[ISN] A Hacker's Nasdaq

From: InfoSec News (alerts@private)
Date: Mon Jul 09 2007 - 23:16:04 PDT


By Andy Greenberg

In the summer of 2005, Charlie Miller was working in his living room 
when he discovered a hackable vulnerability in a common species of 
server software. Miller knew he had found something dangerous. But until 
he offered his prize to a government agency five months later, he had no 
idea just how much it was worth.

"I asked for $80,000," he says. "When the guy on the phone agreed 
immediately without consulting his boss, I knew I should have asked for 
much more."

In fact, the unnamed agency eventually bargained the price for the 
information, an exploitable bug in the Linux server program Samba, down 
to $50,000. And what did the agency do with its newly purchased security 
hole? Miller received his check and didn't ask questions.

"They didn't buy it in order to patch it," Miller says. "I can speculate 
that it wasn't exactly used for the common good."

Miller's experience, described in a paper he presented to the Workshop 
on the Economics of Information Security at Carnegie Mellon last June, 
highlights a growing problem in computer security. When the industry's 
ever-larger ranks of independent researchers find exploitable 
vulnerabilities in software, they're forced to price their discoveries 
on an ad hoc basis with no sense of fair market value. And even worse, 
independent researchers are often tempted to sell to the highest bidder, 
not the buyer most likely to use the data responsibly, or even one whose 
identity and motives are clear.

Today, several IT security companies are moving into that chaotic 
marketplace to broker a more equitable exchange of software bugs for 
dollars. These vulnerability traders argue that they're giving hackers a 
less harmful avenue to profit from their skills. But they also raise 
questions about where to draw the line in legitimizing an industry that 
some security professionals say borders on extortion.

The newest market-maker in the IT security field has a strange name: 
WabiSabiLabi. But the Chiasso, Switzerland-based company has a serious 
purpose: It offers an eBay-style Web auction platform for security bugs. 
Launched last Tuesday, the site is already auctioning off four 
exploitable software flaws, including one in Yahoo!'s instant messenger 
program, which has a minimum bid of 2,000 euros.

Even in a seemingly trivial program like Yahoo! Messenger, a 
vulnerability can be used to steal data from corporate or government 
servers, says WabiSabiLabi's Chief Executive Herman Zampariolo. He says 
the company performs background checks on all buyers to ensure that they 
have no record of criminal hacking. Bugs sold on the site are intended 
only for legitimate purposes like penetration testing.

Zampariolo notes that a small fraction of the site's 34,000 unique 
visitors have come from the U.S. military. Software companies themselves 
can also buy information about flaws in their own programs, but rarely 
do, for fear that offering a bounty would only draw more hackers to 
their products.

WabiSabiLabi, whose name combines a Japanese word for "imperfection" and 
a German abbreviation for "laboratory," tests each vulnerability to 
ensure it fits the seller's description, and in six months plans to 
begin charging a 10% commission for its services.

"The IT security market is totally based on finding vulnerabilities," 
says the company's strategic director, Roberto Preatoni. "But the 
industry doesn't properly value independent researchers. They're told 
that to be ethical, they must disclose their findings for free. It's 
like blackmail. We believe they should be able to profit from their 

So does Adriel Desautels, whose company, Netragard, also buys and sells 
vulnerabilities, sometimes paying researchers as much as $200,000 for a 
single flaw. Desautels performs background checks on all clients and 
sees his company as a healthy alternative to the black market, which is 
always hungry for new ways to steal corporate secrets and credit card 

But Dave Aitel, chief technology officer of another vulnerabilities 
broker called Immunity, says that security professionals will never be 
able to offer hackers as much money for software bugs as the bad guys. 
"It's hard to say no if the black market offers you $300,000," Aitel 
says. "But with us, at least you get a fair valuation and you know that 
we're bound by the law. The mafia tends to break your knees if they want 
a cheaper price."

In the eyes of some security professionals, Immunity and Netragard 
themselves are far from saintly: Neither company reports all of its 
vulnerabilities to the software's manufacturer upon acquiring them, 
since doing so would devalue the bugs they purchase. In other words, the 
vulnerabilities they buy often stay vulnerable, and so do the software's 

3Com's Zero-Day Initiative, by contrast, always reports its bug-buying 
immediately. That means weaknesses are quickly patched, making users 
more secure but reducing the price the company can pay hackers. The 
Zero-Day Initiative won't say how much it offers for each vulnerability, 
but Miller estimates that the company pays a maximum of around $10,000 
per flaw. That's not enough to have kept him from looking to more 
generous, and less virtuous, buyers, Miller says.

According to IBM's X-force Research security team, that's one more 
reason that buying bugs, even with the intention of reporting them, is 
only encouraging an industry that thrives on extortion. "It's a false 
economy," says X-force's Team Manager David Dewey.

Dewey sorts hackers into three types: black hats, white hats and gray 
hats. "The black hats will always sell to the highest bidder, which is 
the underground," he says. "The white hats aren't motivated by money. So 
the best you can do with a bug bounty program is sway some of the grays, 
at the expense of security technology as a whole."

Dewey argues that the money spent buying bugs from hackers could be 
better invested in full-time research teams: The only way to control a 
freelance hacker, he says, is to give him a job. But as the IT security 
field matures and becomes more mainstream, Dewey admits that more 
independent researchers than ever are flooding the software 
vulnerabilities market.

So how to keep them from selling their findings to the criminal 

"It can't be prevented," says Dewey. "As long as there are talented 
researchers and someone to pay them, it's going to keep happening. We 
just have to find the bugs first."


This archive was generated by hypermail 2.1.3 : Mon Jul 09 2007 - 23:31:15 PDT