ZeroDayInitiative-Digital Armaments



Society
-Internet
-CERT model - totally out of the game these days?



As iDefense simply had to restore their position in this emerging market developed mainly by them, an offer for $10,000 was made for a critical vulnerability as defined by Microsoft. I mean, I'm sort of missing the point in here. Obviously, they are aware of the level of quality research that could be sold to them.


Still I wonder what exactly are they competing with :



- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?



- ensuring the proactive security of its customers through first notifying them, and them and then the general public? That doesn't necessarily secures the Internet, and sort of provides the clientele with a false feeling of security, "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?



- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?



- improving the company's clients list through constant collaboration with leading vendors while communication a vulnerability in their software products?



A lot of research publications reasonably argue that the credit for the highest social-welware return goes to a CERT type of a model. And while this is truly, accountability and providing a researcher with the highest, both tangible, and intangible reward for them is what also can make an impact. As a matter of fact, is blackmailing a nasty option that could easily become reality in here, or I'm just being paranoid?



To conclude, this very same shop is definitely among the many other active out there for sure, so, sooner or later we would either witness the introduction of a reputable Auction based vulnerabilities market model, or continue living with windows of opportunities, clumsy vendors, and 0day mom-and-dad shops :) But mind you, turning vuln research into IP and paying for it would provide enough motiviation for an underground 0bay as well, wouldn't it?



14.03.2006

OSVDB's Blog - Where's my 0day, please?
OSVDB's Blog - Vulnerability Markets



11.03.2006

LinuxSecurity.com - Where's my 0day, please?
FIRST - Where's my 0day, please?



10.03.2006 - Sites that picked up the story :

Net-Security.org - Where's my 0day, please?
MalwareHelp.org- The International Exploits Shop: Where's my 0day, please?
Security.nl - Internationale Exploit Shop levert 0days op bestelling
WhiteDust.net - Where's my 0day, please?
Reseaux-Telecoms.net - Danchev sur l'Achat de failles
Informit Network - 0-Days for Sale



09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "Black market thrives on vulnerability trading", from the article :



"Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading. As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'"



and "The value of vulnerabilities", a quote :



“ There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it. "



Technorati tags:
, , , , , , , Continue reading →

How to win 10,000 bucks until the end of March?

February 17, 2006
I feel that, in response to the recent event of how the WMF vulnerability got purchased/sold for $4000 (an interesting timeframe as well), iDefense are actively working on strengthening their market positioning - that is the maintain their pioneering position as a perhaps the first company to start paying vulnerability researchers for their discoveries.


The company recently offered $10,000 for the submission or a vulnerability that gets categorized as critical in any of Microsoft's Security Bulletins. In the long-term, would vulnerability researchers be able to handle the pressure put on them through such financial incentives, and keep their clear vision instead of sell their souls/skills? What if someone naturally offers more, would money be the incentive that can truly close the deal, and is it just me realizing how bad is it to commercialize the not so mature vuln research market, namely how this would leak all of its current weaknesses?



Consider going through some of my previous thoughts on the emerging market for software/0day vulnerabilities as well and stay tuned for another recent discovery a dude tipped me on, thanks as a matter of fact!



Technorati tags:
, Continue reading →

A timeframe on the purchased/sold WMF vulnerability

February 15, 2006
The WMF vulnerability and how it got purchased/sold for $4000 was a major event during January, at least for me as for quite some time the industry was in the twilight zone by not going through a recently released report. But does this fact matters next to figuring out how to safeguard the security of your network/PC given the time it took the vendor to first, realize that it's real, than to actually patch it? Something else that made me an impression is that compared to the media articles and my post, was I the only one interested in who bought, instead of who sold it?

So here's a short timeframe on how it made it to to the mainstream media :
January 27 - Kaspersky are the first to mention the "purchase" in their research
January 30 I've started blowing the whistle and friends picked it up (even the guy that got so upset about it!)
January 31 Meanwhile, someone eventually breached AMD's forums and started infecting its visitors!
February 2 Microsoft Switzerland's Security blog featured it
February 2 LinuxSecurity.com republished it
February 2 DSLReports.com picked it up
February 2 Appeared at Slashdot
February 3 OSIS.gov(an unclassified network serving the intelligence community with open source intelligence) picked it up :)

What's the conclusion? Take your time and read the reports thoroughly, cheer Kaspersky's team for their research? For sure, but keep an eye on the Blogosphere as well!

Technorati tags :
Continue reading →

Was the WMF vulnerability purchased for $4000?!

January 30, 2006
Going through Kaspersky's latest summary of Malware - Evolution, October - December 2005, I came across a research finding that would definitely go under the news radar, as always, and while The Hackers seem to be more elite than the folks that actually found the vulnerability I think the issue itself deserves more attention related to the future development of a market for 0day vulnerabilities.

