Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

11/30/2012 04:59 AM

How The Sale Of Vulnerabilities Will Change In 2013

Bug-hunting mercenaries changing the vulnerability-buying marketplace

The market for the sale of zero-day vulnerabilities fundamentally shifted this year and, heading into 2013, bug hunters will increasingly play by a new set of rules, vulnerability experts say. As the sale of black market zero-day exploits continues to take off, and new gray market players make a fortune selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states, vulnerability researchers are starting to pull their punches on how much they publicly disclose about their discoveries.

In years past, researchers would freely explain their exploit techniques and methods for bypassing specific security mitigations within targeted software when disclosing a vulnerability, says Brian Gorenc, manager of TippingPoint DVLabs at HP, which through the Zero Day Initiative (ZDI) pays researchers for responsibly disclosing vulnerabilities. ZDI is one of the early leaders in the vulnerability white market, paying bounties for bugs and facilitating disclosure and eventual patching by the affected software vendors. But that spirit of openness about exploit techniques is starting to go the way of the dodo, he says.

[Which applications and vendor dominated the vulnerability and exploit headlines in 2012? See The Vulnerability 'Usual Suspects' Of 2012.]

"I have a feeling that in the coming years that those techniques are going to come out less and less because of the value that is placed upon them," he says. "Because finding the vulnerability, for some of these guys, isn't the hard part. It's working around the mitigations once they've found it."

As he explains it, as security measures in operating systems and software improve and bypassing those mitigations becomes more difficult, researchers are treating their bypass methods as a key differentiator, so that "the techniques they're using to actually do exploitation are tightly held secrets for them." It is no wonder, considering the big sums of cash these exploits fetch on the open market.

And it is not only the purely black market players, who sell to any taker, criminal or not, who are cashing in. There are also those who occupy a shadowy gray market, selling information to nation states and corporations interested in using it for spy work, offensive security, or simply bolstering their own protections through improved visibility into the threat landscape.

Regardless of who the customer is, the overarching commonality among researchers willing to sell their vulnerabilities outside the traditional white market is that disclosure to a vendor means an eventual patch, which inevitably cuts off the revenue stream for that golden nugget of technical knowledge. And considering that the ultimate goal of players like ZDI is to eventually get the vulnerabilities they pay researchers for disclosed to the vendor for patching, many researchers are forgoing the easy cash of a vendor bounty for bugs in favor of trying their luck hawking flaws on the open market.

"When you look at the motivations for the people in the black market, they want to keep vulnerabilities unpatched, right?" Gorenc says. "Same for the gray market when they're selling information about zero days there. Once those zero days are patched, that information's not as valuable as it was when it was unpatched."

It's why research firm Vupen, which sells exploit and vulnerability information on a subscription basis to customers, told Forbes earlier this year that it wouldn't share its exploit techniques with Google "for even $1 million." The comment was in reference to an incident last March where Vupen went head-to-head with Google over the search giant's request that as a competitor in the CanSecWest Conference Pwn2Own competition, Vupen turn over all of its exploit technique information. Vupen refused, conference organizers backed up the decision, and Google eventually pulled its sponsorship of the event, a contest that HP stepped in to back and Vupen eventually won. In a similar turn of events on the disclosure side, Vupen recently announced that it found some of the first ways to get around Windows 8 security mitigations and went on the record to state it wouldn't be disclosing the vulnerabilities to Microsoft.

For its part, Vupen says it doesn't sell its vulnerability information to cybercriminals or oppressive governments, sticking primarily with corporate customers and what it deems the more cuddly variety of nation states. But many in the market are far more mercenary, says Frank Artes, research director for NSS Labs, a research and testing firm that often buys zero-day vulnerabilities to use for testing the effectiveness of heuristics in endpoint and network security products.

"They'll sell to whomever offers the money for the product that they're looking to sell, and they'll often sell it to several people at once," he says. "It's not an exclusive thing unless, of course, ironically enough, in the terms and conditions of the sale they are actually selling variants of the attack that they have committed not to sell to somebody else."

While this kind of attitude will continue to grow in 2013, Gorenc predicts, he also believes there's still room in the world for researchers willing to make a smaller amount of cash while helping the public good through responsible disclosure to vendors.

"We're definitely seeing the marketplace become more complex, but there's always room for the people operating in the white market. Not everybody's a bad guy," he says. "Not everybody's weaponizing and using the vulnerabilities for evil. There's always going to be people out there who want to do that research, want to be compensated well for that research, and get the bugs fixed and improve the overall security posture of the industry."

Nevertheless, the premium that black market and gray market buyers place on secrecy has changed the vulnerability-buying game. That pressure has given many zero days a life cycle in which they first hit the black or gray market and then, some time later, gain new legs by being sold as a "new" vulnerability on the white market.

"It's not uncommon to see the life cycle of these zero days being sold first within the black market and then surfacing afterward and being resold again to like the HPs of the world or Sourcefires and so forth and then, of course, eventually into groups like us," Artes says. "It's an interesting blur because the people that we do watch we know sell to government agencies and every once in a while will throw us a bone or allow us to bid on something."

Comments
MROBINSON000, User Rank: Apprentice
12/7/2012 | 12:22:25 PM
re: How The Sale Of Vulnerabilities Will Change In 2013

Really insightful article and very important issue you approached in this article! I personally agree with what Gorenc predicts, and I believe that while this kind of attitude will continue to grow in 2013, there's still room in the world for researchers willing to help the public good through responsible disclosure to vendors. Also, I would like to add that since most large organizations rely on a mix of COTS hardware, 3rd party software applications, communication technologies, and custom code to run their IT infrastructure, it's difficult to apply a single security assessment solution to ensure adequate coverage and protection. If organizations want to better understand where they are most vulnerable, they need to view their systems holistically. To better understand what I mean, I recommend this article: http://blog.securityinnovation....
Hope you enjoy it!