Zero-day auction site opened by Swiss lab

By Bill Brenner, Senior News Writer
06 Jul 2007 | SearchSecurity.com

Security Wire Daily News


A Swiss organization called WabiSabiLabi Ltd. has started up a marketplace for zero-day flaws that will work much like the online auction site eBay. At least one analyst said the move is almost certain to fuel new debate over how flaws should be disclosed.

Among the first vulnerabilities available for a price is an unpatched buffer overflow flaw in Yahoo! Messenger 8.1 that attackers could exploit remotely to execute malicious code on victims' machines. The WabiSabiLabi Web site described the flaw as "remotely exploitable by any user in the victim's address book (some interaction from the victim is required)."

Eric Maiwald, a senior analyst at Midvale, Utah-based Burton Group, said WabiSabiLabi's program could make exploits available to attackers who might not have had them otherwise.

"I don't see this as something responsible," he said. "There will already be people who know about these flaws, but now people who didn't have them before will have an opportunity to get them and as far as [WabiSabiLabi] is concerned it's not their problem. That just doesn't fly."

Maiwald said the startup will add fuel to the wider debate over responsible disclosure, but that he's "not sure this debate really needs more gasoline."

WabiSabiLabi CEO Herman Zampariolo disagrees. He said the portal was established to sell security research because very few researchers are able or willing to report their findings to the right people for fear of being exploited.


"Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year," he said in a statement. "Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

He said researchers can submit their findings to the exchange once they have registered. The organization will then run the findings through its lab to verify the flaw works. It will then package the findings as a proof of concept that can be sold to the marketplace by auction with a predefined starting price. The proof of concept could also be sold to as many buyers as possible at a fixed price or exclusively sold to one buyer, Zampariolo said.

"WSLabi will also help researchers to design the best business model (selling schemes, starting selling price etc.) which will enable them to maximize the value of their findings," he said. "For example, a piece of research that would currently sell to one company on an exclusive basis for $300-$1,000 could sell for 10 to 20 times more than this amount using the portal."

Both researchers and buyers will have to identify themselves to WSLabi to ensure they are legitimate, the organization said. Researchers can't submit material from an illegal source or activity. Buyers will also be carefully vetted before they can have access to the auction platform so that the risk of "selling the right stuff to the wrong people" is minimized. The marketplace will be free to use for the first six months for both researchers and buyers, the organization said.

This isn't the first operation where flaws are available for a price, though it does appear to be the first instance where an open marketplace has been established for it. VeriSign Inc.'s iDefense Labs and 3Com Corp.'s TippingPoint division both offer payment for vulnerability research, and some see them as examples of irresponsible disclosure.

Critics of iDefense's Vulnerability Contributor Program (VCP), for example, have argued it's nearly impossible to verify the identity of hackers peddling their wares, especially if they want to remain anonymous. They also believe there's no way to control information once it's released to a third party.

TippingPoint's Zero-Day Initiative (ZDI) has sparked similar concerns, though both VeriSign and 3Com have stressed that they have thorough vetting procedures to keep the bad seeds out.

Those who support such programs have said they are necessary in an age where security pros are struggling to stay ahead of attackers who grow more sophisticated by the day. Such programs give white hat researchers the chance to expose serious flaws while IT pros are able to use the information to adequately defend their companies, advocates have said.
