Hey, Jose.

> well, one reason would be to have unique information
> for their intrusion detection engines or for their pen testing teams.
> payback is almost immediate there.

This certainly is an excellent point. MSSPs are likely to see that putting a little $$ up front pays big dividends in publicity on the back end. Who's to say it isn't already happening?

> i fully expect infosec companies to start
> contracting to hacking groups
> for ideas, exploits and info. its profitable all
> around, and in this era of returning to the
> underground

This opens up a lot of possibilities, doesn't it? Think about it...if companies are going to pay $$ for vulnerabilities, then they are going to have to be to a standard, right? I mean, not just anything will suffice...the information provided will have to be pretty explicit, to the point that the vulnerability is demonstrable and reproducible. Otherwise, what's the point?

What this will do is not only increase the number of folks doing security research, but also the technical sophistication of those individuals...b/c at that point, there would be something really worth working for...recognition AND $$.

The next logical step is that full attacks will be developed around the vulnerabilities, in order to demonstrate them. These attacks will be pretty sophisticated, particularly when you consider the 'one-upmanship' and competition that's part of the industry. These attacks will become more and more stealthy, leaving little trace, and cleaning up what they do leave. The goal of the attacks will be to gain access and gather extremely sensitive information...face it, web page defacements are nothing, not when you can capture medical data, corporate officers' communications, etc.

So what happens? Well, the security companies pay for these vulnerabilities and attacks, so there is sure to be a mound of legal paperwork requiring no further disclosure. If the information is not available to the public, then only those companies that pay the security firm will be prepared for the attacks. At some point, the information will leak out somehow, and things will be worse than they already are.

Up to now, many of the publicly reported incidents have been as loud and as noisy as possible...getting attention is the key. But what happens when someone takes a new exploit and tries to see how long they can go undetected on a corporate infrastructure? What happens when the competition becomes who can stay on the LAN the longest? Or who can collect the most sensitive information? Such as sales projections and reports...the 'attacker' could use that information to place advantageous stock trades.

Besides keeping the information on new vulnerabilities from being public, paying for them will definitely lead to a much more sophisticated attacker, more so than the kiddies we see now. Of course, many of us will try to keep up, just out of personal or professional pride, but what about all those unprotected companies out there? You know, the same guys that got hit by sadmind/IIS, Code Red, and Nimda? What happens to them?

Carv
This archive was generated by hypermail 2b30 : Fri Oct 19 2001 - 13:41:08 PDT