At Microsoft's BlueHat briefing earlier in the month there were great presentations and discussion of information relative to tomorrow's exacerbation of today's vulnerability/exploit trends. Along the line of information presented, I expect we all know, from reading vulnerability announcements, analysis, and public exploit work, how talented the researchers are and what the trends are. YMMV from mine, but my mileage got a boost during Cesarr Cerrrrudo's Token Kidnapping presentation, which had an impact beyond what the title of the presentation indicates, and beyond what his HITBSecConf 2008 Dubai Token Kidnapping PDF has. Don't let the "title" of the paper throw you off ( ; ^ ).
Where the BlueHat rubber met the road
The BlueHat panel assembled by MS for discussion of the vulnerability research economy that has developed over the last few years did a great job. I can't summarize the whole panel discussion, nor does it look like the information will be made available, but what I want to mention here relates to mileage. (I hope that when they're released, the MS BlueHat podcast "interviews" of the presenters and panelists work contain the presenter's actual presentation information for your own evaluation of the storm ("actual presentation" versus the mentioned podcast "interviews").
Dan Kaminsky presented data on code development and reasonable current and future numbers of vulnerabilities that can be expected. The discussion had great information on whoi$ paying how much for the vulnerability research results. The panelists also shared quite a bit of "vulnerability economy" information that I haven't seen summarized in any one place, including discussion of how researchers get paid, and by who.
At the end of the discussion, it was apparent that vendors are only going to buy/receive a percentage of discoverable (and exploitable) vulnerabilities via the vulnerability research economy, or from altruistic vulnerability researchers. And in the "vulnerability economy" that the panel described, Vendors lose out bidding for research results to "private" groups who keep the vulnerability information for "private" use. I note the discussion of "private" groups purchasing vulnerability research remained civil.
There have been many trend reports by many great research and analysis groups discussing vulnerabilities, information warfare and criminal activity attacks and trends. When I consider those reports, Dan Kaminsky's BlueHat presentation numbers, and the "vulnerability economy" panel discussion information, I'm left with an obvious conclusion, the ever increasing number of unreported vulnerabilities being turned into 0-days is not going to slow down soon, it's increasing rapidly, from the increasing number of "private" groups focused on information warfare and criminal activity. And as always, should you accept the mission, detecting successful intrusions is the job.
Discussing indicators of exploitation and indentifying complex vectors is typically easier when it's an information sharing effort. This is something SANS, the ISC Handlers, and ISC participants have been doing for quite a few years. So when those Deja-Vu moments occur, while you're dealing with the vendors, consider getting assistance and participate in getting the information out publically as soon as possible, become an ISC participant, drop us a line (Contact) about what's happening to your systems.
Bluehat (Thanks SANS & MS)
BlueHat Security Briefings Blog - with links to presenters sites
Bluehat Vulnerability Economy Panel - Panelists included:
I believe the related MS info is Microsoft Security Advisory (951306)- Vulnerability in Windows Could Allow Elevation of Privilege
For a non-Bluehat correlation see the recent "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" by Mark Dowd, IBM Global Technology Services, X-Force Researcher.
May 18th 2008
1 decade ago