If you’ve been in the security sector for any length of
time, you’ve come across bugs in products. And if
you’re like me, you’ve encountered some significant
flaws in widely used commercial products.
One is then forced to wonder how the heck the code tree is
controlled at these places, especially since most of these problems
seem to reappear after new releases. No matter, you are excited at
the prospect of reporting your findings so you gear up to prepare a
report. Because you are honest and you’d hate to see your
organization or anyone else fall victim to an exploit, you go
through the normal process, careful to operate within the fine
lines that etiquette dictates.
But wait, something is wrong.
The vendor isn’t reacting the way you had expected.
Incredibly, the company never responds. Puzzled, you try again and
again. Finally you receive a notice that states your findings are
not a problem, rather, the product works as designed. Furious, you
release your findings to any and all of the popular bug tracking
Forty-eight hours later, the very same company releases a
critical update to their product with zero mention of you.
Sound familiar? Of course it does.
This hypothetical scenario has turned many a mild mannered
security researcher into a salty, cussing buccaneer. Wouldn’t
it be nice if you could actually get some kind of recognition for
your efforts? Even better, how about a cash reward?
Fresh Exploits, Get Yer Exploits Here!
Today, that pipe dream has become reality thanks to the folks at
Switzerland-based WabiSabiLabi (WSLabi). In the spirit of eBay, you
can now go to their site, create an account and buy and sell
exploits. Of course you’ll have to go through a vetting
process, which requires you to submit a copy of your ID before you
can complete an auction. But hey, if you have eight bucks, you can
be anyone you like. Perfect!
For the legitimate researcher, this may open a new revenue
stream; at the same time, it opens a fast track for attack vectors
via a supermarket of exploit code available to crime groups and
various other shady individuals. Most security experts agree that
this new auction approach to exploit code is dangerous. Many of the
experts I’ve spoken to believe that the site will do nothing
more than provide a way for extortionists to make money.
“In any other venue, people would be up in arms over
this,” said one computer security professional. “We
know that most legitimate security researchers do not do it for the
money while we also know that most criminal researchers are out
looking for a payday. This site provides yet another revenue stream
Even with all of the press on WSLabi, right now there are only
four live auctions on the site with one bid on a kernel exploit.
The amount of that bid is 550 Euros which is just a touch over
WSLabi states, “Both researchers and buyers will have to
identify themselves to WSLabi to ensure they are legitimate.
Researchers cannot submit security research material which comes
from an illegal source or activity. Buyers will also be carefully
vetted before being granted access to the auction platform so that
the risk of selling the right stuff to the wrong people is
One has to ask, “How will you know if research material
comes from an illegal source or activity?”
Unlike tangible goods, which carry serial numbers, research
material has no provenance trail, so its origin is next to
impossible to validate. Interestingly, the
only mention of validation is how WSLabi will make sure that the
proof-of-concepts actually work. “WSLabi will then verify the
research by analyzing and replicating it at their independent
testing laboratories. They will eventually then package the
findings with a Proof of Concept; this can then be sold to the
marketplace via three methods from the marketplace
So there you have it folks. It remains to be seen if this new
marketplace will actually take off but one thing is for sure, even
if this venture fails, the black market for exploits is still
teeming with life.
If you can’t sell your exploits at WSLabi or any other
venue of the like, there is no shortage of shady characters willing
to lay down cash for your discoveries. And this will not change
Article courtesy of Enterprise IT Planet