The Black Market Code Industry

Posted by jericho Tue, 08 Jul 2008 03:40:02 GMT

Adam Penenberg wrote an article titled "The Black Market Code Industry" for FastCompany in which he details his research on two HP employees who actively sold exploit code in their spare time, at least one of them selling exploits in HP's own software. According to the article, HP knew about one of the employees at the time of publication and was investigating. While a neat article and a fun read, it left me with a lot more questions that I hope get answered at some point (how about a 'Part 2', Adam?).

  1. Does Rigano still work for HP now that the article has been out a week?
  2. Did either individual have access to source code to make their exploit writing easier? If so, did they have access to edit source code in any capacity (e.g. backdoors, adding vulnerable code)?
  3. Did Rigano actually sell his exploits? If so, to whom and for how much? Checking the Full-Disclosure list archives, he appears to have had exploits for IIS 6.0, Firefox 2.x, MSIE 7, SAP, Apache, Microsoft Office and more.
  4. If Rigano did sell vulnerabilities, did he vet his buyers, or could he have sold them to 'enemy' nations or hostile countries (relative terms, I know)?
  5. Why is the FBI investigating a France based employee of HP?
  6. Is t0t0 a current employee of HP? If not, did he leave for his exploit selling activities? The article suggests that HP is aware of one of the two sellers. What do they have to say about this article now?


"high price bug brokering market just isn't viable"

Posted by jericho Sun, 16 Mar 2008 19:44:14 GMT

On January 17, 2007, SnoSoft / Netragard LLC announced a new Exploit Acquisition Program designed to compete with iDefense, TippingPoint and others. Nothing special or different other than the suggestion that they would pay more for high end vulnerabilities. A little over a year later, and they announced they were shutting down the Exploit Acquisition Program. From their post:

We regret to say that it's true, we've shut down the Exploit Acquisition Program. The reason for the shutdown was that it was taking our buyers too long to complete a single transaction and it wasn't fair to the researchers. While we'd expect a single transaction to take no more than a month, the average transaction time for our buyer was 4 months. The last transaction that we attempted took 7 months, at which point the issues were silently patched and the transaction was dead. As it stands right now, we can't justify asking anyone to wait that long to move a single item. So until the end players learn how to move faster, the high price bug brokering market just isn't viable.

No offense to SnoSoft / Netragard, but their competitors have proven that the market is viable. I guess the trick is how you ‘sell’ the information. For iDefense it is early warning for their customers in case the same vulnerability is being exploited by others. For TippingPoint it is early warning and IPS signatures. For WabiSabiLabi it is more like the SnoSoft program, where one buyer gets exclusive rights to the information, and it appears to be working to some degree.


The value of 0-day...

Posted by jericho Sun, 03 Jun 2007 04:34:30 GMT

Another interesting article regarding the value of 0-day vulnerabilities. Rob Lemos relates the stories of a few researchers who sold their 0-day vulnerability/exploit information for big dollars. The twist here, which is news to some, is who purchased it (the .gov) and for how much (as high as $80k). This is significantly more than the vulnerability purchase shops iDefense and ZDI (3Com/TippingPoint) currently offer. The only catch? The big spenders aren't advertising, so you have to have contacts to make such a sale. The scary part? We all know how cheap the U.S. government can be... so how much are other governments paying?


Matousec's Vulnerability Value

Posted by jericho Mon, 25 Sep 2006 00:37:27 GMT

Since the debate about pay-for-disclosure started, some folks have wondered what vulnerabilities are worth. We’ve seen companies like Verisign/iDefense and Tipping Point/ZDI offer serious money for vulnerabilities in the past. Adding to the mix, matousec.com has published a purchase page with prices of some of their vulnerability research information:

  • Full analysis of reviewed personal firewalls

    Visit the Windows Personal Firewall analysis methodology page to get information about what the full analysis is. The full analysis is preferentially offered to the product vendor. If the vendor buys the analysis it is given 30 days protection for all private information included in this analysis.

    Prices:
      o ZoneAlarm Pro 6.1.744.001 analysis - € 1,500 ($ 1,950)
      o Kerio Personal Firewall 4.3.246 analysis - € 500 ($ 650)
      o Norton Personal Firewall 2006 version 9.1.0.33 analysis - € 1,500 ($ 1,950)
      o BlackICE PC Protection 3.6.cpj analysis - € 1,500 ($ 1,950)

  • Single bugs of reviewed personal firewalls

    Visit the Windows Personal Firewall analysis methodology page to get information about what a single bug is.

