Author Topic: Greed and obscurity over security  (Read 3319 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33871
  • malware fighter
Greed and obscurity over security
« on: July 07, 2006, 11:10:03 AM »
Hello you malware fighters,

Some pay out for new vulnerabilities and holes to earn on warning the unprotected.
Creepy and obscure methods. Read about this here:
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/6bfa7f90/PLEBO-2006.06.01-VULNBIZ_OF_EEYE_IDEFENSE.obj

and form your own opinion,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

drhayden1

  • Guest
Re: Greed and obscurity over security
« Reply #1 on: July 07, 2006, 02:38:51 PM »
polonus-hi

couldn't get that link to load--can you check it and let me know-sounds interesting 8)
i get a alert--this document contains no data error after @60 seconds of trying to load link
« Last Edit: July 07, 2006, 02:41:59 PM by drhayden1 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33871
  • malware fighter
Re: Greed and obscurity over security
« Reply #2 on: July 07, 2006, 02:50:42 PM »
Hi drhayden1,

Mine opens fine, well here is an exerpt of the contents:
REPORT NAME: PLEBO-2006.06.01-VULNBIZ_OF_EEYE_IDEFENSE


1. SUMMARY
~~~~~~~~~~
The business of vulnerability discovery and development has evolved rapidly in recent years.
It has remarkable implications for the information technology industry and the world.
For example, the rise of Firefox could never have happened if there had not been 0day attacks against Internet Explorer.

To understand this business, Plebo Aesdi Nael chooses two representive companies for thorough analysis:
eEye, an entity that sells security tools(sniffer, scanner, etc) and hosts a team dedicated to the research of vulnerability discovery.
iDefense, an entity that conducts various research and buys vulnerabilities and then sells them to customers("governments and Fortune 500 organizations").

For eEye we'll study the tactics of its team dedicated to vulnerability discovery.
For iDefense we'll try to figure out how it profits by trading intelligence.

2. EEYE
~~~~~~~
First of all here is the analysis of the benchmark of eEye's team dedicated to vulnerability discovery.

T

Our conclusion for eEye's team dedicated to vulnerability discovery:
Always, words in advisories chosen carefully to unmistakably describe every aspect in great detail;
Usually, good at blind fuzzers targeting various binary files and packets;
Sometimes, able to conduct research against complicated problems and achieve excellent result.

The future of this team is not clear, due to growth of players with the same tactics, and more protections recently applied at OS level.


