VCU INFO 658 - HACKS SALE

Site Plans to Sell Hacks to Highest Bidder
By Brian Krebs
washingtonpost.com Staff Writer
Thursday, July 12, 2007; 2:51 PM

A Swiss Internet start-up is raising the ire and eyebrows of the computer security community with the launch of an online auction house where software vulnerabilities are sold to the highest bidder.

The founders of WabiSabiLabi.com (pronounced wobby-sobby-lobby) say they hope the service presents a legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals.

Several established vulnerability management companies already purchase information about software flaws from researchers, yet the terms of those deals are private and generally set by the companies. Letting all interested parties bid on security vulnerabilities in an "eBay"-style auction assures that researchers receive the fair market value for the work they do in finding the flaws, said Herman Zampariolo, WabiSabiLabi's chief executive.

"Without an open marketplace, it is impossible to know just how much this intellectual property is worth, and while the free market is not the most perfect way to discover that, it's a good proxy," Zampariolo said. "Sure, lots of companies are setting figures for what they think vulnerabilities are worth, but a majority of researchers are getting far less than what their information is worth, and that's scandalous."

Vulnerabilities that could be sold on the site range from those present in hardware that supports critical information infrastructure -- such as Internet routers -- to flaws in common desktop applications, such as Web browsers, instant messenger and e-mail programs. In many cases, the flaws could be exploited by criminals to gain control over home computers or business networks, giving them access to sensitive information.

What's scandalous, say some security experts, is the idea that the company can be sure that it is not selling instructions for breaking into computers and networks directly to the criminals most likely to use them.

"How do you know bidders aren't people with nefarious purposes," asked Teri Forslof, manager of security response for TippingPoint, a 3Com company that buys vulnerabilities from researchers. "It's really easy to create a shell company that looks good on paper that is set up to be nothing but a front for bad guys."

Zampariolo said the company thoroughly screens all potential sellers and buyers, requiring proof of identification, articles of incorporation, and even bank account information from all parties involved. For the first six months of operation, the service will be free, after which the auction house plans to take a 10 percent cut of the final selling price of a vulnerability. Security flaws up for auction that are not designated by the seller as "exclusive" for the buyer will be shared among a vulnerability alert club to which the company will sell access.

Still, the inability to positively "know your customer" was the prime reason that researcher Greg Hoglund abandoned an idea he had several years ago for setting up an online auction for software flaws. He even built the online auction portal, which he planned to call "Zero-Bay," a play on eBay and the term "zero-day." Zero-day (or "0day") threats are previously undocumented flaws that software vendors learn about only after cyber criminals have begun exploiting them online for financial gain.

Hoglund ultimately pulled the plug on the company the evening before its launch, concerned about possible legal liability if vulnerabilities sold through Zero-Bay were to wind up in the hands of cyber crooks.

"I was thinking vendors could purchase the research for a fair market price as opposed to expecting to receive the information for free," Hoglund said. "But I basically decided that if the bad guys get their hands on it, that could be a lot of people at risk, and that was a risk I wasn't willing to take."

Companies like TippingPoint and VeriSign's iDefense both pass along details of vulnerabilities they buy to the affected software vendors, and both withhold public disclosure of the flaws until the vendor has shipped a "patch" to plug the security holes. WabiSabiLabi's founder said the company currently has no plans to notify affected vendors, saying that could ultimately decrease the price buyers are willing to pay for any one vulnerability.

Matthew Murphy, a 20-year-old Los Angeles-based security researcher who has sold several vulnerabilities to iDefense, said he would be uncomfortable selling a flaw if he could not vouch for the buyer's intentions. But Murphy said he is more discomfited by the fact that vendors are not notified of the details behind flaws to be sold via WabiSabiLabi.

"I think that the people in the security research community who would sell to just anyone are in a relative minority," Murphy said. "Without a little bit of transparency and some kind of buyer credibility, it's not going to take off relative to other services out there."

Software vulnerability researcher Dino Dai Zovi said he's excited about the vulnerability auction service and its prospects for rewarding researchers with better prices.

"I can see this service creating much more incentives for researchers to find flaws," Dai Zovi said. "Not everyone is willing to spend 20 to 40 hours looking for vulnerabilities in [Microsoft Windows] software just to receive a little 'thank you' note in Microsoft's security advisories."

Dai Zovi said he has never sold a vulnerability, although he recently won a $10,000 bounty in an impromptu research challenge at a hacker conference in Canada. At the suggestion of conference organizers, TippingPoint offered the reward to anyone who could find a previously unknown flaw that would allow an attacker to break into a fully protected MacBook laptop computer from Apple. A few hours into the challenge, Dai Zovi found a vulnerability in QuickTime, the media player software loaded on all Apple computers as well as many Microsoft Windows machines worldwide.

It is unclear whether any major software vendors would bid on vulnerabilities in their own software. Microsoft has emphatically and publicly stated under no circumstances would it ever buy vulnerability research. Mozilla, the maker of the Firefox Web browser, offers a $500 "bug bounty" for each vulnerability privately reported to the company. WabiSabiLabi already has opened bidding on four software vulnerabilities, which it claims its in-house researchers tested to ensure that