Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/9/2010
04:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NSS Labs To Open Marketplace For Buying And Selling Exploits

No zero-days on 'Exploit Hub'

NSS Labs late next month will open up a new online marketplace for researchers to sell their exploits to penetration testers and other buyers.

Exploit Hub is an iPhone App Store-style type marketplace that will provide researchers with a way to make money for the exploits they write for the open-source Metasploit pen-test framework, according to Rick Moy, director of independent testing lab NSS Labs. "The bad guys already have this stuff. We're trying to level the playing field," Moy says. "As soon as a patch is out there, it only takes a few hours for a competent exploit writer to reverse-engineer it with an exploit they can use."

The online marketplace model hasn't had much success in the past, however. But security researchers say Exploit Hub's approach might fare better because it's aimed at security professionals, and will vet participants as well as test the exploits before they go up for sale. It will only offer exploits for sale, not bugs like the former and now defunct WabiSabiLabi marketplace, and it won't allow exploits for any zero-day flaws -- only known vulnerabilities.

Chris Nickerson, CEO of Lares Consulting, says Exploit Hub could be mutually beneficial to both researchers and penetration testers. It will give researchers compensation for their exploit-writing work and provide in-house penetration testers without the expertise or development resources to purchase the exploits they need, he says. Even seasoned pen testers would have a place to buy exploits when they need them: "From a tester side, I'd be more than happy to invest in this because it's going to save some time of my guys [developing exploits with] Metasploit or Core plug-ins ... And it's going to give developers a more secure place to put" their exploits, he says.

There are times when writing your own exploit for a pen-testing engagement just isn't the best use of time. David Maynor, CTO at Errata Security, says writing exploits from scratch on-site can be time-consuming. "When you have a certain amount of time to test, it's a big decision: Do I write something that may work, or do I move on?" says Maynor, who says he personally prefers to write his own exploits. "I doubt I would be on-site and run into a problem and be like, 'Let me check NSS and see if they have something.' If I were to buy something, I would need to work with it for a while before using it on the client side or even better, look at how it's done, and then reimplement it myself with my own payloads so I know it's clean."

NSS Labs' Moy says Exploit Hub plans to offer an open, safe market for the buying and selling of exploits. He says it also fills a major gap in today's penetration-testing tools. "Over the past five years, there have been over 14,000 high-risk or critical vulnerabilities and if you look at the tools and count how many exploits in them [for these], there are maybe 1,000," Moy says. "So if you buy all three of these tools, you're getting less than 10 percent coverage for these high vulnerabilities.

"Our goal is to help arm pen testers and security firms with better tools. Security vendors can use them to test their products, and pen testers to test their products," he says.

NSS Labs will test and validate the exploits to ensure they work, an element of the marketplace that security researchers say is crucial.

So far financial services and entertainment firms have expressed interest in the marketplace, he says, as well as security researchers. NSS Labs is providing guidelines for pricing based on supply and demand: The going rate for an exploit could range from $50 for a Web browser or Windows client exploit to a few thousand to hundreds of thousands of dollars for a more complex Oracle exploit, he says.

Keeping the bad guys out won't be too hard, he says, because buyers will also be vetted.

Whether Exploit Hub succeeds will have a lot to do with whether pen testers embrace it and if their organizations are willing to pay for the code, experts say.

Lares' Nickerson says it could also ultimately force penetration testing vendors to more quickly turn around exploits, too, with this new exploit venue also offering exploit modules. "They [vendors] now have an unlimited timeline to release that into their framework," he says. This may force them to step up their development turnaround efforts, he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7029
PUBLISHED: 2020-08-11
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged ...
CVE-2020-17489
PUBLISHED: 2020-08-11
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible f...
CVE-2020-17495
PUBLISHED: 2020-08-11
django-celery-results through 1.2.1 stores task results in the database. Among the data it stores are the variables passed into the tasks. The variables may contain sensitive cleartext information that does not belong unencrypted in the database.
CVE-2020-0260
PUBLISHED: 2020-08-11
There is a possible out of bounds read due to an incorrect bounds check.Product: AndroidVersions: Android SoCAndroid ID: A-152225183
CVE-2020-16170
PUBLISHED: 2020-08-11
The Temi application 1.3.3 through 1.3.7931 for Android has hard-coded credentials.