Re: 0-day exploit..do i hear $1000?

From: foobat_private
Date: Sat Oct 20 2001 - 03:21:51 PDT


    I still don't see why a security company would
    buy an exploit if it isn't public knowledge:  what
    use to his customer is "look at this root shell,
    you are vulnerable, the vendor doesn't know,
    the underground does, you can't patch"?!?!
    
    Sure there are workarounds, but when a bug is found
    the software needs to be fixed.
    
    So how are people going to sell >1 copy of their exploit?
    
    The first person to buy tells the vendor, then it's
    public knowledge (of the vuln. the exploit code is
    still rare).  Now 99% of security companies can scan
    for the vuln (even if they don't get a root prompt), and
    1% can actually exploit.  To the customer it's the same:
    "You are vulnerable" (show core dump/root prompt),
    "get the patch from here, problem sorted".
    None of the security companies need to buy the
    exploit.
    
    Knowledge of the vuln is surely enough?
    
    Security companies pushing some of their cash
    back into the underground to fund research, to find
    bugs in software is a good idea - but the fruits of
    that research must be public.
    
    That leaves the leech companies doing no research
    and still making a profit - but I guess most clients
    would favour the ones performing active research,
    whose name is known.
    
    (I agree the argument is totally different for IDS
    signatures...)
    
    - foob
    
    
    On Fri, 19 Oct 2001, H C wrote:
    
    > Hey, Jose.
    > 
    > > well, one reason would be to have unique information
    > > for their intrusion
    > > detection engines or for their pen testing teams.
    > > payback is almost immediate there.
    > 
    > This certainly is an excellent point.  MSSPs are
    > likely to see that putting a little $$ up front pays
    > big dividends in publicity on the back end.  Who's to
    > say it isn't already happening.
    >  
    > > i fully expect infosec companies to start
    > > contracting to hacking groups
    > > for idea, exploits and info. its profitable all
    > > around, and in this era of returning to the 
    > > underground 
    > 
    > This opens up a lot of possibilities, doesn't it?
    > Think about it...if companies are going to pay $$ for
    > vulnerabilities, then they are going to have to be to
    > a standard, right?  I mean, not just anything will
    > suffice...the information provided will have to be
    > pretty explicit, to the point that the vulnerability
    > is demonstrable and reproducible. Otherwise, what's
    > the point?
    > 
    > What this will do is not only increase the numbers of
    > folks doing security research, but also the technical
    > sophistication of those individuals...b/c at that
    > point, there would be something really worth working
    > for...recognition AND $$.  The next logical step is
    > that full attacks will be developed around the
    > vulnerabilities, in order to demonstrate them.  These
    > attacks will be pretty sophisticated, particularly
    > when you consider the 'one-upmanship' and competition
    > that's part of the industry.  These attacks will
    > become more and more stealthy, leaving little trace,
    > and cleaning up what they do leave.  The goal of the
    > attacks will be to gain access and gather extremely
    > sensitive information...face it, web page defacements
    > are nothing, not when you can capture medical data,
    > corporate officer's communications, etc.  
    > 
    > So what happens?  Well, the security companies pay for
    > these vulnerabilities and attacks, so there is sure to
    > be a mound of legal paperwork requiring no further
    > disclosure.  If the information is not available to
    > the public, then only those companies that pay the
    > security firm will be prepared for the attacks.  At
    > some point, the information will leak out somehow, and
    > things will be worse than they already are.
    > 
    > Up to now, many of the publicly reported incidents
    > have been as loud and as noisy as possible...getting
    > attention is the key.  But what happens when someone
    > takes a new exploit and tries to see how long they can
    > go undetected on a corporate infrastructure?  What
    > happens when the competition becomes, who can stay on
    > the LAN the longest?  Or who can collect the most
    > sensitive information?  Such as sales projections and
    > reports...the 'attacker' could use that information to
    > place advantageous stock trades.
    > 
    > Besides keeping the information on new vulnerabilities
    > from being public, paying for them will definitely
    > lead to a much more sophisticated attacker, more so
    > than the kiddies we see now.  Of course, many of us
    > will try to keep up, just out of personal or
    > professional pride, but what about all those
    > unprotected companies out there?  You know, the same
    > guys that got hit by sadmin/IIS, Code Red, and Nimda? 
    > What happens to them?
    > 
    > Carv
    > 
    > 
    > 
    > 
    



    This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 11:15:26 PDT