informa
Commentary

Disclosure Helps Bad Guys -- But Not The Way You'd Think

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.
When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.Neither can we ensure sensitive details would remain exclusively under good-guy control even if we agreed not to disclose them. I have a hard time believing any researcher is the smartest person in the world.

So I find it preferable to share attack-related discoveries openly with the defense side so they can improve their readiness. This can happen only by democratizing the information so the good guys have equal opportunity to take action, or not, based on their needs and what is currently known. The alternative is researchers keeping knowledge to themselves, leaving the good guys to blindly fend for themselves. Personally, I'm under no illusions that the bad guys are anxiously awaiting our disclosures so they can then attack systems and monetize the next day.

One commonly asked question is, "Have the bad guys ever made threats against you for making their lives harder by exposing these secrets?" I've heard rumors about this happening to others, but fortunately I haven't had to deal with it. One reason for those threats could be that when a new attack technique hits the Web security scene (found by the good or bad guys), there's a window of time when only a limited few with the necessary skills can extract value. Script kiddies, conversely, must wait until tools are made available.

As a newly found threat becomes better understood, scripts are released so that anyone can use them, boosting overall negative business impact, increasing competition among the bad guys, and lowering the monetization potential for first-movers. When the threat is remediated, the security bar is raised; the more sophisticated bad guys capable of identifying new techniques without outside help may actually prefer that because it reduces the number of ankle-biters.

The same could be argued for script kiddies, whcih know how to get quick access to the latest wares. As such, it is not uncommon for the bad guys to openly share their attack data, sort of like when a car thief narks on his competitors.

I've experienced this phenomenon in search engine optimization (SEO) and massive multiplayer online game hacking. In SEO, elevating search engine ranking for particular keywords can be extremely lucrative in terms of advertising click-throughs and sales conversions.

In the very early days of SEO, keyword stuffing was all the rage. Soon everyone was doing it, which eliminated its effectiveness and competitive advantage. Search engines later fixed this problem and similar ones, forcing black hat SEO manipulators to constantly evolve their techniques.

For example, dynamic Website host name-keyword generator systems backed by content databases using Markov algorithms amplified link farm networks. Simply put, this gives the appearance of a massive number of Websites all linking to each other with fresh content. Each time a search engine (or any defender) raises the bar, it represents an opportunity for those clever enough to identify a new technique to extract value before anyone else catches on. It was not that long ago in the SEO game that the use of standard content tricks gave way to actual Web application hacking for those willing to risk criminal prosecution.

Black hat SEOs today use the pervasive cross-site scripting (XSS) vulnerability to make it appear to search engines that a high-ranking Website is linking to theirs, by littering the Web with specially crafted URLs.

SQL injection also can get one Website to link to another directly by updating its HTML content. That was the case with Al Gore's "Inconvenient Truth" blog. Of course, loading vulnerable Websites with malware is still an option. Both methods are well-understood and widely employed to manipulate search engine result pages (SERPs). Ask yourself if the results for "buy Viagra" seem as one would expect.

Now that these techniques are becoming heavily saturated, many bad guys would probably love to see something done. For the clever bad guy, raising the bar flattens the playing field and opens new opportunities for profit potential. Overall business impact may decrease temporarily, but it may increase for particular individuals. Those people have no problem with us talking about solutions -- and helping raise the bar for attacks.

Jeremiah Grossman is CTO and founder of WhiteHat Security. Special to Dark Reading

Recommended Reading: