Jared DeMott is getting out of the vulnerability sales
business. He has had enough of trying to sell information
about security flaws to companies who do not
seem interested. DeMott, a security professional who started
US-based security assessment firm VDA Labs, found a security flaw
in a popular social networking site's toolbar that could allow
attackers to take over a PC. DeMott says he tried to sell the
vulnerability to the company, but got no response, so he went
public with the information. The affected firm patched the
vulnerability within a day.
"What else were we going to do? We wanted to move on," says
DeMott. Too many suppliers refuse to cooperate when approached with
information about vulnerabilities in their products, he says.
If researchers find a major bug in a popular product, they can
often sell that information easily to the provider of that product
or to a security product supplier that will roll the information
into its own tools. But it can be more difficult to sell
information on less popular products such as business reporting
tools, he says.
"We have found a number of flaws in products like that, and they
are hard to unload," he says, adding that some suppliers will
accuse researchers of extortion. "It is hard to find a legitimate
buyer."
It is not hard to find illegitimate ones, however. "We have seen
people paying hundreds of thousands of dollars in some of the
underground markets," says Greg Day, security analyst for
McAfee.
"Discussions will be conducted through
Internet Relay Chat (IRC) and locked or encrypted channels,"
says Dean Turner, senior manager of security response at
Symantec.
When people first began to understand that security in computing
was going to be a problem, information about vulnerabilities and
the exploits that used them spread slowly. They were exchanged
among niche communities of hackers, as they are today, but the
commercial internet was in its infancy, and the world was a much
larger place. Now, a zero day attack can infect large swathes of
the internet in hours.
A good example is the .ani zero day exploit that targeted
Windows users in the spring. Malicious website operators quickly
exploited the vulnerability in the operating system's animated
cursor handling system, and were able to cause a buffer overflow
when Internet Explorer users visited their sites.
In the worst cases, attackers were able to take complete control
of a system. By 2 April, just a few days after the exploit had been
released, security firm WebSense was reporting more than 100 sites
using it, mainly in China. A week later, a day before Microsoft
released a patch, the same company reported more than 2,000 sites
getting in on the action, including some in Eastern Europe.
No wonder zero day exploits are such big business. As with most
markets for valuable resources, it was only a matter of time before
someone attempted to formalise the arrangement and introduce more
liquidity.
Enter WabiSabiLabi, an auction site for vulnerability
information that commenced business this summer.
Researchers can sell information about the vulnerabilities that
they have discovered in various ways. They can conduct an auction
with a predefined starting price, eBay style, or they can sell it
to as many buyers as possible for a fixed price. It is also
possible to arrange a private sale with a single customer.
Researchers submit their vulnerability information to the
company, which then verifies the information in its own labs. If
they pass the test, they can be sold. Researchers choosing not to
sell exclusively to a private customer can also gather points for
vulnerabilities as part of the company's Vulnerability Sharing
Club, which assigns a score based on a vulnerability's maximum
selling price.
These points can then be redeemed for further cash payments
later on, in a process that Herman Zampariolo, CEO of the site's
operating company WSLabi, calls "squeezing the lemon twice".
"It is growing very fast and we are overwhelmed. There are 10
new vulnerabilities per day being submitted," says Zampariolo.
But not everyone is convinced that auctioning off vulnerability
information is a good idea. Terri Forslof is one of them. Forslof
is manager of the security response team at Tipping Point, which
operates a zero day initiative of its own.
The company buys vulnerabilities from researchers and uses them
to enhance zero day protection in its own security products. It
also passes those on to the software suppliers that own the
vulnerable products, Forslof says. "It takes away from researchers
having to work a deal with the product suppliers," she says. "We do
the legwork for them."
Forslof worries that an auction site will be open to hackers who
will then use purchased vulnerability information for their own
illegitimate purposes. "If we were to see these vulnerabilities
selling for large sums, you would have to make the assumption that
there is going to be a return on investment to the buyer," she
warns.
However, Zampariolo says that he is offering a legitimate
alternative. "The black market for vulnerabilities already exists.
We are not changing the existence of that market," he says. The
company also has checks and balances in place, he argues. Those
wishing to bid on vulnerabilities must present company
certificates. Personal documents and a landline must also be
provided.
"We screen both sides of the market in a way that not even Swiss
banks are doing," he argues. However, one wonders whether such
measures will be strong enough to ward off criminals who are often
experts at identity theft and impersonation.
Emerson Tan is fundamentally opposed to the idea of anyone
selling vulnerabilities. Tan is one of the people behind Packet
Storm, a community of security researchers that publicly posts all
vulnerabilities it finds as part of its zero tolerance policy on
security flaws. The only exception to its full disclosure policy
would be an internet-killing vulnerability that would take down the
entire global network.
"Imagine that there was a set of circumstances where your car
would burst into flames, killing you and your family in a cheerful,
fiery inferno," he says, likening the vulnerability market to
blackmail. "Now imagine that a person says, 'I know the set of
circumstances in which your car will explode, but if you want to
know, you will have to pay me. Oh and by the way, it is an
auction'. How would you feel about that?"
Tan's question is a timely one. For the past few years, the
argument has focused on whether researchers should publish
information about security flaws straightaway, or whether they
should give them to the suppliers to deal with at their leisure.
"That argument is kind of dead in my mind," says DeMott. "This is
the new question: is it okay to publicly trade
vulnerabilities?"
However, Tan argues that, "Vulnerability information and the
research that goes into it is a public good, in the same way that
making sure kettles do not spontaneously explode is a public
good."
He suggests that the real flaws lie in the law. "Somehow, via
licence agreements, the software makers have managed to get out of
this altogether. All the liability is passed on to the user."
Looking at the average software end-use licence agreement, which
essentially absolves the software supplier of any responsibility,
it is difficult to disagree with him.
However, that may change if the House of Lords has its way. Its
Science and Technology Committee's inquiry into personal internet
security, published in early August, made several recommendations,
but one of the most contentious was that European legislators
should move to make product suppliers liable for security flaws.
Should that occur, it would shake up the market considerably, and
potentially make some suppliers more willing to pay researchers for
their efforts.
The problem is that software suppliers have not always excelled
at software security. So it could be argued that researchers
provide a valuable independent resource that can help make products
more secure. However, they do not spend hours picking through
source code for free.
But there is yet another problem facing people trying to
formalise the market for vulnerabilities. Publish too little
information about the flaw and you may have difficulty gathering
interest. Publish too much, and you may tip off hackers to reverse
engineer an exploit purely from the description.
Zampariolo says that WSLabi has been experimenting with issues
such as these in its early days, and at least one flaw had to be
taken down because a patch was released within a few days of the
listing.
Already, on some security forums, one individual philosophically
opposed to WSLabi's operating model is publishing what he claims
are fully engineered exploits for vulnerabilities listed on the
auction site. The message attached to his posts reads: "End hacker
oppression, destroy WabiSabiLabi!"
And while researchers have to eat, it is easy to see how trying
to glean the largest payment possible for information about a
vulnerability could be seen as extortion. "It assumes that all
researchers wear white hats, but it is not taking into account that
a lot of researchers are in it for the money," says Turner.
The approach taken by some firms such as the Mozilla Foundation,
which offers £250 and a T-shirt under its bug bounty program, might
catch many bugs. But will it catch the ones offered by unscrupulous
researchers to higher-paying black market operators?
In an environment where the product is information, and where
there is no known way to protect that information as intellectual
property, anyone trying to formalise the market is playing a
dangerous game. The business model that made eBay so successful may
not apply when transferred to the darker regions of the
internet.