Concerning the WMF vulnerability, it states :

"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public."

Two months ago, I had a chat with David Endler, director of Security Research at TippingPoint, and their ZeroDayInitiative, that is an alternative to iDefense's efforts to provide money as a incentive for quality vulnerabilities submissions. The fact that a week or so later, the first vulnerability appeared on Ebay felt "good" mainly because what I was long envisioning actually happened - motivated by the already offered financial rewards, a researcher decided to get higher publicity, thus better bids. I never stopped thinking on who gains, or who should actually gain, the vendor, the end user, the Internet as a whole, or I'm just being a moralist in here as always?

This very whole concept seemed flawed from the very beginning to me, and while you wish you could permanently employ every great researcher you ever came across to, on demand HR and where necessary seems to work just fine. But starting with money as an incentive is a moral game where "better propositions" under different situations could also be taken into consideration. Researchers will always have what to report, and once ego, reputation and publicity are by default, it comes to the bottom line - the hard cash, not "who'll pay more for my research?", but "who values my research most of everyone else?". And when it comes to money, I feel it's quite common sense to conclude that the underground, have plenty of it. I am not saying that a respected researcher will sell his/her research to a illegal party, but the a company's most serious competitors are not its current, but the emerging ones, I feel quite a lot of not so publicly known folks have a lot to contribute..

Possible scenarios on future vulnerability purchasing trends might be :

- what if vendors start offering rewards ($ at the bottom line) for responsibly reported vulnerabilities to eliminate the need of intermediaries at all, and are the current intermediaries doing an important role of centralizing such purchases? I think the Full Disclosure movement, both conscious or subconscious :) is rather active, and would continue to be. Now, what if Microsoft breaks the rules and opens up its deep pocketed coat?

- how is the 0day status of a purchased vulnerability measured today? My point is, what if the WMF vulnerability was used to "nail down" targeted corporate customers, or even the British government as it actually happened , and this went totally unnoticed due to the lack of mass outbreaks, but the author sort of cashed twice, by selling the though to be 0day to iDefense, or ZeroDay's Initiative? What if?

- requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?

Some buddies often ask me, why do I always brainstorm on the worst case scenario? I don't actually, but try to brainstorm on the key factors and how the current situation would inevitably influence the future. And while I'm not Forrester Research, I don't charge hefty sums for 10 pages report on the threats posed by two-factor authentication or e-banking, do I? Still, I'm right on quite some occasions..

At the bottom line, ensure $ isn't the only incentive a researcher is getting, and don't treat them like they are all the same, because they aren't, instead sense what matters mostly to the individual and go beyond the financial incentive, or you'll lose in the long term.

What are you thoughts on purchasing vulnerabilities as far as the long term is concerned? What is the most effective compared to the current approaches way of dealing with 0day vulnerabilities? Might a researcher sell his findings to the underground given he knows where to do it? What do you think?

Continue reading →

0bay - how realistic is the market for security vulnerabilities?

December 12, 2005
In Issue 19 (July, 2005) of the Astalavista Security Newsletter that I release on a monthly basis, I wrote an article entitled "Security Researchers and your organization caught in between?" whose aim was to highlight a growing trend, namely the monetization of vulnerability research, who benefits and who doesn't.

A recent, rather significant event at least for me covering and monitoring this issue for quite some time now, was an Ebay listing for a "brand new Microsoft Excel vulnerability". A bit ironical, but I had a chat with Dave Endler, director of security research at TippingPoint, and the issue of their future position as bidders for someone else's research were discussed a week before the Ebay's listing in Issue 23 (November, 2005) of Astalavista's Security Newsletter.


Two of today's most popular, and at least public commercial entities paying hard cash for security vulnerabilities are : iDefense, and the ZeroDayInitiative (TippingPoint).

But what is the need for creating such a market? Who wins and who loses? What are the future global implications for this trends, originally started by iDefense?

In any market, there are sellers and buyers, that's the foundation of trade besides the actual exchange of goods/services and the associated transaction. What happens when buyers increase, is that sellers tend to increase as well, and, of course, exactly the opposite. Going further, every economy, has its black/underground or call it whatever you want variation. And while some will argue a respected researcher will contribute to the the development of even more botnets, who says it has to be respected to come with a vulnerability worth purchasing?! It's a Metasploit world, isn't it?!

Going back to the market's potential. Sellers get smarter, transparency is build given more buyers join seeking to achieve their objectives in this case, provide proactive protection to their clients only, and build an outstanding, hopefully loyal researchers' database. These firms, to which I refer as buyers have happened to envision the fact that there are thousands of skilled vulnerability researchers', who are amazingly capable, but aren't getting a penny out of releasing their vulnerabilities research. Ego is longer important, and getting $ for research on a free will basis is a proven capitalistic approach. What these companies(and I bet many more vendors will open themselves for such a service) didn't take into consideration in my opinion, is that, starting to work with people giving $ as the ultimate incentive will prove tricky in the long-term.

