Recently Gartner slammed 3Com’s TippingPoint division for sponsoring zero-day contests without giving the vendor, Apple Inc., a chance to fix the flaws before its patch release. They apparently paid a $10,000 bounty to Dino Dai Zovi, a distinguished security researcher, at the recent CanSecWest conference.
Wow! It is rather ironic that a security company, which presumably wants to protect customers, will first put everyone at risk, not notify the vendor on time, and then release signatures! The anti-virus community, long the target of (bogus) claims that it writes viruses to make money, wouldn’t touch a contest like this with a barge-pole. In fact, even staunch full-disclosure advocates note the ethical disconnect implicit in security companies producing content earlier than their competitors via such initiatives (see http://blog.ncircle.com/archives/2005/08/3coms_zero_day_initiative_cest.html and our premier issue of Sage).
As security vendors, our mission is to protect our customers and the internet community at large, not to create hype and FUD by giving the world a chance to exploit unpatched flaws! Failing to disclose to anyone leaves the good guys in the dark - but supporting irresponsible disclosure gives the bad guys night vision…

May 7th, 2007 at 9:31 am
[…] Rahul Kashyap at McAfee takes 3Com to task for the QuickTime drama: […]
May 7th, 2007 at 10:32 am
Um, ZDI _did_ provide Apple with the vuln details and did give them a chance to fix these flaws before their _coordinated_ disclosure. In fact, Apple’s updated QuickTime packages hit their update servers at the same time ZDI disclosed the vulnerability.
Please get your facts straight.
May 7th, 2007 at 11:57 am
[…] Source: Computer Security Research - McAfee Avert Labs Blog Published May 07 2007, 02:52 PM by cmosby Filed under: Security and Anti-Virus, Patch Managment, Internet Applications […]
May 7th, 2007 at 12:47 pm
For your reference, the actual facts of the entire matter can be found here:
ZDI advisory is here with timeline of disclosure events (vuln disclosed 30 minutes to Apple after officially buying it from Dino).
ZDI disclosure policy here.
Final thoughts and rebuttals on the hacking contest in our blog posting here.
In order to help protect a larger customer base than our own, we also share ZDI information free of charge to any IPS competitor that asks for it, with minimal fine print.
May 7th, 2007 at 7:12 pm
Hey Terri, et al
It’s a very simple, basic rule that we follow as a security vendor that I want to point out in this blog (no homework required on this): Rule #1 - Protect (the customer and the internet community at large)
We all appreciate vulnerability research in general, we’ve never said anything against that (in fact we acknowledge security researchers in the Sage article that I had earlier pointed out). But the question here is about ethics. Why would a security vendor want to sponsor an activity that can potentially put users at risk before a patch has been out? As you said, “(vuln disclosed 30 minutes to Apple after officially buying it from Dino).”
Isn’t it unfair to give absolutely no notice to a vendor to patch?? How would you feel as a vendor if you were told that a new vulnerability has been disclosed and news has already started floating out in the public? Given that the timelines for creating exploits for vulnerabilities are now becoming shorter and shorter, you’re effectively putting everyone using QuickTime (in this specific case) at risk.
About McAfee’s stance on vuln disclosures, you can find it here: http://www.mcafee.com/us/threat_center/report_vulnerability.html
As regards the ZDI model, we’ve already discussed this in our sage article (by Stuart McClure) that I had initially pointed out. [http://www.mcafee.com/us/local_content/white_papers/threat_center/mcafee_sage_v11_en.pdf ] Let me give you some excerpts from this (in case you haven’t read it):
“…If companies provide a cash reward for bugs found in their own software, that’s a good thing. After all, if a researcher has invested his or her time finding a bug, it’s fitting for the benefiting vendor to pay for the work.
But when security companies pay for finding bugs in other vendors’ software, the results may not be so beneficent.
By using the research of others to publicize vulnerabilities, for example, these companies may sell more subscriptions to their threat intelligence services and gain publicity from it—in other words, they will make money”
“…From the customer’s perspective, the disadvantages of such a vulnerability discovery program are many. The more vulnerabilities that are found, the more you must fix to protect yourself; and the more you must fix, the fewer you inevitably will. Further, the more people involved with a particular finding, the more likely that information about the vulnerability will leak out. And a leak means that someone can build a worm that will affect customers before they are patched or prepared. The last point strongly undermines the expressed goal of the program: to protect people.”
