Exploits For Sale
Security pros are keeping a wary eye on an auction site that tempts bug catchers with cash for their exploits.
If youve been in the security sector for any length of time, youve come across bugs in products. And if youre like me, youve encountered some significant flaws in widely used commercial products.
One is then forced to wonder how the heck the code tree is controlled at these places, especially since most of these problems seem to reappear after new releases. No matter, you are excited at the prospect of reporting your findings so you gear up to prepare a report. Because you are honest and youd hate to see your organization or anyone else fall victim to an exploit, you go through the normal process, careful to operate within the fine lines that etiquette dictates.
But wait, something is wrong.
Forty-eight hours later, the very same company releases a critical update to their product with zero mention of you.
Sound familiar? Of course it does.
This hypothetical scenario has turned many a mild mannered security researcher into a salty, cussing buccaneer. Wouldnt it be nice if you could actually get some kind of recognition for your efforts? Even better, how about a cash reward?
Fresh Exploits, Get Yer Exploits Here!
Today, that pipe dream has become reality thanks to the folks at Switzerland-based WabiSabiLabi (WSLabi). In the spirit of Ebay, you can now go to their site, create an account and buy and sell exploits. Of course youll have to go through a vetting process, which requires you to submit a copy of your ID before you can complete an auction. But hey, if you have eight bucks, you can be anyone you like. Perfect!
For the legitimate researcher, this may break open a new revenue stream while at the same time, open a fast track of attack vectors via a supermarket of exploit code available to crime groups and various other shady individuals. Most security experts agree that this new auction approach to exploit code is dangerous. Many of the experts Ive spoken to believe that the site will do nothing more than provide a way for extortionists to make money.
In any other venue, people would be up in arms over this. said one computer security professional. We know that most legitimate security researchers do not do it for the money while we also know that most criminal researchers are out looking for a payday. This site provides yet another revenue stream for criminals.
Even with all of the press on WSLabi, right now there are only four live auctions on the site with one bid on a kernel exploit. The amount of that bid is 550 Euros which is just a touch over $750.
WSLabi states, Both researchers and buyers will have to identify themselves to WSLabi to ensure they are legitimate. Researchers cannot submit security research material which comes from an illegal source or activity. Buyers will also be carefully vetted before being granted access to the auction platform so that the risk of selling the right stuff to the wrong people is minimized.
One has to ask, How will you know if research material comes from an illegal source or activity?
Unlike tangible goods that have serial numbers, research materials are next to impossible to validate. Interestingly, the only mention of validation is how WSLabi will make sure that the proof-of-concepts actually work. WSLabi will then verify the research by analyzing and replicating it at their independent testing laboratories. They will eventually then package the findings with a Proof of Concept; this can then be sold to the marketplace via three methods from the marketplace platform...
So there you have it folks. It remains to be seen if this new marketplace will actually take off but one thing is for sure, even if this venture fails, the black market for exploits is still teeming with life.
If you cant sell your exploits at WSLabi or any other venue of the like, there is no shortage of shady characters willing to lay down cash for your discoveries. And this will not change anytime soon.
This article was first published on EnterpriseITPlanet.com