SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Tuesday, June 26, 2012

More Disclosure of Vulnerabilities in Attacker Tools

Posted on 4:09 PM by Unknown
Two years ago I wrote Full Disclosure for Attacker Tools, where I wrote in part:

The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense that links to an article describing Joel Eriksson's vulnerability research into Bifrost and other remote access trojans.

What's a little more interesting now is seeing Laurent Oudot releasing 13 security advisories for attacker tools. Laurent writes:

For example, we gave (some of) our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack...

In the post I addressed some of the issues involved, but a recent development involving the popular Poison Ivy (PI) remote administration tool (RAT) brought the debate back to life.

Today I became aware of Gal Badishi's Monday post Own And You Shall Be Owned. In the post he writes:

We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any computer, for that matter) to assume control of PI’s C&C server...

In light of this analysis, a Metasploit module without encryption is being prepared.

"C&C server" means "Command and Control server," or the system operated by an intruder to control the multitude of victim systems on which he installed PI.

On the surface it may seem cool that "good guys" can now attack "bad guy" infrastructure thanks to this research. However, I think it's important to weigh the pros and cons of this disclosure of vulnerabilities in attacker tools.

Reasons One Should Disclose Vulnerabilities in Attacker Tools

  1. Intruders already know about the vulnerabilities anyway.
  2. Good guys already know about the vulnerabilities anyway.
  3. Publicizing, and especially weaponizing (via Metasploit), this vulnerability gives good guys a way to strike back at bad guy infrastructure.
  4. "Information wants to be free." Trying to protect the info from disclosure is a losing game.
  5. If good guys didn't know about the vulnerabilities, they now can put them to work attacking intruder infrastructure for "active defense" and "research" purposes.
  6. There's no place to disclosure vulnerabilities in attacker tools "responsibly" anyway.
Reasons One Should Not Disclose Vulnerabilities in Attacker Tools
  1. Not all intruders know about the vulnerabilities, or perhaps none do.
  2. By publicizing the vulnerabilities, it tips the intruders to defend their infrastructure by patching.
  3. Good guys who previously had access to the infrastructure lose access once the intruders upgrade their vulnerable software.
  4. A researcher just saved intruders time and resources by providing free software security and quality assurance services.
  5. Information doesn't have to leak. Many organizations keep secrets, even without the infrastructure of classified systems.
  6. There are several private, vetted mailing lists that do a reasonably good job keeping information confidential, while providing benefit to defenders.
I tend to think it's a bad idea to publicize vulnerabilities in intruder tools for the reasons I listed, but I see the other side as well. My biggest concern is that researchers don't weigh these issues, or given them enough thought, prior to publishing their findings. What do you think?

Tweet

Email ThisBlogThis!Share to XShare to Facebook
Posted in offense | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • DojoCon Videos Online
    Props to Marcus Carey for live streaming talks from DojoCon . I appeared in my keynote , plus panels on incident response and cloud secur...
  • Practice of Network Security Monitoring Table of Contents
    Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monito...
  • Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
    Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed public...
  • Feedback from Network Security Monitoring 101 Classes
    At Black Hat in Las Vegas I taught two Network Security Monitoring 101 (NSM101) classes. This is a new class that I developed this year, a...
  • A Book for the Korean Cyber Armies
    I've got a book for the Korean cyber armies, North and South. That's right, it's my first book , The Tao of Network Security Mo...
  • What is Cloud?
    The slide at left was one of my favorites from Craig Balding's Cloud Security Ghost Story talk from Black Hat EU earlier this year. I ...
  • SQL Injection Challenge and Time-Based Security
    Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challen...
  • Bejtlich Speaking at TechTarget Emerging Threats Events in Seattle and New York
    I will be speaking at two events organized by TechTarget , for whom I used to write my Snort Report and Traffic Talk articles. The one-da...
  • Review of Crypto Posted
    Amazon.com just posted my four star review of Crypto by Steven Levy. From the review : Steven Levy's "Crypto" is a fascinati...
  • SANS WhatWorks Summit in Forensics and Incident Response
    I wanted to remind everyone about the SANS WhatWorks Summit in Forensics and Incident Response in DC, 8-9 July 2010. The Agenda looks gre...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ▼  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ▼  June (6)
      • China's High-Tech Military Threat and Air Sea Battle
      • Bejtlich's Thoughts on "Why Our Best Officers Are ...
      • More Disclosure of Vulnerabilities in Attacker Tools
      • What Gets Measured, Matters
      • Flame Hypocrisy
      • Whither United States Air Force Academy?
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ►  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ►  March (16)
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile