Are hacking contests good or evil?

By Bill Brenner
04 May 2007 | SearchSecurity.com




Gartner analysts Rich Mogull and Greg Young say nothing good comes from hacking contests like the one involving a Mac box and an Apple QuickTime flaw at the recent CanSecWest conference.

In an analysis on the Gartner Web site this week, they said the QuickTime flaw that New York hacker Dino Dai Zovi used to hijack a Mac poses a wide risk and highlights the danger of vulnerability research conducted in public.

They say public vulnerability research and hacking contests are "risky endeavors" that cut against the grain of responsible disclosure, where vendors are given an opportunity to develop patches or workarounds before public announcements are made.

"Vulnerability research is an extremely valuable endeavor for ensuring more secure IT," they wrote. "However, conducting vulnerability research in a public venue is risky and could potentially lead to mishandling or treating too lightly these vulnerabilities -- which can turn a well-intentioned action into a more ambiguous one, or inadvertently provide assistance to attackers."

They're not the first security experts to see the evil in public hacking demonstrations. But their position isn't winning over many security bloggers. In fact, most of the discussion in the blogosphere this week seems to favor the practice.
In the Rage 3D blog, which ran a synopsis of the Gartner position, respondents defended the necessity of such contests.

"These contests are crucial to maintaining development on fixing security exploits," one blogger wrote in the comment section. "Most often, the initial programmers made the mistake once, so they'll most likely make it again. Furthermore, independent hackers are usually the first to find the exploits, and it's certainly better to bribe them to give it up than have them use the exploits to make money in more fraudulent ways."

The most important thing is that Dai Zovie's exploit shattered the "ridiculous notion" that Apple's software is always secure, the blogger said.

Another blogger responded, "If these exploits become more [well] known to a lot of people, it forces the company to fix the issue, otherwise it will [have] gone unnoticed except by a few of the hackers using it, with free reign."

The fact that Apple fixed the QuickTime flaw so quickly shows that it pays to pressure the vendor with such public disclosures, some bloggers suggested on the Matasano Chargen blog, which is kept by New York security consultancy Matasano Security, of which Dai Zovi is a member emeritus.

"Thanks to Dino for finding the issue and to Apple for such a quick reaction," wrote one respondent to the blog. "That's how it should be. Exploit found. Exploit fixed. Nothing exploited but a few media articles."

Blogger Jim Stroud, a self-described "searchologist" with expertise in recruitment research and competitive intelligence, addressed the question of whether these contests are more about promoting companies, researchers and products than about bettering security. From a recruiting standpoint, he said, such activities can be good for the IT security industry.

"I suppose there are some dangers involved with [hacking contests]," he wrote, "but [it's] a great way to passively recruit engineers working in security … I mean, if they can hack their way into your product, wouldn't you want them to work for you?"

He's right. It's better to find these researchers and get them working for the security of your product than against it. But I also agree with those who say researchers like Dai Zovi are already working on the good side of the fence.

A look at Dai Zovi's background shows he's been working for years to improve computer security. He has worked with @stake and the IDART Red Team at Sandia Labs. He has spoken at a number of security conferences.

Gartner may want guys like this to stop showing off security weaknesses in public, but that wouldn't make us safer. In the end, the bad guys will figure these exploits out on their own, and it's better if the good guys know about them so they can defend themselves.

Gartner is right that it would be better to work with the vendor on a solution and give it time to release a fix before showing off the weakness in public. But unfortunately, vendors don't always work quickly enough to convert a researcher's findings into a fix. Sometimes they need to be pushed in the public eye.

All Rights Reserved, Copyright 2003 - 2009, TechTarget