A site I was recently monitoring disappeared these days, so I feel it's about time I blog on this case. I have been talking about the emerging market for software vulnerabilities for quite some time, and it's quite a success to come across that the concept has been happening right there in front of us. Check out the screenshots. The International Exploits Shop I came across to looks like this :
It appears to be down now, while it has simply changed its location to somewhere else. Google no longer has it cached, and the the only info on this wisely registered .in domain, can be found at Koffix Blocker's site.
A lot of people underestimate the power of the over-the-counter(OTC), market for 0day security vulnerabilities. Given that there isn't any vulnerabilities auction in place that would provide a researcher with multiple proposals, and the buyers with a much greater choice or even social networking with the idea to possibly attract skilled HR, the seller is making personal propositions with the idea to get higher exposure from the site's visitors. Whoever is buying the exploit and whatever happens with it doesn't seem to bother the seller in this case.
As there's been already emerging competition between different infomediaries that purchase vulnerabilities information and pay the researchers, researchers themselves are getting more and more interested in hearing from "multiple parties". Turning vulnerability research, and its actual findings into an IP, and offering financial incentives is tricky, and no pioneers are needed in here!
There's been a lot of active discussion among friends, and over the Net. I recently came across a great and very recent research entitled "Vulnerability markets - what is the economic value of a zero-day exploit?", by Rainer Boehme, that's worth the read. Basically, it tries to list all the market models and possible participants, such as :
Bug challenges
- Bug challenges are the simplest and oldest form of vulnerability markets, where the producer offers a monetary reward for reported bugs. There are some real-world examples for bug challenges. Most widely known is Donald E. Knuth’s reward of initially 1.28 USD for each bug in his TEX typesetting system, which grows exponentially with the number of years the program is in use. Other examples include the RSA factoring challenge, or the shady SDMI challenge on digital audio watermarking
Bug auctions
-Bug auctions are theoretical framework for essentially the same concept as bug
challenges. Andy Ozment [9] first formulated bug challenges in the terms of auction theory,
in particular as a reverse Dutch auction, or an open first-price ascending auction. This allowed him to draw on a huge body of literature and thus add a number of eciency enhancements to the original concept. However, the existence of this market type still depends on the initiative of the vendor
Vulnerability brokers
-Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are
built around independent organizations (mostly private companies) who oer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club
-Cyber Insurance
Cyber-insurance is among the oldest proposals for market mechanisms to overcome the security market failure. The logic that cures the market failure goes as follows: end users demand insurance against financial losses from information security breaches and insurance companies sell this kind of coverage after a security audit. The premium is assumed to be adjusted by the individual risk, which depends on the IT systems in use and the security mechanisms in place.
Let's try define the market's participants, their expectations and value added through their actions, if any, of course.
Buyers
-malicious (E-criminals, malware authors, competitors, political organization/fraction etc.)
-third party, end users, private detectives, military, intelligence personnel
-vendors (either through informediary, or directly themselves, which hasn't actually happened so far)
Sellers
-reputable
-newly born
-questionable
-does it matter at the bottom line?
Intermediaries
-iDefense
-ZeroDayInitiative-Digital Armaments
Society
-Internet
-CERT model - totally out of the game these days?
As iDefense simply had to restore their position in this emerging market developed mainly by them, an offer for $10,000 was made for a critical vulnerability as defined by Microsoft. I mean, I'm sort of missing the point in here. Obviously, they are aware of the level of quality research that could be sold to them.
Still I wonder what exactly are they competing with :
- trying to attract the most talented researchers, instead of having them turn to the dark side? I doubt they are that much socially oriented, but still it's an option?
- ensuring the proactive security of its customers through first notifying them, and them and then the general public? That doesn't necessarily secures the Internet, and sort of provides the clientele with a false feeling of security, "what if" a (malicious) vulnerability researcher doesn't cooperate with iDefense, and instead sells an 0day to a competitor? Would the vendor's IPS protect against a threat like that too?
- fighting against the permanent opportunity of another 0day, gaining only a temporary momentum advantage?
- improving the company's clients list through constant collaboration with leading vendors while communication a vulnerability in their software products?
A lot of research publications reasonably argue that the credit for the highest social-welware return goes to a CERT type of a model. And while this is truly, accountability and providing a researcher with the highest, both tangible, and intangible reward for them is what also can make an impact. As a matter of fact, is blackmailing a nasty option that could easily become reality in here, or I'm just being paranoid?
To conclude, this very same shop is definitely among the many other active out there for sure, so, sooner or later we would either witness the introduction of a reputable Auction based vulnerabilities market model, or continue living with windows of opportunities, clumsy vendors, and 0day mom-and-dad shops :) But mind you, turning vuln research into IP and paying for it would provide enough motiviation for an underground 0bay as well, wouldn't it?
14.03.2006
OSVDB's Blog - Where's my 0day, please?
OSVDB's Blog - Vulnerability Markets
11.03.2006
LinuxSecurity.com - Where's my 0day, please?
FIRST - Where's my 0day, please?
10.03.2006 - Sites that picked up the story :
Net-Security.org - Where's my 0day, please?
MalwareHelp.org- The International Exploits Shop: Where's my 0day, please?
Security.nl - Internationale Exploit Shop levert 0days op bestelling
WhiteDust.net - Where's my 0day, please?
Reseaux-Telecoms.net - Danchev sur l'Achat de failles
Informit Network - 0-Days for Sale
09.03.2006 - Two nice articles related to the issue appeared yesterday as well, "Black market thrives on vulnerability trading", from the article :
"Security giant Symantec claims that anonymous collusion between hackers and criminals is creating a thriving black market for vulnerability trading. As criminals have woken up to the massive reach afforded to their activities thanks to the Internet, hackers too are now able to avoid risking prison sentences by simply selling on their findings. Graeme Pinkney, a manager at Symantec for trend analysis, told us: 'People have suddenly realised that there's now a profit margin and a revenue stream in vulnerabilities... There's an element of anonymous co-operation between the hacker and criminal.'"
and "The value of vulnerabilities", a quote :
“ There are no guarantees, and therefore I think it would be pretty naive to believe that the person reporting the issue is the only one aware of its existence. That in itself is pretty frightening if you think about it. "
Technorati tags:
Security, 0day, 0bay, Vulnerabilities, Exploits, iDefense, ZeroDayInitiative, Digital Armaments
Tuesday, March 07, 2006
Where's my 0day, please?
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
The Future of Privacy = don't over-empower the watchers!
I blog a lot about privacy, anonymity and censorship, mainly because I feel not just concerned, but obliged to build awareness on the big picture the way I see it. Moreover, I find these interrelated and excluding any of these would result in missing the big picture, at least from my point of view. Some posts I did, worth mentioning are : "Anonymity or Privacy on the Internet?", "China - the biggest black spot on the Internet’s map", "2006 = 1984?", "Still worry about your search history and BigBrother?", "The Feds, Google, MSN's reaction, and how you got "bigbrothered?", "Twisted Reality", "Chinese Internet Censorship efforts and the outbreak", and the most recent one, "Data mining, terrorism and security".
Yesterday, I read a very nice essay by Bruce Schneier "The Future of Privacy" and while I feel it has been written for the general public to understand, you can still update yourself on some of the current trends he's highlighting, mostly the digital storage of our life activities, and how possible it really is.
Some comments that made me an impression though :
"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video." - scary stuff, but so true!
"Today, personal information about you is not yours; it's owned by the collector." - if you were to question the practices of each and every "collector" you wouldn't be able to properly function in the 21st century.
"The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations." - typical Columbian style, still applicable in here.
"In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it isto pass laws regulating its generation, use and eventual disposal."
I agree on regulation, given someone follows and it's actually implemented, still, I feel it's all about balancing the powers of the public and the rulling parties. The more a government is empowered to invade privacy in one way or another, the higher the risk of them abusing their power, or even worse, having their communications infrastructure wiretap-ready for third parties.
UPDATE - this post recently appeared at LinuxSecurity.com - The Future of Privacy = don't over-empower the watchers!
Technorati tags :
Privacy, Anonymity, Censorship
Yesterday, I read a very nice essay by Bruce Schneier "The Future of Privacy" and while I feel it has been written for the general public to understand, you can still update yourself on some of the current trends he's highlighting, mostly the digital storage of our life activities, and how possible it really is.
Some comments that made me an impression though :
"The typical person uses 500 cell phone minutes a month; that translates to 5 gigabytes a year to save it all. My iPod can store 12 times that data. A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video." - scary stuff, but so true!
"Today, personal information about you is not yours; it's owned by the collector." - if you were to question the practices of each and every "collector" you wouldn't be able to properly function in the 21st century.
"The city of Baltimore uses aerial photography to surveil every house, looking for building permit violations." - typical Columbian style, still applicable in here.
"In some ways, this tidal wave of data is the pollution problem of the information age. All information processes produce it. If we ignore the problem, it will stay around forever. And the only way to successfully deal with it isto pass laws regulating its generation, use and eventual disposal."
I agree on regulation, given someone follows and it's actually implemented, still, I feel it's all about balancing the powers of the public and the rulling parties. The more a government is empowered to invade privacy in one way or another, the higher the risk of them abusing their power, or even worse, having their communications infrastructure wiretap-ready for third parties.
UPDATE - this post recently appeared at LinuxSecurity.com - The Future of Privacy = don't over-empower the watchers!
Technorati tags :
Privacy, Anonymity, Censorship
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Monday, March 06, 2006
5 things Microsoft can do to secure the Internet, and why it wouldn't?
