Friday, July 16, 2010

offensive full disclosure

in my previous post about full disclosure i came up with some pretty restrictive guidelines for when full disclosure was ok. that was specific to disclosure of vulnerabilities in legitimate software/services. some time ago richard bejtlich published a post about performing full disclosure for vulnerabilities found in attack tools - in other words the sort of software used by the bad guys to victimize innocent users.

while there is admittedly some gray area where legitimate software and attack tools might conceivably overlap, the tools richard described aren't anywhere near being legitimate - they are geared to exploit vulnerable systems and there's virtually no legitimate reason for doing that.

obviously that changes the ethical landscape a lot with respect to full disclosure. the users of such software are not innocent by definition, so actions that put them in harm's way aren't nearly so poorly regarded as those that put innocent users in harm's way. in fact, when cybercriminals are subjected to the same sorts of digital attacks as those they might otherwise perpetrate on others, some might even consider it poetic justice.

richard doubts the tactical efficacy of full disclosure against attack tools for 2 basic reasons:
  1. it will alert the attack tool developers to the problem and ultimately result in the vulnerability being fixed
  2. white hats have to follow rules that prevent them from forming waves of attacks against black hats the way black hats would do if a vulnerability in IE were disclosed
while reason #1 is certainly true, there's still a window of opportunity between the disclosure and the fix during which attackers could be successful. furthermore, there is an undefined window of opportunity between release of the fix and deployment of the fix when attacks could also be successful. remember that security fixes aren't necessarily applied as soon as they're available, and in the case of attack tools specifically there are a number of users of those tools who are not using the most recent versions because they don't want to pay for the product or for support. those using pirated versions of the attack tools are unlikely to get a fix and may not even be aware of a need for one - if they can't be bothered to pay for black hat software it's possible they don't care to invest in developing their own expertise in this field either (otherwise they could just build their own attack tools) and so probably wouldn't be paying attention to security advisories for the attack tools.

reason #2 is also true, but it assumes that the only people interested in attacking the black hats are the white hats and that simply isn't true. taking into account the low risks of getting caught that cybercriminals face, if i were a cybercriminal then the idea of letting some other poor shmuck run a criminal campaign and then simply breaking in and stealing their loot actually seems pretty appealing to me. there's less work involved, less visibility (and so even less risk than the poor shmuck who did things the hard way), etc. stealing from other thieves after they've already done all the hard work of collecting and aggregating whatever it is they were after just seems like the smarter way to go.

furthermore, from a white hat perspective having the black hats attacking each other is also appealing. the more they focus on each other the less they focus on the rest of us. of course, the point richard made about white hats no longer being able to use the vulnerability for their own operations against the attackers would still be true, but only if full disclosure were followed in the case of all vulnerabilities. since that isn't the case for vulnerabilities in legitimate software (only some of the vulnerabilities people know about get disclosed), i see no reason to worry about that happening in the case of offensive full disclosure. some vulnerabilities will no doubt be held back for precisely those sorts of operations.

frankly, i really like the idea of offensive full disclosure - it seems like a win-win proposition to me.