LIKE SPIES in a John LeCarré novel, network security professionals inhabit an ethically shadowy world.
Gunter Ollman, Director of Security Strategy for IBM Internet Security Systems, recently posted a blog entry discussing some of the ethical dilemmas faced by security services vendors in their dealings with software vulnerability brokers.
After prefacing his remarks with the disclaimer that "what I'm about to say doesn't necessarily reflect the views, opinions or corporate stance of IBM Internet Security Systems", he undertakes to dispel a myth and propose a few solutions.
Noting the recent proliferation of vulnerability purchasing programs, specifically VeriSign's iDefense Vulnerability Contributor Program and 3Com's TippingPoint Zero Day Initiative as well as the Swiss auction site WabiSabiLabi, Ollman complains that these don't seem to have benefited the security community, but have instead created new problems. He writes:
"Sure, they all make claims about how they make valuable contributions to the community – but let's face it, the net result is more vulnerability disclosures with more money going into the coffers of anonymous bug-hunters – and without any real accountability."

We're not sure how accountability applies when one's dealing with nameless software ferrets extorting money with the implied threat to sell fresh exploits to malware authors if not bought off, but let's leave that aside for now.
One problem Ollman sees is an unintended consequence of security vendors shipping, in their products, pre-disclosure signatures for the exploits acquired through their vulnerability purchase programs. These signatures, he says, can be extracted by penetration test services in order to discover vulnerabilities in client systems for which no exploits yet exist in the wild. They might be useful to black hat hackers too, perhaps shortening the time before real exploits appear.
He also takes 3Com's TippingPoint Zero Day Initiative to task about its justifications for distributing pre-disclosure exploit signatures. TippingPoint claims that it gives advance notice of new exploits to other security vendors and that this helps protect all end users until the software vendors provide patches.
Ollman calls these justifications a myth, "a load of bollocks", since he's pretty sure that ISS has never been given advance notice by TippingPoint and can't recall meeting anyone working at any of the other security vendors who has been given advance notice either.
Ollman also points out that some exploit brokers collect money from the security vendors, then turn around and disclose those vulnerabilities to gain recognition, in effect both having their cake and eating it too. The solutions he proposes to the industry are:
Alternatively, these security services vendors could exercise some restraint and keep their defences against new exploits in reserve until those exploits appear in the wild. They could even offer fast response services to update their clients' systems immediately upon the first report of a known vulnerability vector actually being, er, exploited.
Of course, the security vendors don't share the new exploits they purchase from anonymous sources. After all, they each pay good money for those, bung them into their proprietary security services as fast as they can, and promote them to their clients as market differentiators.
Instead, if they insist on purchasing exploits on the open market, why don't they share the costs? All of these security vendors could periodically meet up in the back room of some backstreet café in a suitable central European city and compare emailed blackmail purchase instructions and wire transfer records, divide up their payouts and exchange all their latest exploit signatures.
A lot like a John LeCarré novel. Sounds like a plan. µ