0-day exploit..do i hear $1000?

From: RT (roelofat_private)
Date: Thu Oct 18 2001 - 09:44:38 PDT

  • Next message: rain forest puppy: "Re: 0-day exploit..do i hear $1000?"

    Moderators: Pass if you will. I think this seriously impacts the whole
    industry.
    
    This email was written after I contacted a prominent "exploit collector" and
    asked for the new SSH exploit. He asked me "how much are you willing to pay, I
    selling 'sploits now". I said "You wanna WHAAT?". Afterwards I thought about
    it, and here are some comments/predictions as to what is happening in the
    industry.
    
    At present a vulnerability is usually disclosed in the following way:
    
    * L33t Hacker finds problem in vendor ABC's product
    * L33t Hacker writes to ABC
    * ABC takes some time, builds a patch write an advisory and give credit to L33t
    Hacker
    * ABC release advisory to bugtraq, SF, packetstorm etc.
    * Security firm 123 implement patches for brain dead clients.
    * L4t3 Hacker writes exploit for problem
    * Exploit is seen on hack.co.za, packetstorm etc.
    * Assessment/Pen-test firm 456 test for the problem.
    
    Obviously things does not always goes this way. L33t Hacker might write an
    exploit from the start. Exploit writers are usually after fame, wanting to see
    their names in lights on a MS advisory. In the above mentioned process the one
    people/firms that makes money from the bug are Security Firms 123 and 456. The
    L33t Hacker gets fame, not fortune. Hacker L4t3 also gets some fame - in some
    cases even more than L33t.
    
    Then someday, Hacker L33t and L4t3 decides that they are not in it for fame,
    but for money. So, they open a security firm (many examples e.g. L0pht, Max
    Vision, RFP, many more). The problem now is keeping the exploits flowing while
    having to write reports, sit in meetings, wear a tie, doing budgets, and
    speaking to brain dead clients. So, in many cases, it does not work out.
    Hackers usually don't have a lot of patience with brain dead clients, hates
    writing report, and can't even balance their own budgets. They see that they
    only spend 10% of their time writing 0-day exploits...while that was
    the reason they signed up. Ask any "ethical hacker" - its tricky making money
    and keeping the brain occupied.
    
    So, while Security Company 123, 456 and 789 are making money, hackers L33t and
    L4t3 are unemployed and frustrated by the fact that others are reaping the
    rewards of their 0-day exploits that took 3 months to code. These two contact
    Hackers r3L4t3 and r3l3a5h and they form the "cyber underground association",
    and they sell 0-day exploits. They start off by selling exploit directly to the
    client and it goes like this:
    
    * CUA find a problem in vendor ABC's product
    * CUA codes the exploit
    * CUA let the word spread that they selling it
    * 10 script kiddies buy the exploit at $100
    * Script kiddie l0s3r puts it on his website
    * Security firm 123 and vendor ABC get it, build patch (and the usual)
    * Script kiddie l0s3r's site gets DDOS-ed by CUA
    
    CUA made $1000 from the exploit. Security firm 123 made $25 000 from it. Some
    networks are comprised by the kids, security firms/vendors takes the heat; an
    assessment was done on the network a week ago and it was certified as "safe".
    The whole IT security industry takes a knock. Everyone lose. CUA gets together,
    have a meeting, decides on new strategy. It goes like this:
    
    * CUA finds a problem in vendor ABC's product (no guessing who ABC is)
    * CUA codes the exploit
    * CUA contact "Exploit dealer @m1c$" - a well connected person in script kiddie
    country.
    * @m1c$ sells the exploit only to selected few - at $500 a pop. He sells 10
    copies.
    * @m1c$ makes $2500, CUA makes $2500.
    * One of that selected few was in fact working for Security firm 456.
    * Knowing that CUA is killing the trade, and wanting the fame, 456 employee
    rebrands the exploit to say 456-inc. and sends if off to Bugtraq (or puts it on
    their webpage)
    * Everyone gets the code on SF
    * 456-inc. gets DDOS-ed.
    
