Tag Archives: PDF

Make vendors liable for vulnerabilities?

Where does the Buck stop?


 
Should software vendors be liable for vulnerabilities in the products they sell? Are they already liable to some degree, or would new legislation be required in order to make it so? These are interesting questions, sure to provoke strong opinions on both sides of the fence.
 
In almost every case, when you buy a software product, a close inspection of the End User License Agreement (EULA) will reveal a host of exculpatory clauses, exonerating the vendor of responsibility for any kind of direct, indirect, consequential (and just about every other applicable adjective) damages “whatsoever” that may arise from the installation or use of (or inability to use) the software product. But is this reasonable or indeed fair?
 
Software products are not a tangible asset and as such escape much of the legislation that applies to the sale of goods and their fitness for purpose. However, the majority of successful compromises of systems and enterprises arise from the exploitation of a vulnerability or flaw in an application or operating system, and these often result in direct financial loss.
 
At first glance the case for enforcing some kind of liability on vendors seems obvious. Make the vendor legally responsible for the quality of their product and thus increase their focus on writing secure code. Lower the number of vulnerabilities in published products and create an ecosystem where vendors routinely produce more robust software. Indeed, the idea is not a new one. A House of Lords Science and Technology Committee report on Personal Internet Security from 2006/7 reached the following conclusion (8.15):
 
“We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced.”
 
Similar calls have been echoed by such luminaries as Bruce Schneier and Viviane Reding, but what might be some of the consequences and does adequate cover exist already?
 
The first and most obvious is that it may well increase the cost of developing software. Since invulnerable code is impossible to create, vendors would be obliged to take out unlimited liability insurance contracts against the inevitable stream of lawsuits, with the cost passed on to the consumer. This would be compounded if companies were tempted to skimp on even the most basic security practices, passing the buck to the software vendor when a breach occurs. It could effectively be the death-knell for free software.
 
A second unintended consequence could be equally costly for the consumer. What happens when the vendor releases an updated product addressing identified flaws with an earlier version? Would cover cease for the now legacy versions, obliging consumers to commit to expensive and perhaps unnecessary upgrades to continue to benefit from their newfound legal protection?
 
Where do we truly stand right now? Are those EULAs worth the bits they’re written on? Is new legislation required or even worthwhile? In the traditional last refuge of the scoundrel, I Am Not A Lawyer, so I’ll defer to the opinion of a colleague who is:
 
“If a software vendor negligently exposes its software to vulnerabilities, in particular because of defects in the software or non-compliance with best practices, under current law it can be held liable for all consequences arising therefrom. Exculpatory clauses in EULAs can limit liability, but the validity of such clauses has to be examined on a case-by-case basis.”
 
Bear this in mind though; the vast majority of breaches are the result of the exploitation of vulnerabilities for which a patch has already been released by the vendor. Even with a physical good such as a car, the vendor is not required to fix the (potentially life-endangering) fault, only to issue a recall and make the necessary changes. Is it really so different, and if you don’t respond to the recall notice, or install the patch, where do you think the liability is going to lie in those cases?
 

Don’t be dumb, keep schtumm!

This quote from this article, “The sweep was part of a civil suit brought by Microsoft in its increasingly aggressive campaign to take the lead in combating such crimes, rather than waiting for law enforcement agencies to act”, is what motivated me to tweet: “Opening civil proceedings ‘without waiting for law enforcement’, against 39 John Does and citing their online handles is a very dumb idea.”
 
The security industry and research organisations should work with law enforcement, not against it. All 39 of the online handles mentioned in the court submission (covered in my blog yesterday) are now fully aware that they are under active investigation and have the chance to “disappear”, probably to resurface elsewhere and carry on business as usual.
 
It is disturbingly similar to how the identities of the Koobface gang were exposed without waiting for due legal process, even though the intelligence behind this “exposé” was mostly generated in an industry group working with law enforcement towards an eventual prosecution. Once the information is published without waiting for due legal process, the criminals have a chance to go to ground.
 
Again in the Microsoft civil suit example, there is a reliance on information that was shared within working groups. The normal model is to collaborate across industry and come up with a shared result in terms of law enforcement. Marketing actions like this very much break that model.
 
The successful dismantling of the Esthost botnet with the arrest of the criminals involved is a true model of how the security industry and law enforcement can and should work together to better secure the internet and internet users. That investigation was 6 years in the making and led to the arrest of an entire crime ring and the dismantling of their infrastructure.
 
Long term law enforcement success should not be sacrificed on the altar of marketing initiatives.
 

Beginning of the end for ZeuS/SpyEye?

[Image: Bortusk Criminal Swag by bixentro, used by permission from bixentro's Flickr photostream]


 
In a court submission that runs to 162 pages, Microsoft, the Information Sharing and Analysis Center (FS-ISAC), a trade group representing 4,400 financial institutions, and NACHA, the Electronic Payments Association, are pursuing the criminals they believe to be behind the ZeuS, SpyEye and Ice IX botnets.
 
The codebase behind ZeuS, Ice-IX and SpyEye has a long and infamous history in internet crime. ZeuS has been around since 2006 (2007 is specified in the court submission) and is responsible for hundreds of individual botnets stealing millions of pounds from consumer and business bank accounts. SpyEye was originally set up as a competitor to ZeuS and even went as far as to remove ZeuS if it found it on a computer that SpyEye was trying to infect. More recently the two code bases have been merged into a single piece of crimeware.
 
The court submission from Microsoft, while it openly states that the identities of the “John Does” are currently unknown, does go a long way towards exposing the huge infrastructure behind crimeware of this nature. It specifies three individuals identified as the original ZeuS, SpyEye and Ice-IX coders and two further code developers; two PDF and Flash exploit vendors responsible for creating malicious files that drop the bot onto your PC; three web-inject vendors who create the scripts that inject fake content into legitimate banking web sites; four individual botnet hosters and fifteen individual botnet operators; seven money mule recruiters; three specialists in cashing out stolen funds; and one individual responsible for handling “incoming notifications of newly compromised victims”.
 
The court submission identifies malicious network infrastructure that spans the globe, from North America through the UK and Germany via Iran, Hong Kong and even Laos all the way to Australia. A total of 3357 domain names across 35 registrars have been identified as being related to what they are collectively calling “the ZeuS botnets”, with 1703 of those domains registered with Verisign. In raids on two hosting locations on March 23rd, servers were seized, leading to disruption of botnets and criminal activities. However, as Microsoft notes, this enforcement action only closed down two IP addresses and secured 800 monitored domains (out of 3357), so the immediate effect can be expected to be minimal.
 
Of course, cybercrime is bigger than just 39 people and currently no specific individuals have been identified, but if nothing else, this indictment serves as a graphic illustration of the maturity of the criminal business model. Criminals such as Slavik and gribodemon have successfully evaded justice for many years, but let’s hope that this continued focus and international cooperation across the security and law enforcement communities can eventually make a significant dent in their illegal operations.
 
The ZeuS Tracker project, which lists Command & Control servers around the world, is today listing 806 ZeuS and Ice IX servers, 343 of which are currently online and active. SpyEye Tracker lists 487 servers globally, of which 16 are currently active.