Stop me if this story sounds familiar: you’re running penetration tests on your systems, and you discover several vulnerabilities. Unfortunately, when you report these vulnerabilities to your superiors, they aren’t seen as ‘priority’ fixes. Or maybe you’re on the other side of that conversation – maybe you’re the one saying those bugs aren’t really an issue at the moment.
They’re so obscure, who could possibly think to exploit them?
You’d be surprised, actually. Have you ever wondered why security firms constantly disclose hacks and vulnerabilities? Why IT professionals make a hobby out of documenting and creating exploits?
Proof of concept. Vulnerabilities are documented to show that they exist – to show what an exploit can be used for, and how significant a threat it is. Vendors and enterprises are notified of the documentation first, of course, as it would be poor form to simply release a hack into the wild without giving people time to defend against it.
But eventually, once a professional has reason to believe that most businesses and vendors will have patched their systems, they’ll make the details of the exploit public. The discussion in this Reddit thread explains the situation quite well, I think. Users there are discussing a vulnerability called Dirty COW that ruined a young sysadmin’s Christmas.
“[This vulnerability] has existed in the Linux Kernel for a while,” writes one user. “When researchers discovered it, there is an assumption that, if they know it, others may have as well. Criminals and groups like the NSA…[white hat hackers] help people like me understand and respond to the vulnerability.”
“Having ready-made examples of exploits helps me get up to speed faster,” he adds.
Understandably, this approach can be something of a double-edged sword if your organization lags behind with its security patching. If these released exploits and hacks are publicly available, that means criminals have access to them. And if you haven’t applied the fix, that means you’re effectively giving them the key to your servers.
Unpleasant thought, right?
In the ever-raging war on cybercrime, white hat hackers – the people who research and make exploits like this public, along with their fixes – are the good guys. But that doesn’t mean you won’t be burned by them if you’re careless. When they release a new bug fix or security notification, it is your responsibility to pay attention and to apply it.
Because if you don’t, why bother with security at all?