Slashdot Mirror


Business Is Booming In the 'Zero-Day' Game

HonorPoncaCityDotCom writes "Nicole Perlroth and David E. Sanger write in the NY Times that all over the world, from South Africa to South Korea, business is booming in zero days. The average attack persists for almost a year before it is detected, according to Symantec, the maker of antivirus software. Until then it can be exploited or 'weaponized' by both criminals and governments to spy on, steal from, or attack their targets. Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google free in exchange for a T-shirt, but increasingly the market for 0-day exploits has begun to migrate into the commercial space (PDF) as the market for information about computer vulnerabilities has turned into a gold rush. Companies like Vupen charge customers an annual $100,000 subscription fee to shop through their catalog, and then charge per sale to countries who want to use the flaws in pursuit of the kind of success that the United States and Israel achieved three summers ago when they attacked Iran's nuclear enrichment program with a computer worm that became known as 'Stuxnet.' Israel, Britain, Russia, India and Brazil are some of the biggest spenders but North Korea is also in the market, as are some Middle Eastern intelligence services."

7 of 97 comments

  1. So if 'cyberWar' is actually a thing... by databeast · · Score: 5, Interesting

    ....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions....

    (* cyber 'war' is a ridiculous term for something we already have words for - espionage and sabotage, both of which have been achieved using only information, for centuries now).

    1. Re:So if 'cyberWar' is actually a thing... by khasim · · Score: 3, Interesting

      We need rules for these articles in the future.

      Cyber-war/Cyber-warfare - take a drink
      Cyber-weapon - take a drink
      Cyber-warrior/Cyber-soldier - chug
      Cyber-command - chug
      Others?

      Anyway, if this is such a big risk (aside from alcohol poisoning) then why aren't other countries switching to Linux and training their own programmers so that they can "harden" it?

      If they have to use something that they did not write/audit themselves then that should be completely isolated.

      Wouldn't the intelligent thing to do (if this is really a threat) be to develop a 5 year goal of moving off of software written by your potential cyber-enemies (take a shot)?

    2. Re:So if 'cyberWar' is actually a thing... by databeast · · Score: 3, Insightful

      You can't sell something for profit that will be used in hostile actions, if you've already disclosed the information in public, now can you? The issue is profiteering from things that will /not/ be fixed, and specifically used to the detriment of another.

    3. Re:So if 'cyberWar' is actually a thing... by v1 · · Score: 4, Informative

      "....when do we start treating these folks like arms dealers? It's not a stretch, ITAR classified cryptography as munitions...."

      Zero-day exploits are a bit farther down the road than even munitions. At least I can claim I need a gun for self-defense. There's really no "legal use" for a zero-day. Its only immediate purpose is to bypass computer security, which is illegal in almost every corner of the globe. (the biggest three applications being theft, corporate espionage, and spying)

      The interesting twist here I think though is that entire governments are doing business with these guys, because they want it just as bad as the more traditional criminals. Normally when you're a government, you simply spend money to get your way. Things you want to have but not let your people have you just make illegal for civilian use.

      But this is different. Money doesn't directly GET you a zero day, any more than money can get you nuclear weapons. They require specialized knowledge and skills. So you either spend a huge amount of money to R&D it, or you just go out and buy it. Buying nuclear isn't easy because currently only big governments have it, and they don't want to water down their exclusivity, so they won't sell it at any price. But right now the black market has better R&D on zero-days than any government, and they're completely fine with selling it to anyone, for a high price of course. Also unlike nukes, it's not a matter of needing specialized materials and resources, anyone can R&D it, all they need is a lot of bored skilled nerds ;)

      So it just makes sense that the black market is playing both sides. Everyone wants it, and they are by far the cheapest source. It's a supplier's dream come true.

      --
      I work for the Department of Redundancy Department.
  2. Was the Internet a mistake? by ebno-10db · · Score: 3, Insightful

    Sometimes I think that using the Internet for anything other than publicly available static HTML (e.g. Wikipedia) is a mistake. Nice idea, but not every good idea works out well.

  3. Re:Expensive AV waste of money. by ulatekh · · Score: 4, Insightful

    "Any AV is a waste of money and of CPU cycles, there are no viruses on GNU/Linux."

    Then why does rkhunter exist?

    --
    "Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
  4. Re:0-day exploit = NSA coded backdoor by databeast · · Score: 4, Insightful

    If these developers are so good at consciously creating vulns, you'd think they'd be better at NOT creating them too, now wouldn't you? After all, software shouldn't require /hundreds/ of these backdoors, just a handful that were constructed carefully enough. They certainly shouldn't be getting discovered by independent researchers without all these necessary criminal and Military Industrial connections you describe.

    Reality does not support your hypothesis here I'm afraid, I think your tinfoil hat might have been backdoored...