'Offensive security research community helping bad guys'

Summary: Adobe security chief Brad Arkin argues that benevolent security researchers who publish techniques to defeat security mitigations are doing a major disservice.

TOPICS: Malware, Security

CANCUN, Mexico -- Adobe security chief Brad Arkin has a message for the benevolent security research community: Your work is driving down the cost and complexities of attacks against computer networks.

During a keynote presentation at the Kaspersky security analyst summit (see disclosure), Arkin said the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply providing a roadmap for the bad guys to break into computer systems.

"We are involved in a cat-and-mouse game on [the software] engineering side. Every time we come up with something new and build new defenses, it creates incentive for the bad guy to look beyond that," Arkin explained, noting that the white-hat security research community helps cyber-criminals by publishing vulnerabilities, exploits and techniques to bypass security mitigations.

follow Ryan Naraine on twitter

"My goal isn't to find and fix every security bug," Arkin argued.  "I'd like to drive up the cost of writing exploits.  But when researchers go public with techniques and tools to defeat mitigations, they lower that cost."

At Adobe, Arkin's security teams have been working overtime to stem the flow of zero-day attacks against two of its most widely deployed products -- Adobe Reader and Adobe Flash Player -- and he made the point that too much attention is being paid these days to responding to vulnerability reports instead of focusing on blocking live exploits.

"We may fix one vulnerability that has a security characteristic but when we change that code, we are creating a path to other vulnerabilities that may cause bigger problems in the future," he said.

Arkin said that the volume of reported security vulnerabilities is forcing Adobe to respond in a way that may introduce new security defects.  "We may fix a security bug but all of a sudden Adobe Reader can't print to a certain brand of printer.  We're not clear if anyone has ever written an exploit for that bug but we have to push out a fix that causes problems."

Arkin suggested that Adobe -- and other big software vendors -- cut their losses and take a different approach.  Instead of running on a treadmill to patch every vulnerability report, security teams should invest heavily in mitigations and anti-exploit technologies and work more closely with the research community to curb the publication of information that can help malicious hackers.

"We have patched hundreds of CVEs [individual vulnerabilities] over the last year.  But, very, very few exploits have been written against those vulnerabilities.  Over the past 24 months, we've seen about two dozen actual exploits," Arkin said, making the argument that software vendors are not wisely using their security response resources.

"Finding a bug is pretty straightforward but writing an exploit that works successfully is harder.  An exploit that works reliably 100 per cent of the time is even much harder.  Very few people have skill sets to write these exploits so we have to concentrate on driving up the costs of writing these exploits," he said.

Arkin argued that it's impossible for software vendors to produce code without security defects.  "You can improve the code but you're never going to get it perfect.  At Adobe, we have invested a lot to build mitigations and drive up the cost and complexity [of exploiting software bugs].  But now we have offensive research teams -- the good guys -- who are driving down that cost when they research a new technique to hack into software, write a paper and publish it to the world."

"Something hard becomes very very easy.  These exploits and techniques are copied, adapted and modified very cheaply."

"I'm not saying we should outlaw offensive research.  However, it's clear that these [intellectual] offensive advances very much change the game.  Once something gets published, it's only a matter of time before real-world bad guys put them into their operations."

* Image via Nikita Svetsov.

  • Better idea; no more Flash

    Resource hogging, vulnerability introducing, and an annoyance to find and delete 'Flash cookies'.
    • Bugs

      @HollywoodDog
      Exactly.

      Sounds like Adobe is blaming those people who uncover Adobe's software vulnerability instead of blaming their own programmers for their buggy software. If Google can provide a solid browser which is way more complex than Reader and Flash combined why can't Adobe produce the same quality software?

      What PDF reader loads its own modules for more than 2 minutes? Only Adobe Reader.

      Looks like Adobe is worried because their buggy PDF Reader and Flash are already being replaced.

      There's HTML5 to replace their Flash and I already disabled the buggy Adobe Flash in HTML5 sites like YouTube. Also, there are a bunch of lean PDF readers around that have already replaced the buggy Adobe PDF reader.

      As someone has posted in ZDNet before, it's either you provide quality software or your software company will die, no other options.
      Survival of the fittest, a cruel world, but that's nature's law.
  • RE: 'Offensive security research community helping bad guys'

    I'm sorry, but I've never been convinced that Adobe actually knows how to do code quality properly. It's never shown in their products.

    To make things worse, they moved to a quarterly update schedule when the accepted standard is monthly! I'm not really convinced at all they're serious about security if their patch schedule is worse than the rest of the industry. I'm sorry, I'm not convinced at all.
    • Whack-a-mole is not a strategy

      Why are you making this about Adobe? Does the guy's point really escape you?

      Which town has the lower crime rate: the one where the police study crime patterns and patrol randomly in high-crime areas, or the one where every night somebody puts up a web page of all the businesses that have their doors unlocked, and the cops run around from one to the next securing the places that were published?
      Robert Hahn
      • RE: 'Offensive security research community helping bad guys'

        @Robert Hahn The guy isn't a cop, and while everybody else closes their doors every night, he closes his once a week, and wonders why he gets so many more thieves.

        And while we're at it, the thieves are super high tech, with remotely controlled stealth drones that evade the police. The illustration breaks down because we really have no concept of "patrolling the neighborhood" on the Internet.

        Not to mention that we currently have no way of truly enforcing code quality. We currently have no way of making sure that businesses are paying attention to their security flaws and actually closing them. If left to their own devices, businesses will NOT fix their flaws. We've had flaws that have been left open for years.

        I'm sorry, no, the metaphor doesn't match. This is not your local neighborhood police. We currently have no way of patrolling the Internet and stopping crime at its source.
      • Here's the proper analogy.


        Which town has the lower crime rate:

        1. The ones where the police check on places they know are at highest risk, study criminal patterns and investigate and patrol those places most at risk more frequently, or;

        2. The one where every other night some POLICE post a notice on the internet how to pick certain kinds of residential and commercial locks, as well as how to defeat particular security and surveillance methods used in various locations, resulting in the police having to not only maintain their regular routines but also attend specifically to these posted online locations that are now at a very real risk due to the online revelations.

        And ya, it's not just Adobe, it's more than that and it's not a cute or bright idea for so-called "white hats" to be giving out good info to the world they know the black hats patrol for B&E info. It's dumb. It's stupid and it's counterproductive and has no real value to the public. At best it can only be happening for the ones who do it because they feel it somehow aggrandizes their stature in the community by being able to identify the risks that may exist.
      • RE: 'Offensive security research community helping bad guys'

        @Robert Hahn You've got the analogy wrong: which town has the higher crime rate? The one where citizens check whether their locks are easily pickable (yeah, they all actually are...but let's pretend for our own peace of mind and the sake of the argument...), and take countermeasures (prop a chair against the handle, get a Doberman, etc.) or the one where no one bothers checking if the locks actually work and aren't all master-keyed, for example.
  • Boo Hoo Hoo

    Hate to say it, but all most of these CEO, CIO, CxO guys (not just Adobe) care about are the numbers. Less engineering or cheap engineering while trying to get the product out the door ASAP so they would look good for the investor. As a result, the company structure looks like an upside-down pyramid. They want free QA from the end users, and try to make money while fixing for users or even try to sell the fix as a new version of whatever the product. Imagine, the engineers approve and certify their own products, where's the check and balance in that? I would not be too thrilled if I worked so hard to get new features to work and roll out; but on the other hand, I better get something stable when I release any new feature. I am not saying Apple doesn't have problems and couldn't be hacked, but if we look at them or their business model. Apple can do a good job on both hardware and software (i.e. when they release any product, it tends to be rock stable, except the iPhone antenna problem). They can get their products manufactured fast, easy to use so even a grandmother can operate them, granted their "I" products are not cheap. But, in the end which company can actually think about user needs but boasting of their unstable, vulnerable features, even features that no one cares to use but only a small fraction of users actually need. It just seems that these corporate guys aren't any better than those day-trading Wall Street people (i.e. SHORT-SIGHTED and GREEDY).
    • You may be right, it's the commercial/retail world, but...


      Perhaps you're suggesting these companies literally burn the midnight oil until they have an almost perfect product, and I say almost perfect because it's never going to be perfect. And not even Apple. They have plenty more problems than just the iPhone antenna.

      And if that is what you are suggesting I guess you're also suggesting you want to pay the perfectly inflated price that reflects the amount of work and time involved to create such software. At some point, a little reality has to creep in here.

      And I guess if you know of some assortment of magical/perfect coders that Apple, Microsoft, Adobe and yes-even Google don't know about that can create this perfect code you're looking for, and do it at high speed, then you should be a headhunter working on a commission and you will be rich. Every software company wants someone who can write perfectly secure code in the same time it takes for the typical coder to do it, and if you know of a bunch you should be able to get them some of the best money available.

      Quite frankly, I have a couple Apple products, an iPhone and a Classic iPod 80GB. I like them both, but god save us if we have to start paying the price for all computers that Apple charges. You should have a look around the net about how easy it is for someone with nothing better to do to break into OSX. And I say nothing better to do because most people who are interested in such a task and up to the challenge do have something better to do, like exploit a Windows machine so at least they are going after close to 90% of the computers in the world.
  • RE: 'Offensive security research community helping bad guys'

    I've been wondering for a while now when someone would bring this up. Having over 25 years' experience with computers and seeing how we seem to be getting more and more malware, it makes sense for the researchers that find the exploit in the software to contact the company involved and inform them and say nothing to anyone else about it. Because every time one of these papers is published you're showing the bad guys where to look, instead of making them work their butts off to find it themselves. Common sense doesn't seem to be too common, does it.
    • It doesn't make sense, no.


      And yes, while there seems to be more malware than ever, make no mistake there is a simple and good reason for that. I know people who have worked in the computer industry for more than 10 years and oddly enough, each of them seems to have a slightly skewed recollection of how far we have come in the last 10 years.

      The fact is that home computers 10-11 years ago were just starting to get their first solid widespread footholds into the average households. High speed in most locations was rare and now it is commonplace. Computers are now used in homes for far more than they were 10 years ago, far more frequently. More homes now don't just have at least a computer, more homes now have several computers, and even home networks. It's endless.

      You might just as well say "of course there is more malware, there's far more opportunity and reason for malware".
  • RE: 'Offensive security research community helping bad guys'

    "Arkin suggested that Adobe -- and other big software vendors -- cut its losses and take a different approach. Instead of the running on a treadmill to patch every vulnerability report, security teams should invest heavily on mitigations and anti-exploit technologies and work closer with the research community to curb the publication of information that can help malicious hackers."

    That would be a good idea. From what I remember from past stories like this, the practice of full disclosure really started to gain momentum back in the old days when companies would regularly sit on bug reports without doing anything of significance to fix them. Also, it's seemingly presumed that the "bad guys" don't know that the flaws exist before the disclosure is made, which seems like a somewhat naive way to see things (except maybe for the script kiddies).

    In other words, if the software companies had a less "CYA" attitude towards security, they wouldn't be in the mess they're in now.
    Third of Five