Hi drhayden1,
Mine opens fine, well here is an exerpt of the contents:
REPORT NAME: PLEBO-2006.06.01-VULNBIZ_OF_EEYE_IDEFENSE
1. SUMMARY
~~~~~~~~~~
The business of vulnerability discovery and development has evolved rapidly in recent years.
It has remarkable implications for the information technology industry and the world.
For example, the rise of Firefox could never have happened if there had not been 0day attacks against Internet Explorer.
To understand this business, Plebo Aesdi Nael chooses two representive companies for thorough analysis:
eEye, an entity that sells security tools(sniffer, scanner, etc) and hosts a team dedicated to the research of vulnerability discovery.
iDefense, an entity that conducts various research and buys vulnerabilities and then sells them to customers("governments and Fortune 500 organizations").
For eEye we'll study the tactics of its team dedicated to vulnerability discovery.
For iDefense we'll try to figure out how it profits by trading intelligence.
2. EEYE
~~~~~~~
First of all here is the analysis of the benchmark of eEye's team dedicated to vulnerability discovery.
T
Our conclusion for eEye's team dedicated to vulnerability discovery:
Always, words in advisories chosen carefully to unmistakably describe every aspect in great detail;
Usually, good at blind fuzzers targeting various binary files and packets;
Sometimes, able to conduct research against complicated problems and achieve excellent result.
The future of this team is not clear, due to growth of players with the same tactics, and more protections recently applied at OS level.
6. IDEFENSE
~~~~~~~~~~~
According to its website, iDefense makes money by selling information to customers.
Information such as private vulnerabilities, research papers, malicious code analysis, threat reports, news alerts, etc.
Judging from the official website, the only worthwhile material would be private vulnerabilities,
since quality of other materials are not far above the level of average security websites, and hardly benefits professionals.
Currently iDefense is owned by VeriSign, bought at the price of $40m in 2005("7. IDEFENSE: NEWS - VERISIGN BUYS IDEFENSE").
In a modest way, presumably iDefense generates 10 percent of the $40m price tag every year, equal to $4m/yr;
Again presume in a modest way, half of $4m/yr is directly from trading private vulnerabilities, equal to $2m/yr;
Meanwhile, by exaggeration, presumably iDefense receives 10 useful vulnerabilities every year, as 10v/yr;
We can see, as a very modest estimate, one useful vulnerability gives $0.2m to iDefense.
By carefully examining historic advisories from iDefense, we noticed there was significent delay of reporting to vendor:
After receiving a vulnerability, iDefense delayed weeks and sometimes months to report it to vendor("8. IDEFENSE: RECORD - DELAY OF REPORTING TO VENDOR").
As a company in information technology industry, weeks are time long enough to be very useful.
One bold but not groundless guess would be that, vulnerabilities under control of iDefense were generating profits during those weeks when vendors were not notified.
Nowadays iDefense don't provide the date of "Disclosed to iDEFENSE" anymore.
Our conclusion for iDefense:
Major service is private vulnerabilities;
Have connections to profit millions by providing this service;
Possibly good at bargin to buy private vulnerabilities from the globe(not confirmed, as "9. IDEFENSE: PHC - p62-0x06").
7. IDEFENSE: NEWS - VERISIGN BUYS IDEFENSE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VeriSign buys iDefense for $40 million
http://news.zdnet.com/2100-1009_22-5787653.htmlBy Joris Evers, CNET News.com
Published on ZDNet News: July 13, 2005, 9:00 PM PT
V
iDefense, a Delaware Corporation, is a born-again security company that
sells intelligence to clients, willing to pay exorbitant sums of money
in order to learn what Chinese hackers are doing on IRC or learn about
new vulnerabilities in software packages no one knows about.
Though previously such intentions were considered merely alarming or
simply "laughable," iDefense has decided to overstep its original goal
of merely releasing contributed vulnerability information on behalf of
paid clients and actually release vulnerability information that has
leaked, without the knowledge or approval of the discoverers or exploit
authors. Just such a thing has happened as shown by the recent iD
sadmind vulnerability release. Thanks to HD Moore, the master of
re-constructing tcpdump logs into perl scripts for creating an exploit
for this vulnerability which could then be used by the entire world!
II. DESCRIPTION
iDefense has developed an exploit targeting previously undisclosed
information disclosure vulnerabilities within the Whitehat community.
The exploit works by tempting noted figures within the public
full-disclosure and underground hacking communities with payouts in
exchange for their leaking of vulnerabilities and working exploits to
Dave Endler.
This exploit is initially delivered by an email from Dave, asking if the
individual is interested in making money from any vulnerabilities that
they have knowledge of for which they have working 0day exploits.
If the individual accepts the message sent from iDefense, they are asked
to disclose to iDefense the nature and effect of the vulnerability. Upon
acceptance of the information by iDefense, an iDefense Labs ID# is
assigned to the individual and a offer (pay0la) is made. Payment may be
delivered thru paypal, Western Union, or wire transfer.
In exchange for payment, the individual agrees to give up any copyrights
or other intellectual property rights to the exploit and vulnerability
information they sold to iDefense.
iDefense then turns around and notifies its clients of the
vulnerability, and at times, coordinates the bugfix with the vendor.
-
III. ANALYSIS
The anonymity and potential money offered by iDefense to whitehats in
exchange for vulnerability information is very tempting. This exploits
one of the more sensitive of vulnerabilities existing in the community,
and what sets whitehats apart from true blackhats -- Greed. Phrack Labs
has been studying this vulnerability for the past year.
I
VI. CREDIT
Dave Endler, without whose inept handling of contributor information
none of this would be possible.
Get paid for security research and have your d0x dropped.
http://www.idefense.com/contributor.htmlAbout Phrack High Council
PHC is a global security intelligence organization that proactively
monitors whitehats throughout the world - from honeynet projects and
false-prophet IDS vendors to untrustworthy blackhat wannabes. Our
intelligence services provide members of the underground with timely
access to actionable intelligence and decision support on
security-related threats. For more information, visit
http://phrack.efnet.ru .
|=[ EO
polonus
