Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Bug Brokers: eBay-like Bug Site Doomed



 By: Lisa Vaas
2007-07-10
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Bug Brokers: eBay-like Bug Site Doomed
  2. ' When Disclosure Works Against '
  3. ' The Ethics of Selling '

Rate This Article:
Poor Best
Bug Brokers: eBay-like Bug Site Doomed
( Page 1 of 3 )

News Analysis: The key problem with eBay-like auction site Wabisabilabi is that you can't reveal details about a vulnerability without tipping off researchers on how to find it.

Claiming that security researchers are dissatisfied with current remuneration—white-hat chump change or the potential of black-hat broken kneecaps—a Swiss company has launched the first non-black-market auction site for zero-day vulnerabilities.

The eBay-like bug market, called Wabisabilabi, launched July 3. Security researchers and vulnerability brokers like the concept of selling vulnerabilities for fair market price just fine, but they also say the auction site has some serious flaws: lack of transparency (just who, exactly, is running this thing?); lack of ethics in selling vulnerabilities as opposed to just getting vendors to fix their products ASAP and thereby getting users protected ASAP; and lastly, the fact that you cant reveal details about a vulnerability without tipping off researchers on how to find it.

That, in fact, has already happened with one of Wabisabilabis items, a command-execution PoC (proof of concept) for a vulnerability in Squirrelmail GPG Plugin that researchers believe they nailed after a mere 10 minutes of pondering the code and the flaw description.

Thus far, the auction sites listings page contains four flaws up for bid: a PoC for a local Linux kernel memory leak, not remotely exploitable, with one bid, now going for 600€; the vulnerability in Squirrelmail GPG Plugin, also up to 600€ in spite of having likely been uncovered elsewhere; a remotely exploitable SQL Injection vulnerability in MKPortal for which nobodys bidding; and the pièce de résistance: a PoC for a gleaming, zero-day, Yahoo Messenger 8.1 remote buffer overflow on Windows XP, remotely exploitable by—get this—any user in the victims address book (although some interaction from the victim is required).

Resource Library:
Arbitrary code execution possible but non-trivial.

All for a paltry minimum bid of 2,000€.

Actually, compared with prices reportedly paid by vulnerability brokers or on the black market, 2,000€—thats $2,725.30 in U.S. dollars—is paltry. Open-source software maker The Mozilla Foundation may only reward security researchers with $500 and a T-shirt for a reported flaw, but black-market prices reportedly range into six digits.

H.D. Moore, founder of the Metasploit Project, has been offered between $60,000 and $120,000 by a private buyer for each client-side vulnerability found in Internet Explorer, for example.

Granted, the marketplace is young. It could be that Wabisabilabi hasnt yet vetted many buyers or sellers. Or, as pointed out by Terri Forslof, manager of security response for 3Coms TippingPoint division, vulnerability sellers or buyers may be hesitant to give it a try, as they were when TippingPoint launched its own ZDI (Zero-Day Initiative).

Nobodys bidding at Wabisabilabi, her thinking goes, since they dont see anybody else bidding, and they have no clue how much to bid anyway. TippingPoints ZDI buys vulnerabilities from researchers, notifies the affected product vendor, and protects its own customers from zero days through its intrusion prevention technology.

And yet the idea behind Wabisabilabi is to get security researchers a fair price for their findings and "ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals," according to the companys launch press release.

"We strongly believe … researchers [who are] … doing their job and researching security … these guys need to be brought into legitimate revenue with legitimate reward for what theyre doing," said Herman Zampariolo, CEO of WSLabi, in an interview with eWEEK.

"Theyre between the [frying] pan and the fire. … We all know theres a fraction of them that are black hat. But an astonishing majority are just looking to make a reward for what theyre discovering. Legally, technologically, weve been doing research for how can we reward these people. Think of pharmaceuticals. … You develop your own intellectual property, sell it, theres no problem."

There is nothing new in the idea of buying vulnerabilities; flaw brokers include TippingPoint, iDefense Labs, Immunity and Netragard.

Wabisabilabis name combines the Japanese word "Wabisabi," made up of the words wabi and sabi that together represent an aesthetic of imperfect, impermanent or incomplete beauty, with the German word for laboratory: Labi.

The new company is notable only for brokering vulnerabilities via an auction format. WSLabi pledges to verify vulnerability research by analyzing and replicating it in its independent labs and to then package it up with a PoC that will be sold on the marketplace via one of three ways: an auction with a predefined starting price; a sale to as many buyers as possible at a fixed price; or an exclusive sale to one buyer.

That may indeed sound good to researchers who are tired of pouring umpteen hours of work into research only to hand over their findings to product vendors for free, which is the white-hat approach to security research, wherein virtue and fame constitute a researchers reward.

