Wednesday, September 8, 2010

Research Firm NSS Will Launch ‘Exploit Hub,’ An App Store For Hackers

Via Forbes.com (Firewall Blog) -

NSS Labs is about to launch a new project that may seem unlikely for a security research firm: a marketplace for brokering the sale of hacking tools. I’ve just written a short article in the magazine on the Carlsbad, Calif.-based company’s plans for the October launch of a Web-based marketplace, dubbed Exploit Hub, for buying and selling exploits used in penetration tests, the audits aimed at sussing out vulnerabilities in corporate and government networks.

NSS president Rick Moy argues that the new marketplace will help close the gap between penetration testers and the malicious hackers whose intrusion techniques they’re trying to outwit. “A penetration tester is only as good as the exploits he has to work with,” he says.

Exploit Hub will allow any researcher to submit hacking code to the marketplace and name his or her price. NSS will test the quality of those exploits and take a 30% cut of sales. Only authorized buyers will be able to purchase and download exploit code, and only “non-zero-day exploits”–those that already have been patched by the software vendor–will be posted on the site.

[...]

By focusing on non-zero-days, NSS’s Moy hopes to create a useful tool for penetration testers but one that doesn’t invite misuse or controversy. Non-zero-day exploits will sell for far less, but Moy argues that even an exploit that sells for $50 could generate substantial income for a researcher if hundreds of companies buy the exploit for penetration testing purposes, an application where patched exploits are far more useful than unpatched ones. The goal, after all, is to test the security of a client’s systems by finding patchable bugs on their networks, not to gain access through a vulnerability that has no easy fix.

“There’s no cure for zero days,” Moy says. But luckily, he adds, “Zero days aren’t a controversy we need.”
