Limited zero-day disclosure gets thumbs up
#1, 08.08.2007, 11:12, Dracula4ever

LAS VEGAS -- While a panel of experts argued on Friday over whether a company should be able to protect customers against vulnerabilities that are not public if doing so runs the risk of leaking information to the bad guys, attendees at the DEFCON hacking conference overwhelmingly supported the idea.

The issue became highlighted by the findings of security firm Errata Security, which discovered that reverse engineering the anti-malware signatures used by network-defense products could give black-hat hackers enough information to figure out the vulnerability and create an exploit. There is evidence to suggest that at least two underground groups already rely on such signatures to recreate zero-day exploits before the vulnerability is patched, said Robert Graham, CEO of Errata Security.

"So it's a double-edged sword," Graham said during his presentation on the issue. "They are shipping out the signature to protect against the exploit, but they are also sending out information on the vulnerability."

TippingPoint, the company whose product signatures Errata had reverse engineered, pulled protections for zero-day exploits and made the signatures harder to decrypt after being notified of the issue, Graham said. However, in a hand vote at the disclosure panel, the audience overwhelmingly supported TippingPoint's -- and other firms' -- right to protect their customers.

The ethics of disclosure has been a perennial focus of the Black Hat and DEFCON conferences. A year ago, security researcher HD Moore polarized the security community by releasing daily flaws in Internet Explorer for the month of July, inadvertently giving rise to a trend in Month-of-Bug knockoffs. This July, a group of relatively unknown security researchers have launched an auction site for vulnerabilities -- an old idea -- but one that will likely help define the ethics of modern disclosure.

At the panel discussion at DEFCON, panelists said that getting paid for vulnerabilities is not a question of ethics anymore, but a question of what the market will bear.

"It is irrelevant whether or not they are getting paid," said one panelist. "They are finding people to pay them in any event."



http://www.securityfocus.com
 