In theory, the open market should benefit researchers interested in fair remuneration. In practice, though, Wabisabilabi has already proved that a cat out of the bag isnt worth bubkus.

Next Page: When disclosure works against security researchers.





  Reader Comments: Bug Brokers: eBay-like Bug Site Doomed
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xv VQfG)^tR/ٖc[ޖYZ I)R|Iy oВ/L;i["BPU( 7~vv~/IMsל۔䧮9[y"I͝7o,34r#GgRSrĠt Egiu;Az&|8 \?g3Q,Q H5K&O|kMF^2F .hvL⎲IlG5tuK%yHCu)pgEQ6'k[fm: \'|w*UnSp{ca_ʞz5"h4"j;^7[zn;B 18oaTKgpHkMmWVekVl"4r9ȹ׳07dcl#205b$)V,"&3Ýе:s z08Jej-jfO-=K;O=k\w=jP?bA2xư!$ne$DJHn6,uQj9g?-I p\.ܪn?AW}= :ԍ={we$%NXEo~cn>LjXvL<:jCY͂aF3l˸)84 VSzZ(NrwwWӽm˙[8NϿΔirp޻|̑GA mkh[Nv^׵vCq9}r>;{+rHǂ |+oLZ.JXOL0h5& :~XB^,9:GFI?j|%rP:(jV׊ Kn$Y3)2, uGҾ路.:6鷏?]uڧ>ߘecfy3ժ?TRJw3B~ Vק'םuvISCV=BCj`BӹciueUo~vO|wSR& :aZ+jIͽCf{|&޺xt9&9IDz|?!|蟟Cj ݖEB_,X_KŗG)HY03ǚ -2ɔSHzPN@S ZPĿ G/<@'D3ncfM5r,eg{05@M)61tv!fByᮦſ%/^(Pe!P샖_. jFTwYQQ#{̌_"ʥcc^IcGsQ 4lj\GCtW9Q] K\M}0EяzZRpx3n[Wһ^޷aUb}ƺƻ EhYf7-$ ꨦU+{2,%xQ9Po+r/LLf[ԑplP)utvnL>mNRG}:)51'4}t>჎$ticšwh4?XnL,rӇt!LZ~;ݣn]=&tnYXŞ+LRi`I l"]LR}>l8d $n)ssLn-)`@#` V>< 2/?Cn@ }S(}9g)nвc@q^i.;[@ſLg˺z+fYT]^ӛA/- B[+ M 2L%kZԕ1%/D4$B]`8W "CɣQHl - $ml{:=F0_ܰ큡[*+'#SV+kV^Ϛa+ L 4 `*w`b\0OaNcwAsmf~guw@~vP9G &Pt @I55} o _׆K Ìgе3Kwaﴽ.J-&jFd>j 'L[!BD+ه0`,E=}6:HySI_)+EUI$[b"ud\6˰@e9ִ &;rm۽& zfdy a(Jk6CZ&3G΀4uD8[-OAU4$qzS0uXQƮ< [>:fc `+z\qgI оhʰeZh`Zzu6$KD(Oܥx&\3atS3&יmE4`D ڸ/S" @548~x} *O$BR--UŨN=I) x X\>L* 78~Ò?DFQcG=ܴ>?CU^oVxw,"jXUcjxSCjZ/j7;|&9ˆc F  Nl2{w/Le6Z^Sz3gn-%s㑏3\V`QƖ]4FXXH]-'H̎GO\NR?!4`;W.P95fj flZ/YQSfca "7>j֐jvdݤS,Hɘ-qVCYw7䚢#?݀ލlF'FA\=!< &`QtEa:Ni7H·lr ?֊k[SGsGť5 ,ć;i#f MaFž.nJVTK{9i`7,mCc$ D!