Fool Disclosure Woes

Monday, December 14, 2009

Every so often we come up with some crafty methods to research security threats, theories and vulnerabilities and yet many times we’re left lingering with the feeling of guilt by not disclosing security holes. I believe this is a feeling shared by many ethical security researchers: “To disclose or not to disclose…”

SNE,HNE,SNE

Full disclosure is a double-edged sword for vendors and researchers alike. On the one hand, disclosing a vulnerability theoretically allows users of a product to be made aware of the risk associated with using it. On the other hand, it allows many a shady character to potentially capitalize on a vulnerability. This could lead to huge financial losses, reputation disruptions, and loss of potential services and/or revenue. There are also the potential savings of creating an in-house patch immediately as opposed to waiting for a vendor.

There have been and will continue to be many arguments for both disclosing and not disclosing vulnerabilities. Here are my personal gripes:

And you are who?

Too many large companies have this “ego” surrounding them; “We’re CompanyX… Market Cap 1.2 Billion!” They’re quick to sic a team of legal eagles when it comes to disclosing information that is not favorable to them. [1]

As a researcher, I tinker. There is a personal satisfaction gained when I discover a flaw. Rather than deal with the possible legal hounds flooding my inbox, I always (repeat always) make it a point to contact a vendor to get some dialog open. Personally I feel that it’s the right thing to do; however, I have noticed throughout the years that too many vendors keep security issues under the table. This is the part that eats at me as a researcher. “Here I am contacting you, so you can fix your mess up, you send a generic thanks and shoot something off into the backburner…” I can count right now about seven publicly traded companies that I have contacted with vulnerabilities stretching over three to four years, with all seven companies asleep at the wheel.

It seems that unless a researcher desires to unload a bomb a-la “Full Disclosure” (without contacting the vendor), nothing will ever be fixed. Yet when this is done (Full Disclosure), companies are quick to prop up the damage control departments. It’s a lose-lose situation, one that needs to be addressed within many a PSIRT department. Did I type that? SIRT, CERT, ISIRT, ESIRT or whatever acronym you decide to call your incident response, security research, security development team.

Development to Market

How many companies outside of Microsoft release developmental programs under the term “stable” edition slash version? While I can’t see many companies spending fortunes on hiring out professional fuzzers or application testers, when will these companies take a second look at the benefits of working with researchers? Let’s create a fictitious company and call them SupersoftWare. SupersoftWare develops widget gizmos that allow super accurate measurements of a WAN link. The cost for the gizmos is $500.00 (USD) and they’ve gained over 100,000 sales in the first year and are a profitable company.

Recently, a researcher discovered a vulnerability in SupersoftWare that allows a remote user to access any device on that WAN. Can we calculate the total cost for this vulnerability if it were brought to market? Security researchers know there is a market for vulnerabilities both on the good side [2] and the bad side [3]. How much would it cost SupersoftWare in potential lost revenue – if some of their existing clients jumped ship? A one percent loss would equate to $500,000.00 (1,000 clients * $500.00). How much would it cost a company to run SupersoftWare’s gizmo with a potential hole in it? We can apply a qualitative or quantitative approach; the difference wouldn’t be much, as the facts would remain the same: Remote user can access your device… How much risk are you willing to take?

As a company, do you market it away? Do you spend money on hiring legal eagles and sic them after the researcher? How about (*drum roll*) working with the researchers from time to time? What costs are associated with that? Here you have a researcher who took the time to contact you; use it to your benefit. Send them a SupersoftWare gizmo to use for R&D. I’m positive the researcher would appreciate the equipment, it costs you less in the long run and you get free bughunting. Imagine that.

So small a target

“The possibility of someone using this attack is so small!” Imagine for a moment you could think for anyone else in this world. Imagine how rich you’d be if you could. Personally, I’d hang around Warren Buffett’s parking lot to get a glimpse on becoming a millionaire. Many individuals in companies often overlook the potential of one US dollar. You’ve read it correctly, ONE US Dollar. That dollar is what millions of attackers are aiming for – albeit in bulk. While a company may see a small target, at 1% of the fictitious SupersoftWare company compromised, the potential to make money is endless. Not only is it endless, it’s there for the taking. Never underestimate the power of an attacker; there will always be hundreds of thousands of attackers for every security staffer you have. There is no such thing as a small target. Even one company with one employee can be compounded to cause an extreme amount of damage.

To taper this down a bit before it becomes a book, I sit here wondering; to disclose or not to disclose, that is the question. 51 vulnerabilities in under an hour… “Hi whom do I contact in regards to…” Error 404

[1] http://www.wired.com/politics/security/news/2005/08/68365 “Router Flaw Is a Ticking Bomb”
[2] http://www.zerodayinitiative.com/
[3] http://securityevaluators.com/files/papers/0daymarket.pdf

Original Post:
http://www.theaeonsolution.com/security/?p=63