Wabisabilabi? A bad trend on the rise!
There has been some recent buzz in the network security industry because some “white hat hackers” are looking for more than just acknowledgment for the vulnerabilities they discover. A so-called “white hat hacker” is a person who spends their time looking for ways to exploit systems in order to make them more secure. The goal is to discover a vulnerability in a product and then send the details of that vulnerability to the company behind the product so it can put together a fix.
An example of such a vulnerability is the Windows ANI File Parsing Buffer Overflow reported by the security company eEye Digital Security. According to eEye, this vulnerability was originally reported in November 2004, but Microsoft did not release a patch for it until April 2007. Unfortunately, such delays are common.
These vulnerabilities are also added to databases such as the ones found at http://www.securityfocus.com and http://www.milw0rm.com, which security professionals use when performing penetration tests. Penetration testing is a service offered by many security professionals: an organization pays them to test its network for vulnerabilities. In other words, the organization pays a security company to “hack” its network and then help plug the holes it found, before a “bad guy” does.
A new website has emerged, http://www.wabisabilabi.com, that offers a place for vendors and security researchers to buy and sell information regarding vulnerabilities. Personally, I find this trend very alarming. To date, security researchers have discovered vulnerabilities and submitted their discoveries to the appropriate vendors for the sole purpose of making the world a better place. My fear is that by promoting the buying and selling of security vulnerabilities, it is the “bad guys” who will start doing most of the buying. If this concept gains acceptance, the only natural result, according to Marc Maiffret, chief technology officer at eEye Digital Security, is that such sites “are pretty much supporting a market which eventually turns into a bidding war. It drives people not to report (problems) to vendors.” And “problems” not reported to vendors will turn into “problems” for you and me.