In my previous post on Internet security, I was just scratching the surface of "How to secure the Internet", and emphasized that plain text communications, insecure by design, and our inability to measure the costs of cybercrime, are among the things to keep in mind.
Now, If I were asked about monocultures, "ship it now, patch it later" attitudes or slow reactive approaches, I would quickly ask is it Microsoft you're talking about? It's a common weakness to blame the most popular or richest companies before rethinking the situation, or even worse, waiting for someone else to secure you, instead of you trying to figure out how to achieve the balance. Is Linux, or, OS X more secure than Microsoft's Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even interest in exploiting their weaknesses?
Important questions arise as always :
- Are Microsoft's products insecure by default, or what is insecure in this case?
- Should Microsoft's number of known vulnerabilities act as a benchmark for commitment towards security, quality of the software, or should this be totally excluded given the tempting target Microsoft's products really are?
- Should a vendor be held liable for not releasing a patch in a timely fashion, and what are the acceptable timeframes, given how quickly malware authors take advantage, and "worm the vulnerability"?
These and many other points led me to the idea of brainstorming on what Microsoft could do to secure the Internet as a whole, and contribute to the social welfare of the society(a $100 laptop powered by a hand crank, is so much better than a smartphone, given it's education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented post, they've got enough anti-trust legislations and Vista issues to deal with, yet, it's a summary of my thoughts while going through Slashdot's chat with Mike Nash VP of security, and some Microsoft's comments on today's state of the market for software vulnerabilities.
1. Think twice before reinventing the security industry
What is the first thing that comes across your mind when you picture Microsoft as a security vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite a good foundation besides constant acquisitions. Microsoft is a software company, software innovation is among their core competencies. Yet, today’s fast growing information security market opens up many more profitable opportunities. Though, I’d rather they stick to their current OEM licensing agreements by the time they actually come up with something truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing the irony of entering the security industry without first dealing with the idea internally? The introduction of a OS build-in firewall, and bi-directional and fully working with IPSec for Vista would immediately provide Microsoft with a great opportunity to start serving certain market segments, while it would leave them in experimental mode while MS is gaining the experience.
Why it wouldn’t?
Because the information security market is growing so steadily, that if Microsoft doesn’t take a piece of the pie, it would be a totally flawed business logic. And they want to do it as independently, thus more profitably, as possible. The recent FBI’s 2005 Computer Crime Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and perimeter based security solutions, no one would miss that opportunity. While you can acquire competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same with core competencies, moreover, I once said "less branding, but higher preferences", and you might end up making the right decision for the time being. Moreover, to operate in today’s anti virus market you need a brand name and if you don’t have it, there’s a great chance you wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on a niche, and introduce innovative competitive features. The rest is all about OEM agreements and licensing technologies or the opportunity to provide a service, still, it's Microsoft's brand and market development practices to worry about. Passport, Trustworthy Computing, InfoCard it's all under Microsoft's Brand umbrella.
2. Become accountable, first, in front of itself, than, in front of the its stakeholders
What is accountability in this case anyway? Releasing a patch given a vulnerability is known within a predefined timeframe? Set, report and improve its own benchmark on a fast response towards a security threat? Overall commitment as a whole? You cannot simply say “hold on” when the entire world is waiting for you to release a patch, any excuse in such a situation should be considered as lack of responsibility. And given that no vendor has been held liable for not releasing a patch in a timely manner, why would they bother to be the benchmark? I think the problem isn’t the lack of resources, but understanding the importance of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this fact, isn't it. Can Elephants Indeed Dance in this case? Microsoft’s VP of Security Mike Nash, made a lot of comments for a Slashdot interview that made me an impression, such as :
“Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time.” – I can argue that nothing has changed since then, can you?
Why it wouldn’t?
Mainly because of the actual commitment, though I feel Microsoft could evolve if it manages to find the balance between being a software company with ambitions in the security industry. First, the clear benefits should be understood, and they obviously aren’t. I greatly feel that until a customer, or a legal party doesn’t start questioning various practices, this self-regulation is not getting us anywhere. Gratefully, the are independent researchers out there that have a point way faster than the vendor itself. I think exchanging information in a way that satisfies both parties would be the best thing to do. Employees training without successful evaluation of the progress is useless, and while seeking accountability from a programmer has been greatly discussed, I feel that outsourcing the auditing is always an option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be breached? I doubt so given they implement close activities monitoring and the Manhattan project style operations and cooperation between teams.
Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but instead I feel its defacto position as an OS turns it into an exciting daily research topic, whereas its anti-trust compliance practices such as sharing technical details so that competitors could – puts them in a very unfavourable $279.83B market capitalization position. Security shouldn’t be something to live with as if it’s normal, instead it should be provoked by means of active testing and proactive solutions. I feel what they are missing is a legal incentive to promptly comply with patch releases, while on the other hand can you picture the outcome of a minor tax deduction in case a milestone in the release of proactive security vulnerabilities is reached, and watch them securing!
3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities
Have you even imagined Microsoft releasing proactive patches to fix 0day vulnerabilities it has managed to find out though third-party code auditing practices, or within its internal quality assurance departments? Sounds too good to be true, but reaching the proactive level is an important step, so hold your breath, the did it with Vista already! Still, their practices with dealing with the reactive response are questionable, and as it often happens, the window of opportunity due to their efforts to testing and localizing the patches for all their customers(the entire world) is causing windows of opportunities that I could argue drive the security industry.
Why it wouldn’t?
Resources and commitment, though the first can be successfully outsourced. What I greatly feel the company is missing is a clear strategy towards understanding the benefits, and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to provide bugs free software, but features rich one. And the way MSN is not going to get more allocated budget compared to MS Office, it’s going to take a while by the time they realize the importance and key role they play as being on the majority of PC and servers worldwide. Some comments again :
"I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time."
4. Introduce an internal security oriented culture, or better utilize its workforce in respect to security
Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as THE software company, to some it may be competing with other major software vendors, or the Open Source threat, it actually competes on IQ basis. Flame them, talk whatever you want, they are still able to attract the smartest people on Earth to work for them. My point is, that introducing a Google style culture, where engineers and anyone from their employees spend 10% of their time on personal projects, this time towards security, it would inevitable make an impact on finding the balance between usability and security on any of its products. Devoting any percentage of work time towards security related projects and initiatives would.
Why it wouldn't?
They pretend they have their own corporate citizenship methods, and moreover, they hate Google with a reason. Or is it about the culture, spending time on security/hacking cons to find out that's driving the industry, or basically stop shipping products with the majority of features turned on by default with the idea to "show off" their features?
5. Rethink its position in the security vulnerabilities market
Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability researchers and actually purchase their research have any effect at all? It would definitely help them I cannot actually imagine Microsoft paying for 0day IE vulnerabilities, but I can literally see them catching up with week delay on the WMF vulnerability. But the usefulness and the potential of this approach are enormous, and the intelligence gathered will provide them with unique business development opportunities, given they actually take advantage of them.
Microsoft has stated numerous time that it doesn’t agree with the practice of buying security vulnerabilities, and while I also don’t agree that commercializing the current state of the process of discovering, exploiting, and patching is the smartest thing to do, picture a $250k bounty for information leading to the arrest of virus writers being spent on secure code auditing, or push/pull software vulnerabilities approach with reputable researchers only – it would make a change for sure.
Why it wouldn't?
Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We are not interested in pulling intelligence from you, we are interested in pushing you the final results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact.
To conclude, as I’ve said I think it isn’t the lack of resources, but understanding the importance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :)
Technorati tags :
Security, Microsoft
Now, If I were asked about monocultures, "ship it now, patch it later" attitudes or slow reactive approaches, I would quickly ask is it Microsoft you're talking about? It's a common weakness to blame the most popular or richest companies before rethinking the situation, or even worse, waiting for someone else to secure you, instead of you trying to figure out how to achieve the balance. Is Linux, or, OS X more secure than Microsoft's Windows, or they are just not popular enough to achieve the scale of vulnerabilities, even interest in exploiting their weaknesses?
Important questions arise as always :
- Are Microsoft's products insecure by default, or what is insecure in this case?
- Should Microsoft's number of known vulnerabilities act as a benchmark for commitment towards security, quality of the software, or should this be totally excluded given the tempting target Microsoft's products really are?
- Should a vendor be held liable for not releasing a patch in a timely fashion, and what are the acceptable timeframes, given how quickly malware authors take advantage, and "worm the vulnerability"?
These and many other points led me to the idea of brainstorming on what Microsoft could do to secure the Internet as a whole, and contribute to the social welfare of the society(a $100 laptop powered by a hand crank, is so much better than a smartphone, given it's education, and not entertainment you're looking for! ). This is not an anti-microsoft oriented post, they've got enough anti-trust legislations and Vista issues to deal with, yet, it's a summary of my thoughts while going through Slashdot's chat with Mike Nash VP of security, and some Microsoft's comments on today's state of the market for software vulnerabilities.
1. Think twice before reinventing the security industry
What is the first thing that comes across your mind when you picture Microsoft as a security vendor? A worst case scenario for the Internet as a whole? Just kidding, but still, with such a powerful brand, BETA products, and their legal monopoly from my point of view, is quite a good foundation besides constant acquisitions. Microsoft is a software company, software innovation is among their core competencies. Yet, today’s fast growing information security market opens up many more profitable opportunities. Though, I’d rather they stick to their current OEM licensing agreements by the time they actually come up with something truly unique. Acquiring companies indeed improves competitiveness, but is it just me seeing the irony of entering the security industry without first dealing with the idea internally? The introduction of a OS build-in firewall, and bi-directional and fully working with IPSec for Vista would immediately provide Microsoft with a great opportunity to start serving certain market segments, while it would leave them in experimental mode while MS is gaining the experience.
