Last week an
article on CIO.com about a new company in the cybersecurity market co-founded
by Luigi caused a little bit of an uproar when it noted that ReVuln® would be selling vulnerabilities rather
than reporting them to vendors or national CERTs. While this is of concern to
security managers, it is hardly a new business model. What is new is that a
high-profile researcher (and Luigi has always thrived on visibility) is
publicly advertising that he is selling vulnerabilities to governments and
other ‘responsible’ entities. Add to that the fact that they are apparently
selling non-exclusive notifications to a wide variety of customers.
Luigi
Luigi made a name for himself through uncoordinated
disclosures of vulnerabilities in a wide range of software systems. As I have
noted here in a couple of instances, Luigi has taken the coordinated disclosure
route on occasion (via ZDI), but the vast bulk of his prolific disclosure
inventory has been made as simple postings on his personal
web site or via Bugtraq.
A number of commenters over the last couple of years have
questioned how Luigi could hope to make a living if he continued to piss off
vendors via his public disclosures. Those questions have apparently been
answered.
ICS Vulnerabilities for Sale
The ReVuln homepage notes that 44% of the vulnerabilities
they currently have for sale involve industrial control systems (SCADA). With
the current rise in interest in cyber-warfare and cyber-weapons these
vulnerabilities should find a relatively vigorous market with governments. Both
offensive and defensive activities will find access to these vulnerabilities to
be very valuable.
In fact, cyber-defenders are probably going to be forced to
subscribe to the ReVuln services since the company is apparently not selling
exclusive access to these vulnerabilities. Knowing that an adversary might have
access to vulnerabilities in control systems in critical infrastructure,
defenders will want to have access to the same vulnerability information to put
appropriate defenses in place to prevent their use in a cyber-attack.
Will Vendors Buy?
The ReVuln website ‘Services’ tab notes that the Zero-day
feed service is available to ‘Companies and Governments’. I’m sure that we
won’t hear from the advertising departments at any of the major vendors
that they are subscribing to this service, but I am willing to bet that there
will be some ICS vendors that will think that buying zero-day vulnerabilities
in the marketplace will, in the long run, be more cost effective than allowing
them to be available to governments and other vendors without knowing about
them. At least they would have a chance to get the problems patched if they
know about the vulnerabilities.
Actually, I’m pretty sure that vendors would do their best
to ensure that they are not seen as subscribers to this service. Luigi and
ReVuln are already going to be causing any number of other ‘independent
security researchers’ to look at the ‘vulnerability for sale’ business model.
If it becomes publicly known that any of the major vendors are subscribers, we
will see even more startups in this field.
An interesting question arises because of ReVuln’s marketing
of these vulnerabilities to ‘companies’. I don’t see anything that specifically
identifies system vendors as being (or precludes them from being) potential
customers. If they are willing, for example, to sell to ICS vendors, will
Vendor A get access to 0-days for Vendor S? Ignoring the potential marketing
advantage of knowing about the competitor’s vulnerabilities, it would certainly
make sense that Vendor A should be interested in checking their own system for
vulnerabilities similar to those found in Vendor S’s product line.
Will CERTs Buy?
The most obvious potential government agencies that could
have an interest in subscribing to this type of service (outside of the
military or intelligence services, of course) would be national CERTs. In the
US one would like to think that the ICS-CERT would be a natural customer for
this type of service. Again, a quiet customer, because ICS-CERT also has a
strong self-interest in maintaining the coordinated disclosure system.
The question for CERTs is whether the politicians will allow them
(authorize the spending) to subscribe to this type of service. On the one hand
the intelligence/military folks probably would not like to see this, as ICS-CERT
(for example) would be expected to work with the vendor to get the systems
patched. That would remove that 0-day from the potential arsenal of the
intel/military ops people.
On the defense side of the equation, how would the
government go about defending critical infrastructure
installations against the 0-days if they didn’t notify the vendor? Perhaps we will see the rise of
a defensive programming cadre within military/homeland security that would
develop their own patches for sensitive systems. I can see the military mind
coming up with that idea, but no control systems engineer with any sense would
apply a patch that hadn’t gone through the vendor vetting process. There’s no
telling what neat problems could arise.
ReVuln Security
As one would expect ReVuln takes the security of their
product line very seriously. Their web site makes it clear that the
vulnerability information is not available directly through their web site
(they securely email the 0-days to their customers) and they do not store the
vulnerability information on any of their servers. I would suspect that Luigi
and company are paranoid enough to store that information on stand-alone
computers in a secure and shielded room. After all, they don’t make any money
if someone steals their 0-days.
Regulation
One thing is pretty certain: I foresee some vendors calling
for the regulation of companies like ReVuln. As much as they have opposed
cybersecurity regulation that might have put restrictions or requirements on
their operations, someone is certainly going to call for restricting the right
of folks to sell vulnerabilities. I will be very surprised if we don’t see some
sort of pro forma bill introduced during the waning days of this session.
Actually this may be one of the reasons that Luigi and
company chose Malta as their home base (besides the beautiful weather,
picturesque countryside, and lovely blue water); the US Congress (or EU or
whomever) is going to have a difficult time enforcing local laws on their
Maltese operations.
Having said that, what would reasonable regulations look
like? Well, you can’t shut them down and you can’t stop them from reasonable
sales in the public marketplace; the knowledge of the vulnerabilities comes
from their own research so they certainly own it. You could place some
reasonable restrictions on who they can sell the information to: no known
terrorists or criminal enterprises. Perhaps you could get away with requiring
them to offer non-exclusive sales to various CERT organizations and allowing
those organizations to contact the affected vendors.
Or maybe they could just be required to offer to sell the
vulnerabilities to the vendor before offering them on the open market. It would
be interesting to see how you would craft rules to establish what is a
reasonable price for the vendor to take or leave. Of course, that has been the
problem all along, as most vendors have been loath to pay some unwashed heathen
(okay, they didn’t actually say that, but that has been the impression that
many in the research community have been dealing with) for finding some
‘relatively minor’ problem with their control system.
Nothing New
In any case, ReVuln is not really anything new. We have been hearing about an underground economy in 0-day sales for a couple of years now. What Luigi and friend have done is to bring the business plan out into the open so that we can all participate (or not). We will certainly discuss it and perhaps try to regulate it. But, it is not going away.