Monthly Archives: April 2012

Thank You Anonymous

We (Netragard) have been meaning to say Thank You to Anonymous for a long time now. With that said, Netragard does not condone the actions of Anonymous, nor the damage they have caused.   What Anonymous has demonstrated, and continues to demonstrate, is just how poorly most network infrastructures are managed from a security perspective (globally, not just within the USA).  People need to wake up.

If you take the time to look at most of the hacks done by Anonymous, you’ll find that their primary points of entry are really quite basic.  They often involve the exploitation of simple SQL Injection vulnerabilities, poorly configured servers, or even basic Social Engineering.  We’re not convinced that Anonymous is talentless; we just think that they haven’t had to use their talent because the targets are so soft.

What Anonymous has really exposed here are issues with the security industry as a whole and with the customers that are being serviced. Many of Anonymous’s victims use third party Penetration Testing vendors and nightly Vulnerability Scanning services.  Many of them even use “best of breed” Intrusion Prevention Systems and “state of the art” firewalls.  Despite this, Anonymous still succeeds at Penetration with relative ease, without detection and by exploiting easy to identify vulnerabilities.  So the question becomes, why is Anonymous so successful?

Part of the reason is that regulatory requirements like PCI DSS 11.3 (and others) shift businesses from wanting Penetration Tests for security reasons to needing Penetration Tests in order to satisfy regulatory requirements.  What is problematic is that most regulatory requirements provide no minimum quality standard for Penetration Testing.  They also provide no incentive for quality testing.  As a result, anyone with an automated vulnerability scanner and the ability to […]

Netragard on Exploit Brokering

Historically ethical researchers would provide their findings free of charge to software vendors for little more than a mention.  In some cases vendors would react and threaten legal action citing violations of poorly written copyright laws that include but are not limited to the DMCA.  To put this into perspective, this is akin to threatening legal action against a driver for pointing out that the breaks on a school bus are about to fail.

This unfriendliness (among various other things) caused some researchers to withdraw from the practice of full disclosure. Why risk doing a vendor the favor of free work when the vendor might try to sue you?

Organizations like CERT help to reduce or eliminate the risk to security researchers who wish to disclose vulnerabilities.  These organizations work as mediators between the researchers and the vendors to ensure safety for both parties.  Other organizations like iDefense and ZDI also work as middlemen but unlike CERT earn a profit from the vulnerabilities that they purchase. While they may pay a security researcher an average of $500-$5000 per vulnerability, they charge their customers significantly more for their early warning services.  Its also unclear (to us anyway) how quickly they notify vendors of the vulnerabilities that they buy.

The next level of exploit buyers are the brokers.  Exploit brokers may cater to one or more of three markets that include National, International, or Black.  While Netragard’s program only sells to National buyers, companies like VUPEN sell internationally.  Also unlike VUPEN, Netragard will sell exploits to software vendors willing to engage in an exclusive sale.   Netragard’s Exploit Acquisition Program was created to provide ethical researchers with the ability to receive fair pay for their hard work; it was not created […]