Take White Hats Seriously to Staunch the Flow of Zero-Days

  /     /     /  
Publicated : 23/11/2024   Category : security


Take White Hats Seriously to Staunch the Flow of Zero-Days


Zero-day vulnerabilities are serious, and on the rise. And IT-security teams make the problem worse when they fail to respond, or respond poorly, to responsible vulnerability disclosures.



When it comes to the rising zero-day threat, IT-security organizations may have no one to blame but themselves and their poor attitudes toward data stewardship.
Zero-day vulnerabilities and the exploits thereof are trending upward. Earlier this month, for instance, both
Microsoft
and
Apple
had to issue patches on multiple respective zero-day vulnerabilities that were reportedly already being actively exploited in the wild. Meanwhile, digital-transformation technologies like
IoT
and
AI
are only exacerbating the problem.
But if youre a white-hat researcher who finds and responsibly reports a zero-day vulnerability, good luck getting the company to acknowledge it.
The question for disclosure closure
Last month, 14-year-old Grant Thompson
accidentally discovered
a bug in Apples Group FaceTime feature in iOS 12.1 and MacOS Mojave. The flaw allowed a caller to turn someone elses iPhone into a listening device without the other party having to answer a call. Thompsons mother -- an attorney -- emailed Apple, posted several times to social media, and faxed Apple a letter on her law firms letterhead. It was not until her posts went viral and major news outlets picked up the story that Apple began to address the issue on January 30, about a week and a half after the fact.
Thompson and his mother arent the first to endure such endemic vulnerability-disclosure absurdism. Some yet more notorious examples:
Starting in 2017, security researcher Dylan Houlihan repeatedly attempted to get Panera Bread to acknowledge and address a website data leak exposing millions of customers data. (It took an introduction from a mutual contact to even get in touch with Paneras Director of Inofrmation Security, who took him for a scammer at first.) After about eight months of fruitless persistence, Houlihan finally gave the information to renowned cybersecurity journalist
Brian Krebs
-- who not only brought national attention to the story, but also discovered that the data leak impacted tens of millions of people than originally thought. (See:
Massive Data Breaches & Data Leak Hit Retail Industry in 1-2-3 Punch
.)
In 2016, Asus got slapped with an
FTC consent order
subjecting it to,
inter alia
, 20 years worth of audits as fallout from
AsusGate
-- when the company failed to respond appropriately to a security researchers multiple emails from 2013 attempting to get it to address major security flaws in its routers.
Also in 2013, Palestinian researcher Khalil Shreateh attempted to report to Facebook multiple times a bug that would allow any user to post to any other users timeline without the requisite permissions. After not being taken seriously (he was flat-out told this is not a bug), Shreateh was driven to post to CEO Mark Zuckerbergs wall a missive explaining his discovery. Only then did Facebooks security team pay heed -- and then refused to apply its bug-bounty program to Shreateh because Shreateh had technically violated Facebooks white-hats only policy by posting to Zuckerbergs wall. (Outraged members of the security community raised a
$10,000 fund for Shreateh
.
Perverse incentives
At best, companies dismissive behavior and responses (or non-responses, as the case may be) to vulnerability disclosures not only disincentivizes researchers from doing the research and making the disclosures to these companies. At worst, it may turn a hackers hat from white to gray or even black, according to Chris Richter, an advisor to cybersecurity startups. After all, if an IT-security team wont listen, the NSA or a dark-web forum might.
That is a huge business on the dark web -- finding zero-day vulnerabilities, not revealing them to the vendor, and selling them to the highest bidder, says Richter. [Or] they shop it to foreign governments that want to make use of it.
An iPhone vulnerability, for example, can literally fetch
millions of dollars
-- and Richter points out that gray- and black-market bounties are rising.
RTFDisclosure
Theres only so much that can be done about bad corporate culture; sometimes this escalates to wilful ignorance. IT-security departments know that their knowledge of a possible data compromise may trigger a variety of time-sensitive compliance requirements, intense political pressure, and/or the possibility of fines and other unfavorable enforcement actions -- even if they competently handle their incident response (particularly these days if GDPR applies). (See:
GDPR Fines: Some Bark, Little Bite
.) Even when communications-service providers (CSPs) detect another companys breach and so alert it, the response may be a curt Thank you for letting us know; dont ever call us again. (See:
Four Enterprise Security Lessons From
Maury
.)
But for companies like Apple and Panera, the solution begins with making it easy to send disclosures to a properly trained and empowered human who will read and act on them. Katie Moussouris, CEO of Luta Security, reports finding that only 6% of the Forbes Global 2000 offers
dedicated security-reporting channels
.
Make this process obviously distinct from the Hi I think my account is hacked customer-support process,
urges Houlihan
. You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.
Related posts:
Six Large Data Dumps Add Fuel to Collection #1s Fire
iOS 12: How Apple Keeps Getting Mobile Security Wrong
Enterprises Confronting Increasing Volume of Critical Vulnerabilities – Study
— Joe Stanganelli is managing director at research and consulting firm Blackwood King LC. In addition to being an attorney and consultant, he has spent several years analyzing and writing about business and technology trends. Follow him on Twitter at @JoeStanganelli.
 

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Take White Hats Seriously to Staunch the Flow of Zero-Days