Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/4/2009
07:06 PM
50%
50%

Disclosure Helps Bad Guys -- But Not The Way You'd Think

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.Neither can we ensure sensitive details would remain exclusively under good-guy control even if we agreed not to disclose them. I have a hard time believing any researcher is the smartest person in the world.

So I find it preferable to share attack-related discoveries openly with the defense side so they can improve their readiness. This can happen only by democratizing the information so the good guys have equal opportunity to take action, or not, based on their needs and what is currently known. The alternative is researchers keeping knowledge to themselves, leaving the good guys to blindly fend for themselves. Personally, I'm under no illusions that the bad guys are anxiously awaiting our disclosures so they can then attack systems and monetize the next day.

One commonly asked question is, "Have the bad guys ever made threats against you for making their lives harder by exposing these secrets?" I've heard rumors about this happening to others, but fortunately I haven't had to deal with it. One reason for those threats could be that when a new attack technique hits the Web security scene (found by the good or bad guys), there's a window of time when only a limited few with the necessary skills can extract value. Script kiddies, conversely, must wait until tools are made available.

As a newly found threat becomes better understood, scripts are released so that anyone can use them, boosting overall negative business impact, increasing competition among the bad guys, and lowering the monetization potential for first-movers. When the threat is remediated, the security bar is raised; the more sophisticated bad guys capable of identifying new techniques without outside help may actually prefer that because it reduces the number of ankle-biters.

The same could be argued for script kiddies, whcih know how to get quick access to the latest wares. As such, it is not uncommon for the bad guys to openly share their attack data, sort of like when a car thief narks on his competitors.

I've experienced this phenomenon in search engine optimization (SEO) and massive multiplayer online game hacking. In SEO, elevating search engine ranking for particular keywords can be extremely lucrative in terms of advertising click-throughs and sales conversions.

In the very early days of SEO, keyword stuffing was all the rage. Soon everyone was doing it, which eliminated its effectiveness and competitive advantage. Search engines later fixed this problem and similar ones, forcing black hat SEO manipulators to constantly evolve their techniques.

For example, dynamic Website host name-keyword generator systems backed by content databases using Markov algorithms amplified link farm networks. Simply put, this gives the appearance of a massive number of Websites all linking to each other with fresh content. Each time a search engine (or any defender) raises the bar, it represents an opportunity for those clever enough to identify a new technique to extract value before anyone else catches on. It was not that long ago in the SEO game that the use of standard content tricks gave way to actual Web application hacking for those willing to risk criminal prosecution.

Black hat SEOs today use the pervasive cross-site scripting (XSS) vulnerability to make it appear to search engines that a high-ranking Website is linking to theirs, by littering the Web with specially crafted URLs.

SQL injection also can get one Website to link to another directly by updating its HTML content. That was the case with Al Gore's "Inconvenient Truth" blog. Of course, loading vulnerable Websites with malware is still an option. Both methods are well-understood and widely employed to manipulate search engine result pages (SERPs). Ask yourself if the results for "buy Viagra" seem as one would expect.

Now that these techniques are becoming heavily saturated, many bad guys would probably love to see something done. For the clever bad guy, raising the bar flattens the playing field and opens new opportunities for profit potential. Overall business impact may decrease temporarily, but it may increase for particular individuals. Those people have no problem with us talking about solutions -- and helping raise the bar for attacks.

Jeremiah Grossman is CTO and founder of WhiteHat Security. Special to Dark Reading Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Will This Be the Year of the Branded Cybercriminal?
Raveed Laeb, Product Manager at KELA,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.
CVE-2019-19801
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server versions of v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an unprivileged but authenticated user is able to perform a backup of the Command Centre databases.
CVE-2019-19802
PUBLISHED: 2020-01-17
In Gallagher Command Centre Server v8.10 prior to v8.10.1134(MR4), v8.00 prior to v8.00.1161(MR5), v7.90 prior to v7.90.991(MR5), v7.80 prior to v7.80.960(MR2) and v7.70 or earlier, an authenticated user connecting to OPCUA can view all data that would be replicated in a multi-server setup without p...