    Prices:
      o ZoneAlarm Pro 6.1.744.001 bugs - visit ZoneAlarm Pro 6.1.744.001 - Review
      o Kerio Personal Firewall 4.3.246 bugs - visit Kerio Personal Firewall 4.3.246 - Review
      o Norton Personal Firewall 2006 version 9.1.0.33 bugs - visit Norton Personal Firewall 2006 version 9.1.0.33 - Review
      o BlackICE PC Protection 3.6.cpj bugs - visit BlackICE PC Protection 3.6.cpj - Review


Bugs and Money

Posted by d2d Fri, 14 Apr 2006 18:03:31 GMT

Jennifer Granick has a good article up on Wired titled "Bug Bounties Exterminate Holes," which talks about some of the issues raised in a panel discussion at CanSec last week. She makes some good points about the commercialization of vulnerability research: pros and cons, risks and rewards, etc.

It’s well worth reading the whole article, but one small bit caught my eye…

I have advised two businesses that had plans to auction vulnerabilities to the highest bidder on eBay. (After talking with me, each decided not to take the risk.)

This is pretty disappointing. I would love an environment where software vendors are forced to pony-up cash to researchers if they want bug details, and are forced into a competitive market against “value-add” services (iDefense, ZDI, etc.), and even criminals. Some may see this as a form of blackmail, but I think it will shed some much-needed light on how vendors feel about security, and how much money they are really willing to spend to keep their customers safe. Already we see a non-profit organization (Mozilla) willing to pay $500 for the information, and multi-billion dollar companies unwilling to pay anything.

I realize there are many legal and ethical problems with auctioning vulnerabilities that need to be wrestled with (including problems with eBay), but would it really be worse than it is right now?


Vulnerability Markets

Posted by jericho Tue, 14 Mar 2006 08:27:09 GMT

There has been a steady stream of papers and research examining the market for vulnerabilities. Countless people have blogged on it in passing and more people are starting to take interest in it for many reasons. Here are a couple papers (courtesy of Danchev’s blog) that cover the issue. When I find time, I hope to dig up links to others I have seen mentioned, as well as dig into the footnotes of these.

Vulnerability Markets: What is the economic value of a zero-day exploit? - Rainer Bohme - Dec 27, 2005

Market for Software Vulnerabilities? Think Again - Karthik Kannan, Rahul Telang - Dec 12, 2004

An Economic Analysis of Market for Software Vulnerabilities - Karthik Kannan, Rahul Telang - May 3, 2004


For Sale: VDB

Posted by jericho Mon, 13 Mar 2006 03:46:12 GMT

Jason Bergen posted to Full-Disclosure trying to sell a "Security Vulnerability Database Company". From that mail:

The company maintains a database of all security vulnerabilities, and the database is updated on a daily basis. The company maybe of interest to organisations who are currently licensing a vulnerability database. In addition the company has developed some software applications built upon the vulnerability database.

This is interesting on many levels, especially the approach to selling it. Why post to that mail list and not others? When asked for more details, Mr Bergen tells you "In order to provide further information a signed NDA would be required." You must sign a non-disclosure agreement just to find out the name of the company being sold. He also makes the following claim:

The database contains all vulnerabilities since 1988. Each entry has Bugtraq, CVE, and Nessus ids. It has developed its own vulnerability alerting system, but recently changed focus to providing OEM database licensing.

Sadly, he is not the first to make this claim. Throughout the years, many people have referred to CVE as having "all vulnerabilities since 1988", which simply is not the case. If you ask Christey or anyone involved with CVE, they will be the first to tell you that isn't so. So why do people think that? CERT started releasing advisories in 1988, but only released them for serious/critical vulnerabilities. Between 1988 and 1999 (CVE's inception), many vulnerabilities were never added to any database or given a formal advisory. In short, claims that a database has "all vulnerabilities since 1988" are extremely suspect. Had the claim named any year other than 1988, perhaps they had taken the time to go back and add the missing entries, making the claim true. His wording also raises the question: what if a vulnerability doesn't have a BID, CVE or Nessus ID to match? As much as databases try to maintain a perfect cross-reference mapping, it just doesn't happen all the time.


article: The value of vulnerabilities

Posted by jericho Wed, 08 Mar 2006 10:11:10 GMT

http://www.securityfocus.com/columnists/391

The value of vulnerabilities Jason Miller, 2006-03-07

There is value in finding vulnerabilities. Yet many people believe that a vulnerability doesn’t exist until it is disclosed to the public. We know that vulnerabilities need to be disclosed, but what role do vendors have to make these issues public?