Why it wouldn’t?
Because the information security market is growing so steadily, that if Microsoft doesn’t take a piece of the pie, it would be a totally flawed business logic. And they want to do it as independently, thus more profitably, as possible. The recent FBI’s 2005 Computer Crime Survey indicated that the majority of security dollars are spent on antivirus, antispyware, and perimeter based security solutions, no one would miss that opportunity. While you can acquire competitive advantage, and actually buy yourself an anti virus vendor, you cannot do the same with core competencies, moreover, I once said "less branding, but higher preferences", and you might end up making the right decision for the time being. Moreover, to operate in today’s anti virus market you need a brand name and if you don’t have it, there’s a great chance you wouldn’t be able to gain any market share, of course if you you don’t somehow capitalize on a niche, and introduce innovative competitive features. The rest is all about OEM agreements and licensing technologies or the opportunity to provide a service, still, it's Microsoft's brand and market development practices to worry about. Passport, Trustworthy Computing, InfoCard it's all under Microsoft's Brand umbrella.
2. Become accountable, first, in front of itself, than, in front of the its stakeholders
What is accountability in this case anyway? Releasing a patch given a vulnerability is known within a predefined timeframe? Set, report and improve its own benchmark on a fast response towards a security threat? Overall commitment as a whole? You cannot simply say “hold on” when the entire world is waiting for you to release a patch, any excuse in such a situation should be considered as lack of responsibility. And given that no vendor has been held liable for not releasing a patch in a timely manner, why would they bother to be the benchmark? I think the problem isn’t the lack of resources, but understanding the importance of it. Microsoft is so huge and powerful that’s its clumsiness is in direct proportion with this fact, isn't it. Can Elephants Indeed Dance in this case? Microsoft’s VP of Security Mike Nash, made a lot of comments for a Slashdot interview that made me an impression, such as :
“Four years ago, I used to have to have frequent conversations with teams who would tell me that they couldn't go through the security review process because they had competitive pressures or had made a commitment to partners to ship at a certain time.” – I can argue that nothing has changed since then, can you?
Why it wouldn’t?
Mainly because of the actual commitment, though I feel Microsoft could evolve if it manages to find the balance between being a software company with ambitions in the security industry. First, the clear benefits should be understood, and they obviously aren’t. I greatly feel that until a customer, or a legal party doesn’t start questioning various practices, this self-regulation is not getting us anywhere. Gratefully, the are independent researchers out there that have a point way faster than the vendor itself. I think exchanging information in a way that satisfies both parties would be the best thing to do. Employees training without successful evaluation of the progress is useless, and while seeking accountability from a programmer has been greatly discussed, I feel that outsourcing the auditing is always an option worth keeping in mind. Would confidentiality of the ultra-secret Microsoft’s code be breached? I doubt so given they implement close activities monitoring and the Manhattan project style operations and cooperation between teams.
Don’t get me wrong, Microsoft’s software will always be blamed for being insecure, but instead I feel its defacto position as an OS turns it into an exciting daily research topic, whereas its anti-trust compliance practices such as sharing technical details so that competitors could – puts them in a very unfavourable $279.83B market capitalization position. Security shouldn’t be something to live with as if it’s normal, instead it should be provoked by means of active testing and proactive solutions. I feel what they are missing is a legal incentive to promptly comply with patch releases, while on the other hand can you picture the outcome of a minor tax deduction in case a milestone in the release of proactive security vulnerabilities is reached, and watch them securing!
3. Reach the proactive level, and avoid the reactive, in respect to software vulnerabilities
Have you even imagined Microsoft releasing proactive patches to fix 0day vulnerabilities it has managed to find out though third-party code auditing practices, or within its internal quality assurance departments? Sounds too good to be true, but reaching the proactive level is an important step, so hold your breath, the did it with Vista already! Still, their practices with dealing with the reactive response are questionable, and as it often happens, the window of opportunity due to their efforts to testing and localizing the patches for all their customers(the entire world) is causing windows of opportunities that I could argue drive the security industry.
Why it wouldn’t?
Resources and commitment, though the first can be successfully outsourced. What I greatly feel the company is missing is a clear strategy towards understanding the benefits, and eventually the commitment to do it. Microsoft isn’t insanely obsessed with the idea to provide bugs free software, but features rich one. And the way MSN is not going to get more allocated budget compared to MS Office, it’s going to take a while by the time they realize the importance and key role they play as being on the majority of PC and servers worldwide. Some comments again :
"I often get asked the question, "who has been fired for shipping insecure code at Microsoft?" My usual answer here is that we are still learning a lot about security at Microsoft and that most of the security issues that we deal with don't come as a result of carelessness or disregard for the process, but rather new vectors of attack that we didn't understand at the time."
4. Introduce an internal security oriented culture, or better utilize its workforce in respect to security
Google’s 70/20/10 rule is an example, and while Microsoft tends to position itself as THE software company, to some it may be competing with other major software vendors, or the Open Source threat, it actually competes on IQ basis. Flame them, talk whatever you want, they are still able to attract the smartest people on Earth to work for them. My point is, that introducing a Google style culture, where engineers and anyone from their employees spend 10% of their time on personal projects, this time towards security, it would inevitable make an impact on finding the balance between usability and security on any of its products. Devoting any percentage of work time towards security related projects and initiatives would.
Why it wouldn't?
They pretend they have their own corporate citizenship methods, and moreover, they hate Google with a reason. Or is it about the culture, spending time on security/hacking cons to find out that's driving the industry, or basically stop shipping products with the majority of features turned on by default with the idea to "show off" their features?
5. Rethink its position in the security vulnerabilities market
Would this mean there would be more monopolistic sentiments? I’m just kiddin’ of course though it’s still questionable. Would a Microsoft’s initiative to recruit outstanding vulnerability researchers and actually purchase their research have any effect at all? It would definitely help them I cannot actually imagine Microsoft paying for 0day IE vulnerabilities, but I can literally see them catching up with week delay on the WMF vulnerability. But the usefulness and the potential of this approach are enormous, and the intelligence gathered will provide them with unique business development opportunities, given they actually take advantage of them.
Microsoft has stated numerous time that it doesn’t agree with the practice of buying security vulnerabilities, and while I also don’t agree that commercializing the current state of the process of discovering, exploiting, and patching is the smartest thing to do, picture a $250k bounty for information leading to the arrest of virus writers being spent on secure code auditing, or push/pull software vulnerabilities approach with reputable researchers only – it would make a change for sure.
Why it wouldn't?
Because the biggest problem of a 800 pound gorilla is its EGO with capital letters. We are not interested in pulling intelligence from you, we are interested in pushing you the final results branded with Microsoft’s logo. Is it profitable? It is. Is it realistic in today’s collective intelligence dominated Web? It isn’t, and the whole concept has to go beyond Live.com from my point of view. Until, then, let’s still say a big thanks for playing such a vital role in our society’s progress, but no one seems to tolerate the security trade-offs anymore, that’s a fact.
To conclude, as I’ve said I think it isn’t the lack of resources, but understanding the importance of the issue. What do you think, what else can Microsoft do, and why it wouldn’t? :)
Technorati tags :
Security, Microsoft
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Data mining, terrorism and security
I've been actively building awareness on what used to feel like an unpopular belief only - Cyberterrorism, and also covered some recent events related to Cyberterrorism in some of my previous posts.
Last week, The NYTimes wrote about "Taking Spying to Higher Level, Agencies Look for More Ways to Mine Data", and I feel that avoiding the mainstream media for the sake of keeping it objective is quite useful sometimes. From the article :
"On the wish list, according to several venture capitalists who met with the officials, were an array of technologies that underlie the fierce debate over the Bush administration's anti-terrorist eavesdropping program: computerized systems that reveal connections between seemingly innocuous and unrelated pieces of information. The tools they were looking for are new, but their application would fall under the well-established practice of data mining: using mathematical and statistical techniques to scan for hidden relationships in streams of digital data or large databases."
Interest in harnessing the power of data mining given the enormous flow of information from different parties would never cease to exist. What's more to note in this case, is the Able Danger scenario as a key indicator for usefulness of outdated information, given any has been there at the first place. Conspiracy theorists would logically conclude that the need for evidence of the power of data mining for tracking terrorists would inevitably fuel more investments in this area. So true, and here's a recent event to keep the discussing going - "Suit airs Able Danger claims: Two operatives in secret program say their lawyers were barred at hearings"
While on one hand wars are getting waged with the idea to eradicate terrorist deep from its roots, and sort of building "local presence" thus improving assets allocation and intelligence gathering, I feel the fact that a reliable communication channel could be estalibshed by a terrorist network over the Net is already gaining a lot of necessary attention. However, TIA's ambitions have always been desperately megalomaniac, what about some marginal thinking in here folks, you cannot absorb all the info and make sense out of it, and who says it has to be all of it at the first place?!
