Attacks/Breaches
10/5/2012
12:34 PM
50%
50%

Weaponized Bugs: Time For Digital Arms Control

Thriving trade in zero-day vulnerabilities means dangerous bugs get sold to the highest bidder, and that puts everyone else at risk.

By many accounts, however, bug-selling remains a relatively exclusive arena, meaning it shouldn't be tough to regulate. Furthermore, that's unlikely to change, as it's difficult to turn zero-day millionaire, given fierce competition from other bug hunters, as well as the risk that a vendor might already have discovered a zero-day vulnerability, and have a fix in development.

Still, the price paid for some vulnerabilities suggests that ethically speaking, sellers might be up to no good. As Microsoft threat analyst Terri Forslof has said, "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."

Vulnerabilities are hot in part because they can be weaponized and put to work quite quickly. "It doesn't take much time at all to commoditize a vulnerability into an exploit," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. For example, he found that the Adobe Flash Player security update (CVE-2012-1535) released Aug. 14, 2012, was followed the very next day by the appearance of in-the-wild attacks that used Microsoft Office Word documents with embedded exploits of the Flash vulnerability. Interestingly, one of the decoy Word documents that employed the Flash exploit was apparently targeting people interested in atomic weapons programs. And by Aug. 17, the exploit was part of the open-source Metasploit vulnerability testing toolkit.

Given the shift from bug bounties to vulnerabilities being used to power digital espionage or offensive operations, why not regulate the sale of dangerous bugs? Of course, new government regulations aren't the solution to every problem. But most governments do regulate the sales of arms so average Joes can't buy rocket launchers or fighter attack jets, unless, of course, they are Larry Ellison. Furthermore, because "cyber warfare" is meant to be the new military frontier, there's no reason not to regulate the buying and selling of zero-day vulnerabilities, at least to ensure they're not being used for nefarious purposes.

Currently, there are no laws against the buying or selling of bugs. "It's important to realize that, however much of an unpleasant taste this might or might not leave in your mouth, none of these people are acting illegally," says Graham Cluley, senior technology consultant at Sophos, in a blog post. "They've worked hard, using their skills to discover vulnerabilities in software systems. They are not exploiting these security holes themselves, and they aren't breaking the law."

What vexes many security experts is that the details of the bug remain hidden to all but the buyer, thus potentially putting everyone else at risk. Furthermore, what if an unscrupulous third party or foreign government gets its hands on the zero-day and begins using it to attack American businesses or government systems?

According to Soghoian, vulnerability sellers argue that the buying and selling of vulnerabilities should be left to free-market forces. But as he said in his keynote, once other governments begin snapping up zero-days and using them to attack the United States, the U.S. government might suddenly find itself arguing for regulating bug sales on the grounds of self defense. For consumers and businesses that rely on PCs and who don't want to find themselves at the receiving end of an undetectable, zero-day-driven targeted attack, that would be welcome news.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2188
Published: 2015-02-26
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0594
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in the help pages in Cisco Common Services, as used in Cisco Prime LAN Management Solution (LMS) and Cisco Security Manager, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq54654 and CSCun1...

CVE-2015-0632
Published: 2015-02-26
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.

CVE-2015-0651
Published: 2015-02-26
Cross-site request forgery (CSRF) vulnerability in the web GUI in Cisco Application Networking Manager (ANM), and Device Manager (DM) on Cisco 4710 Application Control Engine (ACE) appliances, allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo99753.

CVE-2015-0882
Published: 2015-02-26
Multiple cross-site scripting (XSS) vulnerabilities in zencart-ja (aka Zen Cart Japanese edition) 1.3 jp through 1.3.0.2 jp8 and 1.5 ja through 1.5.1 ja allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, related to admin/includes/init_includes/init_sanitize.php an...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.