Where do vulnerabilities come from? [..] The value in vulnerabilities [..] The ethics of vulnerabilities [..] Why we need responsible, public disclosure [..]


Selling Vulnerabilities: Going once..

Posted by jericho Thu, 08 Dec 2005 20:13:05 GMT

A couple of days ago, "fearwall" created an eBay listing for a "Brand new Microsoft Excel Vulnerability". I have mirrored a screenshot in case the listing is removed, which I expect it to be. One has to wonder if companies like iDefense or TippingPoint will bid, since they (and others) purchase vulnerabilities. Full text of the auction:

The lot: One 0-day Microsoft Excel Vulnerability

Up for sale is one (1) brand new vulnerability in the Microsoft Excel application. The vulnerability was discovered on December 6th 2005, all the details were submitted to Microsoft, and the reply was received indicating that they may start working on it. It can be assumed that no patch addressing this vulnerability will be available within the next few months. So, since I was unable to find any use for this by-product of Microsoft developers, it is now available for you at the low starting price of $0.01 (a fair value estimation for any Microsoft product).

A percentage of this sale will be contributed to various open-source projects.

Vulnerability Description (read carefully, this is what you bid on).

Microsoft Excel does not perform sufficient data validation when parsing document files. As a result, it is possible to pass a large counter value to msvcrt.memmove() function which causes critical memory regions to be overwritten, including the stack space. The vulnerability can be exploited to compromise a user’s PC. It is feasible to manipulate the data in the document file to get a code of attacker’s choice executed when malicious file is opened by MS Excel. The exploit code is not included in the auction. You must have very advanced skills if you want to further research this vulnerability.

What will be delivered (at no extra charge):

The winning bidder must provide an e-mail address that accepts .xls attachments. Two xls files will be mailed to this e-mail address: one file is the original Microsoft Excel document, the other one is a copy of the same document modified to demonstrate the vulnerability. The demonstration merely triggers the exception causing Excel to crash. It does not do anything malicious. A detailed description of the vulnerability will be provided in the message body. At that time you can claim yourself to be THE ONLY ONE IN THE WORLD possessing the knowledge about the vulnerability. Wow! Imagine that! (Well, not counting Microsoft, but I really doubt that they'll share it with anyone.) It is up to you what to do with it, but you may not use it for malicious purposes - see terms and conditions below.

Special offers:

Microsoft representatives get 10% off the final price. To qualify, you MUST provide @microsoft.com e-mail address and MUST mention discount code LINUXRULZ during checkout.

Terms and conditions of the sale:

Your bid indicates that you agree to the following:

1. You may not use this information for malicious or illegal purposes. The information you receive is for educational and research purposes only.
2. The seller reserves the right to refuse delivery to anyone (a full refund will be issued).
3. The seller will accept no responsibility for anything you do with this information.
4. The seller cannot be held liable under any circumstances.
5. Absolutely no refunds will be provided except for the reason mentioned above.

Disclaimers:

1. All trademarks are the property of their respective owners.
2. No proprietary software products were decompiled or reverse engineered.
3. All information advertised here was used and is to be used to promote the importance of and advance the knowledge in the field of information security.
4. The seller does not encourage any illegal activity.

Even if this one is a joke, what is to stop this model of vulnerability selling and disclosure from occurring more often in the future? As MadSaxon joked about over two years ago, registering a 0-bay domain might be a fun business to start.


Vulnerability Purchasing

Posted by jericho Fri, 21 Oct 2005 10:52:01 GMT

Several years ago, iDefense started purchasing vulnerabilities from freelance researchers and created its Vulnerability Contributor Program. Find a vulnerability, disclose it to iDefense under mutual NDA, and they would act as a mediator between you and the vendor for disclosure. After a patch was available, iDefense released an advisory and paid you. Ignoring the fact that they would sit on the information for up to a year before disclosing it to the vendor, this program rewarded people for finding and disclosing vulnerabilities.

Months back, David Endler left iDefense to join TippingPoint, a division of 3Com. Shortly after, TP announced its "Zero Day Initiative". Like iDefense, the ZDI would pay for vulnerabilities, but it also created a 'loyalty' program for continuing to disclose vulnerabilities through them (wonder if they give out keychain thingies like my grocery store does?).

Now, Digital Armaments is also offering a “pay for vuln” program. Instead of just offering cash for 0-day, they also offer trade-in credit so you can receive other 0-day in return for your own. This deviates off the path of “responsible disclosure” (questionable under the other two models) quite a bit.