The Total Information Awareness program was prone to be abused in one way or another, like pretty much any data mining system from my point of view. And while it's supposidely down due to budget deficits and privacy violations outbreak, government legislation and ensuring key networks remain wiretaps-ready seems to be a valuable asset for any future data mining projects. TIA is still up and running folks, or even if it's not using the same name, the concept is still in between the lines of DHS's budget for 2006 and would always be, and with the majority of corporate sector's participants are opening up their networks to comply with "legal requirements", the lines between privacy and the war against terrorism, and what to exchange for what, seems to be getting even more shady these days.
In my previous posts, I also mentioned about the power of the Starlight project as existing initiative to data mine data from different and media-rich sources alltogether, and most importantly, visualize the output. If you fear BigBrother, don't fear the Eye, but fear the Eyeglasses :)
More resources on Data Mining and Terrorism :
Data Mining : An Overview
Data Mining and Homeland Security : An Overview (updated January 27, 2006)
Using data mining techniques for detecting terror-related web activities
Data mining and surveillance in the post-9.11 environment
The Dark Web Portal: Collecting and Analyzing the Presence of Domestic and International Terrorist Groups on the Web
Workshop on Data Mining for Counter Terrorism and Security
TRAKS: Terrorist Related Assessment using Knowledge Similarity
The Multi-State Anti-Terrorism Information Exchange (MATRIX)
A Knowledge Discovery Approach to Addressing the Threats of Terrorism - w00t
Gyre's Data Mining section
Eyeballing Total Information Awareness
Able Danger blog
EPIC's TIA section
EFF's TIA section
Technorati tags : Security, Terrorism, Cyberterrorism, Data Mining, TIA
Last week, The NYTimes wrote about "Taking Spying to Higher Level, Agencies Look for More Ways to Mine Data", and I feel that avoiding the mainstream media for the sake of keeping it objective is quite useful sometimes. From the article :
"On the wish list, according to several venture capitalists who met with the officials, were an array of technologies that underlie the fierce debate over the Bush administration's anti-terrorist eavesdropping program: computerized systems that reveal connections between seemingly innocuous and unrelated pieces of information. The tools they were looking for are new, but their application would fall under the well-established practice of data mining: using mathematical and statistical techniques to scan for hidden relationships in streams of digital data or large databases."
Interest in harnessing the power of data mining given the enormous flow of information from different parties would never cease to exist. What's more to note in this case, is the Able Danger scenario as a key indicator for usefulness of outdated information, given any has been there at the first place. Conspiracy theorists would logically conclude that the need for evidence of the power of data mining for tracking terrorists would inevitably fuel more investments in this area. So true, and here's a recent event to keep the discussing going - "Suit airs Able Danger claims: Two operatives in secret program say their lawyers were barred at hearings"
While on one hand wars are getting waged with the idea to eradicate terrorist deep from its roots, and sort of building "local presence" thus improving assets allocation and intelligence gathering, I feel the fact that a reliable communication channel could be estalibshed by a terrorist network over the Net is already gaining a lot of necessary attention. However, TIA's ambitions have always been desperately megalomaniac, what about some marginal thinking in here folks, you cannot absorb all the info and make sense out of it, and who says it has to be all of it at the first place?!
The Total Information Awareness program was prone to be abused in one way or another, like pretty much any data mining system from my point of view. And while it's supposidely down due to budget deficits and privacy violations outbreak, government legislation and ensuring key networks remain wiretaps-ready seems to be a valuable asset for any future data mining projects. TIA is still up and running folks, or even if it's not using the same name, the concept is still in between the lines of DHS's budget for 2006 and would always be, and with the majority of corporate sector's participants are opening up their networks to comply with "legal requirements", the lines between privacy and the war against terrorism, and what to exchange for what, seems to be getting even more shady these days.
In my previous posts, I also mentioned about the power of the Starlight project as existing initiative to data mine data from different and media-rich sources alltogether, and most importantly, visualize the output. If you fear BigBrother, don't fear the Eye, but fear the Eyeglasses :)
More resources on Data Mining and Terrorism :
Data Mining : An Overview
Data Mining and Homeland Security : An Overview (updated January 27, 2006)
Using data mining techniques for detecting terror-related web activities
Data mining and surveillance in the post-9.11 environment
The Dark Web Portal: Collecting and Analyzing the Presence of Domestic and International Terrorist Groups on the Web
Workshop on Data Mining for Counter Terrorism and Security
TRAKS: Terrorist Related Assessment using Knowledge Similarity
The Multi-State Anti-Terrorism Information Exchange (MATRIX)
A Knowledge Discovery Approach to Addressing the Threats of Terrorism - w00t
Gyre's Data Mining section
Eyeballing Total Information Awareness
Able Danger blog
EPIC's TIA section
EFF's TIA section
Technorati tags : Security, Terrorism, Cyberterrorism, Data Mining, TIA
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Anti Phishing toolbars - can you trust them?
