Posts Tagged: NSS Labs

Dec 13

The Case for a Compulsory Bug Bounty

Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products.  This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products.

Before I delve into this modest proposal, let’s postulate a few assumptions that hopefully aren’t terribly divisive:

  • Modern societies are becoming increasingly dependent on software and computer programs.
  • After decades of designing software, human beings still build imperfect, buggy, and insecure programs.
  • Estimates of the global damage from cybercrime ranges from the low billions to hundreds of billions of dollars annually.
  • The market for finding, stockpiling and hoarding (keeping secret) software flaws is expanding rapidly.
  • Vendor-driven “bug bounty” programs which reward researchers for reporting and coordinating the patching of flaws are expanding, but currently do not offer anywhere near the prices offered in the underground or by private buyers.
  • Software security is a “negative externality”: like environmental pollution, vulnerabilities in software impose costs on users and on society as a whole, while software vendors internalize profits and externalize costs. Thus, absent any demand from their shareholders or customers, profit-driven businesses tend not to invest in eliminating negative externalities.

Earlier this month, I published a piece called How Many Zero-Days Hit You Today, which examined a study by vulnerability researcher Stefan Frei about the bustling market for “zero-day” flaws — security holes in software that not even the makers of those products know about. These vulnerabilities — particularly zero-days found in widely-used software like Flash and Java — are extremely valuable because attackers can use them to slip past security defenses unnoticed.

Frei’s analysis conservatively estimated that private companies which purchase software vulnerabilities for use by nation states and other practitioners of cyber espionage provide access to at least 85 zero-day exploits on any given day of the year. That estimate doesn’t even consider the number of zero-day bugs that may be sold or traded each day in the cybercrime underground.

At the end of that post, I asked readers whether it was possible and/or desirable to create a truly global, independent bug bounty program that would help level the playing field in favor of the defenders and independent security researchers. Frei’s latest paper outlines one possible answer.


Frei proposes creating a multi-tiered, “international vulnerability purchase program” (IVPP), in which the major software vendors would be induced to purchase all of the available and known vulnerabilities at prices well above what even the black market is willing to pay for them. But more on that in a bit.

The director of research for Austin, Texas-based NSS Labs, Frei examined all of the software vulnerabilities reported in 2012, and found that the top 10 software makers were responsible for more than 30 percent of all flaws fixed. Frei estimates that if these vendors were to have purchased information on all of those flaws at a steep price of $150,000 per vulnerability — an amount that is well above what cybercriminals or vulnerability brokers typically offer for such bugs — this would still come to less than one percent of the annual revenues for these software firms.


Frei points out that the cost of purchasing all vulnerabilities for all products would be considerably lower than the savings that would occur as a result of the expected reduction in losses occurring as a result of cyber crime — even under the conservative estimate that these losses would be reduced by only 10 percent.

In the above chart, for example, we can see Oracle — the software vendor responsible for Java and a whole heap of database software code that is found in thousands of organizations — fixed more than 427 vulnerabilities last year. It also brought in more than $37 billion in revenues that year. If Oracle were to pay researchers top dollar ($150,000) for each vulnerability, that would still come to less than two-tenths of one percent of the company’s annual revenues (USD $67 million).

Frei posits that if vendors were required to internalize the cost of such a program, they would likely be far more motivated to review and/or enhance the security of their software development processes.


Likewise, Frei said, such a lucrative bug bounty system would virtually ensure that every release of commercial software products would be scrutinized by legions of security experts.

“In the short term, it would hit the vendors very badly,” Frei said in a phone interview with KrebsOnSecurity. “But in the long term, this would produce much more secure software.”

“When you look at new innovations like cars, airplanes and electricity, we see that security and reliability was enhanced tremendously with each as soon as there was independent testing,” said Frei, an experienced helicopter pilot. “I was recently reading a book about the history of aviation, and [it noted that in] the first iteration of the NTSB [National Transportation Safety Board] it was explicitly stated that when they investigate an accident, if they could not find a mechanical failure, they blamed the pilot. This is what we do now with software: We blame the user. We say, you should have installed antivirus, or done this and that.”