#2z p[kh0h'v*㻏3܁c:P=H(T\g7gMEH]ac6U{z@n)Z'/ǗvhTJE867=Oor9yn2$8z0JL;%95$_ۂ3Jo鸙 D hyrUM+'zf28҃F28c=[us0XSf~k`p1\An#>ҍL>yUc{6~zzi0bNQx` fzlhUKKHU,UU$~U;{Rn?mVPVW`Zd&{\%\{si0o(Q멋AfDmR/)+nQ/ ~ewmS?PG }&7 ug5Yx\'v ˽'jD@KYJ7eFVځ*\$X+JjYtn:0nɘُYD[8tpL\'eM=J皽6D72DHv4|w΅{ֽGsіXKփ u;R%9!hUHv*<fSڌ7M,#zzǎ ^Cښҽ:i_qfiZ ^Uc z A0k:]?vVfax!wl08D@ISJ&M(IZ[`beanKlx8eN)tJȓ3'C8 z>RB'T5˓$/IYO)Eqjhd꒐~~(i&'ءXҡԛ].6'8 $O krisq/Ps~%h dgKe 3 KqkP q,+ ` ;|E?RJ[L>XkI-jշΫ؉|@s`cVAkv ,x\=[<,Mw[v1CN'~.>?&Gm_ |1$ߓ[С[#|$~!ݫ[]}/j 2'|qF.X{v~P1hQ<_KR~o'[ ?--8c]!OKSϑ$٘NBERPUuln(rYpJEOVr;ld+N$^d1Ws0d&'q=K=#tz=f1vi_g~U㛟to42]awmB%uo~6{ȳҲ(r/J\ -"PnǸZ^|:W%0.5<d/ h3\Iscy‡i'KmxΙx <v4.ݍnL M A;"J ­[4 2UCnuk#Ǭ§u,'iƟ/!IFܱSo-*_1;jTŗ̈́3S7Op&5;W)&5ŗxpIM{fr+ 7~#vɸ!y%F#߂8ttj9J[~vːu9:ń>`eݦ^0 3g"`\IΗcs1;D!I'.Ϧ,Rq'08$P H=F0YHôhJ|·ް-I_+oPU%_U2E{:[멕J|rc`/}`/DxAK{: R-UjH$g6@R .Z6ͲKx^^\!Ms!lŮJZ|EvR˄yo*k(JB d1rx6?c5JKSw$J=Dg Ǚ3Qu2Q[EK' |]g.ݰmijj2GřLԓN\{z#vBJ)gbL.Z6.yQBzlO֯U}q^\3Bu֜ŏ/ԛa=Sl9h0{X IoO'LH'ӡ7]Q3V,k\*Nd!oooo/j|l^kR۾K7qTҥ}4c(sؠIHw˙l7xLL& aYb~^?`SL/ICߐ^̍ێԛX 7K@/.|A:/]5R/ekn}Wj̸x!ieX0SCKM- asǚB |z5 bC,6c )g:TZ=Lx&_jEe4H`JXle!H" qXG T(|\ Gx~I[ݷniM"쐄"؜Ha > L5_̆\bbt(a$wl*0?ln x=\ dykzܸꆜPyutl^rebx4GOP҅HmqHPʲKZZop$ s]# I vpϧY06s'J9@ )?k@!tn]hLyNz@Љ !]c0r!|} yߣno536|ׁ5eu\hщRr]6^ز`+ `D) i4QWK8p`љ1wDFBVxVo!w9>8zS3nX#~;Zxxw~gL[]A=@%"<"'5cʒOP2aRDKopC@ljp<,ҝ5~~yc&>&ܺ@Q黹^/m#О=8c:>̫꿕$yocn9fZ,C$&Hm޼xz1LrD}[[҅nYy|W7w- ̰4'"z`_j es^I7>kE_A-ɴjgϡ6 %f,fTRuطzw.=DrF/3, dNdVurfSx k fa :u&߮[yD'?KD)PG%|]C3 t'^œ~ jah!IuYW mX3CvN r{!*{kn'7.#j\Ѓjs"[hrbFyA y!Fvw;Kb+J7Q;$qpj+jj5fA^ ÆLckZrD,?t$E/]A|$~8. dR /*_Z61`{aͰ>FSYh9i!11\R{lr\}K ZkKXYw9]dDopugLHk̘xcs4vlNa<::BME7TCh|^3Hsr3#mz^C GJk&p]Vy [k+mLx\8Ow| 􄼥޼vw6iB(ͪND`h*z 1z1[TvXj K\m6wf!lAR?d_jGR.gI*A4`]"nR%24¯VV৮Z=0|/]YiJUT0=je=vn&ȕFp~ Փ>-,^kOuζy)HeTUR=o#fx kH1fg0Y>GV$(c؛ AzʏG>a 8+}l4ܵt_uxrAgJ\di k 㽽՘m$5DX#eGNNI^aci*qwM[.{5YJ-h>#4Ή cĞjucl2,9+Yd0̊ۼeU&d[htowA)J\#%'0Awtc0݇d4 ?R)!o$:*=W"гAܳFܞVk*Q jbbD+ )m2FwG#ˠOW1hclӘC c  Ƅ)RUfwܠ~z*ڟOse^?[!