Business Is Booming In the 'Zero-Day' Game
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through their catalog, and then charge per sale to countries that want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders, but North Korea is also in the market, as are some Middle Eastern intelligence services."
So if 'cyberWar' is actually a thing... (Score:5, Interesting)
...when do we start treating these folks like arms dealers? It's not a stretch: ITAR classified cryptography as munitions.
(* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).
Re: (Score:2, Informative)
Nobody else is using them? Peered out from under that rock recently? Unless you're saying within this article in particular... in which case you're also blind if you don't realize it's part of the larger context. Either way, I don't care; you probably don't work in infosec and have to get bombarded with cyberwar hype every 6 hours, and your comment makes very little sense no matter how much I strain to understand your perception of the matter.
Re: (Score:1)
Because it is the common term used to paint the broader picture here (and the source of much debate in my circles). I used it so people would know what I'm talking about; it's this thing called a framing device. I brought it up first because that is the larger context of the topic discussed in this article. Is the written word a second language for you or something? If you don't understand this, you're not the demographic I'm speaking to anyway and are still probably happily ignorant of the whole issue.
Re: (Score:1)
yet you remain blissfully unaware of my using it as a mechanism of irony to illustrate that if people are going to insist upon the term cyber -*war*, that perhaps some of the same perceptions and controls should apply to it equally? At least my brand of pedantry doesn't cause me to lose sight of the entire discussion as I crawl up my own asshole in sophistry.
TL;DR - "Whoosh!"
Re: (Score:1)
No, it was referencing the irony of something. You really aren't very good at this comprehension thing, are you? So I think I'll take my leave of this thread now and give you some space for you and your bugbears to spend some time alone.
Re:So if 'cyberWar' is actually a thing... (Score:4, Interesting)
We need rules for these articles in the future.
Cyber-war/Cyber-warfare - take a drink
Cyber-weapon - take a drink
Cyber-warrior/Cyber-soldier - chug
Cyber-command - chug
Others?
Anyway, if this is such a big risk (aside from alcohol poisoning) then why aren't other countries switching to Linux and training their own programmers so that they can "harden" it?
If they have to use something that they did not write/audit themselves then that should be completely isolated.
Wouldn't the intelligent thing to do (if this is really a threat) be to develop a 5-year goal of moving off of software written by your potential cyber-enemies (take a shot)?
Re: (Score:3)
...yes, that would absolutely solve the matter, because never in the history of the world have people managed to obtain software and source code that did not belong to us! "Sorry, you can't analyze our software for vulns, because we're not going to give you a license for it!". Brilliant :-P
Re: (Score:3)
I suspect the ones that don't fit the first-world template largely are switching. The rest don't because cozy international relationships are a nice way to do an end run around their own laws. They can share exploits more easily if everyone is using the same software. Then they don't have to worry about pesky Constitutional problems like our Fourth Amendment. NSA not allowed to gather that intel? No problem, call a buddy at MI6, and vice versa.
If there is one thing the Snowden experience has proven once a
Linux offers no heap, stack, ASLR, or even DEP .. (Score:2)
That's because only the Windows kernel really needs heap, stack, ASLR and DEP. Putting user-mode applications in the kernel (to speed up graphical rendering) was the dumbest thing Microsoft ever did.
Re: (Score:1)
MS has not done this since Windows 98/ME. Even IE is in userspace and has been for a long time. The graphical drivers are in kernel space because you cannot talk to a high-speed video device without it and expect good performance. Linux too has nvidia and framebuffer drivers in the kernel as well. No different.
All modern kernels need the above if they are expected to be on the internet. I think the Android kernels include some of these in patches.
Re: (Score:1)
Windows shill. You may stop talking now.
Re: (Score:1)
Because Linux is not more secure than Windows or MacOSX
BULLshit.
Insecure operating systems exist because they are written in C.
Horseshit.
Windows 7 and 8 scramble the memory addresses and offer sandboxing support for browsers, so you have no clue where each .dll is loaded in RAM when you try to do a heap spray after you exploit a system.
Hereisabigpileoftechnobabblebullshittotryanddazzleyou.
Windows 7 is an unwiped ass.
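The posts above argue about whether Linux or Windows "has" ASLR and DEP, and the quoted line describes what ASLR buys a defender: the loader's addresses are unpredictable, so an exploit cannot assume where a library landed. On Linux those two mitigations are opt-in per binary: a program only gets a randomized image base if it is linked as position-independent (ELF type ET_DYN), and it only gets a non-executable stack if its PT_GNU_STACK program header omits the execute bit. The following checker, an added example written for this page and not code from any of the commenters or from the NY Times article, parses the ELF64 header and program headers to report both flags, the way "checksec"-style tools do. The two ELF images it inspects are constructed inline by `build_elf`; they are header-only stubs, not runnable programs, and exist only so the check can be exercised offline.

```python
import struct

# ELF constants from the System V ABI / Linux ELF headers
ET_EXEC = 2                 # fixed-address executable: image base is never randomized
ET_DYN = 3                  # shared object or PIE executable: image base is randomized
EM_X86_64 = 62
PT_GNU_STACK = 0x6474E551   # program header carrying the stack's permission bits
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # ELF64 program header


def check_mitigations(elf_bytes: bytes) -> dict:
    """Report whether a 64-bit little-endian ELF opts into ASLR (PIE) and an NX stack."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf_bytes[4] != 2 or elf_bytes[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")

    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT, elf_bytes, 16)

    # A PIE is linked as ET_DYN; the kernel picks a random base for it at exec time.
    pie = (e_type == ET_DYN)

    # Without a PT_GNU_STACK header the x86-64 kernel falls back to an executable
    # stack, so "no header" is treated the same as "PF_X set".
    nx = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf_bytes, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": pie, "nx": nx}


def build_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed header-only ELF64 image with a single PT_GNU_STACK entry (demo input, not a real binary)."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    header = ident + struct.pack(EHDR_FMT, e_type, EM_X86_64, 1, 0, ehsize, 0, 0,
                                 ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def check_file(path: str) -> dict:
    """Convenience wrapper for a real binary on disk, e.g. check_file('/bin/ls')."""
    with open(path, "rb") as f:
        return check_mitigations(f.read())


if __name__ == "__main__":
    hardened = build_elf(ET_DYN, PF_R | PF_W)        # PIE, RW stack: both mitigations on
    legacy = build_elf(ET_EXEC, PF_R | PF_W | PF_X)  # fixed base, RWX stack: both off
    print("hardened:", check_mitigations(hardened))
    print("legacy:  ", check_mitigations(legacy))
```

Whether the kernel actually honours the PIE flag still depends on the system-wide setting in `/proc/sys/kernel/randomize_va_space` (2 is the full default on modern Linux), so an audit should read that file as well as the per-binary flags; a distribution that ships all of its packages as PIE with NX stacks is the Linux counterpart of the Windows 7/8 behaviour described in the quoted post.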
Re: (Score:1)
That was pretty limp. Get a new writer.
Re: (Score:3)
You really need to appreciate the scale when advocating a company or government to migrate to another OS. Replacing all internal and customer-targeted applications is a big job. The time and costs for even a small-to-medium-sized company are a guaranteed budget buster. Re-training the users, re-training the existing IT staff, and hiring the new IT staff needed to support and develop on the new platform is also a huge undertaking. If you do spend the money and time you will soon realize that you are no safer
Re: (Score:2)
Yeah, so bitching about zero-day bugs on forums would then be a felony?
Re:So if 'cyberWar' is actually a thing... (Score:4, Insightful)
You can't sell something for profit that will be used in hostile actions if you've already disclosed the information in public, now can you? The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.
Re: (Score:2)
It's exporting/distribution even if you don't charge for it...
Re: (Score:2)
Good point. I concur that laws are full of gotchas, and I was using ITAR as an example that a precedent has already been set once, not that ITAR is the hammer that should be used this time around...
Re: (Score:2)
The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.
At least some of these companies get around that problem (from a legal perspective) by doing checks on customers, like making sure the subscriber is a member of NATO (really, one of them does that). Essentially what it means is, if you want to buy these as a criminal, you're going to need to at least set up a shell company that makes you look legit. Given the high price of the exploits, that shouldn't be a problem for anyone who can afford it.
Re:So if 'cyberWar' is actually a thing... (Score:5, Informative)
Zero-day exploits are a bit farther down the road than even munitions. At least I can claim I need a gun for self-defense. There's really no "legal use" for a zero-day. Its only immediate purpose is to bypass computer security, which is illegal in almost every corner of the globe. (The biggest three applications being theft, corporate espionage, and spying.)
The interesting twist here I think though is that entire governments are doing business with these guys, because they want it just as bad as the more traditional criminals. Normally when you're a government, you simply spend money to get your way. Things you want to have but not let your people have you just make illegal for civilian use.
But this is different. Money doesn't directly GET you a zero day, any more than money can get you nuclear weapons. They require specialized knowledge and skills. So you either spend a huge amount of money to R&D it, or you just go out and buy it. Buying nuclear isn't easy because currently only big governments have it, and they don't want to water down their exclusivity, so they won't sell it at any price. But right now the black market has better R&D on zero-days than any government, and they're completely fine with selling it to anyone, for a high price of course. Also unlike nukes, it's not a matter of needing specialized materials and resources, anyone can R&D it, all they need is a lot of bored skilled nerds ;)
So it just makes sense that the black market is playing both sides. Everyone wants it, and they are by far the cheapest source. It's a supplier's dream come true.
Re: (Score:2)
There's really no "legal use" for a zero-day.
There are certainly few legit uses of 0-day exploits. Anti-virus creators, to name one.
Maybe part of the responsibility for the current situation lies on the corporations and government agencies which often treat white-hat hackers, who try to inform them about their vulnerabilities, like criminals and throw legal actions at them. It's no wonder that some of the hackers turn their exploits over to the black market for money.
VUPEN says they have standards. (Score:1)
Re: (Score:3)
There is no disclosure of these vulns; disclosing them would remove the value in them. These orgs aren't paying big money for vulns to have them /fixed/, people... the exact opposite.
Re: (Score:2)
Certainly, if a government does it, it's not unlawful... and there's the rub. If interference and espionage with another nation's information systems are acts of aggression, will we ever see some updating of Geneva/Hague convention notions towards this? They both mention spies, but largely in the protection and treatment of them in habeas corpus situations... Do we even need such an updating? There is plenty of material on the legality of peacetime espionage, yet the sabotage issue remains murky as ever.
Re: (Score:2)
Also, when can there be a physical response to a non-physical attack?
Re: (Score:1)
42
Arches
Alaeda - Virus.Linux.Alaeda
Bad Bunny - Perl.Badbunny
Binom - Linux/Binom
Brundle
Bukowski
Re: (Score:1)
Oh yes, please do continue cherry-picking from a Wikipedia article you clearly don't understand. Did you see the disclaimer immediately before that list?
[quote]The following is a partial list of known Linux malware. However, few if any are in the wild, and most have been rendered obsolete by Linux updates or were never a threat.[/quote]
Yeah, the definition and implications of the term "virus" has evolved over the last couple of decades, but nothing you listed is actually an initial attack vector. At best, t
Re: (Score:1)
Android, it is linux by many standards, loads of incompetent users, loads of malware.
Re:Expensive AV waste of money. (Score:5, Insightful)
Any AV is a waste of money and of CPU cycles, there are no viruses on GNU/Linux.
Then why does rkhunter [sourceforge.net] exist?
Re: (Score:1)
Such ignorant posts like the grandparent's truly scare me.
I would mod you higher if I had points.
I have seen Linux servers compromised and admins throwing a fit saying it is impossible because they run Linux! No such thing as a rootkit could possibly exist. This was a major bank too.
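The reply above describes exactly the failure rkhunter (mentioned earlier in the thread) exists to catch: a compromised server whose trojaned system binaries look fine to anyone who "knows" Linux can't be rootkitted. The core of that class of tool is a file-integrity baseline, which is the added example below; it is written for this page and is not rkhunter's own code or anything from the commenters. `snapshot` hashes every regular file under a directory, `compare` diffs two snapshots into added, removed and modified paths, and `demo` builds a constructed fake `sbin` tree in a temporary directory, baselines it, then overwrites one "binary" and drops a new file so the report has something to show. Real deployments keep the baseline (and the checker itself) on read-only or off-host storage, since a rootkit that can rewrite `ps` can rewrite a baseline stored next to it.

```python
import hashlib
import os
import tempfile


def hash_file(path: str, chunk: int = 65536) -> str:
    """SHA-256 of a file's contents, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each regular file under root (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks and special files: hash only what the loader would execute.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; any entry in 'modified' or 'added' under a system path needs explaining."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(path: str, data: bytes) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a fake sbin/, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "sbin", "ls"), b"original ls binary (constructed)")
        _write(os.path.join(root, "sbin", "ps"), b"original ps binary (constructed)")
        baseline = snapshot(root)   # in practice: saved at build time, stored read-only

        # Simulate what the admins in the post refused to believe: a replaced ps
        # plus an unexpected new file alongside the real tools.
        _write(os.path.join(root, "sbin", "ps"), b"replaced ps binary (constructed)")
        _write(os.path.join(root, "sbin", "kmod_helper"), b"unexpected new file (constructed)")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "removed"):
        for path in report[kind]:
            print(f"{kind:9s} {path}")
```

On a real host the paths of interest are `/bin`, `/sbin`, `/usr/bin`, `/lib` and the kernel module directory; a hash mismatch there that does not line up with a package update is the signal the admins in the post were missing.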
Re: (Score:2)
Geez, I updated this thing last year! How much maintenance does this thing need?!
Business as usual (Score:2)
Re: (Score:2)
SSH over PPP.
Because I like transmitting and receiving at .56kbits/sec.
Re: (Score:2)
I only use one time pads, flown by camouflaged carrier pigeons. Might be slow, but it's secure dammit!
~S
Was the Internet a mistake? (Score:4, Insightful)
Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.
Re: (Score:2)
I think PC architecture was a mistake (Score:3)
Or at least the sort of computer design that deliberately walked away from having security built into all levels.
With that said, the Web acquired some customs that are hostile to security: Routine execution of automatically retrieved code, coding pages as composites from many third party sites, and the ad industry's negligent attitude toward malware are a few.
Also, neither PC nor Web architecture attempted to make certificates and keys into palpable first-class entities that users could more easily understa
Re: (Score:2)
Thanks, that looks interesting. And you're absolutely right about CA Roulette, though using I2P addresses that issue because every I2P address is a verifiable identity.
Re: (Score:2)
No, it wasn't. Whether you get hacked or not is entirely up to you. Why would I care if other people using insecure systems get hacked?
Re: (Score:2)
Welcome to the self-hatred that is working in the infosec business - any illusions we held about trying to improve the state of things for the greater good fell away many years ago when people started realizing that there was no profit in working towards making ourselves obsolete - casualties be damned. When it comes to computers, you're either responsible for your own OPSEC 24/7, or you accept that your systems will be interfered with in perpetuity. Nobody is looking out for you, least of all the infosec b
In a way (Score:2, Insightful)
In a way this is proof that the existing approaches to computer security have gone completely bust. They're big business so there's money in keeping it that way, not so much in actually fixing anything. Besides, patching does not fundamentally improve the software. All it does is wipe away visible blemishes.
This fits well with the blind leading the blind approach to reporting about computer security, where everybody and his dog is a "hacker" even if he's really a rent-a-cop trying to defraud his employer by
Re: (Score:2)
Sad I blew mod points to comment on this article, but this reply deserves modding up. Your point about the redundancy of the term 'ethical hacker' is something I wrote about on Bloomberg last year (and was promptly libeled by Richard Stiennon in his column a day later).
I am SUCH an idiot. (Score:1)
I was a teenage pinheaded computer hacker, back in the day. ("Pinheaded" in the sense that I never stole anything, or caused any damage...I would break into a system and then do the computer equivalent of bouncing around like Daffy Duck — "Woo hoo! Woo hoo! Woo hoo!" The owners of the system would quickly realize that someone had broken in, and then work to close the hole.)
But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.
WHAT AN IDIO
Re: (Score:3)
But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.
You turned down the job offer from the NSA?
Re:0-day exploit = NSA coded backdoor (Score:5, Insightful)
If these developers are so good at consciously creating vulns, you'd think they'd be better at NOT creating them too, now wouldn't you? After all, software shouldn't require /hundreds/ of these backdoors, just a handful that were constructed carefully enough. They certainly shouldn't be getting discovered by independent researchers without all these necessary criminal and Military Industrial connections you describe.
Reality does not support your hypothesis here I'm afraid, I think your tinfoil hat might have been backdoored...
New Programming Languages (Score:3, Informative)
Because there is no legal way (Score:2)
When legal hackers get prosecuted it's no wonder they flock to the black markets.