Mike Rothman
Commentary, 8/19/2013

Prohibition For 0-Day Exploits

The monetization of exploits has been a divisive discussion in the security community for years. Now as governments emerge as the largest market for attack code, will there be a move to regulate the sale of 0-day attacks?

Unless you've been playing Rip Van Winkle, the ability for security researchers to monetize exploits is nothing new -- it arguably was started by TippingPoint's ZDI group buying 0-days in 2005 so it could build IPS signatures ahead of everyone else. The idea of buying exploits then branched to a different path where software vendors would offer a "bug bounty" to learn of holes in their products. Google has paid big money during the past few years on its bug-bounty program, and recently announced a large increase in what it'll pay for each bug. Microsoft and a number of other vendors also have spent on their bug-bounty programs to broaden their efforts to protect their software. This has been a net positive, both allowing researchers to pay their bills, as well as improving vulnerable software.

But according to The New York Times, no one is spending more than governments to acquire and control attacks they can then use as part of offensive, intelligence-gathering campaigns. Pollyannas may yelp at this reality, but it's not really different from advanced arms research or any other investment made to advance military activities.

The U.S. spends billions on advanced military research and on shiny toys like ray guns and scanners for bioweapons, among other programs. Why wouldn't governments spend some money on tools that could result in a game-changing attack such as Stuxnet? Of course they would, and they do. Many may dispute the concept of "cyberwar," but clearly the folks holding military purse strings believe there is a cyber component to future warfare, and they are investing to gain that advantage.

Moreover, you don't have to read the latest Vince Flynn novel to see how cyber-intel improves the effectiveness of spycraft, and any advantage can save military and intelligence lives. At least, that's how the power brokers are going to justify it.

Yet, would governments at some point decide the best approach would be to regulate the market for exploits? Maybe even try to derail it? Chris Borgen wrote about the issues of regulating the purchase of these 0-day exploits, and it's a fascinating read. He goes through a history of how governments got involved in the trade and how they are using the exploits. But then he gets into how some regulators are trying to figure out how to regulate the sale of these munitions, given that evil regimes can buy 0-days and wreak havoc. OK, maybe not havoc, but they can certainly cause heartburn.

Chris' points revolve around the perverse incentives developing on the regulatory front. Initially, there was a disincentive to regulating the exploits, since governments like to buy things out of the public (and regulators') visibility. But as these governments continue to invest in their own research capabilities to develop their own attacks, the need for externally sourced exploits wanes. At that point, they may be more interested in regulation, if only to take these alternative sources of exploits, potentially selling exploits to adversaries, out of play. Or at least make it harder for them to do business. So Chris hopes for no regulation because he wants to "keep the world safe for exploits." Yes, it's very counterintuitive, but so is most of the security business.

Personally, I don't think regulatory efforts on 0-day attacks will go very far because folks are equating software code to free speech -- even code intended to steal something from you. You have to love lawyers. But all the same, even if something does get passed to regulate and/or try to prevent the sale of exploits, exploits will still be sold, most likely to the governments that have regulated their sale. Yes, that's a pretty cynical way of looking at things, but it's reality. There was a market for exploits before any regulation, and there will be a market should any regulation come into play.

If you don't believe it, just bust out your history books and go back to the 1920s. The U.S. government banned the sale of alcohol during Prohibition, but it certainly didn't stop the production or consumption of alcohol. What it did was create a thriving black market for booze. How does this situation end any differently? Yeah, it probably doesn't.

Comments
pmisner,
User Rank: Apprentice
8/27/2013 | 7:50:32 PM
re: Prohibition For 0-Day Exploits
The problem with attacking zero day attacks has been the approach. Coming up with signatures, or trying to recognize behaviors of a potential attack only succeed in the continuance of "whack a mole". My company is working on a new approach, which essentially creates an "AirGap" between the browser and the OS. The browser itself is, for the want of a better term, "virtualized" to the client, from the DMZ. All the components and protocols are hardened along the way.

If an attack does succeed, it doesn't really have any consequences. Kill the browser, and in less than 5 seconds, be back running with a new, fresh, and attack-free browser. The attack doesn't enter the network, and the payload never touches the user's OS.
Dave F,
User Rank: Apprentice
8/27/2013 | 5:49:59 PM
re: Prohibition For 0-Day Exploits
With apologies to the NRA, viruses don't cripple systems, hackers cripple systems.
It seems to me that a segment involved in the production and sale of 0-day exploits is not very responsive to regulation. And those people are already criminals, so I'm not sure I understand where the potential gain will come from.
Drew Conry-Murray,
User Rank: Ninja
8/23/2013 | 10:30:44 PM
re: Prohibition For 0-Day Exploits
Regulation doesn't sound like it would be very effective. I think it's best to leave the exploits market alone.
Lorna Garey,
User Rank: Ninja
8/23/2013 | 2:24:55 PM
re: Prohibition For 0-Day Exploits
The feds writing laws to ban the sale of exploits would probably raise the value of exploits on the 'black market' - talk about perverse incentives.