A lot of recent phishing events occured, and what should be mentioned is their constant ambitions towards increasing the number of trust points between end users and the mirror version of the original site. The use of SSL and the ease of obtaining a valid certificate for to-be fraudelent domain is a faily simple practice. Phishing is so much more than this, and it even has to do with buying 0day vulnerabilities to keep itself competitive.
How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building? As far as trends are concerned, according to the AntiPhishingGroup's latest report :
• Number of unique phishing reports received in December: 15244
• Number of unique phishing sites received in December: 7197
• Number of brands hijacked by phishing campaigns in December: 121
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 51 %
• No hostname just IP address: 32 %
• Percentage of sites not using port 80: 7 %
• Average time online for site: 5.3 days
• Longest time online for site: 31 days
In case you haven't came across to this research "Do Security Toolbars Actually Prevent Phishing Attacks?" you'll find that it has very good points and actual evidence. Antiphishing filters and toolbars protection are gaining popularity, and many popular companies are fighting for market share of the end users'
desktop, but keep in mind that :
"We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars’ warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be."
The topic of phishing and fighting the problem has been again greatly extended by the researcher Min Xu, while writing the thesis "Fighting Phishing at the User Interface" and introducing a solution that measures a site's reputation and trustfulness. While, this is among the simplest ways Google uses to while assigning PageRank's, I find this a common sense warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out some screenshots from this outstanding thesis, and get the point :
Localizing the attacks, taking advantage of the momentum, or a software vulnerability within a popular browser or site itself, as well as taking advantage of malware, are among the most common practices these days. Moreover, I feel that fighting phishing the wrong way could erode the end user's trust in the Web on the other hand, so do your homework on the social impact on anything you do. NetCraft's Anti Phishing toolbar, whatsoever, is my favorite combination of them all, still, awareness and lack of naivety when it comes to transactions or authentication is the perfect tool, what about yours?
Some resources worth mentioning are :
Candid's “Phishing in the middle of the stream” Today’s threats to online banking
Know your Enemy : Phishing
Phishing attacks and countermeasures
The Phishing Guide
Distributed Phishing Attacks
Phishiest Countries
MailFrontier Phishing IQ Test
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures
Technorati tags :
Security, Phishing, Toolbar, AntiPhishing Group
How should phishing be fought? Educating the end user not to trust that he/she's on Amazon.com, when he just typed it, or enforcing a technological solution to the problem of digital social engineering and trust building? As far as trends are concerned, according to the AntiPhishingGroup's latest report :
• Number of unique phishing reports received in December: 15244
• Number of unique phishing sites received in December: 7197
• Number of brands hijacked by phishing campaigns in December: 121
• Number of brands comprising the top 80% of phishing campaigns in December: 7
• Country hosting the most phishing websites in December: United States
• Contain some form of target name in URL: 51 %
• No hostname just IP address: 32 %
• Percentage of sites not using port 80: 7 %
• Average time online for site: 5.3 days
• Longest time online for site: 31 days
In case you haven't came across to this research "Do Security Toolbars Actually Prevent Phishing Attacks?" you'll find that it has very good points and actual evidence. Antiphishing filters and toolbars protection are gaining popularity, and many popular companies are fighting for market share of the end users'
desktop, but keep in mind that :
"We conducted two user studies of three security toolbars and other browser security indicators and found them all ineffective at preventing phishing attacks. Even though subjects were asked to pay attention to the toolbar, many failed to look at it; others disregarded or explained away the toolbars’ warnings if the content of web pages looked legitimate. We found that many subjects do not understand phishing attacks or realize how sophisticated such attacks can be."
The topic of phishing and fighting the problem has been again greatly extended by the researcher Min Xu, while writing the thesis "Fighting Phishing at the User Interface" and introducing a solution that measures a site's reputation and trustfulness. While, this is among the simplest ways Google uses to while assigning PageRank's, I find this a common sense warning. Still, with the constant flood of Web 2.0 companies, does it matter? :) Check out some screenshots from this outstanding thesis, and get the point :
Localizing the attacks, taking advantage of the momentum, or a software vulnerability within a popular browser or site itself, as well as taking advantage of malware, are among the most common practices these days. Moreover, I feel that fighting phishing the wrong way could erode the end user's trust in the Web on the other hand, so do your homework on the social impact on anything you do. NetCraft's Anti Phishing toolbar, whatsoever, is my favorite combination of them all, still, awareness and lack of naivety when it comes to transactions or authentication is the perfect tool, what about yours?
Some resources worth mentioning are :
Candid's “Phishing in the middle of the stream” Today’s threats to online banking
Know your Enemy : Phishing
Phishing attacks and countermeasures
The Phishing Guide
Distributed Phishing Attacks
Phishiest Countries
MailFrontier Phishing IQ Test
Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures
Technorati tags :
Security, Phishing, Toolbar, AntiPhishing Group
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Posts (Atom)