Saturday, July 7, 2007

Selling security exploits

The biggest fear of software makers, application system makers and the like (Microsoft, Adobe, Apple, and numerous other big entities) is coming true. Ever since software holes and bugs started to come into existence, there was always the pressure between the software company trying to release a patch, and hackers trying to exploit this defect. In the past, software makers would try to apply pressure on the defect finders to keep it quiet till the patch is released. If the patch was found by a big company, they would normally respond to pressure from the likes of Microsoft and not release into the public domain.
However, this was not happening more and more, with the security companies releasing their findings independently of the software makers. Some of them would even sell these to people who would exploit them for nefarious purposes. As an example, review the number of botnets that exist in the internet today, with millions of computers being hacked into and controlled. The situation was literally demanding a market-place for such bugs:


An eBay-like auction site that sells vulnerabilities will improve security by ensuring researchers get a fair price for their work, its founders say. "The existing business model to reward researchers is a failure," said Herman Zampariolo, chief executive of WSLabi, and the man behind the WabiSabiLabi auction site. A tiny minority of vulnerabilities currently get patched, he said, because IT experts aren't paid for their work in uncovering them.
"As long as vulnerabilities are bought and sold privately, the value can't be the right one," Zampariolo said. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cybercriminals," he added.
So far, no bids have been posted, possibly because of delays in identifying the buyers, each of whom must use snail mail or fax to deliver proof of their identity and their bank account--electronic currencies are not accepted on the site. Around 20 buyers have been registered so far, as well as 30 sellers, who have provided another batch of flaws that should be on the site next week.


In this case, the intention may be genuine; however, where is the control mechanism to ensure that these sales are happening to the right people. If we are just dependent on the operators of the exchange, then there is no guarantee. Later, if the number of such buyers increases, it would be very easy for the cyber-criminals to pretend to be a genuine buyer and get access to top-notch holes on a very quick basis.

No comments: