Slashdot Mirror


Business Is Booming In the 'Zero-Day' Game

HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through its catalog, and then charge per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders but North Korea is also in the market, as are some Middle Eastern intelligence services."

15 of 97 comments

  1. So if 'cyberWar' is actually a thing... by databeast · · Score: 5, Interesting

    ....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

    (* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).

    1. Re:So if 'cyberWar' is actually a thing... by khasim · · Score: 3, Interesting

      We need rules for these articles in the future.

      Cyber-war/Cyber-warfare - take a drink
      Cyber-weapon - take a drink
      Cyber-warrior/Cyber-soldier - chug
      Cyber-command - chug
      Others?

      Anyway, if this is such a big risk (aside from alcohol poisoning) then why aren't other countries switching to Linux and training their own programmers so that they can "harden" it?

      If they have to use something that they did not write/audit themselves then that should be completely isolated.

      Wouldn't the intelligent thing to do (if this is really a threat) be to develop a 5-year goal of moving off of software written by your potential cyber-enemies (take a shot)?

    2. Re:So if 'cyberWar' is actually a thing... by databeast · · Score: 2

      ...yes, that would absolutely solve the matter, because never in the history of the world have people managed to obtain software and source code that did not belong to us! "Sorry, you can't analyze our software for vulns, because we're not going to give you a license for it!". Brilliant :-P

    3. Re:So if 'cyberWar' is actually a thing... by databeast · · Score: 3, Insightful

      you can't sell something for profit that will be used in hostile actions, if you've already disclosed the information in public, now can you? The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.

    4. Re:So if 'cyberWar' is actually a thing... by DarkOx · · Score: 2

      I suspect the ones that don't fit the first world template largely are switching. The rest don't because cozy international relationships are a nice way to do an end run around their own laws. They can share exploits more easily if everyone is using the same software. Then they don't have to worry about pesky Constitutional problems like our fourth amendment. NSA not allowed to gather that intel? No problem, call a buddy at MI6, and vice versa.

      If there is one thing the Snowden experience has proven once and for all, it is that the tinfoil hat folks were right, and the one world government folks were right.

      When you have the vice president dismissing reasonable questions like "don't universal background checks effectively create an ersatz national gun registry?" as black helicopters conspiracy crap, we can now conclusively know that is exactly what is intended no matter what the ostensible claims are.

      You can't trust anything these people are telling you. Don't you think it's odd that our "potential cyber enemies" that we are warned about by popular media so often are some of our biggest trade partners? Isn't it strange that no matter how "strained" our relations supposedly are, the trade deals somehow always go through? These guys are all in bed with each other; it's the only explanation that makes sense where China and most of the Middle East, excluding Iran, is concerned.

      The USSR was considered a real threat, and despite the size of their economy and the massive natural resources they controlled we never had trade relations with them. Now look at China and the Middle East: it's evident the PTBs want us to think of them as this threat to be feared, but they don't actually take any steps to keep us at a safe distance, quite the opposite; when they do make a show of sanctions or export controls, the implementation always has more holes than a kitchen colander.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    5. Re:So if 'cyberWar' is actually a thing... by v1 · · Score: 4, Informative

      ....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

      Zero-day exploits are a bit farther down the road than even munitions. At least I can claim I need a gun for self-defense. There's really no "legal use" for a zero-day. Its only immediate purpose is to bypass computer security, which is illegal in almost every corner of the globe. (the biggest three applications being theft, corporate espionage, and spying)

      The interesting twist here I think though is that entire governments are doing business with these guys, because they want it just as bad as the more traditional criminals. Normally when you're a government, you simply spend money to get your way. Things you want to have but not let your people have you just make illegal for civilian use.

      But this is different. Money doesn't directly GET you a zero day, any more than money can get you nuclear weapons. They require specialized knowledge and skills. So you either spend a huge amount of money to R&D it, or you just go out and buy it. Buying nuclear isn't easy because currently only big governments have it, and they don't want to water down their exclusivity, so they won't sell it at any price. But right now the black market has better R&D on zero-days than any government, and they're completely fine with selling it to anyone, for a high price of course. Also unlike nukes, it's not a matter of needing specialized materials and resources, anyone can R&D it, all they need is a lot of bored skilled nerds ;)

      So it just makes sense that the black market is playing both sides. Everyone wants it, and they are by far the cheapest source. It's a supplier's dream come true.

      --
      I work for the Department of Redundancy Department.
    6. Re:So if 'cyberWar' is actually a thing... by cavreader · · Score: 2

      You really need to appreciate the scale when advocating a company or government to migrate to another OS. Replacing all internal and customer targeted applications is a big job. The time and costs for even a small to medium sized company is a guaranteed budget buster. Re-training the users, re-training the existing IT staff, and hiring the new IT staff needed to support and develop on the new platform is also a huge undertaking. If you do spend the money and time you will soon realize that you are no safer than you were on your old OS. 99% of all malware and similar attack vectors are the result of poor system administration and social engineering to trick users into opening the door for an attack.

  2. Was the Internet a mistake? by ebno-10db · · Score: 3, Insightful

    Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.

  3. Re:Maybe the technical community by databeast · · Score: 2

    There is no disclosure to these vulns, disclosing them would remove the value in them. These orgs aren't paying big money for vulns to have them /fixed/ people...the exact opposite.

  4. In a way by Anonymous Coward · · Score: 2, Insightful

    In a way this is proof that the existing approaches to computer security have gone completely bust. They're big business so there's money in keeping it that way, not so much in actually fixing anything. Besides, patching does not fundamentally improve the software. All it does is wipe away visible blemishes.

    This fits well with the blind leading the blind approach to reporting about computer security, where everybody and his dog is a "hacker" even if he's really a rent-a-cop trying to defraud his employer by sticking a usb keylogger stick into some machines*.

    There is nothing new going on here. Whether you're styling yourself a "white" or a "black" or even, superfluously, a "green" hat, you're no hacker. Green hats? Yes, they're in it for the money. Get it, green? Only both the white and the black hats are in it for the money too. Have been for a while. So that is a superfluous distinction.

    Doesn't matter that there are laws against "hacking", as they are equally vague. I'd say needlessly, but that isn't quite the word for it. Laws need to be precise, and using vague terms like "hacking" in the popularly uninformed "anything potentially bad vaguely involving something computer-y somehow" meaning, implies that the law can be applied inconsistently, at the attorney general's whim. And random justice is not justice. The Aaron Swartz case is a clear case of AG bullying by piling up the accusations. Now imagine that enshrined in law. It usually doesn't go too spectacularly wrong, but if the law was a car it'd be neither street legal nor safe to drive.

    There's irony here. Originally "hacking" had strong connotations of doing new and interesting things. Things that had you go "I didn't know it could do that!?!" -- bonus points if the original creator of the thing made to do new things had that reaction. Thus the first buffer overflow, the first SQL injection, the first remote code injection and successful execution were "hacks". But the nine thousandth? Not so much.

    Yet what we're seeing here is a veritable industry with a thriving market on both sides of the legality fence. Plenty of people doing their often quite specialised thing and making money, sometimes quite a lot of money, out of it. That's not "hacking", and so nobody doing that is a "hacker". Worse, even the white hats are not meaningfully pushing the state of the art of computer security forward. It's all patching holes in the notional Swiss cheese. No fundamental research, like research into model checking (which appears to be "strictly harder than NP", quite the intellectual challenge foregone), no nothing. Just churning, grinding, more of the same.

    That this is a confused field is clear from the "ethical hacker" term. No, if you need a prefix you're no hacker. Hacking is not inherently unethical, or ethical. If you need a prefix (or a hat) to defend what you're doing, you're doing it wrong.

    The black hats are doing us a disservice by exploiting us for their monetary gain. And the white hats? Likewise, plus they're not meaningfully contributing to research thwarting the black hats. Everyone is a green hat now. None are hackers.

    Semantics are important, and the semantics of the IT security industry mean that it's a racket dressed up in fancy words it hasn't earned. It's a racket full of FUD, that you can see in most every press release and blog. And until we understand the semantics, until we stop using the wrong words, and start recognising what is really going on, we can't even begin fixing the problem because we can't see it, we can't talk about it, we can't identify just what is bugging us. Semantics are important, and so far we have been doing it wrong.

    * Actual tech-rag reporting, indeed using the "hacker" moniker for describing exactly that.

  5. Re:Expensive AV waste of money. by ulatekh · · Score: 4, Insightful

    Any AV is a waste of money and of CPU cycles; there are no viruses on GNU/Linux.

    Then why does rkhunter exist?

    --
    "Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
  6. Re:I am SUCH an idiot. by ebno-10db · · Score: 2

    But my 18th birthday rolled around, and I decided to clean up my ethics, and only program for legitimate purposes.

    You turned down the job offer from the NSA?

  7. Re:0-day exploit = NSA coded backdoor by databeast · · Score: 4, Insightful

    If these developers are so good at consciously creating vulns, you'd think they'd be better at NOT creating them too, now wouldn't you? After all, software shouldn't require /hundreds/ of these backdoors, just a handful that were constructed carefully enough.. They certainly shouldn't be getting discovered by independent researchers without all these necessary criminal and Military Industrial connections you describe.

    Reality does not support your hypothesis here I'm afraid, I think your tinfoil hat might have been backdoored...

  8. New Programming Languages by theweatherelectric · · Score: 2, Informative

    All the more reason to consider using new programming languages like Rust which are built with memory safety in mind. Better programming languages are by no means a silver bullet for security problems, but they help.
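    The memory-safety point above is easiest to see on the kind of code that produces many of the zero-days the article is about: parsing a length field out of untrusted bytes. The following is an added example, not code from this thread or from the Rust project, and the three-byte record format it parses (one kind byte, a big-endian u16 length, then the payload) is hypothetical. The same logic written in C with `memcpy` and a trusted length is a classic out-of-bounds read; here the bounds check is not something the programmer remembers to add, it is what `get(..)` does, and an oversized length field becomes an error value rather than a read past the buffer.

```rust
// Added example (hypothetical wire format): parse length-prefixed records
// from an untrusted byte buffer without any unchecked indexing.

/// One parsed record: a kind tag and a borrowed slice of the payload.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub kind: u8,
    pub payload: &'a [u8],
}

/// The only failure mode: the input ran out before the bytes the header
/// promised. In C this is the case that silently reads adjacent memory.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { needed: usize, available: usize },
}

/// Parse one record from the front of `buf`; return it and the remaining bytes.
/// `buf.get(HEADER..end)` returns `None` instead of reading out of bounds, so an
/// attacker-controlled length can at most make the parse fail.
pub fn parse_record(buf: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    const HEADER: usize = 3;
    if buf.len() < HEADER {
        return Err(ParseError::Truncated { needed: HEADER, available: buf.len() });
    }
    let kind = buf[0];
    let len = u16::from_be_bytes([buf[1], buf[2]]) as usize;
    // checked_add cannot overflow with a u16 length on 64-bit, but it is the
    // habit that prevents the integer-overflow variant of this bug when the
    // length field is wider.
    let end = HEADER
        .checked_add(len)
        .ok_or(ParseError::Truncated { needed: usize::MAX, available: buf.len() })?;
    let payload = buf
        .get(HEADER..end)
        .ok_or(ParseError::Truncated { needed: end, available: buf.len() })?;
    Ok((Record { kind, payload }, &buf[end..]))
}

/// Parse back-to-back records until the buffer is exhausted.
pub fn parse_all(mut buf: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut out = Vec::new();
    while !buf.is_empty() {
        let (rec, rest) = parse_record(buf)?;
        out.push(rec);
        buf = rest;
    }
    Ok(out)
}

fn main() {
    // Constructed inputs: one well-formed record, and one whose length field
    // (0xFFFF) claims far more payload than the buffer holds.
    let good = [0x01, 0x00, 0x03, b'a', b'b', b'c'];
    let bad = [0x02, 0xFF, 0xFF, b'x'];
    println!("{:?}", parse_all(&good));
    println!("{:?}", parse_all(&bad));
}
```

    The `Truncated` error carries both the promised and the available length, which is the detail a fuzzer or a log line needs to tell a hostile input from a merely short one. Note that Rust would also refuse to compile a version that kept `payload` alive after `buf` was freed, which is the other half of the memory-safety argument the comment makes.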

  9. I think PC architecture was a mistake by Burz · · Score: 2

    Or at least the sort of computer design that deliberately walked away from having security built into all levels.

    With that said, the Web acquired some customs that are hostile to security: Routine execution of automatically retrieved code, coding pages as composites from many third party sites, and the ad industry's negligent attitude toward malware are a few.

    Also, neither PC nor Web architecture attempted to make certificates and keys into palpable first-class entities that users could more easily understand and manipulate, so the potential for verification and privacy were not realized.

    Right now, some of the best stopgaps against this miserable history are projects like Qubes, Tor and I2P. Qubes lets me handle each thing I do in separate hardware-and-GUI enforced domains. Tor enables privacy for web and is familiar to many people. I2P gives me more than web connectivity, and the expectation that sites I connect to won't need Javascript (hardly ever) and is more future-proof than Tor.