Concerning the WMF vulnerability, it states:
"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/spyware business, and it seems likely that this was how the exploit became public."
Two months ago, I had a chat with David Endler, director of Security Research at TippingPoint, about their Zero Day Initiative, which is an alternative to iDefense's efforts to provide money as an incentive for quality vulnerability submissions. The fact that a week or so later the first vulnerability appeared on eBay felt "good", mainly because what I had long been envisioning actually happened: motivated by the financial rewards already on offer, a researcher decided to seek higher publicity, and thus better bids. I never stopped thinking about who gains, or who should actually gain: the vendor, the end user, the Internet as a whole? Or am I just being a moralist here, as always?
This whole concept seemed flawed to me from the very beginning, and while you might wish you could permanently employ every great researcher you ever came across, on-demand HR, where necessary, seems to work just fine. But starting with money as an incentive is a moral game in which "better propositions" under different circumstances could also be taken into consideration. Researchers will always have something to report, and once ego, reputation and publicity are a given, it comes down to the bottom line, the hard cash: not "who'll pay more for my research?", but "who values my research most of everyone else?". And when it comes to money, I feel it's quite common sense to conclude that the underground has plenty of it. I am not saying that a respected researcher will sell his or her research to an illegal party, but a company's most serious competitors are not its current ones but the emerging ones, and I feel quite a lot of not so publicly known folks have a lot to contribute.
Possible scenarios on future vulnerability purchasing trends might be:

- What if vendors start offering rewards ($ at the bottom line) for responsibly reported vulnerabilities to eliminate the need for intermediaries at all, and are the current intermediaries playing an important role by centralizing such purchases? I think the Full Disclosure movement, whether conscious or subconscious :) is rather active, and would continue to be. Now, what if Microsoft breaks the rules and opens up its deep-pocketed coat?
- How is the 0day status of a purchased vulnerability measured today? My point is, what if the WMF vulnerability was used to "nail down" targeted corporate customers, or even the British government, as it actually happened, and this went totally unnoticed due to the lack of mass outbreaks, but the author sort of cashed in twice, by selling the thought-to-be 0day to iDefense or the Zero Day Initiative? What if?
- Requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother, and always get excited about an IE vulnerability, when you know person/company X is running AV scanner Y and uses browser X1 as a security through obscurity measure? That's a sort of reverse model compared to the current one, where researchers "push" their findings: what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software"? Would this become common, and how realistic is it at the bottom line?
Some buddies often ask me why I always brainstorm on the worst case scenario. I don't actually; I try to brainstorm on the key factors and how the current situation would inevitably influence the future. And while I'm not Forrester Research, I don't charge hefty sums for a 10-page report on the threats posed by two-factor authentication or e-banking, do I? Still, I'm right on quite some occasions.
At the bottom line, ensure $ isn't the only incentive a researcher is getting, and don't treat them like they are all the same, because they aren't. Instead, sense what matters most to the individual and go beyond the financial incentive, or you'll lose in the long term.
What are your thoughts on purchasing vulnerabilities as far as the long term is concerned? What is the most effective way of dealing with 0day vulnerabilities, compared to the current approaches? Might a researcher sell his findings to the underground, given he knows where to do it? What do you think?