Penetration Testing mailing list archives

0-day exploit..do i hear $1000?


From: RT <roelof () sensepost com>
Date: Thu, 18 Oct 2001 16:44:38 +0000 (GMT)

Moderators: Pass if you will. I think this seriously impacts the whole
industry.

This email was written after I contacted a prominent "exploit collector" and
asked for the new SSH exploit. He asked me "how much are you willing to pay, I'm
selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about
it, and here are some comments/predictions as to what is happening in the
industry.

At present a vulnerability is usually disclosed in the following way:

* L33t Hacker finds problem in vendor ABC's product
* L33t Hacker writes to ABC
* ABC takes some time, builds a patch, writes an advisory and gives credit to L33t
Hacker
* ABC releases advisory to bugtraq, SF, packetstorm etc.
* Security firm 123 implements patches for brain dead clients.
* L4t3 Hacker writes exploit for problem
* Exploit is seen on hack.co.za, packetstorm etc.
* Assessment/Pen-test firm 456 tests for the problem.

Obviously things do not always go this way. L33t Hacker might write an
exploit from the start. Exploit writers are usually after fame, wanting to see
their names in lights on a MS advisory. In the above mentioned process the only
people/firms that make money from the bug are Security Firms 123 and 456. The
L33t Hacker gets fame, not fortune. Hacker L4t3 also gets some fame - in some
cases even more than L33t.

Then someday, Hackers L33t and L4t3 decide that they are not in it for fame,
but for money. So, they open a security firm (many examples e.g. L0pht, Max
Vision, RFP, many more). The problem now is keeping the exploits flowing while
having to write reports, sit in meetings, wear a tie, do budgets, and
speak to brain dead clients. So, in many cases, it does not work out.
Hackers usually don't have a lot of patience with brain dead clients, hate
writing reports, and can't even balance their own budgets. They see that they
only spend 10% of their time writing 0-day exploits...while that was
the reason they signed up. Ask any "ethical hacker" - it's tricky making money
and keeping the brain occupied.

So, while Security Companies 123, 456 and 789 are making money, hackers L33t and
L4t3 are unemployed and frustrated by the fact that others are reaping the
rewards of their 0-day exploits that took 3 months to code. These two contact
Hackers r3L4t3 and r3l3a5h and they form the "cyber underground association",
and they sell 0-day exploits. They start off by selling the exploit directly to the
client and it goes like this:

* CUA finds a problem in vendor ABC's product
* CUA codes the exploit
* CUA lets the word spread that they are selling it
* 10 script kiddies buy the exploit at $100
* Script kiddie l0s3r puts it on his website
* Security firm 123 and vendor ABC get it, build patch (and the usual)
* Script kiddie l0s3r's site gets DDOS-ed by CUA

CUA made $1000 from the exploit. Security firm 123 made $25 000 from it. Some
networks are compromised by the kids, security firms/vendors take the heat; an
assessment was done on the network a week ago and it was certified as "safe".
The whole IT security industry takes a knock. Everyone loses. CUA gets together,
has a meeting, decides on a new strategy. It goes like this:

* CUA finds a problem in vendor ABC's product (no guessing who ABC is)
* CUA codes the exploit
* CUA contacts "Exploit dealer @m1c$" - a well connected person in script kiddie
country.
* @m1c$ sells the exploit only to a selected few - at $500 a pop. He sells 10
copies.
* @m1c$ makes $2500, CUA makes $2500.
* One of that selected few was in fact working for Security firm 456.
* Knowing that CUA is killing the trade, and wanting the fame, 456 employee
rebrands the exploit to say 456-inc. and sends it off to Bugtraq (or puts it on
their webpage)
* Everyone gets the code on SF
* 456-inc. gets DDOS-ed.

The other 9 selected few are typically people that will spend $500 on an
exploit, knowing that they can compromise a network that has $5000 worth of
credit cards or the likes. They are thus your black hat dudes - the criminal
type. The industry takes a knock - again, and in a bigger way. Security firms
123 and 789, not willing to pay for the code, are booted out of several
contracts, as their clients' networks were compromised.

CUA has another meeting. Somehow they are not seeing the $10000s that they
expected. They make a new plan - bigger and better than before. They will
bypass the dealer and only sell to people they know. It goes like this:

* CUA finds yet another bug in ABC's software, codes exploit
* CUA sells exploit to 25 selected people at $1000 a pop.
* Exploit is actually sold to many foreign agencies and a few terrorists
* Exploit is also sold to n0h@ck, an undercover FBI agent.
* CUA is taken to court and convicted under the 2002 Terrorist Bill thingy
* End of CUA
* Oh and the FBI gets DDOS-ed

Think about it for a while. At $1000 an exploit, who are you going to attract?
People that will pay that amount of money must surely be in a situation that
will make it worth their while. Dealing with these people will be dangerous for
sure.

Non-disclosure will spark paying for exploits. Paying for exploits would be the
same as paying for arms. Paying for exploits would make them illegal in no
time. It would very much hurt the industry - the whole security industry - from
the software vendor to the security vendor to the "ethical hackers", and all
the way, the client/end user or firm will be taking the fall. Even the exploit
writers will have a hard time. They are never going to make real money from
their "product", will live in fear for their customers, and will take constant
heat from their law enforcement agencies. A bigger challenge is to write the
code AND make money in an honest way, AND keeping sane in the process, and I
believe it can be done. The more underground the industry goes, the more heat
it will take from government and law enforcement. The more open the industry
is, the more transparent it is, the more acceptable it would become. And now I
hear people saying - full disclosure is the reason behind script kiddies, the
reason behind worms that cost us millions. Well, let's quickly think about just
that.

The Nimda worm did damages ranging in the millions of dollars (or so the bright
beanies say). Just about every vulnerable server was attacked and compromised
by the worm, they say. Just think of all the man hours it took just to fix the
problem, they say. Think about the loss of productivity etc. OK. It's true. But
this is also true - in the months before Nimda, SensePost (Pen-testing firm I
work for) could take just about any corporate when doing an assessment.
Easily. Way easy. Boredom actually set in. About 33% of all servers (those
that were not the official websites or prominent sites) encountered were
vulnerable. Gaping hole. Getting into the inner network way easy. No firewall
could stop the attack. An open door to any attacker wanting to do damage in the
network. And attackers and cyber criminals did just that. Has anyone EVER asked
what the cost of the IIS double decode or Unicode bug was in dollars? No.
Prolly because it cannot be easily calculated. How many networks were
compromised, credit cards stolen, transactions altered etc. because of the bug?
How much money / credibility was lost due to the bug? And how much would it
cost to fix the bug on every machine - machines that administrators do not even
know exist facing the Internet. For a large firm with multiple class B
addresses - to find the machines? And to patch all?? And how many $'s to
co-ordinate all of that across the planet in one week. After the worm everyone
seems patched. Those that are not are getting emails from just about every IDS
out there - saying - hey! get with the program - patch your server with IP
a.b.c.d. And here at SensePost we are elated - no more boring pen-testing - you
prolly won't find a single double decode / Unicode machine out there now. Are
worms that bad if they don't do local damage - I don't think so - they simply
force people to sit up and react. The Nimda worm did more to secure the
planet's networks in one week than any security company could do in a year.
People simply don't read advisories, and never apply patches.

Makes you think eh?

Regards,
Roelof.


------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com            +27 83 448 6996
http://www.sensepost.com        http://www.hackrack.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/