Security News > 2006 > August > High bidders with low motives

High bidders with low motives
2006-08-09 14:25

http://www.smh.com.au/news/security/high-bidders-with-low-motives/2006/08/07/1154802814862.html By Patrick Grey August 8, 2006 Next THE 21st-century hacker has three options upon discovery of a vulnerability in popular software: sell it to a security company; give details of the bug to the company that makes the software; or sell it to the criminal underground. Legitimate security companies are bidding against criminal syndicates to buy the hackers' handiwork, experts say. Security specialist iDefense actively markets its links to independent bug hunters, offering top-dollar to hackers for information it can pass to its vulnerable customers. "If you had a serious vulnerability you may get, say, $10,000 from iDefense. I guarantee you that if it's a big enough vulnerability, someone who wants to use it for less (legitimate) purposes will give you $20,000 for it," says Steve Manzuik, a vulnerability research manager at US-based firm eEye Digital Security. "Can I say I have proof of this happening? No, but we hear the rumours." The online theft of sensitive information - anything from your online banking details to your tax file number - is a booming business. Identity theft is easy money for the unscrupulous, and the problem will become worse before it gets better, says iDefense research labs director Michael Sutton. "To me, that's a really scary scenario," Mr Sutton says. "We're going to keep seeing more and more of it because it's a business not just for us, it's a business in the (criminal) 'underground'." One underground source, speaking on condition of anonymity, says he'd been offered cash by other hackers seeking vulnerability information. He declined to sell information because "you don't know who you're dealing with" but says it's a common occurrence, with up to $US15,000 being offered. He adds he did not ask those who had sought information from him what they would use it for because he did not want to know. Although iDefense is a legitimate company, part of the Verisign group, eEye's Mr Manzuik fears its purchases of information from individual researchers foster a culture of competition between legitimate enterprise and criminals. "The purchasing of vulnerabilities kind of gives legitimacy to the underground; to guys who've always sort of done it on the sly," Mr Manzuik says. "Now you can get a legitimate bidding war between some shady dude and iDefense." The community of enthusiast, amateur hackers that formed today's legitimate debugging industry has straddled the line between transparency and secrecy for years. Independent researchers, frustrated by slow responses from vendors they had reported bugs to, would often release sensitive details of vulnerabilities to the public in an attempt to force vendors to respond. These actions were often met with threats of legal action, forcing many researchers underground. Today the fight between legitimate hackers and software vendors is increasingly open. Bugs are big business for everyone; Verisign's $US40 million acquisition of iDefense last year proved it. It is certain criminal syndicates are seeking the latest vulnerability information to drive the software they use to harvest identity information, but there are differing views about the disclosure practices of legitimate researchers. Bug hunter David Litchfield has been critical of software giant Oracle for several years. When the database maker boasted in 2001 that its software was "unbreakable", Mr Litchfield did some research and soon found 24 vulnerabilities, some critical. The 30-year-old security researcher targeted Oracle because he thought the world's biggest database vendor's ongoing "unbreakable" marketing campaign - intended to persuade customers security was a top priority - was deceptive. Oracle's chief security officer Mary Ann Davidson conceded the next year that "calling your code 'unbreakable' is like having a big bullseye on your products and your firewall". "You must admit, from a marketing standpoint, it has a punchy sound. It's a lot better than 'Pretty Darned Good Security'," she said at the time. Mr Litchfield says he is in business "to whip vendors into shape". He whipped Microsoft by reporting dozens of vulnerabilities to the company, which responded in 2003 by becoming a client of Mr Litchfield's family business, NGS Software, which has its head office in Britain and recently opened an office in Sydney. He says he is part of a movement that makes security a boardroom agenda. "I feel (I am) 0.01 per cent responsible for where Microsoft is today," says Mr Litchfield. "They are (now) the epitome of what good security procedures and processes should be for a vendor." Meantime, iDefense labs' Michael Sutton believes Oracle still has a "see no evil, hear no evil, speak no evil approach to security". "If nobody talks about a vulnerability, it doesn't exist," Mr Sutton says. "So they don't want to work with the researcher, they want to quiet you, they want to shut you up." However, Oracle has not been able to silence Mr Litchfield. In a posting to a security mailing list in February, he fired a salvo in an ongoing security war. He reported to Oracle the "application server vulnerability", which allowed normal database users to get administrator privileges. He says he was distressed that Oracle's patches did not appear to fix the flaw; Mr Litchfield circumvented each patch easily. "This email will show that after four years of