Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/9/2010
04:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NSS Labs To Open Marketplace For Buying And Selling Exploits

No zero-days on 'Exploit Hub'

NSS Labs late next month will open up a new online marketplace for researchers to sell their exploits to penetration testers and other buyers.

Exploit Hub is an iPhone App Store-style type marketplace that will provide researchers with a way to make money for the exploits they write for the open-source Metasploit pen-test framework, according to Rick Moy, director of independent testing lab NSS Labs. "The bad guys already have this stuff. We're trying to level the playing field," Moy says. "As soon as a patch is out there, it only takes a few hours for a competent exploit writer to reverse-engineer it with an exploit they can use."

The online marketplace model hasn't had much success in the past, however. But security researchers say Exploit Hub's approach might fare better because it's aimed at security professionals, and will vet participants as well as test the exploits before they go up for sale. It will only offer exploits for sale, not bugs like the former and now defunct WabiSabiLabi marketplace, and it won't allow exploits for any zero-day flaws -- only known vulnerabilities.

Chris Nickerson, CEO of Lares Consulting, says Exploit Hub could be mutually beneficial to both researchers and penetration testers. It will give researchers compensation for their exploit-writing work and provide in-house penetration testers without the expertise or development resources to purchase the exploits they need, he says. Even seasoned pen testers would have a place to buy exploits when they need them: "From a tester side, I'd be more than happy to invest in this because it's going to save some time of my guys [developing exploits with] Metasploit or Core plug-ins ... And it's going to give developers a more secure place to put" their exploits, he says.

There are times when writing your own exploit for a pen-testing engagement just isn't the best use of time. David Maynor, CTO at Errata Security, says writing exploits from scratch on-site can be time-consuming. "When you have a certain amount of time to test, it's a big decision: Do I write something that may work, or do I move on?" says Maynor, who says he personally prefers to write his own exploits. "I doubt I would be on-site and run into a problem and be like, 'Let me check NSS and see if they have something.' If I were to buy something, I would need to work with it for a while before using it on the client side or even better, look at how it's done, and then reimplement it myself with my own payloads so I know it's clean."

NSS Labs' Moy says Exploit Hub plans to offer an open, safe market for the buying and selling of exploits. He says it also fills a major gap in today's penetration-testing tools. "Over the past five years, there have been over 14,000 high-risk or critical vulnerabilities and if you look at the tools and count how many exploits in them [for these], there are maybe 1,000," Moy says. "So if you buy all three of these tools, you're getting less than 10 percent coverage for these high vulnerabilities.

"Our goal is to help arm pen testers and security firms with better tools. Security vendors can use them to test their products, and pen testers to test their products," he says.

NSS Labs will test and validate the exploits to ensure they work, an element of the marketplace that security researchers say is crucial.

So far financial services and entertainment firms have expressed interest in the marketplace, he says, as well as security researchers. NSS Labs is providing guidelines for pricing based on supply and demand: The going rate for an exploit could range from $50 for a Web browser or Windows client exploit to a few thousand to hundreds of thousands of dollars for a more complex Oracle exploit, he says.

Keeping the bad guys out won't be too hard, he says, because buyers will also be vetted.

Whether Exploit Hub succeeds will have a lot to do with whether pen testers embrace it and if their organizations are willing to pay for the code, experts say.

Lares' Nickerson says it could also ultimately force penetration testing vendors to more quickly turn around exploits, too, with this new exploit venue also offering exploit modules. "They [vendors] now have an unlimited timeline to release that into their framework," he says. This may force them to step up their development turnaround efforts, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.
CVE-2019-9700
PUBLISHED: 2019-07-16
Norton Password Manager, prior to 6.3.0.2082, may be susceptible to an address spoofing issue. This type of issue may allow an attacker to disguise their origin IP address in order to obfuscate the source of network traffic.
CVE-2019-12990
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 allow Directory Traversal.
CVE-2019-12991
PUBLISHED: 2019-07-16
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 5 of 6).