Security Watch

Do Vulnerability Auctions Compromise Security?

On the fence regarding whether vulnerability researchers should be compensated for their findings. Plus, "friendly hacking" between Netscape and Digg users; 74,000 .eu domain names frozen.

• By Russ Cooper
• 09/11/2006

Well, the assumption here is that vendors were receiving the vast majority of vulnerability discoveries in the past, and now it would seem they are getting less. It's difficult to say that was true, as many vulnerabilities have been held in private repositories for a variety of reasons for a long time. Maybe they were used to prove one individual's penetration testing skills were better than another, or they were used to ensure bots remained hidden. Whatever the motivation, responsible disclosure has never reached the hoped for level we have all wanted.

The Cybertrust RIT is split on whether or not legitimate companies should be paying vulnerability researchers for their discoveries. On the one side, paying provides an incentive for getting the discovery into the hands of someone who will inform vendors. On the other side, if one accepts that payment is reasonable, then why shouldn't the discoverer be able to receive the highest payment possible, including selling the discovery to someone who wants to use it for criminal purposes?

Underlying the reasoning above is the intent of the discoverer. If such a discoverer is inclined towards criminal activity, or doesn't care about the effects on the Internet community, they are likely to find a way to abuse their discoveries -- payment or not. Payment may entice some, but there have been many who have used responsible disclosure as a way to demonstrate their skills and acquire much longer lasting payment ... via employment with one of the many security firms who work with their discoveries. We must continue to make clear the distinction between legitimate disclosure, and criminal acts -- knowingly or not -- to ensure we cultivate a discovery community who work for the betterment of the Internet community.

Why Digg Fans Hacking Netscape.com Should Be Taken Seriously
The recently relaunched Netscape.com news site failed to implement adequate scrubbing of user submissions. As a result, attackers were able to inject their own JavaScript into articles being viewed by visitors. The malicious JavaScript created popups in favor of rival site Digg.com, some even redirecting visitors from Netscape.com to Digg.com.

It's certainly interesting to see the wording used to describe this criminal defacement activity. It seems that because there's some apparent "rivalry" between Netscape and Digg, the acts are being described in "friendly" terms, as if it were nothing more than a childish prank.

Yet the issue has several important aspects. First, how could Netscape.com, a site owned by AOL with years of security issues under their belt, be opened to accept user input that was not properly parsed? For such a site, scrubbing submissions should have been their Number 1 security concern after basic practices. That they were susceptible strongly suggests the site's design is flawed at the core.

Second, why is it that because the malicious JavaScript injections did not install malware components on the victims, it is being described as relatively benign? The attacking criminals knew what the result of their acts was going to be, and no matter the reason, they intentionally altered the service Netscape.com intended to deliver its visitors. We'd call that a criminal act and no mere prank.

We must remember that if we expect to teach individuals the difference between right and wrong, we must be consistent in our messaging. Defacing a site, for whatever reason, should be deemed a criminal act and not trivialized because it looks cute.

Finally, this is another example of attacks against application implementation and configuration rather than the application or the operating system itself.

EURid Suspends More Than 74,000 .eu Domain Names
According to charges levied by EURid, the non-profit organization set up to manage the .eu domain name space, three companies in the U.K. have attempted to hijack the name allocation process it manages. EURid alleges the trio was attempting to obtain domain names for later sale, something which is prohibited under EURid policies.

According to the CEO of GoDaddy, a competing domain registrar, the EURid process inadequately verifies whether approved registrars are really acting on behalf of legitimate customers. The process for obtaining domain names attempts to level the playing field, giving each registrar a chance at a single name before being put at the back of the line behind all other registrars. The GoDaddy CEO suggests that many registrars were actually operating in concert with others, effectively improving their chances of obtaining desirable domain names.

At some point there will have to be something to replace the incredibly lucrative domain name system, something which permits companies to have their brand name -- even when it's identical to another company -- yet remain distinct enough to allow consumers the way to know which they actually want.