“…If an organization offers payment to motivate individuals to report their findings and uses that information to improve its own products, then who can blame them? Or if a vendor discovers vulnerabilities as part of its everyday fight against threats and wants to incent its team members to report their findings, then such a program benefits everyone. But if payment programs simply fill the coffers of malicious hackers who look hard for more and more vulnerabilities, then vendors, customers, and legitimate researchers are all hurt.
In the first case, vulnerability disclosure means everyone wins; but in the second case, we all lose.”
May 7th, 2007 at 10:43 pm
Rahul,
While I respect your opinion and assertions, and in fact used to share those opinions at one time, I think you are misunderstanding a primary point:
You say:
“Isn’t that unfair to give absolutely no notice to a vendor to patch?? How would you feel as a vendor if you were told that a new vulnerability has been disclosed and news has already started floating out in the public? Given that now the timelines for creating exploits for vulnerabilities is becoming shorter and shorter, you’re effectively putting everyone using QuickTime (in this specific case) at risk. ”
What I think you are missing here is that Apple *was* given the time to patch. When Dino found the vulnerability, he sold it to the ZDI and did NOT disclose it to anyone else. We turned over the vulnerability to Apple within 30 minutes of contracting it. We did NOT disclose the details of the vulnerability to the public. Apple spent a week getting a patch ready, and when they released a patch we released an advisory.
Media inquiries about the fact that a vulnerability existed vs. customers being at risk are not the same thing. If the press heard that the sky was falling, and asked me to comment, and I said “Yes, the sky is falling soon…” that doesn’t mean that the sky has fallen, or that you now know how it will happen.
Purchasing the vulnerability from the contest that was already taking place was no different than any other vulnerability that the Zero Day Initiative handles - except for the fact that it was, after all, a contest - and reporters were on site to write stories about whomever won.
Had I specifically given them details about the vulnerability, how to use it, and maybe a little example of how to reproduce it… I would be happy to have you call foul. Since that was NOT the case, it’s incorrect for you to claim it was.
If you have a problem with the practice of purchasing vulnerabilities, that’s ok, and I respect (and used to share) your opinion - but please do not make false statements regarding responsible disclosure, when the details of this vulnerability were, in fact, disclosed responsibly to Apple on the same day (hour) we purchased it.
Regarding this excerpt you quoted:
“But if payment programs simply fill the coffers of malicious hackers who look hard for more and more vulnerabilities, then vendors, customers, and legitimate researchers are all hurt.
In the first case, vulnerability disclosure means everyone wins; but in the second case, we all lose.”
I think Dino (and every ZDI researcher out there) would disagree with being called malicious. Did you know that the majority of security researchers I’ve met are not malicious? In fact, I worked in Microsoft’s Security Response Center directly dealing with researchers and fixing vulns for many years - and what always surprised me the most is that I never actually *met* any criminals.
Well, almost true… I did meet Kevin Mitnick one time at BlackHat, but he’s not a *real* security researcher and doesn’t actually count.
What I do grow tired of is the idea and constant misassertion that researchers are criminals. The criminals don’t sell their vulns to ZDI - they are too busy using them to make amounts of money that we could never keep up with. Additionally, criminals don’t seem to show up at conferences and give away their 0day just to win a Mac. They are busy automating the process of taking other people’s vulns and exploits and turning them into cash for information warfare, industrial espionage, and nation/state hostilities.
In the world of vulns, there are a lot of people to be afraid of - but those folks aren’t generally running around conferences hacking Macs, and they probably aren’t selling to ZDI.
And did you know, that we do not redistribute vuln information to any sort of paid subscribers as the report you cite claims? Not even our own IPS customers get information about the vulns we buy until AFTER the vendor patches them. Until the vendor releases a patch themselves, all our customers know is that they have a filter for a Zero Day vulnerability. That’s it.
May 8th, 2007 at 6:30 am
Rahul,
I think you’re confusing CanSecWest announcing a winner to the Hack a Mac contest with ZDI releasing details of the vulnerability. It’s not the same thing, and as far as I saw reported, only ZDI, the matasano researcher, and Apple ever had access to the 0day details and exploit. The fact that Apple thanked them all in their advisory should be clue enough.
With regard to your company’s stance on paying for vulns, I think Mike Rothman said it best:
“…there is very little incentive for security researchers to do their job. They are all finding these bugs in their free time. Sure it helps notoriety and is basically a marketing expense, but this isn’t how they pay the bills. So putting a little bounty is place isn’t a bad thing. Remember, there is a huge community of security researchers out there called the bad guys. They are finding holes and breaking things ALL THE TIME. We need to find ways to allow folks on the right side of the battle to do what they do, and make some money. That’s good for all of us. ”
I think in general, the industry has warmed to the idea of paying researchers (with the exception of TippingPoint’s competitors - including McAfee).
