
Business Is Booming In the 'Zero-Day' Game

Posted by timothy
from the pat-I'd-like-to-buy-an-exploit dept.
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through their catalog, and then charge per sale to countries that want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders, but North Korea is also in the market, as are some Middle Eastern intelligence services."


  • by databeast (19718) on Sunday July 14, 2013 @12:16PM (#44278021)

    ....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

    (* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).

    • by khasim (1285) <brandioch.conner@gmail.com> on Sunday July 14, 2013 @12:38PM (#44278183)

      We need rules for these articles in the future.

      Cyber-war/Cyber-warfare - take a drink
      Cyber-weapon - take a drink
      Cyber-warrior/Cyber-soldier - chug
      Cyber-command - chug
      Others?

      Anyway, if this is such a big risk (aside from alcohol poisoning) then why aren't other countries switching to Linux and training their own programmers so that they can "harden" it?

      If they have to use something that they did not write/audit themselves then that should be completely isolated.

      Wouldn't the intelligent thing to do (if this is really a threat) be to develop a 5-year goal of moving off of software written by your potential cyber-enemies (take a shot)?

      • by databeast (19718)

        ...yes, that would absolutely solve the matter, because never in the history of the world have people managed to obtain software and source code that did not belong to us! "Sorry, you can't analyze our software for vulns, because we're not going to give you a license for it!". Brilliant :-P

      • by DarkOx (621550)

        I suspect the ones that don't fit the first world template largely are switching. The rest don't because cozy international relationships are a nice way to do an end run around their own laws. They can share exploits more easily if everyone is using the same software. Then they don't have to worry about pesky Constitutional problems like our Fourth Amendment. NSA not allowed to gather that intel? No problem, call a buddy at MI6, and vice versa.

        If there is one thing the Snowden experience has proven once a

      • You really need to appreciate the scale when advocating a company or government to migrate to another OS. Replacing all internal and customer-targeted applications is a big job. The time and costs for even a small to medium sized company are a guaranteed budget buster. Re-training the users, re-training the existing IT staff, and hiring the new IT staff needed to support and develop on the new platform is also a huge undertaking. If you do spend the money and time you will soon realize that you are no safer

    • by gl4ss (559668)

      yeah so bitching about zero day bugs on forums would then be a felony?

        • by databeast (19718) on Sunday July 14, 2013 @12:58PM (#44278325)

        you can't sell something for profit that will be used in hostile actions, if you've already disclosed the information in public, now can you? The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.

        • by gl4ss (559668)

          it's exporting/distribution even if you don't charge for it...

          • by databeast (19718)

            good point, I concur that laws are full of gotchas, and I was using ITAR as an example that a precedent has already been set once, not that ITAR is the hammer that should be used this time around...

        • The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.

          At least some of these companies get around that problem (from a legal perspective) by doing checks on customers, like making sure the subscriber is a member of NATO (really, one of them does that). Essentially what it means is, if you want to buy these as a criminal, you're going to need to at least set up a shell company that makes you look legit. Given the high price of the exploits, that shouldn't be a problem for anyone who can afford it.

    • by v1 (525388) on Sunday July 14, 2013 @03:18PM (#44279279)

      ....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

      Zero-day exploits are a bit farther down the road than even munitions. At least I can claim I need a gun for self-defense. There's really no "legal use" for a zero-day. Its only immediate purpose is to bypass computer security, which is illegal in almost every corner of the globe. (The biggest three applications being theft, corporate espionage, and spying.)

      The interesting twist here I think though is that entire governments are doing business with these guys, because they want it just as bad as the more traditional criminals. Normally when you're a government, you simply spend money to get your way. Things you want to have but not let your people have you just make illegal for civilian use.

      But this is different. Money doesn't directly GET you a zero day, any more than money can get you nuclear weapons. They require specialized knowledge and skills. So you either spend a huge amount of money to R&D it, or you just go out and buy it. Buying nuclear isn't easy because currently only big governments have it, and they don't want to water down their exclusivity, so they won't sell it at any price. But right now the black market has better R&D on zero-days than any government, and they're completely fine with selling it to anyone, for a high price of course. Also unlike nukes, it's not a matter of needing specialized materials and resources, anyone can R&D it, all they need is a lot of bored skilled nerds ;)

      So it just makes sense that the black market is playing both sides. Everyone wants it, and they are by far the cheapest source. It's a supplier's dream come true.

      • by pantaril (1624521)

        There's really no "legal use" for a zero-day.

        There are certainly a few legit uses of 0-day exploits. Anti-virus creators, to name one.

        ....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

        Maybe part of the responsibility for the current situation lies with the corporations and government agencies which often treat white-hat hackers, who try to inform them about their vulnerabilities, like criminals and throw legal actions at them. It's no wonder that some of the hackers turn their exploits over to the black market for money.

  • by Anonymous Coward

    Only Available for trusted organizations

    Because of the sensitive nature of the information provided through this service, VUPEN Security has defined strict eligibility criteria for participants. VUPEN Security solely reserves the right to determine whether an organization or corporation meets the criteria.

    Eligible organizations are:

    - Trusted Security Vendors Providing Defensive Software or Hardware (Antivirus, IPS, IDS)
    - Governments, Law Enforcement, and CERTs (countries members of NATO, ANZUS, ASEAN)
    - Wor

  • They would trade mutated virus strains (especially the successful ones) without worrying about an incoming pandemic.
  • by ebno-10db (1459097) on Sunday July 14, 2013 @12:57PM (#44278315)

    Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.

    • by Spykk (823586)
      Wikipedia is one of the interactive internet's biggest success stories. You do realize how content gets into Wikipedia?
    • Or at least the sort of computer design that deliberately walked away from having security built into all levels.

      With that said, the Web acquired some customs that are hostile to security: Routine execution of automatically retrieved code, coding pages as composites from many third party sites, and the ad industry's negligent attitude toward malware are a few.

      Also, neither PC nor Web architecture attempted to make certificates and keys into palpable first-class entities that users could more easily understa

    • by Hentes (2461350)

      No, it wasn't. Whether you get hacked or not is entirely up to you. Why would I care if other people using insecure systems get hacked?

  • In a way

    by Anonymous Coward

    In a way this is proof that the existing approaches to computer security have gone completely bust. They're big business so there's money in keeping it that way, not so much in actually fixing anything. Besides, patching does not fundamentally improve the software. All it does is wipe away visible blemishes.

    This fits well with the blind leading the blind approach to reporting about computer security, where everybody and his dog is a "hacker" even if he's really a rent-a-cop trying to defraud his employer by

    • by databeast (19718)

      Sad I blew mod points to comment on this article, but this reply deserves modding up. Your point about the redundancy of the term 'ethical hacker' is something I wrote about on Bloomberg last year (and was promptly libeled by Richard Stiennon in his column a day later).

  • I was a teenage pinheaded computer hacker, back in the day. ("Pinheaded" in the sense that I never stole anything, or caused any damage...I would break into a system and then do the computer equivalent of bouncing around like Daffy Duck — "Woo hoo! Woo hoo! Woo hoo!" The owners of the system would quickly realize that someone had broken in, and then work to close the hole.)

    But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.

    WHAT AN IDIO

    • But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.

      You turned down the job offer from the NSA?

  • by theweatherelectric (2007596) on Sunday July 14, 2013 @06:09PM (#44280367)
    All the more reason to consider using new programming languages like Rust [rust-lang.org] which are built with memory safety in mind. Better programming languages are by no means a silver bullet for security problems, but they help.
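    To make the memory-safety point concrete, here is an added example (mine, not code from the thread or from the Rust project): a parser for a made-up record format, a 16-bit big-endian length followed by that many payload bytes, where the length field is attacker-controlled. In C, forgetting the bounds check turns a lying length into an out-of-bounds read; in Rust the checked accessor returns None, and even the careless direct-indexing version panics instead of reading adjacent memory. The record format and the function names are assumptions for illustration only.

```rust
// Added example, not from the Slashdot thread: untrusted length-prefixed
// record parsing in Rust. The record layout (u16 BE length + payload) is a
// constructed format chosen for illustration.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Header claims more payload bytes than the buffer holds.
    Truncated { declared: usize, available: usize },
    /// Fewer than two bytes: no complete length header.
    TooShort,
}

/// Parse one record and return its payload slice. Every access goes through
/// `get`, which performs the bounds check, so a lying length field can never
/// index past `input` regardless of what the attacker put in the header.
pub fn parse_record(input: &[u8]) -> Result<&[u8], ParseError> {
    let header = input.get(0..2).ok_or(ParseError::TooShort)?;
    let declared = u16::from_be_bytes([header[0], header[1]]) as usize;
    let available = input.len() - 2; // safe: header check guarantees len >= 2
    input
        .get(2..2 + declared)
        .ok_or(ParseError::Truncated { declared, available })
}

/// Byte sum of the payload, computed only over the safely bounded slice.
pub fn payload_checksum(input: &[u8]) -> Result<u32, ParseError> {
    Ok(parse_record(input)?.iter().map(|&b| b as u32).sum())
}

/// The C-style version: trust the header and index directly. In C this reads
/// past the buffer silently; in Rust the runtime bounds check panics. The
/// panic is caught here only to show the failure is contained (None), not to
/// recommend catch_unwind as an error-handling strategy.
pub fn naive_checksum(input: &[u8]) -> Option<u32> {
    std::panic::catch_unwind(|| {
        let declared = u16::from_be_bytes([input[0], input[1]]) as usize;
        let mut sum = 0u32;
        for i in 0..declared {
            sum += input[2 + i] as u32; // panics once 2 + i >= input.len()
        }
        sum
    })
    .ok()
}

fn main() {
    // Constructed sample: header says 4 bytes, and 4 payload bytes follow.
    let good = [0x00, 0x04, 0x10, 0x20, 0x30, 0x40];
    // Constructed malicious sample: header claims 65535 bytes, only 2 follow.
    let evil = [0xFF, 0xFF, 0xAA, 0xBB];
    println!("good:         {:?}", payload_checksum(&good));
    println!("evil:         {:?}", payload_checksum(&evil));
    println!("evil (naive): {:?}", naive_checksum(&evil));
}
```

    The language does not remove the bug (the `naive_checksum` path still has a logic error), it changes its consequence from an information leak or crash-to-exploit primitive into a deterministic, detectable failure. Code paths marked `unsafe` opt back out of these checks, which is why they are where a Rust audit spends its time.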
  • When legal hackers get prosecuted it's no wonder they flock to the black markets.
