[Infowarrior] - Just Who's Being Exploited?

Richard Forno rforno at infowarrior.org
Tue Apr 22 03:22:21 UTC 2008


 Just Who's Being Exploited?
Jamie Reid, 2008-04-21
http://www.securityfocus.com/columnists/470?ref=rss

A cynic, it has been said, is someone who knows the price of everything and
the value of nothing.


"In spite of all the vendor-hacker goodwill that 0-day purchasing schemes
have been designed to promote, something isn't adding up."

Last month's revelation that Tipping Point paid a prize of $10,000 and a
new laptop (MSRP: about $2000) at the CanSecWest conference to researcher
Charles Miller of Independent Security Evaluators, in return for an
exclusive license to a heretofore unpublished vulnerability in Apple's Safari
web browser, may lend some credence to this adage.

The topic of 0-day vulnerability pricing is not new. Attempts to derive a
price that precisely values the exclusive knowledge of how to secretly
control millions of hosts vary in their approach, but the $10,000 bounty
posted by Tipping Point resonates with many as a fair price for a remotely
exploitable, admin-privilege-yielding vulnerability in a widely deployed
software package. Competitors in the bug-buying space, such as WabiSabiLabi's
auction scheme and iDefense's VCP, offer lower rewards but provide
differently structured incentive packages for disclosing 0-day exploits to
them.

One professional security researcher, when asked to provide an estimate,
said, "[The time] depends on the person and tools they know," and elaborated
that the specific circumstances around the vulnerability change the amount
of effort, replying, "[For him it] can be anywhere from a few minutes for an
ActiveX vulnerability to a couple of days for a system vulnerability." Based
on his personal consulting rates, his estimate agrees with the figure of the
Tipping Point prize: "probably under $10,000".

Some arithmetic and a simple cost-benefit analysis, however, suggest that
researchers may be vastly underbidding buyers. Given the cost of cleaning up
after a worm, and even a fraction of the exaggerated damages some companies
claim in computer crime cases, a bounty of $10,000 is a song.

If you are a twenty-something computer-science student in a former Soviet
state and your prospects for gainful employment are limited to running DDoS
botnets for extorting casinos and porn sites, sure, $10,000 is a tidy sum.
But from the perspective of a potential victim of a worm infestation, this
bug finder's fee wouldn't cover the premium of an insurance policy against
the damage from a 0-day worm.

A useful treatment of what vulnerabilities can be worth has been written by
the same researcher who won the CanSecWest competition, Charlie Miller. In
his paper, The Legitimate Vulnerability Market: Inside the Secretive World
of 0-Day Exploit Sales, he describes how a buyer associated with a
government agency (presumably American) paid $50,000 for an exploit for a
vulnerability in an unspecified Linux daemon back in 2005.

A source I spoke with close to the Tipping Point ZDI program indicated that
the vast majority of bugs the program receives are cross-site scripting and
SQL injection attacks against "dinky web applications," such as bulletin
boards, counters and blogging tools, and while paying for these relatively
"crappy" bugs is a loss, buying only a few really good 0-day bugs at $10,000
justifies paying for the less serious ones.

There are a few factors, however, that the prices paid by Mr. Miller's
spooky government customers, and the existing vulnerability buying programs,
do not seem to take into account.

The first appears when one considers what it would cost a given
organization to find 0-day vulnerabilities itself, plus the opportunity cost
of assigning its own resources to the task: by that measure even $50,000 is
low. Assume that a government hires a consultant with successful,
first-hand vulnerability development experience, and we can play with some
ball-park figures.

Security consultants at a Big-5 consulting firm bill about $1200 a day for a
junior consultant and $2500 a day for a senior one. According to Charles
Miller, the winner of the Pwn2Own challenge at CanSecWest, it took three
weeks to find and develop an exploit for the Safari browser. So, consider
that 15 days of security consulting at the Big-5 rate costs between $18,000
and $37,500, and compare it to Miller's $12,000 gross win. In this case, that
is a pretty hefty agency fee. Not that there is anything wrong with that, but
it does suggest exploit writers may not be the only ones doing the
exploiting.

The sources I spoke with also indicated that the bar is much higher for bug
finders now than it was 5 years ago. A working understanding of reverse
engineering, assembly languages, stack protection schemes and memory
management is necessary to find serious vulnerabilities in most software.
However, the sources acknowledged that ready-made shellcode from projects
like Metasploit keeps the bar from rising to an unreachable level.

These liberal estimates of consulting time assume that hackers of the
calibre to develop 0-day on order are available to a government. Sure, there
are a few good hackers out there relative to the number of security
professionals, but demand for them from cash-hemorrhaging security start-ups
keeps most good hackers out of public service.

Even the clumsy, rudimentary risk pricing of Annualized Loss Expectancy
(ALE), which estimates the projected cost of recovery from a single incident
multiplied by the number of likely occurrences per year, makes worm defense
worth hundreds of thousands of dollars for a bank, hospital or large
enterprise. When the costs of recovery projected by IT security risk models
are compared with the amounts being paid for 0-day vulnerabilities, there is
a big, scary gap that shows one of the following:

   1. according to the market prices for 0-day exploits, the security risk
      from 0-day vulnerabilities is vastly overestimated,
   2. according to IT risk models, vulnerabilities are completely
      underpriced, or
   3. most 0-day developers lack basic negotiation skills.

The turnaround on the winning Pwn2Own exploit was a few weeks for a very
experienced creator, and, anecdotally, since the average security consultant
doesn't even code, it would take one significantly longer than three weeks
to find and develop a working 0-day exploit.

Maybe the middle ground in all of this, however improbable, is for exploit
writers to exchange 0-day exploits for a royalty agreement paying out for
each IDS installation that uses a signature for their exploit. The business
of security companies is to package costs and pass them along to customers
with a premium, and a royalty program would improve the incentives, and in
turn the quality of development done by lone hackers.

Somehow, the cost-benefit equation has to be rewritten to better favor the
legitimate, yet difficult, work of security researchers. Because, in spite
of all the vendor-hacker goodwill that 0-day purchasing schemes have been
designed to promote, something isn't adding up.

But perhaps I am just a cynic.


Jamie Reid is a privacy, security and risk consultant to healthcare agencies
in Toronto.
