Re: 0-day exploit..do i hear $1000?

From: Jonathan M. Smith (jms@central.cis.upenn.edu)
Date: 10/18/01


Date: Thu, 18 Oct 2001 13:24:48 -0400 (EDT)
From: "Jonathan M. Smith" <jms@central.cis.upenn.edu>
To: RT <roelof@sensepost.com>
Subject: Re: 0-day exploit..do i hear $1000?
Message-ID: <Pine.SOL.4.21.0110181323000.5170-100000@central.cis.upenn.edu>

An interesting result of this might be that the economics of security are
clarified, so that security is taken seriously pre-hack, rather than
post-hack. If there's money involved, management types will take it
seriously.

-JMS

On Thu, 18 Oct 2001, RT wrote:

> Moderators: Pass if you will. I think this seriously impacts the whole
> industry.
>
> This email was written after I contacted a prominent "exploit collector" and
> asked for the new SSH exploit. He asked me "how much are you willing to pay, I
> selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about
> it, and here are some comments/predictions as to what is happening in the
> industry.
>
> At present a vulnerability is usually disclosed in the following way:
>
> * L33t Hacker finds problem in vendor ABC's product
> * L33t Hacker writes to ABC
> * ABC takes some time, builds a patch, writes an advisory and gives credit to
> L33t Hacker
> * ABC releases advisory to bugtraq, SF, packetstorm etc.
> * Security firm 123 implements patches for brain dead clients.
> * L4t3 Hacker writes exploit for problem
> * Exploit is seen on hack.co.za, packetstorm etc.
> * Assessment/Pen-test firm 456 tests for the problem.
>
> Obviously things do not always go this way. L33t Hacker might write an
> exploit from the start. Exploit writers are usually after fame, wanting to see
> their names in lights on a MS advisory. In the above mentioned process the only
> people/firms that make money from the bug are Security Firms 123 and 456. The
> L33t Hacker gets fame, not fortune. Hacker L4t3 also gets some fame - in some
> cases even more than L33t.
>
> Then someday, Hackers L33t and L4t3 decide that they are not in it for fame,
> but for money. So, they open a security firm (many examples e.g. L0pht, Max
> Vision, RFP, many more). The problem now is keeping the exploits flowing while
> having to write reports, sit in meetings, wear a tie, do budgets, and
> speak to brain dead clients. So, in many cases, it does not work out.
> Hackers usually don't have a lot of patience with brain dead clients, hate
> writing reports, and can't even balance their own budgets. They see that they
> only spend 10% of their time writing 0-day exploits...while that was
> the reason they signed up. Ask any "ethical hacker" - it's tricky making money
> and keeping the brain occupied.
>
> So, while Security Companies 123, 456 and 789 are making money, hackers L33t and
> L4t3 are unemployed and frustrated by the fact that others are reaping the
> rewards of their 0-day exploits that took 3 months to code. These two contact
> Hackers r3L4t3 and r3l3a5h and they form the "cyber underground association",
> and they sell 0-day exploits. They start off by selling the exploit directly to
> the client and it goes like this:
>
> * CUA finds a problem in vendor ABC's product
> * CUA codes the exploit
> * CUA lets the word spread that they are selling it
> * 10 script kiddies buy the exploit at $100
> * Script kiddie l0s3r puts it on his website
> * Security firm 123 and vendor ABC get it, build patch (and the usual)
> * Script kiddie l0s3r's site gets DDOS-ed by CUA
>
> CUA made $1000 from the exploit. Security firm 123 made $25 000 from it. Some
> networks are compromised by the kids, security firms/vendors take the heat; an
> assessment was done on the network a week ago and it was certified as "safe".
> The whole IT security industry takes a knock. Everyone loses. CUA gets together,
> has a meeting, decides on a new strategy. It goes like this:
>
> * CUA finds a problem in vendor ABC's product (no guessing who ABC is)
> * CUA codes the exploit
> * CUA contacts "Exploit dealer @m1c$" - a well connected person in script kiddie
> country.
> * @m1c$ sells the exploit only to a selected few - at $500 a pop. He sells 10
> copies.
> * @m1c$ makes $2500, CUA makes $2500.
> * One of that selected few was in fact working for Security firm 456.
> * Knowing that CUA is killing the trade, and wanting the fame, 456 employee
> rebrands the exploit to say 456-inc. and sends it off to Bugtraq (or puts it on
> their webpage)
> * Everyone gets the code on SF
> * 456-inc. gets DDOS-ed.
>
> The other 9 selected few are typically people that will spend $500 on an
> exploit, knowing that they can compromise a network that has $5000 worth of