waiting for Oracle to try to get it right, I eventually decided to take matters into my own hands," he wrote. "(I want to) provide Oracle customers with more help than Oracle is currently doing. Oracle - shame on you." Last year Oracle started issuing critical patches every three months, and recently began using code scanning analysis software. Oracle defended its security approach in April. "Oracle's top priority is to protect its customers," the company said. "We are continually evaluating our security development processes, as well as looking at ways to further strengthen our overall product security." Last month Oracle rolled out its second-quarter batch of bug fixes for 65 vulnerabilities; more than two dozen for its flagship database software. The fixes cover Oracle Database, E-Business Suite, Application Server, and several for the software acquired when it bought software rivals PeopleSoft and JD Edwards. Steve Manzuik puts it simply: "I'd definitely say Oracle is the worst" vendor for security fixes. Contrasting with the pariah status of Oracle, is Microsoft, a company cursed in the 1990s for its lax attitude to security. The company has reformed, says iDefense's Mr Sutton. "Microsoft has taken it very seriously," he says. "I agree that they do have things that they need to improve, and they always will. But they are working very hard, they have people dedicated to it and have money dedicated to it. And they're working very hard to work with the researchers. What a 180-degree turn from where they used to be." But resentment lingers between Microsoft and the hacker community. On complaints from Microsoft delegates, Mr Manzuik says organisers of a recent security conference threatened to cancel his speaking credentials after he installed the Firefox Web browser on computers at the Microsoft stand. On reflection he says it was childish and unprofessional: "I wouldn't have been happy if someone messed with an eEye booth." These experts are unified on one front: beyond threats to server and operating system software,the biggest emerging threat to internet commerce is with the applications run on desktops, they say. "Finding those (application) bugs is a lot easier because that's where the vulnerabilities have moved to," Mr Manzuik says. Consider the computer worm Mdropper spreading through a malicious Microsoft Word document. The Word file arrives in an email inbox and, if opened, the trojan Ginwui.C would be installed using an undocumented security flaw in the word processor. There was no fix for the flaw when the worm was released. TODAY's most worrisome viruses don't disrupt PCs as the Blaster and Code Red did. Like Mdropper, they allow criminals to siphon information such as internet banking passwords, says Mr Manzuik. Armed with an application flaw, the virus writer has only to trick users into opening a file or visiting a malicious website. It was once common to issue a proof-of-concept to illustrate the vulnerability; anyone with the code could use it against real targets on the internet. Researchers fear that such code will fall into the wrong hands. "We don't need more proof-of-concept code. If we look at historical data on this, most large exploits that have been turned into (worms) have come from proof-of-concept code," Mr Manzuik says. Often security researchers released the code as a confrontational strategy to get software makers to take action, Mr Manzuik says. And it alerted tardy administrators to install security patches. Now, there's a fraternity between the groups; everyone's on the same team. "Vendors receive tremendous value from vulnerabilities; they're the only ones that receive a benefit, but they don't pay for it," Mr Sutton says. "(That's) never going to change until vulnerability discovery moves earlier in the software-development lifecycle." Developers and quality assurance researchers working in house at software companies should be looking for security vulnerabilities, he says. Microsoft encourages its coders to write secure software, rather than get the product out the door as fast as they can, Mr Sutton says. "They're switching to a model where their developers are getting dinged on vulnerabilities that are found," he says. "In the end, money talks. If my bonus is based on vulnerabilities in my software, all of a sudden I'm going to wake up and go 'Oh, I actually need to learn this and pay attention'." However, Mr Litchfield says even that approach has its problems. "The danger with that of course is you don't want to swing to the other extreme where you inhibit innovation," he says. "(Where) developers are fearful of doing something interesting simply because they're fearful of retribution from their company." Mr Litchfield says the status quo - security bug hunters unveiling flaws that are later patched by vendors - actually works. "Patch and fix does work and eventually what you get left with is a bloody secure product," he says. "Take SQL Server 2000 for an example. When was the last time a bug was found in that product? Probably 2003, or maybe early 2004?" Pressure from the research community is what drives product improvements, he argues. "It depends on when the product is released and how much scrutiny it gets from the research community, and eventually you get left with a secure product." -- Additional reporting Nick Miller _________________________________ Visit the InfoSec News store! http://www.shopinfosecnews.org


News URL

http://www.smh.com.au/news/security/high-bidders-with-low-motives/2006/08/07/1154802814862.html