
Is paying for vulnerability info the right approach?

As cyberspace grows more dangerous, is it necessary to gather intelligence from the very people you're trying to stop? Depends who you ask.

In a dangerous world, few question the need for intelligence gatherers to go underground with a cash-filled briefcase in search of information that can help them thwart attacks and save lives.

Shouldn't the same rules apply in cyberspace, where bad people are using increasingly sophisticated malware to crack network defenses, hijack millions of computers and rob us blind?

Absolutely, said Jonathan Eunice, principal analyst and IT advisor for Nashua, N.H.-based research firm Illuminata Inc.

"Who better to know where those vulnerabilities are?" Eunice asked. "It's like police paying informers, many of whom do from time to time commit crimes themselves. It's not a practice you'd see in an ideal world -- but we don't live in an ideal world."

The question gained more relevance last week when:

  • The Honeynet Project and Research Alliance reported more than a million machines worldwide are bot-infested and under the control of hackers; and
  • Malcode trackers at Reston, Va.-based security firm iDefense reported that more than 15,000 of the 27,260 attacks they monitored last year were designed to covertly steal information or take over computers for criminal purposes.

This research didn't come from iDefense's somewhat controversial Vulnerability Contributor Program (VCP), in which underground researchers are paid to supply information on new software vulnerabilities. The firm's vulnerability watchers tend to operate separately from the malcode trackers.

But since malicious code exploits those vulnerabilities to spread, we decided to revisit the debate over initiatives like VCP. In interviews two years ago, IT professionals were mixed on the program's merits. Critics argued it's nearly impossible to verify the identity of hackers peddling their wares, especially if they want to remain anonymous. They also said there's no way to control information once it's released to a third party.

But as threats grow grimmer, more people seem to share Eunice's view -- to a point. In the end, those asked said the black hats should still be avoided.

Glenn C. Hill, IT security manager for Northeastern University in Boston, said the IT community usually learns about vulnerabilities by:

  • Self-discovery after an incident that may or may not include a consequence;
  • Self-discovery through experience, training or intuitive awareness;
  • Published statements, disclosures or consequences others experience; and
  • Paying someone to identify vulnerabilities on an organization's behalf.

Insurance companies pay loss-control experts to tell them how to reduce risk, he said. The FBI hired Frank Abagnale to help solve document fraud cases. Ex-burglars show up on television to help homeowners learn the security vulnerabilities of their homes.

"These guys don't do it for free," Hill said. "Since everybody gets paid, who's to say the folks who spend time discovering cybervulnerabilities don't deserve their dollar too?"

In Hill's view, the issues are where to spend the money and whether risks or legal and ethical implications exist.

"Those who hire so-called 'ex' offenders are rolling the dice," he said. "They bet their reputation, their stockholders' money, their financiers' money and the very life of their company on the hope that 'ex' offenders will act in good faith, and that a judge or jury won't some day find the company liable for a consequence where negligent hiring, negligent retention, or some other act or omission could have or should have been known before a consequence occurred. If the company can cover the bet, it's their company to lose."

Hill would rather travel that road as a last resort. And then, he said, "only after carefully weighing what I expect to gain versus the risk in doing so."

Anna Orlove, president of Wellesley, Mass., security consulting firm SecurSee Solutions Inc., said the key is knowing which hats you're dealing with.

"Black hats are motivated by money alone and will serve any master," she said. "They steal your intellectual property and sell it to the highest bidder, regardless of that client's intent of purpose with their results. These you don't want to interface with as they will sell your secrets too."

Orlove believes the vast majority of hats are gray, motivated by an "innate, often obsessive," curiosity. Most are happy and loyal if rewarded for the fruits of their labor, she said. "Most of them are students and/or admins in a network operations center somewhere, and almost all of them toil away because they love the box, not necessarily the boss."

Give them a purpose like homeland security, acknowledge and reward them, and "these hats are one of our best tools to achieving a proactive, predictive security status," she said. "These you should recruit and nurture. They are our national treasures."

Ken Dunham, director of malicious code for iDefense, said his firm's position hasn't changed.

"It's a misnomer to call these people hackers," he said of those involved with VCP. "People are doing research, looking to get paid."

He said iDefense works hard to have responsible disclosure and "keep this stuff off the street" before it's exploited. And, he said, "We're very diligent about giving vendors time to patch before we publicly disclose vulnerabilities."

Note: Interviews for this story were conducted by phone and e-mail.
