Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/4/2009
07:06 PM
50%
50%

Disclosure Helps Bad Guys -- But Not The Way You'd Think

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.

When publicly disclosing new attack techniques or simplifying older ones, many researchers -- including myself -- have been accused of indirectly assisting the bad guys by schooling them in their evil ways. Admittedly, we can never really be sure we're not helping them, but at the same time, we can't be certain the bad guys don't already know what we do.Neither can we ensure sensitive details would remain exclusively under good-guy control even if we agreed not to disclose them. I have a hard time believing any researcher is the smartest person in the world.

So I find it preferable to share attack-related discoveries openly with the defense side so they can improve their readiness. This can happen only by democratizing the information so the good guys have equal opportunity to take action, or not, based on their needs and what is currently known. The alternative is researchers keeping knowledge to themselves, leaving the good guys to blindly fend for themselves. Personally, I'm under no illusions that the bad guys are anxiously awaiting our disclosures so they can then attack systems and monetize the next day.

One commonly asked question is, "Have the bad guys ever made threats against you for making their lives harder by exposing these secrets?" I've heard rumors about this happening to others, but fortunately I haven't had to deal with it. One reason for those threats could be that when a new attack technique hits the Web security scene (found by the good or bad guys), there's a window of time when only a limited few with the necessary skills can extract value. Script kiddies, conversely, must wait until tools are made available.

As a newly found threat becomes better understood, scripts are released so that anyone can use them, boosting overall negative business impact, increasing competition among the bad guys, and lowering the monetization potential for first-movers. When the threat is remediated, the security bar is raised; the more sophisticated bad guys capable of identifying new techniques without outside help may actually prefer that because it reduces the number of ankle-biters.

The same could be argued for script kiddies, whcih know how to get quick access to the latest wares. As such, it is not uncommon for the bad guys to openly share their attack data, sort of like when a car thief narks on his competitors.

I've experienced this phenomenon in search engine optimization (SEO) and massive multiplayer online game hacking. In SEO, elevating search engine ranking for particular keywords can be extremely lucrative in terms of advertising click-throughs and sales conversions.

In the very early days of SEO, keyword stuffing was all the rage. Soon everyone was doing it, which eliminated its effectiveness and competitive advantage. Search engines later fixed this problem and similar ones, forcing black hat SEO manipulators to constantly evolve their techniques.

For example, dynamic Website host name-keyword generator systems backed by content databases using Markov algorithms amplified link farm networks. Simply put, this gives the appearance of a massive number of Websites all linking to each other with fresh content. Each time a search engine (or any defender) raises the bar, it represents an opportunity for those clever enough to identify a new technique to extract value before anyone else catches on. It was not that long ago in the SEO game that the use of standard content tricks gave way to actual Web application hacking for those willing to risk criminal prosecution.

Black hat SEOs today use the pervasive cross-site scripting (XSS) vulnerability to make it appear to search engines that a high-ranking Website is linking to theirs, by littering the Web with specially crafted URLs.

SQL injection also can get one Website to link to another directly by updating its HTML content. That was the case with Al Gore's "Inconvenient Truth" blog. Of course, loading vulnerable Websites with malware is still an option. Both methods are well-understood and widely employed to manipulate search engine result pages (SERPs). Ask yourself if the results for "buy Viagra" seem as one would expect.

Now that these techniques are becoming heavily saturated, many bad guys would probably love to see something done. For the clever bad guy, raising the bar flattens the playing field and opens new opportunities for profit potential. Overall business impact may decrease temporarily, but it may increase for particular individuals. Those people have no problem with us talking about solutions -- and helping raise the bar for attacks.

Jeremiah Grossman is CTO and founder of WhiteHat Security. Special to Dark Reading Jeremiah Grossman, Chief of Security Strategy, SentinelOne, Professional Hacker, Black Belt in Brazilian Jiu-Jitsu, & Founder of WhiteHat Security. Jeremiah Grossman's career spans nearly 20 years. He has lived a literal lifetime in computer security to become one of the ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.