Vulnerability Development mailing list archives

Re: 0-day exploit..do i hear $1000?


From: H C <keydet89 () yahoo com>
Date: Fri, 19 Oct 2001 13:28:51 -0700 (PDT)

Hey, Jose.

> well, one reason would be to have unique information for their intrusion
> detection engines or for their pen testing teams. payback is almost
> immediate there.

This certainly is an excellent point.  MSSPs are
likely to see that putting a little $$ up front for
big dividends in publicity on the back end.  Who's to
say it isn't already happening.
 
> i fully expect infosec companies to start contracting to hacking groups
> for ideas, exploits and info. it's profitable all around, and in this era
> of returning to the underground

This opens up a lot of possibilities, doesn't it? 
Think about it...if companies are going to pay $$ for
vulnerabilities, then they are going to have to be to
a standard, right?  I mean, not just anything will
suffice...the information provided will have to be
pretty explicit, to the point that the vulnerability
is demonstrable and reproducible. Otherwise, what's
the point?  

What this will do is not only increase the numbers of
folks doing security research, but also the technical
sophistication of those individuals...b/c at that
point, there would be something really worth working
for...recognition AND $$.  The next logical step is
that full attacks will be developed around the
vulnerabilities, in order to demonstrate them.  These
attacks will be pretty sophisticated, particularly
when you consider the 'one-upmanship' and competition
that's part of the industry.  These attacks will
become more and more stealthy, leaving little trace,
and cleaning up what they do leave.  The goal of the
attacks will be to gain access and gather extremely
sensitive information...face it, web page defacements
are nothing, not when you can capture medical data,
corporate officers' communications, etc.  

So what happens?  Well, the security companies pay for
these vulnerabilities and attacks, so there is sure to
be a mound of legal paperwork requiring no further
disclosure.  If the information is not available to
the public, then only those companies that pay the
security firm will be prepared for the attacks.  At
some point, the information will leak out somehow, and
things will be worse than they already are.

Up to now, many of the publicly reported incidents
have been as loud and as noisy as possible...getting
attention is the key.  But what happens when someone
takes a new exploit and tries to see how long they can
go undetected on a corporate infrastructure?  What
happens when the competition becomes, who can stay on
the LAN the longest?  Or who can collect the most
sensitive information?  Such as sales projections and
reports...the 'attacker' could use that information to
place advantageous stock trades.

Besides keeping the information on new vulnerabilities
from being public, paying for them will definitely
lead to a much more sophisticated attacker, more so
than the kiddies we see now.  Of course, many of us
will try to keep up, just out of personal or
professional pride, but what about all those
unprotected companies out there?  You know, the same
guys that got hit by sadmin/IIS, Code Red, and Nimda? 
What happens to them?

Carv