Continue reading →

Dec 13

How Many Zero-Days Hit You Today?

On any given day, nation-states and criminal hackers have access to an entire arsenal of zero-day vulnerabilities  — undocumented and unpatched software flaws that can be used to silently slip past most organizations’ digital defenses, new research suggests.  That sobering conclusion comes amid mounting evidence that thieves and cyberspies are ramping up spending to acquire and stockpile these digital armaments.


Security experts have long suspected that governments and cybercriminals alike are stockpiling zero-day bugs: After all, the thinking goes, if the goal is to exploit these weaknesses in future offensive online attacks, you’d better have more than a few tricks up your sleeve because it’s never clear whether or when those bugs will be independently discovered by researchers or fixed by the vendor. Those suspicions were confirmed very publicly in 2010 with the discovery of Stuxnet, a weapon apparently designed to delay Iran’s nuclear ambitions and one that relied upon at least four zero-day vulnerabilities.

Documents recently leaked by National Security Agency whistleblower Edward Snowden indicate that the NSA spent more than $25 million this year alone to acquire software vulnerabilities from vendors. But just how many software exploits does that buy, and what does that say about the number of zero-day flaws in private circulation on any given day?

These are some of the questions posed by Stefan Frei, research director for Austin, Texas-based NSS Labs. Frei pored over reports from and about some of those private vendors — including boutique exploit providers like Endgame Systems, Exodus Intelligence, Netragard, ReVuln and VUPEN — and concluded that jointly these firms alone have the capacity to sell more than 100 zero-day exploits per year.

According to Frei, if we accept that the average zero-day exploit persists for about 312 days before it is detected (an estimate made by researchers at Symantec Research Labs), this means that these firms probably provide access to at least 85 zero-day exploits on any given day of the year. These companies all say they reserve the right to restrict which organizations, individuals and nation states may purchase their products, but they all expressly do not share information about exploits and flaws with the affected software vendors.

Frei's minimum estimate of exploits offered by boutique exploit providers each year.

Frei’s minimum estimate of exploits offered by boutique exploit providers each year.


That approach stands apart from the likes of HP TippingPoint‘s Zero-Day Initiative (ZDI) and Verisign‘s iDefense Vulnerability Contributor Program (VCP), which pay researchers in exchange for the rights to their vulnerability research. Both ZDI and iDefense also manage the communication with the affected vendors, ship stopgap protection for the vulnerabilities to their customers, and otherwise keep mum on the flaws until the vendor ships an update to fix the bugs.

Frei also took stock of the software vulnerabilities collected by these two companies, and found that between 2010 and 2012, the ZDI and VCP programs together published 1,026 flaws, of which 425 (44 percent) targeted flaws in Microsoft, Apple, Oracle, Sun and Adobe products. The average time from purchase to publication was 187 days.

“On any given day during these three years, the VCP and ZDI programs possessed 58 unpublished vulnerabilities affecting five vendors, or 152 vulnerabilities total,” Frei wrote in a research paper released today.


Frei notes that the VCP and ZDI programs use the information they purchase only for the purpose of building better protection for their customers, and since they share the information with the software vendors in order to develop and release patches, the overall risk is comparatively low. Also, the vulnerabilities collected and reported by VCP and ZDI are not technically zero-days, since one important quality of a zero-day is that it is used in-the-wild to attack targets before the responsible vendor can ship a patch to fix the problem.

In any case, Frei says his analysis clearly demonstrates that critical vulnerability information is available in significant quantities for private groups, for extended periods and at a relatively low cost.

“So everybody knows there are zero days, but when we talk to C-Level executives, very often we find that these guys don’t have a clue, because they tell us, ‘Yeah, but we’ve never been compromised’,” Frei said in an interview.  “And we always ask them, ‘How do you know?'”

