Brian Gorenc on the topic “Modern Day Entomology - Examing the Inner Workings of the Bug Bazaar”.

Editor's Notes

• #5: Vulnerability Submitted: A researcher submits a previously unpatched vulnerability to the Zero Day Initiative, who validates the vulnerability, determines its worth, and makes a monetary offer to the researcher. Vendor Notified: The Zero Day Initiative responsibly and promptly notifies the appropriate product vendor of a security flaw with their product(s) or service(s). Digital Vaccine® Filter Created: Simultaneously with the vendor being notified, Trend Micro TippingPoint works to create a Digital Vaccine filter to protect customers from the unpatched vulnerability. Vendor Response: The Zero Day Initiative allows the vendor four months to address the vulnerability. Vulnerability is Patched or Remains Unfixed: The vendor will either release a patch for the vulnerability or indicate to the Zero Day Initiative that it is unable to, or chooses not to, patch the vulnerability. Public Disclosure: The Zero Day Initiative will publicly and responsibly disclose the details of the vulnerability on its Web site in accordance with its vulnerability disclosure policy.
• #11: Adobe, Apple, Foxit, Google, Microsoft, Mozilla, Oracle, WebKit
• #12: 3S Pocketnet Tech, ABB, Advantech, ARRIS, Codesys, Cogent Real-Time Systems, Ecava, GE, Honeywell, Indusoft, MICROSYS, Proface, PTC, Rockwell Automation, Schneider Electric, Tibbo, Trihedral Engineering Ltd, Unitronics, WellinTech
• #13: Now, when Hacking Team happened most in the industry poured over the evidence look for 0-day. Not ZDI. We looked for financial data. Who was buying, Who was selling, What were the prices? Are we making a impact in the shady grey market? Hacking Team dumps give us solid evidence here…and it is quite lucrative. RAV service 90,000 E to Czech Republic Similar service to Kazazkhstan for 180,000 E Additional buyers: Guatemala Lebanon Mongolia Russia Egypt Vietnam Malaysia Federal police of brazil Bangladesh Police - Rapid Action Battalion Republic of South Korea - Army Saudi Arabia Cyprus UAE Mexico Republic of Hungary And Small company called Cyberpoint in MD< USA
• #14: Information from their Board of Directors meeting leads to other interesting insights into the marketplace 10 million in revue Expected >30% growth Paid employees $80,000 on average Other Personal Cost 500,000 Grow by 50% next year What is the category? Could it be consultancy fees and the broker costs. Highly likely. To make this money, you need in this business you need 0-day exploits. Via FTE or from the free market… How do they do they engage in the free market?
• #15: Go directly to the researchers. But you have to be good… For example, take Vitaliy Toropov
• #16: Next option is Vulnerability Brokers to keeps the remote access product working is brokers. Here we have an Adobe Flash exploit for sale The most interesting here is the asset availability. Why buy exclusive or non-exclusive? Stealthiness, of course. For highly target attacks, a “fire-and-forget” model is the only real option. The more it is out there, the more likely it will get caught. But what does that benefit cost?
• #17: Much better then the consultancy rate. $95,000 Paid out over a 3 month period. Why is this done? 0-day is only as good as long as it is 0-day. Fees are paid out over time so the original researcher does not burn the bug after the payment.
• #18: What is being avilable? Browsers, Kernel, Mobile, Security Software, Core Software like PHP So how does ZDI fair in the what it is attracting from the marketplace? Are we buying and fixing bugs that will impact the grey market and protect customers? The answer is YES But where is the evidence of our impact in this market place?
• #20: Jan 2013 - https://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plugins/
• #21: JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
• #22: JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
• #23: Adobe End of life announcement - https://theblog.adobe.com/adobe-flash-update/
• #24: JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
• #25: JIT (Bound Checking, Type Confusion) UAF due to MemGC failed as a mitigation Issue in JavaScript Array Implementation
• #26: December 2013 The purpose of the amendments was to prevent Western technology companies from selling surveillance technology to governments known to abuse human rights.  The Wassenaar Arrangement was established to contribute to regional and international security and stability by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. Participating states seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities. https://www.wassenaar.org/app/uploads/2018/01/WA-DOC-17-PUB-006-Public-Docs-Vol.II-2017-List-of-DU-Goods-and-Technologies-and-Munitions-List.pdf
• #27: Starting in 2007, the Pwn2Own hacking competition has grown into the world’s premier hacking contest. 2017 was the 10th anniversary of the contest, and more than $1 million dollars was made available to contestants. It’s only a slight hyperbole to refer to Pwn2Own as the root of all research. When we announce a new category for Pwn2Own, we don’t expect to see any entries in that category that year. However, history has shown that once we announce a new target at Pwn2Own, researchers start working in that area and submit entries the following year. That happened in 2016 when we announce VMWare as a target. As expected, we didn’t get any entries in 2016, but we did get two successful VMWare escapes in 2017. This was also our first year with Hyper-V and Apache web server as a target, and again, we didn’t receive any attempts on these targets. Next year’s conference should prove interesting.