Business Is Booming In the 'Zero-Day' Game
HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through its catalog, and then charge per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders but North Korea is also in the market, as are some Middle Eastern intelligence services."
Because Linux is not more secure than Windows or MacOSX regardless of what the fanboys here say. Just because it is not from Microsoft doesn't mean it is secure by default. In fact (I may be modded down for this), Linux is the least secure modern kernel out there. It offers no heap, stack, ASLR, or even DEP (It may offer this as of 3.0?)
Insecure operating systems exist because they are written in C. Not because they are from unpopular corporations. C has no buffer checks so once a data type gets all used it simply exists the next address in memory. OpenBSD is trying to change as is Microsoft as of XP Service Pack 2. Windows 7 and 8 scramble the memory addresses and offer sandboxing support for browsers so you have no clue where each .dll is loaded in RAM when you try to do a heap spray after you exploit a system. I believe MacOSX now has this too as of Snow Leopard. It is also how Java applets compromise systems too.
I have seen clients' servers turn into Russian phishing sites in major banks running it.
Sure, as a consumer you are more protected as no one bothers with .5% of the market. As a government or major bank it is well worth it to be hacked. The problem with Linux users is the dangerous "I am secure by default" means another vulnerability, whereas Windows users kind of know better for the most part and are skeptical of just clicking on shit and know to keep things updated.
http://saveie6.com/