Oct to Nov 2010 - Teletimes
Andy Greenberg
Digital Arms Dealer
NSS Labs has a plan to secure the Internet: Build a Nasdaq for hackers

Rick Moy doesn’t like to watch an unfair fight. As he sees it, malicious hackers can break into corporate and government networks using a single software vulnerability, while the good guys must painstakingly check and patch every one of thousands of potentially hackable holes in their systems.

Security auditors often use mock attacks, known as penetration tests, to find those weak points. But testing every flaw in a target’s network would require writing thousands of “exploits”--the programs used to hack into vulnerable systems. The intruder, meanwhile, need write only one.

So Moy, the 42-year-old president of NSS Labs, wants to let the laws of supply and demand even the odds. In October his research firm plans to launch an online platform that will allow researchers and penetration testers to buy and sell hacking exploits on an open marketplace known as Exploit Hub. Security researchers will be able to upload hacking techniques, name their price and sell work that until now has been profitable only through the cybercriminal black market. And security auditors will be able to download those hacks en masse to perform tests that suss out vulnerabilities in every cranny in their network.

“This is like the iPhone App Store for exploits,” says Moy. “This is how we can leverage the work of all these disparate researchers and also let them get paid for it.”

The tricky part: keeping Exploit Hub from becoming a convenient resource for breaking into the systems it’s meant to protect. Moy says NSS will carefully screen customers to sell only to known companies and agencies, and will use encryption keys to make sure it’s not selling to impostors. Just as important, the platform will host exploits only for known vulnerabilities, not so-called zero day exploits--new attacks for which software companies haven’t yet issued fixes. Moy’s goal, after all, is to help companies find fixable flaws, not demonstrate a blitz they’re powerless to defend against. “Zero days aren’t a controversy that we need,” he says.

NSS won’t be the first to try selling an array of digital weapons to penetration testers. But the largest collections currently available from Core Security Technologies, Immunity and an open source project known as Metasploit include exploits for less than 10% of the 14,000 security flaws publicly revealed in information technology systems over the last five years.

Rick Moy: Old-fashioned market forces to unstack the odds

Moy thinks that a charge-what-you-want market model will motivate benevolent hackers to create a full-fledged hacking arsenal and--if companies buy those exploits in volume--give researchers a significant new revenue stream. NSS will keep 30% of the sales and, in return, do the research necessary to guarantee buyers that the brokered code will work, while assuring sellers that they’re not offering hacking tools to cybercriminals or foreign governments.

That’s a deal that works for Mario Ceballos, an exploit writer and penetration tester for Northrop Grumman’s security team. “If they do it right this gives guys in my position a venue to put our stuff out there and make some money,” he says.

Security flaws that already have available patches may not seem like a serious problem. But the labyrinthine nature of IT setups and companies’ lax attitudes toward security mean old flaws often go unfixed. A study by security firm Qualys last year found that for some common software like Adobe Flash and Oracle’s Java, half of users still hadn’t implemented patches three months after they were released. That’s often because software updates require costly downtime to install and can create unpredictable errors.

Even skeptics of Moy’s plan, like Marcus Ranum, chief technology officer at Tenable Security, agree that more comprehensive penetration tests may be the only way to show companies how badly they need to revamp their security. “I’ve seen IT managers say that they don’t believe in attacks until you demonstrate them,” he says. “In general I don’t really approve of the idea of selling exploits. But it makes sense in the context of the entire industry’s stupidity.”
15 Oct - 14 Nov 2010
www.teletimesinternational.com
59