What will happen of the Swiss cheese of software(yet the one that dominates 95% of the OS market today) Microsoft starts bidding for security vulnerabilities in its products? Bankruptcy is not an option, while I doubt they will ever take this into consideration, mainly because it would seriously damage a market sector, the information security one. Imagine, just for a sec. that Microsoft decides to seriously deal with all its vulnerabilities? But today's lack of accountability for software vendors' actions related to vulnerabilities is making it even worse. If MS doesn't get sued for not releasing a patch in any time frame given, why should we, the small compared to MS vendor care?

Howard Schmidt, former White House cybersecurity adviser, once proposed that programmers should be held responsible for releasing vulnerable code. I partly agree with him, you cannot cut costs in order to meet product/marketing deadlines while hiring low skilled programmers who do not take security into consideration, which opens another complex discussion on what should a developer focus on these days - efficiency or security, and where's the trade-off?

I originally commented on this event back then :
The position of Schmidt prompts him to address critical issues and look for very strategic solutions which may not be favored by the majority of the industry as I’m reading through various news comments and blogs. I personally think, he has managed to realize the importance of making a distinction in how to tackle the vulnerabilities problem,who’s involved, and who can be influenced, where the ultimate goal is to achieve less vulnerable and poorly coded software. Software vendors seek profitability, or might actually be in the survival stage of their existence, and as obvious as it may seem, they facts huge costs, and extremely capable coders or employees tend to know their price! 

What’s the mention are the tech industry’s “supposed to be” benchmarks for vulnerabilities management, picture an enterprise with the “IE is the swiss cheese in the software world in terms of vulnerabilities, and yet no one is suing Microsoft over delayed patches” – lack of any incentives, besides moral ones, in case there’re clear signs and knowledge that efficiency is not balanced with security. And that’s still a bit of a gray area in the development world.

Vulnerabilities simply cannot exist, and perhaps the biggest trade-off we should also face is the enormous growth of interactive applications, innovation approaches for disseminating information, with speeds far outpacing the level of attention security gets. Eventually, we all benefit out of it, web application vulnerabilities scanners and consultants get rich, perhaps the (ISC)² should take this into consideration as well :-)

 Even though you could still do the following :
- build awareness towards common certifications addressing the issue
- ensure your coders understand the trade-offs between efficiency and security and are able to apply certain marginal thinking, whereas still meet their objectives
- as far as accountability is concerned, do code auditing with security in mind and try figure out who are those that really don’t have a clue about security, train them
- constantly work on improving your patch release practices, or fight the problem from another point of view

 But unless, coders, and software vendors aren’t given incentives, or obliged under regulations (that would ultimately result in lack of innovation, or at least a definite slow down), you would again have to live with uncertainly, and outsource the threats posed by this issue. M icrosoft’s “Improving Web Application Security: Threats and Countermeasures” book, still provides a very relevant information.

Slashdot’s discussion

What also bothers me, is how is the virginity of the vulnerability identified? I mean, what if I have already found it, developed an exploit for it, sold it to the underground, and cashed with the industry as well, and no one came across it on his/her :) honeyfarm? The researcher's reputation is a benchmark, but in the long-term, the competitive market that's about to appear, will force the buyers to start working on a mass basis. There's a definitely a lot to happen!

Welcome to the wonderful world of purchasing 0-day security vulnerabilities! Have an enemy, bid for his ownage, have a competitor, own them without having to attract unnecessary attention, I'm just kiddin' of course, although the possibilities are disturbing.

What I really liked about this important moment in vulnerability research, was that it was about time the security researchers wanted to see how valued their research is in terms of the only currency that matters in the process - the hard one. In my point of view, monetizing the vulnerabilities research market wasn't the best strategic approach on fighting 0-day vulnerabilities, in this case, ensure you have the most impressive minds on your side, and that your clients get hold of the latest vulnerabilities before the public does.

So - who's the winner - it's...Symantec who first realized the long-term importance of security vulnerabilities, and where, both researchers and actual vulnerabilities are - Bugtraq/SecurityFocus, by acquiring it for US$75 million in cash, back in 2002, and later one integrating its joys into the DeepSight Analyzer - remarkable. Both from a strategic point of view, and mainly because that, by the time any post on any of the associated mailing lists doesn't get approved, it's Symantec's staff having first look at what's to come for the day of everyone.

SecurityFocus is running a story about the Ebay vulnerability listing, and so is eWeek, Slashdot also picked up the story. It was about time for everyone, given it actually happened during the weekend :-)


 
Technorati tags :
Continue reading →
Subscribe to: Comments (Atom)