[fc-discuss] Financial Cryptography Update: The Market Price of a Vulnerability

iang@iang.org iang@iang.org
Tue, 7 Feb 2006 12:23:21 +0000 (GMT)


(( Financial Cryptography Update: The Market Price of a Vulnerability ))

                           February 07, 2006


------------------------------------------------------------------------

https://www.financialcryptography.com/mt/archives/000649.html



------------------------------------------------------------------------

More on threats.  A paper Paul sent to me mentions that:

http://events.ccc.de/congress/2005/fahrplan/attachments/542-Boehme2005_22C3_VulnerabilityMarkets.pdf
http://events.ccc.de/congress/2005/fahrplan/events/801.en.html
=======8<========8<========
Stuart Schechter’s thesis [11] on vulnerability markets actually
discusses bug challenges in great detail and he coined the term market
price of vulnerability (MPV) as a metric for security strength.
============>8=========>8==

A good observation - if we can price the value of a vulnerability then
we can use that as a proxy for the strength of security.  What luck
then that this week, we found out that the price of the Windows
Metafile (WMF) bug was ... $4000!

http://www.developerpipeline.com/shared/article/printablepipelinearticle.jhtml?articleid=178601579
=======8<========8<========
The Windows Metafile (WMF) bug
<http://www.techweb.com/encyclopedia/defineterm.jhtml;?term=windows+metafile&x=0&y=0>
that caused users -- and Microsoft -- so much grief in
December and January spread like it did because Russian hackers sold an
exploit to anyone who had the cash, a security researcher said Friday.

The bug in Windows' rendering of WMF images was serious enough that
Microsoft issued an out-of-cycle patch
<http://www.techweb.com/wire/security/175802150> for the problem in
early January, in part because scores of different exploits lurked on
thousands of Web sites, including many compromised legitimate sites. At
one point, Microsoft was even accused of purposefully creating the
vulnerability as a "back door"
<http://www.techweb.com/wire/security/177100876> into Windows.

Alexander Gostev, a senior virus analyst for Moscow-based Kaspersky
Labs, recently published research
<http://www.viruslist.com/en/analysis?pubid=178619907#zero> that
claimed the WMF exploits
<http://www.developerpipeline.com/shared/article/printablepipelinearticle.jhtml?articleid=178601579>
could be traced back to an unnamed person who, around Dec. 1, 2005,
found the vulnerability.

"It took a few days for exploit-enabling code to be developed," wrote
Gostev in the paper published online, but by the middle of the month,
that chore was completed. And then the exploit went up for sale.

"It seems that two or three competing hacker groups from Russia were
selling this exploit for $4,000," said Gostev.
============>8=========>8==

(That's a good article, jam-packed with good info.)  Back to the paper.
Rainer Böhme surveys 5 different vulnerability markets.  Here's one:

http://dud.inf.tu-dresden.de/~labuschk/rb21/index.shtml

=======8<========8<========
Vulnerability brokers are often referred to as “vulnerability sharing
circles”. These clubs are built around independent organizations
(mostly private companies) who offer money for new vulnerability
reports, which they circulate within a closed group of subscribers to
their security alert service. In the standard model, only good guys are
allowed to join the club. The customer bases are said to consist of
both vendors, who thus learn about bugs to fix, and corporate users,
who want to protect their systems even before a patch becomes
available. With annual subscription fees of more than ten times the
reward for a vulnerability report, the business model seems so
profitable that there are multiple players in the market: iDefense,
TippingPoint, Digital Armaments, just to name a few.
============>8=========>8==

OK!  He also considers Bug Challenges, Bug Auctions, Exploit
derivatives, and insurance.  Conclusion?

=======8<========8<========
It appears that exploit derivatives and cyber-insurance are both
acceptable, with exploit derivatives having an advantage as a timely
indicator whereas cyber-insurance gets a deduction in efficiency due to
the presumably high transaction costs. What’s more, both concepts
complement one another. Please note the limitations of this qualitative
assessment, which should be regarded as a starting point for discussion
and exchange of views.
============>8=========>8==