6. IDEFENSE
~~~~~~~~~~~
According to its website, iDefense makes money by selling information to customers.
Information such as private vulnerabilities, research papers, malicious code analysis, threat reports, news alerts, etc.
Judging from the official website, the only worthwhile material would be private vulnerabilities,
since quality of other materials are not far above the level of average security websites, and hardly benefits professionals.

Currently iDefense is owned by VeriSign, bought at the price of $40m in 2005("7. IDEFENSE: NEWS - VERISIGN BUYS IDEFENSE").

In a modest way, presumably iDefense generates 10 percent of the $40m price tag every year, equal to $4m/yr;
Again presume in a modest way, half of $4m/yr is directly from trading private vulnerabilities, equal to $2m/yr;
Meanwhile, by exaggeration, presumably iDefense receives 10 useful vulnerabilities every year, as 10v/yr;
We can see, as a very modest estimate, one useful vulnerability gives $0.2m to iDefense.

By carefully examining historic advisories from iDefense, we noticed there was significent delay of reporting to vendor:
After receiving a vulnerability, iDefense delayed weeks and sometimes months to report it to vendor("8. IDEFENSE: RECORD - DELAY OF REPORTING TO VENDOR").
As a company in information technology industry, weeks are time long enough to be very useful.
One bold but not groundless guess would be that, vulnerabilities under control of iDefense were generating profits during those weeks when vendors were not notified.
Nowadays iDefense don't provide the date of "Disclosed to iDEFENSE" anymore.

Our conclusion for iDefense:
Major service is private vulnerabilities;
Have connections to profit millions by providing this service;
Possibly good at bargin to buy private vulnerabilities from the globe(not confirmed, as "9. IDEFENSE: PHC - p62-0x06").

7. IDEFENSE: NEWS - VERISIGN BUYS IDEFENSE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VeriSign buys iDefense for $40 million
http://news.zdnet.com/2100-1009_22-5787653.html
By Joris Evers, CNET News.com
Published on ZDNet News: July 13, 2005, 9:00 PM PT

V

iDefense, a Delaware Corporation, is a born-again security company that
sells intelligence to clients, willing to pay exorbitant sums of money
in order to learn what Chinese hackers are doing on IRC or learn about
new vulnerabilities in software packages no one knows about.

Though previously such intentions were considered merely alarming or
simply "laughable," iDefense has decided to overstep its original goal
of merely releasing contributed vulnerability information on behalf of
paid clients and actually release vulnerability information that has
leaked, without the knowledge or approval of the discoverers or exploit
authors. Just such a thing has happened as shown by the recent iD
sadmind vulnerability release. Thanks to HD Moore, the master of
re-constructing tcpdump logs into perl scripts for creating an exploit
for this vulnerability which could then be used by the entire world!


II. DESCRIPTION

iDefense has developed an exploit targeting previously undisclosed
information disclosure vulnerabilities within the Whitehat community.
The exploit works by tempting noted figures within the public
full-disclosure and underground hacking communities with payouts in
exchange for their leaking of vulnerabilities and working exploits to
Dave Endler.

This exploit is initially delivered by an email from Dave, asking if the
individual is interested in making money from any vulnerabilities that
they have knowledge of for which they have working 0day exploits.

If the individual accepts the message sent from iDefense, they are asked
to disclose to iDefense the nature and effect of the vulnerability. Upon
acceptance of the information by iDefense, an iDefense Labs ID# is
assigned to the individual and a offer (pay0la) is made. Payment may be
delivered thru paypal, Western Union, or wire transfer.

In exchange for payment, the individual agrees to give up any copyrights
or other intellectual property rights to the exploit and vulnerability
information they sold to iDefense.

iDefense then turns around and notifies its clients of the
vulnerability, and at times, coordinates the bugfix with the vendor.

-

III. ANALYSIS

The anonymity and potential money offered by iDefense to whitehats in
exchange for vulnerability information is very tempting. This exploits
one of the more sensitive of vulnerabilities existing in the community,
and what sets whitehats apart from true blackhats -- Greed. Phrack Labs
has been studying this vulnerability for the past year.


I

VI. CREDIT

Dave Endler, without whose inept handling of contributor information
none of this would be possible.


Get paid for security research and have your d0x dropped.
http://www.idefense.com/contributor.html


About Phrack High Council

PHC is a global security intelligence organization that proactively
monitors whitehats throughout the world - from honeynet projects and
false-prophet IDS vendors to untrustworthy blackhat wannabes. Our
intelligence services provide members of the underground with timely
access to actionable intelligence and decision support on
security-related threats.  For more information, visit
http://phrack.efnet.ru .


|=[ EO


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

drhayden1

  • Guest
Re: Greed and obscurity over security
« Reply #3 on: July 07, 2006, 02:55:38 PM »
thanks polonus :D

out into the real world ::)

have a good one avast! world

http://www.idefense.com/contributor.html

polonus-here's one of the errors i get trying to open one of the links

page not found...does not exist on this server :o ::)
« Last Edit: July 07, 2006, 03:02:30 PM by drhayden1 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33871
  • malware fighter
Re: Greed and obscurity over security
« Reply #4 on: July 07, 2006, 03:09:41 PM »
Hi drhayden1,

That link does not work neither for me, apparently became victim of the proverbial 'aftermath' linkrot.
But you see from the exerpt of the article the general idea of the workings of these two  firms, the obscurity of the whole affair is mainly hidden in the fact, that the general public is kept in the dark about existing vulnerabilities, and even worse it takes too long before the software owners are informed, so some can fill their pockets in the mean time.

What was behind the link, we don't know. What do you get from Idefense?
As well, we are increasing the value of the Incentive and Retention
reward programs and launching a new Growth reward program. Details on
the new pricing structure for each program are below. More in depth
descriptions of the programs can be found on our website at
http://www.idefense.com/poi/teams/vcp_reward_programs.jsp.

Retention program:
The retention program is designed to reward the top five contributors
each year. The old and new pricing structures are as follows:

Old New
1 $5,000 $10,000
2 $4,000 $8,000
3 $3,000 $6,000
4 $2,000 $4,000
5 $1,000 $2,000

Incentive program:
The purpose of the incentive program is to reward the top three
contributors for each quarter. The old and new pricing structures are as
follows:

Old New
1 $3,000 $5,000
2 $2,000 $3,000
3 $1,000 $1,000


polonus

« Last Edit: July 07, 2006, 03:12:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

drhayden1

  • Guest
Re: Greed and obscurity over security
« Reply #5 on: July 08, 2006, 12:32:16 AM »
thanks polonus-for all the information because of the links not loading for some reason :D

Wdzięczności *polonus-for* cała informacja z powodu łącznoś& nie ładujący (ładowanie) z pewnych powodów

« Last Edit: July 09, 2006, 01:53:33 AM by drhayden1 »