Richard
May 9th, 2007 at 12:02 pm
So Rahul - is this your organization’s idea of responsible?
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=528
“VIII. DISCLOSURE TIMELINE
08/14/2006 Initial vendor notification
10/17/2006 Second vendor notification
02/07/2007 Third vendor notification
02/08/2007 Initial vendor response
05/08/2007 Coordinated public disclosure
6 months to even RESPOND to a reported vulnerability in your product??? What do you say to that? Maybe McAfee should stop criticizing other competitors and start working on their own policy!
May 11th, 2007 at 2:46 pm
…as a simple end-user/administrator and NOT a security researcher, I’m probably not the most qualified person in the world for commenting on this.
So, excuse me if I seem kind of “intruding” here, but I’m pretty sure that since my thoughts are also shared by a wide area of customers, they also have their value…
Amongst various articles responding to McAfee’s statements for ZDI,
the response that mainly attracted my interest was this one…
http://blog.ncircle.com/blogs/vert/archives/2007/05/why_zdi_benefits_everybody.html
So, allow me to copy/paste a few words from there and comment on them…
“They referenced a two year old post by a former employee and attempted to use it as ammunition in their obvious attack on Tipping Point.
I find it most interesting that their attack has so little basis that the only ammunition they could find came from a two year old post… The security industry is constantly growing and changing… It’s changing so fast that I would consider a post from 6 months ago to be too old to act as a reliable reference.”
I guess that THEIR way of referencing “former employees’” statements
is also giving away some food for thought…
6 months, 2 years, 20 years or whatever… now, I really don’t get this one:
since when did ethics become… time-dependent?
Maybe since time became… equal to money?
And later, in the same article:
“Enter ZDI and iDefense. Now you have a third option, you sell the vulnerability you discover to one of these companies and suddenly everyone benefits. You walk away with some cash in your pocket, the vendor deals with a company that believes in responsible disclosure and the purchaser of the vulnerability has new value-add for its customers. “Yes we’ll identify this vulnerability that the vendor isn’t even aware of yet.” Everyone wins.”
…Enter ZDI and iDefense… Now you have a third option…
You walk away with some cash in your pocket… Everyone wins… tic-toc, tic-toc… when you wake up, you’ll remember nothing… Enter the Dark Side… the Matrix has you…
May 14th, 2007 at 10:26 am
Hey Terri (and others),
Thanks for your elaborate reply. As you mentioned, yes, I can also see that your stance on such bounty programs has changed. Security research is definitely *capable* of benefiting everyone as long as people behave responsibly and ethically. There’s no doubt about that. What we’re discussing here is the ethics aspect and NOT security research.
As I have previously mentioned, Stuart states in his Sage article an example of a malicious hacker who had brought down a website (http://www.techworld.com/security/news/index.cfm?NewsID=3465 ) and someone with the same alias ATmaCA was credited with finding a new vulnerability in your own ZDI program (http://www.zerodayinitiative.com/advisories/ZDI-06-015.html ). Is this the same person? Possibly, and we do not know what *other* damage he/she might have done, now that he/she is well funded! This lack of accountability is what is really *BAD*.
Exploits are like digital weapons, and vulnerabilities are the raw materials. People who run bounty and compensation programs are the equivalent of arms dealers with ineffective laws and no oversight. There is absolutely no way of guaranteeing that bounty programs do not go astray in the confusion or are misused. These programs are tantamount to funding weapons creation in the digital age and the people running the programs have no accountability. Yet, when something goes astray with an exploit generated from their disclosed vulnerability or researcher, they have no risk from benefiting from the press and exposure.
Secondly, you mentioned that “Dino (and every ZDI researcher out there) would disagree with being called malicious.” I think that it is unfair for you to drag Dino into this because, if you scroll up, I’ve explicitly mentioned that we are NOT against security research. In fact McAfee Avert Labs has some of the top notch security researchers in the industry and no one can doubt that fact. What we need to note here is that as the funding party of this event, can you guarantee that the next time you allow this, no POC or exploit gets leaked in the next conference? The point here is again responsibility and ethics, that’s exactly what Gartner is saying here again [ http://www.gartner.com/DisplayDocument?id=504693&ref=g_sitelink&ref=g_SiteLink ]
We’re here in the security industry to make things better and not to fund activities that are irresponsible and give us a ‘coolness’ factor buzz in the media.
September 17th, 2008 at 2:26 pm
[…] http://www.avertlabs.com/research/blog/?p=270 - […]