Attacks/Breaches
10/5/2012
12:34 PM
50%
50%

Weaponized Bugs: Time For Digital Arms Control

Thriving trade in zero-day vulnerabilities means dangerous bugs get sold to the highest bidder, and that puts everyone else at risk.

By many accounts, however, bug-selling remains a relatively exclusive arena, meaning it shouldn't be tough to regulate. Furthermore, that's unlikely to change, as it's difficult to turn zero-day millionaire, given fierce competition from other bug hunters, as well as the risk that a vendor might already have discovered a zero-day vulnerability, and have a fix in development.

Still, the price paid for some vulnerabilities suggests that ethically speaking, sellers might be up to no good. As Microsoft threat analyst Terri Forslof has said, "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."

Vulnerabilities are hot in part because they can be weaponized and put to work quite quickly. "It doesn't take much time at all to commoditize a vulnerability into an exploit," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. For example, he found that the Adobe Flash Player security update (CVE-2012-1535) released Aug. 14, 2012, was followed the very next day by the appearance of in-the-wild attacks that used Microsoft Office Word documents with embedded exploits of the Flash vulnerability. Interestingly, one of the decoy Word documents that employed the Flash exploit was apparently targeting people interested in atomic weapons programs. And by Aug. 17, the exploit was part of the open-source Metasploit vulnerability testing toolkit.

Given the shift from bug bounties to vulnerabilities being used to power digital espionage or offensive operations, why not regulate the sale of dangerous bugs? Of course, new government regulations aren't the solution to every problem. But most governments do regulate the sales of arms so average Joes can't buy rocket launchers or fighter attack jets, unless, of course, they are Larry Ellison. Furthermore, because "cyber warfare" is meant to be the new military frontier, there's no reason not to regulate the buying and selling of zero-day vulnerabilities, at least to ensure they're not being used for nefarious purposes.

Currently, there are no laws against the buying or selling of bugs. "It's important to realize that, however much of an unpleasant taste this might or might not leave in your mouth, none of these people are acting illegally," says Graham Cluley, senior technology consultant at Sophos, in a blog post. "They've worked hard, using their skills to discover vulnerabilities in software systems. They are not exploiting these security holes themselves, and they aren't breaking the law."

What vexes many security experts is that the details of the bug remain hidden to all but the buyer, thus potentially putting everyone else at risk. Furthermore, what if an unscrupulous third party or foreign government gets its hands on the zero-day and begins using it to attack American businesses or government systems?

According to Soghoian, vulnerability sellers argue that the buying and selling of vulnerabilities should be left to free-market forces. But as he said in his keynote, once other governments begin snapping up zero-days and using them to attack the United States, the U.S. government might suddenly find itself arguing for regulating bug sales on the grounds of self defense. For consumers and businesses that rely on PCs and who don't want to find themselves at the receiving end of an undetectable, zero-day-driven targeted attack, that would be welcome news.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!