ʽVS{V7>B2zC.EeRW0Fw_ 6f^FZQ1IG^>xIni4"&s'؏pKS'"΀௅o VIz# ,@ Eꊍ\DQ+yB p7h_~V EYLO0wē8[βyC(4x0Lߣ@w6$EuE)d wM–2&.V<?ra):ᘭ#!+^bΑ,_~wc4?_]aHE> `8.pgj9UtK$L*2&Bs869||tv$!"&Lma@\ &#ϝF$EhD1fװÞ1;dSGGɧn璉1J \-B@ebqy <}̯@D@Q:EU 7T,G,(!Lz)%D7UI,iT/x` 3 l :Lma`t.t?Ogq7]g :UJ0͇S+tf)3N5/P}:ςQغ9P&U͈ɵ?ѝh]^}&+"W6}<_u.9jup+4>VuO>w/?v.ڗW~yjy0calL_d,g6OFYufvʜPN{:cͅfU/Y284$/J>M`/yx#U6e5DM@*:[ RO!~iԊkm8Gj:ٙ%֌fySMa`1D*'M&7bQ>kIk&5+:v<(((-VFyʻ'@vF1/?f=>\Cg}y$d~ ?ӹ(;5eYs1c|Ρ?Y=gs <f'(UѿO@Or 3ڿ\'I2u S.ry/ 苬 OY射8(? }VQ<_`fktsge{9̭L_;ݓBX\jzr+^e5viAF۸/6R^a/ ^ؤ<̂z. 3l?V\[[,Oнۺ{ϊJݓs+z`Oc1پWߕ\~UnE+t"LkXE)9 8Gc_%[n3'c|(c#h cHO8=\-c#maL((W.v)sK(s%>| SG09nsOkr>u%bxvY^]Y;\;Yo-P/YCIkge@\d0(P[LԸGpoQV" #5 䚌XV+q3lc}k?;}u:\޷Cg>m'[*8 ߚYu8%7o,RK|c ,(_hz衜~54]M4pGsn`',@$ ͇Ri% J\$WHdN1'"2tfDdU.Ur 0X\^9Q(Fuo*K0nj=q̐ga1V1 !hlգ{h9ı:t ܷl1@Щ>ɹ>K&Dr&ߢ)tO U/AD[eI+|?s˸ [2FlX jXJr 9;9!Vɱz?[`>s/+r:=bՇ." (luy9M".hpz7x[,0GI1i!nf9}+wjIc פ`Dݝ]3&2 Ɗ|J 1-ljƠ}֝D#iZ#Xnƀ_@n=,N7"fG=/5kx6,x"(݄ۀZj,mc6Hm\wrlC|%qgB?xR Hv2'.gBl&SO"chƋrd{Kom]*|?Oe Lwt8?n90kn>Q$L{x r:Y 96%O-  `⎈Me6qژDR*,Dl'f , ~sf_O;>Ba2\HGx kyf#ŧSW<߶nJP'jdV@8l6ږ?Y c/1+$~Il=bu{-Wr 1e~8Şi#l}@ =(ۊnfة `y%K@4z qS`hwq#1tVB\ (ct!L?Q1?cumnJQXƺa#¶u4mщ/߉n^Qa[_gvC%=\s.&tĵa=eS1C7@n0\|1H d[H^مt.x C/YH~! fr*r*]xD4[NbŠa;9]D٣uo,+}viS#켱Fd7/4A |ݫC>-tX|_X-fZ4r?wy`Dϝ7fYx/E5(ևDrTo uG8#`y;(1LdoNxsx _AJ!onu^btf`7_cρwPy oaOX u&kk^'=^ 8i}C@c7 Xw˱#QosRo @  m)_aQjЁj~jx@ KRH,!T+ pzN6->(BtmX u'%s=1A6#z.jnB..VSyg>R/OH6, u!z!҄IĊDPA*M~/-C( tI',~,,}0 /6i~[G<@|=..7b 뻴G8quhenebBj0g v ޑ<0G,||ǘn7sl7lz#-hX6l(!11 uCCd6`m T4ݡ{O}AT.vϱ9 N.v7z͑ǂܾ}k1;EiNӉ4 LRpp7wᔊ_yTV Ja](i9YNpx -H~vD" +\v$ƞ=@v7G"jM@'-77vwPG#S .en0=iu!$J{q9X`68S;[pϐB6up?Q ϛؼۤjĠ$k;!Zc dY2/ﭒ0+J8<盅9)Lpzj $U*j=MVL4u z,^~+:$7=aϸ$c0\]_>.D]ܝ|],DR#i|=ɱu;y_HGQIθ"(ȅ#4)h&@/^bS&"hS>'*#R]t5<|lLR0$ւ4:Tɜ;jPjgY)s|V3I7-zFd1$uFTTqՊUrޕpX-DjFLfp8v8mMja.uD)mקLc숡xq T&ޡkK.qeW|!X}@Dkatɾ?W~݋t:}>Z<ׇ0W=~}%D!6[vY0eW~