Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

2/3/2015
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

3 Disturbing New Trends in Vulnerability Disclosure

Who's winning and who's losing the battle of the bugs? While security pros and software companies fight amongst themselves, it looks like black hats are winning and users are losing.

Vulnerability disclosure has always been prone to melodrama.

Arguments about what really is "responsible" disclosure. Web security researchers being dragged off in handcuffs for "knocks on the door," while software security researchers gleefully post proof-of-concept exploits publicly. Vulnerability researchers rallying to the cry of "no more free bugs," while software vendors waffle between "sure, we'll pay you," "no, but we'll send you a nice thank-you," and "that's extortion."

Over the years, the security and software industries have developed some better ways to work together: software bug bounty programs and corporate policies authorizing third parties to hunt for vulnerabilities in their websites, for example.

It hasn't all been forward progress, though. Recent events show that there's still a ways to go; will these be isolated incidents or new trends remains to be seen.

 Public Spats Between Tech Giants

Jan. 11, Google's Project Zero publicly disclosed an unpatched vulnerability in Microsoft software.  They'd privately disclosed it to Microsoft and given them 90 days to patch it. When Microsoft passed that 90 days, Project Zero published the vulnerability, complete with proof-of-concept code, instead of agreeing to Microsoft's request for a two-day extension that would give them until Patch Tuesday. This was the second time in two weeks that Project Zero had released an unpatched Microsoft vulnerability.

Microsoft was displeased. In a blog post, senior director of the Microsoft Security Response Center Chris Betz wrote: "Although following through keeps to Google's announced timeline for disclosure, the decision feels less like principles and more like a 'gotcha,' with customers the ones who may suffer as a result."

Google responded by publishing yet another unpatched Microsoft vulnerability less than a week later.

Javvad Malik explained the whole sordid affair in hilarious fashion in the video below, concluding "the security industry needs to just mature and grow up and find ways that they can find stuff quicker and better, together":

 

 

Paying Known Cyber-Criminals

Last week, a fraud detection firm reported that a hacker named "Mastermind" was advertising on the black market, looking for buyers for 20 million user records he (or she) had stolen from Russia-based dating site Topface.

So, Topface tracked Mastermind down, and offered him a sweet deal. They got Mastermind to agree to cease selling the stolen data, and in return, as Topface chief executive Dmitry Filatov told Reuters, "We have paid him an award for finding a vulnerability and agreed on further cooperation in the field of data security." 

Filatov did not disclose the sum they paid to Mastermind. Regardless, Topface's largesse is surprising, especially considering that they say the thief only took email addresses, not passwords or message content. (But it might have -- the fraud detection firm reported that the cache of stolen data included 20 million "credentials" -- including 7 million from Hotmail accounts and 2.5 million from Yahoo and Google main accounts.)

There's certainly an argument to be made for trying to convert black hats into white hats. There are even arguments to be made for paying ransoms to criminals who request them (which this criminal did not). However, offering a criminal cash and consulting work still sets a dangerous precedent. Especially if Mastermind does not stick to the agreement.

Yet, Filatov is confident that he will. From Reuters: "But Filatov noted that the ads have already been removed and Topface has agreed not to pursue charges against the unidentified individual. 'As we made an agreement with him we do not see any reason for him to break it,' said Filatov."

 Even More Complicated Laws

Jan. 20, President Obama announced new proposed cybersecurity legislation that is well-intentioned, but misguided. Among other things, it calls for expansions to the Computer Fraud and Abuse Act's definition of "exceeding authorized access," which could further stifle the work of vulnerability researchers.

As Jeremiah Grossman, of web security research firm WhiteHat Security, told DarkReading's Ericka Chickowski, "What the proposed legislation would do is criminalize professional routine security research that’s been crucial in protecting companies and citizens at large. This outcome would be disastrous."

Added Jonathan Cran, vice president of operations at the bug bounty program firm Bugcrowd, "If passed, it will have a broad chilling effect on security researchers while the courts sort out the definition."

What do you think? Will arguments between Google and Microsoft, bonuses to cybercriminals, and broader legislation improve infosecurity for everyone, or just make the entire security industry look bad? Let us know in the comments below.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/8/2015 | 2:50:08 AM
Re: Cybersecurity legislation
@Marilyn: Indeed; on a related note, I'm wary of Chairman Wheeler's net neutrality proposal until I get a chance to read it personally...but I can't read it personally yet because they won't allow the public to read it until February 26 -- the day of the vote.  All we know so far is that it's well over 300 pages long as at least one Commissioner has a lot of strong criticisms of it.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/8/2015 | 2:43:19 AM
Re: All about the $
@Sara: That is very a good point.  The extortion scheme of variously screwing and unscrewing with a company's system then contacting them and saying, "Hey, I just so happen to be a security researcher who found this bug in your program and I'd be happy for you to contract my company for us to fix it at the modest cost of $50,000," is pretty common.

And, of course, if it is extortion, game theory dictates that you never pay the blackmailer because there's nothing to stop them from continuing to blackmail you.

OTOH, an organization may find itself in an emergency situation where it needs a brief respite before it can get a total handle on things.  If they have a cyberinsurance policy that covers extortion, so much the better.
Saylor Frase
50%
50%
Saylor Frase,
User Rank: Apprentice
2/6/2015 | 2:54:35 PM
Re: All about the $
@sarapeters We are in agreement, Sara. Leveling with hackers and cybercriminals only intensifies the issue: the more successful black hat hackers are, the more they continue on their path, persuading others to join the ride.  

In regard to the President's proposed legislation, I agree the proposal would likely do little to prevent an attack, and may also stifle critical research. The one good thing newly proposed regulations are doing though, is bringing us one step closer to a national standard that makes all companies more responsible for the customer data they host.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/5/2015 | 11:51:42 AM
Cybersecurity legislation
I'm all for legislation that makes it harder for hackers but the devil is in the details. Not to  mention the question of whether our political leaders are capable of regulating technologies that so few of them understand.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
2/4/2015 | 10:52:14 AM
Re: All about the $
@JoeStanganelli  I don't know, Joe, paying someone who's actively trying to sell your data sounds dangerous, no matter how little they spent on it. It's kind of a weird way for attackers to effectively collect ransoms without even using ransomware. And as we know, loads of cybercriminals demanding ransoms are good for their word -- you pay, they release your stuff -- but plenty aren't.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/4/2015 | 2:09:08 AM
All about the $
Missing is the amount paid to the hacker.  It was probably insignificant enough to the company to be written off if it doesn't pan out, but it's definitely worth it if it results in a conversion, better security, and possibly additional intel on the black hat community that allows the company to be better prepared.
andregironda
50%
50%
andregironda,
User Rank: Strategist
2/3/2015 | 6:10:40 PM
Who was wrong
Microsoft, not Google
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...