Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/4/2009
07:06 PM
50%
50%

Disclosure Helps Bad Guys -- But Not The Way You'd Think

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.Neither can we ensure sensitive details would remain exclusively under good-guy control even if we agreed not to disclose them. I have a hard time believing any researcher is the smartest person in the world.

So I find it preferable to share attack-related discoveries openly with the defense side so they can improve their readiness. This can happen only by democratizing the information so the good guys have equal opportunity to take action, or not, based on their needs and what is currently known. The alternative is researchers keeping knowledge to themselves, leaving the good guys to blindly fend for themselves. Personally, I'm under no illusions that the bad guys are anxiously awaiting our disclosures so they can then attack systems and monetize the next day.

One commonly asked question is, "Have the bad guys ever made threats against you for making their lives harder by exposing these secrets?" I've heard rumors about this happening to others, but fortunately I haven't had to deal with it. One reason for those threats could be that when a new attack technique hits the Web security scene (found by the good or bad guys), there's a window of time when only a limited few with the necessary skills can extract value. Script kiddies, conversely, must wait until tools are made available.

As a newly found threat becomes better understood, scripts are released so that anyone can use them, boosting overall negative business impact, increasing competition among the bad guys, and lowering the monetization potential for first-movers. When the threat is remediated, the security bar is raised; the more sophisticated bad guys capable of identifying new techniques without outside help may actually prefer that because it reduces the number of ankle-biters.

The same could be argued for script kiddies, whcih know how to get quick access to the latest wares. As such, it is not uncommon for the bad guys to openly share their attack data, sort of like when a car thief narks on his competitors.

I've experienced this phenomenon in search engine optimization (SEO) and massive multiplayer online game hacking. In SEO, elevating search engine ranking for particular keywords can be extremely lucrative in terms of advertising click-throughs and sales conversions.

In the very early days of SEO, keyword stuffing was all the rage. Soon everyone was doing it, which eliminated its effectiveness and competitive advantage. Search engines later fixed this problem and similar ones, forcing black hat SEO manipulators to constantly evolve their techniques.

For example, dynamic Website host name-keyword generator systems backed by content databases using Markov algorithms amplified link farm networks. Simply put, this gives the appearance of a massive number of Websites all linking to each other with fresh content. Each time a search engine (or any defender) raises the bar, it represents an opportunity for those clever enough to identify a new technique to extract value before anyone else catches on. It was not that long ago in the SEO game that the use of standard content tricks gave way to actual Web application hacking for those willing to risk criminal prosecution.

Black hat SEOs today use the pervasive cross-site scripting (XSS) vulnerability to make it appear to search engines that a high-ranking Website is linking to theirs, by littering the Web with specially crafted URLs.

SQL injection also can get one Website to link to another directly by updating its HTML content. That was the case with Al Gore's "Inconvenient Truth" blog. Of course, loading vulnerable Websites with malware is still an option. Both methods are well-understood and widely employed to manipulate search engine result pages (SERPs). Ask yourself if the results for "buy Viagra" seem as one would expect.

Now that these techniques are becoming heavily saturated, many bad guys would probably love to see something done. For the clever bad guy, raising the bar flattens the playing field and opens new opportunities for profit potential. Overall business impact may decrease temporarily, but it may increase for particular individuals. Those people have no problem with us talking about solutions -- and helping raise the bar for attacks.

Jeremiah Grossman is CTO and founder of WhiteHat Security. Special to Dark Reading Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...