    The other 9 selected few are typically people that will spend $500 on an
    exploit, knowing that they can compromise a network that have $5000 worth of
    credit cards or the likes. They are thus your black hat dudes - the criminal
    type. The industry takes a knock - again, and in a bigger way. Security firm
    123 and 789, not willing to pay for the code are booted out of several
    contracts, as their client's networks were compromised.
    
    CUA has another meeting. Somehow they are not seeing the $10000s that they
    expected. They make a new plan - bigger and better than before. They will
    bypass the dealer and only sell to people they know. It goes like this:
    
    * CUA finds yet another bug in ABC's software, codes exploit
    * CUA sells exploit to 25 selected people at $1000 a pop.
    * Exploit is actually sold to many foreign agencies and a few terrorist
    * Exploit is also sold to n0h@ck, an undercover FBI agent.
    * CUA is taken to court and convicted under the 2002 Terrorist Bill thingy
    * End of CUA
    * Oh and the FBI gets DDOS-ed
    
    Think about it for a while. At $1000 an exploit, who are you going to attract?
    People that will pay that amount of money must surely be in a situation that
    will make it worth their while. Dealing with these people will be dangerous for
    sure.
    
    Non-disclosure will spark paying for exploits. Paying for exploits would be the
    same as paying for arms. Paying for exploits would make them illegal in no
    time. It would very much hurt the industry - the whole security industry - from
    the software vendor to the security vendor to the "ethical hackers", and all
    the way, the client/end user or firm will be taking the fall. Even the exploit
    writers will have a hard time. They are never going to make real money from
    their "product", will live in fear for their customers, and will take constant
    heat from their law enforcement agencies. A bigger challenge is to write the
    code AND make money in an honest way, AND keeping sane in the process, and I
    believe it can be done. The more underground the industry goes, the more heat
    it will take from government and law enforcement. The more open the industry
    is, the more transparent it is, the more acceptable it would become. And now I
    hear people saying - full disclosure is the reason behind script kiddies, the
    reason behind worms that cost us millions. Well lets quickly think about just
    that.
    
    The Nimda worm did damages ranging in the millions of dollars (or so the bright
    beanies says). Just about every vulnerable server was attacked and compromised
    by the worm, they say. Just think of all the man hours it took just to fix the
    problem they say. Think about the loss of productivity etc. OK. Its true. But
    this is also true - in the months before Nimda, SensePost (Pen-testing firm I
    work for)  could take just about any corporate when doing an assessment.
    Easily. Way easy.  Boredom actually set in. About 33% of all servers (those
    that were not the official websites or prominent sites) encountered were
    vulnerable. Gaping hole.  Getting into the inner network way easy. No firewall
    could stop the attack. An open door to any attacker wanting to do damage in the
    network. And attackers and cyber criminals did just that. Has anyone EVER asked
    what the cost of the IIS double decode or Unicode bug was in dollars? No.
    Prolly because it cannot be easily calculated. How many networks were
    compromised, credit cards stolen, transactions altered etc. because of the bug?
    How much money / credibility was lost due to the bug? And how much would it
    cost to fix the bug on every machine - machines that administrators do not even
    know exist facing the Internet. For a large firm with multiple class B
    addresses - to find the machines? And to patch all?? And how many $'s to
    co-ordinate all of that across the planet in one week. After the worm everyone
    seems patched. Those that are not are getting emails from just about very IDS
    out there - saying - hey! get with the program - patch your server with IP
    a.b.c.d. And here at SensePost we are elated - no more boring pen-testing - you
    prolly won't find a single double decode / Unicode machine out there now. Are
    worms that bad if they don't do local damage - I don't think so - they simply
    force people to sit up and react. The Nimda worm did more to secure the
    planet's networks in one week then any security company could do in a year.
    People simply don't read advisories, and never apply patches.
    
    Makes you think eh?
    
    Regards,
    Roelof.
    
    
    ------------------------------------------------------
    Roelof W Temmingh               SensePost IT security
    roelofat_private            +27 83 448 6996
    http://www.sensepost.com        http://www.hackrack.com
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 10:50:56 PDT