The most magnificent thing about Vulnerabilities and who is behind the magic
What I like the most about software vulnerabilities is how “vulnerability”, as a quality of a real object (and a computer program is real), literally appears from nothing.
Let’s say we have a fully updated server. We turn it off, lock it in a safe and forget about it for half a year. Six months later, we take it out and turn it on. It is the same and works absolutely the same. But now it is also exposed to dozens of critical vulnerabilities that, with some (un)luck, can be exploited by any script kiddie. A new, important characteristic of the material object has appeared from nowhere. Isn’t this magnificent?
Who is behind this magic
Of course, this only happens because many people constantly and comprehensively study software products. But we know so little about it that it seems almost like magic. For example:
- Do you know how many security researchers analyze the Windows or Linux kernel (hundreds, thousands, maybe more)?
- Who pays them?
- What is their main motivation?
- Do they always report what they found to the software vendors?
As for the last question, it seems rather naive to think that all researchers send their most valuable findings to the vendors, even for a bounty. Especially those researchers who work for governments and criminal groups. In my opinion, the publicly known vulnerabilities that cause us so much trouble with patching are only the smallest part of all existing vulnerabilities. And it’s scary to think what is going on in the main private zone, where all the wunderwaffen and all the rings-to-rule-them-all should be.
Big guys’ games
We mainly know how the NSA processes 0-day vulnerabilities and exploits. Many thanks to #EFF and other organizations who forced them to disclose “Vulnerabilities Equities Policy and Process for the United States Government” (2017).
There are no technical details or valuable statistics in it, only some descriptions of bureaucratic procedures, but it shows the attitude. Do you think that governments in other countries deal with vulnerabilities in a more ethical way and report them to vendors immediately? I don’t think so.
And, btw, it has led to real attacks; I just mentioned a couple of them in my Telegram channel: the cyber attacks on the Russian power grid and the “Yandex was hacked” article by Reuters.
Can money solve the problem with unreported vulnerabilities?
Responsible disclosure may become more attractive to independent researchers if the size of the bounty becomes comparable to the prices on the black market (currently it is not). But individual researchers are not the only actors.
- What about the armies of government hackers who reverse-engineer code in their barracks day after day for a cup of rice?
- And what about the vulnerabilities that are in fact backdoors left by the vendors intentionally?
I don’t see any good and safe solutions for this. It is too far from technology and mainly concerns geopolitics and violence.
Once again, it’s a big, dangerous world, you know. We see only the smallest part of all existing vulnerabilities and, unfortunately, we can’t deal effectively even with those.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I write to.