[ISN] WabiSabiLabi: A Really Bad Idea?

From: InfoSec News (alerts@private)
Date: Wed Jul 18 2007 - 22:32:32 PDT

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

Security UPDATE--WabiSabiLabi: A Really Bad Idea?--July 18, 2007


Keep Unsecured Machines Off Your Network

Reducing Costs and Risks of Data Protection

ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper 

=== CONTENTS ===================================================

IN FOCUS: WabiSabiLabi: A Really Bad Idea?

   - Survey Says Pay for Certifications Is Dropping, Except in Security
   - Google Adds Security to Its Hosted Application Offerings
   - Recent Security Vulnerabilities

   - Security Matters Blog: Microsoft's Malware Removal Starter Kit
   - FAQ: Preparing Exchange Server 2007 For Active Directory
   - From the Forum: Problems with Symantec Anti-Virus Corp. 10.2
   - Share Your Security Tips
   - Microsoft Learning Paths for Security: Managing Network Security 

   - Wanted: Your Reviews of Products 




=== SPONSOR: St. Bernard Software =========================================

Keep Unsecured Machines Off Your Network
   IT departments tend to spend a lot of time and energy on creating 
and managing firewall rules and router tables, yet overlooking a direct 
channel between the Internet and computers on the corporate network. 
Without any type of filtering solution in place - this connection is 
managed purely by the user. Do you trust your users enough to make the 
right decisions? Even if you believe that your users are capable of 
safely using the Internet, it really only takes one bad apple to ruin 
the lot by downloading a virus or viewing highly objectionable content. 
Here are five steps to build a world-class web filtering solution -- 

=== IN FOCUS: WabiSabiLabi: A Really Bad Idea? =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

About a month ago, I wrote about a new twist in the world of 
vulnerability research in which Intellectual Weapons announced that 
it's offering to work with researchers to develop fixes for security 
vulnerabilities and then patent those fixes. The idea is to profit 
through the sale of patent rights or infringement case settlements. If 
you missed that column you can read it at the URL below:

By now you probably know that other companies, such as 3Com and 
iDefense, also have programs that pay researchers for vulnerability 
information. In those two programs, discoverers receive cash for their 
hard work, and 3Com and iDefense earn income too by selling the 
information to their network of customers in one fashion or another. 
This month yet another company, Switzerland-based WabiSabiLabi (at the 
URL below), entered the mix by offering an auction platform for 
vulnerabilities. Researchers submit their vulnerabilities for sale in 
one of four auction formats (traditional, dutch, buy now, and buy 
exclusively) and if the vulnerability sells, then the researcher earns 
money and WabiSabiLabi earns its cut too. 

Reaction to the auction has been mixed. Some people think it's an 
incredibly bad idea because there's no telling who might actually buy a 
vulnerability. Although WabiSabiLabi says that it will diligently work 
to verify the identity of a buyer, that's no real guarantee because a 
real bad guy could easily use a front man to do the buying. 

Furthermore, WabiSabiLabi leaves it up to the discoverer to inform any 
particular vendor affected by a vulnerability. This too is another 
cited bad aspect of the auction site. With this policy, WabiSabiLabi is 
basically standing behind "traditional Swiss neutrality", as it openly 

So far, WabiSabiLabi has four vulnerabilities posted for sale, one each 
for Yahoo! Instant Messenger, SquirrelMail GPG Plugin, Pidgin Instant 
Messenger, and the Linux kernel. As was pointed out by Montasano 
Security on its company blog, the nature of GPG problem can be 
discovered by anyone well-versed in PHP code analysis. And, someone 
already publicly posted an exploit for the Linux kernel problem. So 
half of WabiSabiLabi's auction items are already mostly worthless in 
terms of cash value. And the Linux kernel exploit clearly points out 
that WabiSabiLabi is already having a negative effect on overall system 
security around the globe. 

According to a statement in a company press release, "[WabiSabiLabi] 
decided to set up this portal for selling security research because 
although there are many researchers out there who discover 
vulnerabilities very few of them are able or willing to report it to 
the right people due to the fear of being exploited."

What I don't completely understand is why any company would willingly 
pay developers to write code and to put that code through some amount 
of quality assurance testing yet be totally unwilling to pay an 
outsider who found significant problems with that code ? especially 
security problems. A solution to this long-time standoff would be to 
form a new group whose member companies would be willing to pay anyone 
for vulnerability information as long as acceptable disclosure policies 
were maintained by the discoverers ? basically like 3Com and iDefense 
are already doing except with widespread vendor participation.

I do support the need for security researchers to be compensated for 
their hard work, and it's troubling that many vendors can't bring 
themselves to pay independent researchers. Nevertheless I don't see how 
WabiSabiLabi is an effective solution. It'll be interesting to watch 
over time to see if people continue to neutralize WabiSabiLabi by 
revealing the nature of the vulnerabilities that it tries to sell.

=== SPONSOR: Double-Take Software ========================================

Reducing Costs and Risks of Data Protection
   Get yourself up-to-speed on the latest data protection strategies 
for branch and remote offices including how to protect and recover 
customer databases, e-mail servers, and financial information that is 
critical to every company's day-to-day operation. Download this free 
whitepaper today! 

=== SECURITY NEWS AND FEATURES =================================

Survey Says Pay for Certifications Is Dropping, Except in Security
   New survey results show that the premium base pay for those having 
various certifications hasn't increased over the past six months, 
unless the certification was in the area of security.

Google Adds Security to Its Hosted Application Offerings
   Google took another leap forward, adding security to its hosted 
application offerings by entering into a deal to acquire email security 
firm Postini.

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

=== SPONSOR: SPI Dynamics ========================================

ALERT: "How A Hacker Launches A LDAP Injection Attack!"- White Paper 
It's as simple as placing additional LDAP query commands into a Web 
form input box giving hackers complete access to all your backend 
systems! Firewalls and IDS will not stop such attacks because LDAP 
Injections are seen as valid data. Download this *FREE* white paper 
from SPI Dynamics for a complete guide to protection! 

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Microsoft's Malware Removal Starter Kit
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5E7F1:57B62BBB09A692792C494A7CE886F240
Microsoft published a new toolkit to help small and medium businesses 
remove malware from infected systems.

FAQ: Preparing Exchange Server 2007 For Active Directory
   by John Savill, http://list.windowsitpro.com/t?ctl=5E7EF:57B62BBB09A692792C494A7CE886F240 

Q: How do I manually prepare my AD forest and domain for Exchange Serve 

Find the answer at

FROM THE FORUM: Problems with Symantec Anti-Virus Corp. 10.2
   (Two messages in this thread)
A forum participant writes that anytime he tries to install anything on 
his server, including patches, upgrades, new programs, etc., the 
installation process causes the server to hang to the point that it 
becomes unresponsive and he then has to reboot the system. If he 
disables all of the Symantec services then installations work fine. He 
wants to know if anyone has ideas why this happens? 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit

Learn about a disaster-recovery and high-availability solution for 
conscientious IT professionals. Find out how WANsync works to protect 
data and how it can ensure the integrity of the application as well as 
the data. Download your free copy today!     

To achieve the secure mail and messaging infrastructure that's crucial 
to today's businesses, every organization needs to plan for three 
fundamental mail and message management services from the start. This 
eBook introduces those services--security, availability, and control 
services--and explains how you can implement them in a Microsoft-
centric email and messaging environment. Download now!      

Learn how high-speed data connectors for the new SQL Server Integration 
Services environment make plug-and-play with mainframe, legacy, 
Teradata, and other database systems a reality. ETI's new connectors 
are cost-effective drop-in solutions that provide best-of-breed 
bidirectional data movement. On-demand Web seminar.   

=== FEATURED WHITE PAPER =======================================

When customers depend on your IT services to communicate with you, 
purchase your products, or manage orders, what happens when your 
applications or Web sites become unavailable? Download this free white 
paper and learn how to eliminate application downtime disruptions and 
ensure the continuity of your business. 

=== ANNOUNCEMENTS ==============================================

Windows IT Pro: Buy 1, Get 1With Windows IT Pro's real-life solutions, 
news, tips, tricks, AND access to over 10,000 articles online, 
subscribing is like hiring your very own team of Windows consultants. 
Subscribe now, and get 2 years for the price of 1!  

Got a Tough Exchange or Outlook Question?
Rely on Exchange & Outlook Pro VIP, the new online resource with in-
depth articles on administration, migration, security, and performance. 
Subscribers get direct access to our top-flight editors, so subscribe 
and receive personalized solutions to your toughest technical 
questions. It beats a support call to Microsoft!    


Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=5E7F2:57B62BBB09A692792C494A7CE886F240
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Wed Jul 18 2007 - 22:40:22 PDT