Feeds

Exploit broker aims marketing machine at Unix app crack

Deals so great... they're insane!

Security for virtualized datacentres

WabiSabiLabi, which bills itself as the eBay of software vulnerabilities, has borrowed a page from used car salesmen, except instead of talking up their affordable rates and low down payments, the outfit is championing the sale of a nasty sounding exploit that puts Unix boxes at risk.

The vulnerability resides in ClamAV, an open source anti-virus toolkit for Unix-based email gateways. Two weeks ago, WabiSabiLabi listed the auction of exploit code that targets the antivirus program, so far without a single person bidding on it. Enter the group's marketing monkeys, who in a blog post are trying to drum up interest.

"It has been recently submitted to our labs a vulnerability that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite by simply sending a specially crafted email to the vulnerable mail server," the spinmeisters write (their emphasis). "This vulnerability has a starting price of 500 euros: bid on that and, as a security company, you will gain a very high competitive advantage."

The selling of exploits for cash is becoming increasingly common as security researchers try to recoup compensation for what often amounts to hundreds of hours in the lab turning a vague theory about a weakness into a proof-of-concept code. While shopping around vulnerabilities can sometimes be a contentious issue, it has been embraced by at least two mainstream security companies that say the practice goes a long way to making their customers safer.

"It's one thing to market your program and market the existence of it," says Terri Forslof, manager of security response for TippingPoint, whose Zero Day Initiative pays bounties to researchers for responsibly disclosing vulnerabilities. "It's another to try and use something like that and specifically market that vuln. If anything, it just seems kind of cheesy to me."

WabiSabiLabi's carnival barking comes almost two weeks after Roberto Preatoni, the group's founder, was among those arrested by Italian police investigating a spying scandal involving Telecom Italia. WabiSabiLabi issued a press release saying "we are confident that his innocence will be established if a case ever comes to court."

The shameless plug also comes amid what might be considered less-than-spectacular enthusiasm for WabiSabiLabi's vulnerability marketplace. In all, it records 38 auctions listed since the site went live in August. Of the 19 listings currently pending at the time of writing, only two had bids, and in each case, there was only one bid. Furthermore, seven listings were scheduled to expire in less than nine hours, and none of them had attracted a single bid.

Representatives from Switzerland-based WabiSabiLabi weren't immediately available for comment.

In all, WabiSabiLabi claims to have received more than 150 vulnerability submissions, and that raises another question: What is it doing with all of those exploits? The company says it's rejected about 40 entries because researchers used illegal methodologies such as reverse engineering of protected software to discover them.

Even still, there's a wide gulf between the remaining 110 submissions and the 38 that have been publicly brokered, and that has Forslof scratching her head about things like whether the group sells some exploits privately before listing them on its marketplace.

"When I look at that I can't say what number of those were valid, [and] what the process is to vet those out," she says. "What I'd still like to see from them is quite a bit more transparency." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.