Attacks/Breaches
10/5/2012
12:34 PM
Connect Directly
RSS
E-Mail
50%
50%

Weaponized Bugs: Time For Digital Arms Control

Thriving trade in zero-day vulnerabilities means dangerous bugs get sold to the highest bidder, and that puts everyone else at risk.

By many accounts, however, bug-selling remains a relatively exclusive arena, meaning it shouldn't be tough to regulate. Furthermore, that's unlikely to change, as it's difficult to turn zero-day millionaire, given fierce competition from other bug hunters, as well as the risk that a vendor might already have discovered a zero-day vulnerability, and have a fix in development.

Still, the price paid for some vulnerabilities suggests that ethically speaking, sellers might be up to no good. As Microsoft threat analyst Terri Forslof has said, "If I'm paying $50,000 for a vulnerability, what am I doing with it? I'm likely not trying to get it patched."

Vulnerabilities are hot in part because they can be weaponized and put to work quite quickly. "It doesn't take much time at all to commoditize a vulnerability into an exploit," said Sean Sullivan, security advisor at F-Secure Labs, in a blog post. For example, he found that the Adobe Flash Player security update (CVE-2012-1535) released Aug. 14, 2012, was followed the very next day by the appearance of in-the-wild attacks that used Microsoft Office Word documents with embedded exploits of the Flash vulnerability. Interestingly, one of the decoy Word documents that employed the Flash exploit was apparently targeting people interested in atomic weapons programs. And by Aug. 17, the exploit was part of the open-source Metasploit vulnerability testing toolkit.

Given the shift from bug bounties to vulnerabilities being used to power digital espionage or offensive operations, why not regulate the sale of dangerous bugs? Of course, new government regulations aren't the solution to every problem. But most governments do regulate the sales of arms so average Joes can't buy rocket launchers or fighter attack jets, unless, of course, they are Larry Ellison. Furthermore, because "cyber warfare" is meant to be the new military frontier, there's no reason not to regulate the buying and selling of zero-day vulnerabilities, at least to ensure they're not being used for nefarious purposes.

Currently, there are no laws against the buying or selling of bugs. "It's important to realize that, however much of an unpleasant taste this might or might not leave in your mouth, none of these people are acting illegally," says Graham Cluley, senior technology consultant at Sophos, in a blog post. "They've worked hard, using their skills to discover vulnerabilities in software systems. They are not exploiting these security holes themselves, and they aren't breaking the law."

What vexes many security experts is that the details of the bug remain hidden to all but the buyer, thus potentially putting everyone else at risk. Furthermore, what if an unscrupulous third party or foreign government gets its hands on the zero-day and begins using it to attack American businesses or government systems?

According to Soghoian, vulnerability sellers argue that the buying and selling of vulnerabilities should be left to free-market forces. But as he said in his keynote, once other governments begin snapping up zero-days and using them to attack the United States, the U.S. government might suddenly find itself arguing for regulating bug sales on the grounds of self defense. For consumers and businesses that rely on PCs and who don't want to find themselves at the receiving end of an undetectable, zero-day-driven targeted attack, that would be welcome news.

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2003-1598
Published: 2014-10-01
SQL injection vulnerability in log.header.php in WordPress 0.7 and earlier allows remote attackers to execute arbitrary SQL commands via the posts variable.

CVE-2011-4624
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in facebook.php in the GRAND FlAGallery plugin (flash-album-gallery) before 1.57 for WordPress allows remote attackers to inject arbitrary web script or HTML via the i parameter.

CVE-2012-0811
Published: 2014-10-01
Multiple SQL injection vulnerabilities in Postfix Admin (aka postfixadmin) before 2.3.5 allow remote authenticated users to execute arbitrary SQL commands via (1) the pw parameter to the pacrypt function, when mysql_encrypt is configured, or (2) unspecified vectors that are used in backup files gene...

CVE-2014-2640
Published: 2014-10-01
Cross-site scripting (XSS) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-2641
Published: 2014-10-01
Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.4 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Chris Hadnagy, who hosts the annual Social Engineering Capture the Flag Contest at DEF CON, will discuss the latest trends attackers are using.