
Vulnerabilities / Threats
Commentary
8/19/2013 10:39 AM
Mike Rothman

Prohibition For 0-Day Exploits

The monetization of exploits has been a divisive discussion in the security community for years. Now as governments emerge as the largest market for attack code, will there be a move to regulate the sale of 0-day attacks?

Unless you've been playing Rip Van Winkle, you know that the ability of security researchers to monetize exploits is nothing new -- it arguably started with TippingPoint's ZDI group buying 0-days in 2005 so it could build IPS signatures ahead of everyone else. The idea of buying exploits then branched down a different path, where software vendors offer a "bug bounty" to learn of holes in their own products. Google has paid big money during the past few years through its bug-bounty program, and recently announced a large increase in what it'll pay for each bug. Microsoft and a number of other vendors have also spent on their bug-bounty programs to broaden their efforts to protect their software. This has been a net positive, both allowing researchers to pay their bills and improving vulnerable software.

But according to The New York Times, no one is spending bigger than governments to acquire and control attacks they can then use as part of offensive, intelligence-gathering campaigns. Pollyannas may yelp at this reality, but it's not really different from advanced arms research or any other investment made to advance military activities.

The U.S. spends billions on advanced military research and on shiny toys like ray guns and scanners for bioweapons, among other programs. Why wouldn't governments spend some money on tools that could result in a game-changing attack such as Stuxnet? Of course they would, and they do. Many may dispute the concept of "cyberwar," but clearly the folks holding the military purse strings believe there is a cyber component to future warfare, and they are investing to gain that advantage.

Moreover, you don't have to read the latest Vince Flynn novel to see how cyber-intel improves the effectiveness of spycraft, and any advantage can save military and intelligence lives. At least, that's how the power brokers are going to justify it.

Yet would governments at some point decide the best approach is to regulate the market for exploits? Maybe even try to derail it? Chris Borgen wrote about the issues of regulating the purchase of these 0-day exploits, and it's a fascinating read. He goes through a history of how governments got involved in the trade and how they are using the exploits. But then he gets into how some regulators are trying to figure out how to regulate the sale of these munitions, given that evil regimes can buy 0-days and wreak havoc. OK, maybe not havoc, but they can certainly cause heartburn.

Chris' points revolve around the perverse incentives developing on the regulatory front. Initially, there was a disincentive to regulating the exploits, since governments like to buy things outside the public's (and regulators') visibility. But as these governments continue to invest in their own research capabilities to develop their own attacks, the need for externally sourced exploits wanes. At that point, they may be more interested in regulation, if only to take these alternative sources of exploits, which could just as easily sell to adversaries, out of play. Or at least make it harder for them to do business. So Chris hopes for no regulation because he wants to "keep the world safe for exploits." Yes, it's very counterintuitive, but so is most of the security business.

Personally, I don't think regulatory efforts on 0-day attacks will go very far because folks are equating software code to free speech -- even code intended to steal something from you. You have to love lawyers. But all the same, even if something does get passed to regulate and/or try to prevent the sale of exploits, exploits will still be sold, most likely to the governments that have regulated their sale. Yes, that's a pretty cynical way of looking at things, but it's reality. There was a market for exploits before any regulation, and there will be a market should any regulation come into play.

If you don't believe it, just bust out your history books and go back to the 1920s. The U.S. government banned the sale of alcohol during Prohibition, but it certainly didn't stop the production or consumption of alcohol. What it did was create a thriving black market for booze. How does this situation end any differently? Yeah, it probably doesn't.

Comments
pmisner, User Rank: Apprentice, 8/27/2013 7:50:32 PM
re: Prohibition For 0-Day Exploits
The problem with attacking zero-day attacks has been the approach. Coming up with signatures, or trying to recognize behaviors of a potential attack, only succeeds in the continuance of "whack-a-mole". My company is working on a new approach, which essentially creates an "AirGap" between the browser and the OS. The browser itself is, for want of a better term, "virtualized" to the client, from the DMZ. All the components and protocols are hardened along the way.

If an attack does succeed, it doesn't really have any consequences. Kill the browser, and in less than 5 seconds, be back running with a new, fresh, and attack free browser. The attack doesn't enter the network, and the payload never touches the user's OS.
Dave F, User Rank: Apprentice, 8/27/2013 5:49:59 PM
re: Prohibition For 0-Day Exploits
With apologies to the NRA, viruses don't cripple systems, hackers cripple systems.
It seems to me that a segment involved in the production and sale of 0-day exploits is not very responsive to regulation. And those people are already criminals, so I'm not sure I understand where the potential gain will come from.
Drew Conry-Murray, User Rank: Ninja, 8/23/2013 10:30:44 PM
re: Prohibition For 0-Day Exploits
Regulation doesn't sound like it would be very effective. I think it's best to leave the exploits market alone.
Lorna Garey, User Rank: Ninja, 8/23/2013 2:24:55 PM
re: Prohibition For 0-Day Exploits
The feds writing laws to ban the sale of exploits would probably raise the value of exploits on the 'black market' - talk about perverse incentives.