Why Selling Exploits Is A Good Idea

An online market for security exploits sounds like a dangerous concept – in fact, it’s a good idea that should help keep companies safe, says Peter Judge

Last week NSS Labs launched an online site for selling exploits. To anyone with a vague grasp of the way IT security works, that might sound like a very bad idea. In fact it’s a good one – and fairly well established.

The NSS Labs Exploit Hub will let people buy working exploit code – software that can break into IT systems through vulnerabilities which exist in the operating systems and apps running on them.

Software has vulnerabilities, and the security game is usually seen as a race between hackers and security researchers, to find those flaws and create code that exploits them (hackers) or patches which seal the vulnerability (researchers). If security is a contest between exploits and vulnerabilities, why increase the flow of exploits?

Penetration testing

Of course, the answer is that researchers and CSOs need to find out if their systems are secure, and the only real way to test that is to attack them using exploit code, under controlled conditions – so-called “penetration testing”. A team given the task of testing corporate systems needs to have an arsenal of exploits.

Where do they get those exploits? They can use the malicious code which is found in the wild and labelled by the anti-malware firms, or they can write their own. It’s better if they can choose from a set of fully documented exploits which are tested and shared.

Exploits on the site target well-documented flaws for which fixes already exist, so it won’t add new dangers to the online world. And users of the site will be vetted. This might be a potential weakness, as vetting processes can be subverted – but by all accounts, the existing online underground market for exploits is probably an easier source for anyone with malicious intent.

The fact that pen-testers can now pay for those exploits in a public marketplace should also mean that the security researchers’ work gets the recognition it deserves, and provides an incentive for future work.

In fact, the legitimate market for exploits has been in existence for a while, and flaw brokers have included TippingPoint, iDefense Labs, Immunity and Netragard.

Remember WabiSabiLabi?

For some of us, NSS Labs’ marketplace brings back memories of a short-lived auction site launched in 2007 by Swiss researchers WabiSabiLabi. The site got a ton of criticism because as well as fully-documented exploits, it also aimed to sell exploits for newly-discovered, unpatched, “zero day” weaknesses.

WabiSabiLabi claimed that this merely increased the urgency with which CSOs would deal with the exploits (and the value given to the security researchers’ work) but others argued that a visible online marketplace would simply increase the rate at which exploits circulated and boost the damage caused by zero day bugs.

“A perfect marketplace of software vulnerabilities was too forward looking for the imperfect world we live in,” the WSLabs site now says. “The international group had to stop trading its knowledge after controversy and legal threats surfaced from third parties and competitors.”

Founder Robert Preatoni was charged with industrial espionage in 2008, although colleagues in the security field defended his reputation.

The publicity around WabiSabiLabi probably set back online exploit trading, but the security community – like the hacker world – is continually evolving into a more mature and business-like environment. The world is certainly happier now with the idea.