Continue reading →

Feb 13

Flaw Flood Busts Bug Bank

The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE  said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports.

beltfixCurrently, when a vulnerability is reported or discovered, it is assigned a CVE number that corresponds to the year it was reported, followed by a unique 4-digit number. For example, a recent zero-day Java flaw discovered earlier this year was assigned the identifier CVE-2013-0422.  But in a recent publication, The MITRE Corp., the organization that maintains the index, said it wanted to hear feedback on several proposed changes, such as modifying the CVE to allow for up to 999,999 vulnerabilities to be cataloged annually.

“Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year,”  CVE Project announced last month. “The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.”

It’s not clear if this shift means software is getting buggier or if simply more people are looking for flaws in more places (probably both), but new research released today suggests that bug finders have more incentive than ever to discover — and potentially get paid handsomely for — new security holes.

For example, one of the hottest areas of vulnerability research right now centers on the industrial control system space — the computers and networks that manage critical infrastructure systems which support everything from the power grid to water purification, manufacturing and transportation systems. In a report released today, Austin, Texas based security firm NSS Labs said the number of reported vulnerabilities in these critical systems has grown by 600 percent in 2010 and nearly doubled from 2011 to 2012 alone.

NSS’s Stefan Frei found that 2012 reversed a long running trend of decreasing vulnerability disclosures each year. At the same time, NSS tracked a decline in vulnerabilities being reported by perhaps the top two organizations that pay researchers to find bugs. For example, Frei noted, iDefense‘s Vulnerability Contributor Program (VCP) and HP Tipping Point‘s Zero Day Initiative (ZDI) each reversed their five-year-long rise in vulnerability reports with a reduction of more than 50 percent in 2012.

Frei suggests one major reason for the decline in bugs reported by ZDI and the VCP: researchers looking to sell vulnerability discoveries today have many more options that at any time in the past.

Continue reading →

Aug 10

Anti-virus Products Struggle Against Exploits

Most anti-virus products designed for use in businesses do a poor job of detecting the exploits that hacked and malicious Web sites use to foist malware, a new report concludes.

Independent testing firm NSS Labs looked at the performance of 10 commercial anti-virus products to see how well they detected 123 client-side exploits, those typically used to attack vulnerabilities in Web browsers including Internet Explorer and Firefox, as well as common desktop applications, such as Adobe Flash, Reader, and Apple QuickTime.

Roughly half of the exploits tested were exact copies of the first exploit code to be made public against the vulnerability. NSS also tested detection for an equal number of exploit variants, those which exploit the same vulnerability but use slightly different entry points in the targeted system’s memory. None of the exploits used evasion techniques commonly employed by real-life exploits to disguise themselves or hide from intrusion detection systems.

Among all ten products, NSS found that the average detection rate against original exploits was 76 percent, and that only three out of ten products stopped all of the original exploits. The average detection against exploits variants was even lower at 58 percent, NSS found.

Continue reading →

Jun 10

Anti-virus is a Poor Substitute for Common Sense

Common sense always speaks too late.” — Raymond Chandler

A new study about the (in)efficacy of anti-virus software in detecting the latest malware threats is a much-needed reminder that staying safe online is more about using your head than finding the right mix or brand of security software.

Last week, security software testing firm NSS Labs completed another controversial test of how the major anti-virus products fared in detecting malware pushed by malicious Web sites: Most of the products took an average of more than 45 hours — nearly two days — to detect the latest threats.

The two graphs below show the performance of the commercial versions of 10 top anti-virus products. NSS permitted the publication of these graphics without the legend showing how to track the performance of each product, in part because they are selling this information, but also because — as NSS President Rick Moy told me — they don’t want to become an advertisement for any one anti-virus company.

That’s fine with me because my feeling is that while products that come out on top in these tests may change from month to month, the basic takeaway for users should not: If you’re depending on your anti-virus product to save you from an ill-advised decision — such as opening an attachment in an e-mail you weren’t expecting, installing random video codecs from third-party sites, or downloading executable files from peer-to-peer file sharing networks — you’re playing Russian Roulette with your computer.

Continue reading →