[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] Security breakdown


By Sean Hargrave
The Guardian,
January 17 2008

This year computer users will be more exposed to cybercriminals than 
ever before. It's not just because online crime is so attractive to 
identity theft gangs but, ironically, because the computer security 
industry that is supposed to protect users has deteriorated - from one 
which shared everything about newly discovered weaknesses to what some 
within it now call a "protection racket".

It may sound alarmist, but researchers such as Paul Henry, 
vice-president of technology at Secure Computing, are using exactly that 
language to describe a move by a small minority of security companies 
now paying hackers for exclusive access to newly discovered 
vulnerabilities. This ensures their customers are protected while the 
software vendor works out a solution and rolls out a patch, a process 
that can take weeks.

"The security industry is fast becoming a protection racket. There's no 
other word for it," Henry says. "The tradition has always been for 
vendors to share information on vulnerabilities so we can all protect 
our customers. Now you've got hackers being given a so-called legitimate 
route of selling vulnerabilities to a single company who then protect 
their own.

"It's not only wrong, because it only protects one company's customers, 
it also gives a lucrative market for hackers. They don't have to run the 
risk of going to jail any more by actually using a vulnerability, they 
can just threaten you with it and they get paid. It's extortion."

Growing weaknesses

The number of flaws that can be exploited in software is growing fast: 
last year alone the US National Vulnerability Database (nvd.nist.gov), a 
clearing house, noted 6,680 new ones across a huge range of products and 
operating systems. That represented a dramatic slowing of growth after 
two years in which it had grown from just 1,281 in 2003. A forecast by 
analysts Gartner suggested that the security industry would be worth 
$9.1bn (4.6bn) in 2007, up by 10 per cent from the $8.2bn of 2006 
(tinyurl.com/yvjxgl). The rewards for getting an edge are therefore 

Henry claims he does understand how the market for selling 
vulnerabilities on an exclusive basis has come about, blaming well-known 
software companies for not treating security researchers better.

"There have been cases where people reporting vulnerabilities to 
software companies have been treated terribly and threatened with legal 
action because the vendors just don't want to look stupid," he says. 
"Security researchers that have found a vulnerability won't get paid by 
a vendor, and if they think they actually might end up talking to their 
lawyers and being threatened, then it's hardly surprising they end up 
selling vulnerabilities to security companies. It's just a shame as it's 
opened the door for extortion."

The two companies that spring to mind when executives like Henry talk 
about extortion are Tipping Point and WabiSabiLabi. The former is the 
most notable security company paying "security researchers" for 
exclusivity on vulnerabilities and its patches, while the latter is 
unashamedly set up as an auction house for vulnerabilities. Security 
researchers - though others may prefer to call them hackers - can go to 
WabiSabiLabi to report a vulnerability they have found: it is then 
auctioned to the highest bidder. The site takes what is believed to be a 
5% cut.

According to Yuval Ben-Itzhak, chief technology officer of San Francisco 
security company Finjan, this approach of buying or auctioning 
vulnerabilities goes against everything responsible security businesses 
should believe in.

"I really don't like this paying hackers strategy. It rewards them and 
it leaves computer users more vulnerable," he says. "Responsible 
companies share information, they build up trust over years and have 
routes to share vulnerabilities, always acknowledging where the first 
report has come from, so that company or researcher concerned is 
applauded for their help. To my mind, you can't trust hackers, so if 
you're a responsible company you spend money on research rather than 
handing it over to extortionists."

The middleman

Terri Forslof, manager of security response at Texas-based Tipping 
Point, defends the company's strategy, pointing out that it means 
security researchers can report vulnerabilities and be rewarded without 
being tempted to sell their knowledge to criminals - who can pay a lot 
more. "When you've got security researchers fearing they'll be 
threatened with legal action if they report vulnerabilities, it's not 
surprising they come to us," she says.

"We can deal with the software vendor for them and ensure they get 
rewarded for their vulnerability. The software vendor is informed of any 
vulnerabilities we buy and we do not release details of what we have 
bought to the outside world. It's true that our customers get protection 
from the problem before the software vendor rolls out a patch for the 
issue, but we don't see how that is a problem for our customers.

"We are an option that allows security researchers to be rewarded for 
their efforts without having to go to the dark side of criminality, 
which has to be good for everyone. We also believe that if the people 
coming to us don't find those vulnerabilities than someone else will, so 
it's better that they get reported to us than be sold to criminals."

However, to security companies based around sharing information, the 
argument does not carry much weight. Mary Landesman, senior security 
researcher at ScanSafe and a former security expert at Microsoft, 
believes those who do not share vulnerabilities are deluding themselves.

"Do they really know that Hacker A is not also somewhere else selling a 
vulnerability calling himself Hacker B?" she asks. "Do they know they're 
not paying for something that hasn't been discussed with another hacker 
who could go on to exploit the vulnerability and damage the vast 
majority of computer users that won't have protection?

"They talk about security researchers being harshly dealt with, but I 
can assure you at the hacker conferences they are well wined and dined. 
Software vendors only get angry when vulnerabilities are irresponsibly 
released to the public before they've had a chance to work on them. If a 
security researcher wants to report a vulnerability as an altruistic 
gesture they can do, but if they're motivated by money, blaming the 
software vendors is an easy excuse for selling the exploit rather than 
giving it away."

Geoff Sweeney, chief technology officer of the Australian global 
security business Tier 3, agrees and points out that the security 
researcher market is far more clouded than the likes of Tipping Point 
would like to make out. "They talk about white- and black-hat 
researchers but there's a lot of grey in between," he says.

"I think there's some truth in the software vendors making a rod for 
their own back by treating researchers badly, prompting them to sell the 
vulnerabilities they uncover; but it's still extortion, it's paying 
someone to hand over something they're threatening computer users with. 
Plus, if money is their priority over reporting it to the software 
vendor, why offer them money? You can't compete with what the black 
market offers anyway, so why legitimise it so it looks OK to find 
vulnerabilities and sell them to security companies as exclusives?"

Although the chief executive of WabiSabiLabi failed to keep to several 
interview slots to answer the claims against his Swiss-based company, a 
spokesperson insisted that the company was simply offering security 
researchers an alternative to selling on the black market. The spokesman 
did not agree that WabiSabiLabi has a conflict of interest doubling up 
as an auction house for vulnerabilities as well as marketing itself as a 
security consultancy which would, by definition, mean it were the only 
consultancy with access to details of undisclosed vulnerabilities which 
other companies have paid to have exclusive access to.

Subscribe to InfoSec News