> credit cards or the likes. They are thus your black hat dudes - the criminal
> type. The industry takes a knock - again, and in a bigger way. Security firms
> 123 and 789, not willing to pay for the code, are booted out of several
> contracts, as their clients' networks were compromised.
>
> CUA has another meeting. Somehow they are not seeing the $10000s that they
> expected. They make a new plan - bigger and better than before. They will
> bypass the dealer and only sell to people they know. It goes like this:
>
> * CUA finds yet another bug in ABC's software, codes exploit
> * CUA sells exploit to 25 selected people at $1000 a pop.
> * Exploit is actually sold to many foreign agencies and a few terrorists
> * Exploit is also sold to n0h@ck, an undercover FBI agent.
> * CUA is taken to court and convicted under the 2002 Terrorist Bill thingy
> * End of CUA
> * Oh and the FBI gets DDOS-ed
>
> Think about it for a while. At $1000 an exploit, who are you going to attract?
> People that will pay that amount of money must surely be in a situation that
> will make it worth their while. Dealing with these people will be dangerous for
> sure.
>
> Non-disclosure will spark paying for exploits. Paying for exploits would be the
> same as paying for arms. Paying for exploits would make them illegal in no
> time. It would very much hurt the industry - the whole security industry - from
> the software vendor to the security vendor to the "ethical hackers", and all
> the way, the client/end user or firm will be taking the fall. Even the exploit
> writers will have a hard time. They are never going to make real money from
> their "product", will live in fear for their customers, and will take constant
> heat from their law enforcement agencies. A bigger challenge is to write the
> code AND make money in an honest way, AND keeping sane in the process, and I
> believe it can be done. The more underground the industry goes, the more heat
> it will take from government and law enforcement. The more open the industry
> is, the more transparent it is, the more acceptable it would become. And now I
> hear people saying - full disclosure is the reason behind script kiddies, the
> reason behind worms that cost us millions. Well, let's quickly think about just
> that.
>
> The Nimda worm did damages ranging in the millions of dollars (or so the bright
> beanies say). Just about every vulnerable server was attacked and compromised
> by the worm, they say. Just think of all the man hours it took just to fix the
> problem, they say. Think about the loss of productivity etc. OK. It's true. But
> this is also true - in the months before Nimda, SensePost (Pen-testing firm I
> work for) could take just about any corporate when doing an assessment.
> Easily. Way easy. Boredom actually set in. About 33% of all servers (those
> that were not the official websites or prominent sites) encountered were
> vulnerable. Gaping hole. Getting into the inner network way easy. No firewall
> could stop the attack. An open door to any attacker wanting to do damage in the
> network. And attackers and cyber criminals did just that. Has anyone EVER asked
> what the cost of the IIS double decode or Unicode bug was in dollars? No.
> Prolly because it cannot be easily calculated. How many networks were
> compromised, credit cards stolen, transactions altered etc. because of the bug?
> How much money / credibility was lost due to the bug? And how much would it
> cost to fix the bug on every machine - machines that administrators do not even
> know exist facing the Internet. For a large firm with multiple class B
> addresses - to find the machines? And to patch all?? And how many $'s to
> co-ordinate all of that across the planet in one week. After the worm everyone
> seems patched. Those that are not are getting emails from just about every IDS
> out there - saying - hey! get with the program - patch your server with IP
> a.b.c.d. And here at SensePost we are elated - no more boring pen-testing - you
> prolly won't find a single double decode / Unicode machine out there now. Are
> worms that bad if they don't do local damage - I don't think so - they simply
> force people to sit up and react. The Nimda worm did more to secure the
> planet's networks in one week than any security company could do in a year.
> People simply don't read advisories, and never apply patches.
>
> Makes you think eh?
>
> Regards,
> Roelof.
>
>
> ------------------------------------------------------
> Roelof W Temmingh SensePost IT security
> roelof@sensepost.com +27 83 448 6996
> http://www.sensepost.com http://www.hackrack.com
>
>