IHT : Online Bazaar For Security Hacks

Tuesday, January 30, 2007

…..This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness. IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems. The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them. Especially prized are so-called zero-day exploits, bits of disruption coding that spread immediately because there is no known defense.

…..“To find a vulnerability, you have to do a lot of hard work,” said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.” Gleg sells vulnerability research to a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates. Legerov says he regularly turns down the criminals who send e-mail messages offering big money for bugs they can use to spread malicious programs like spyware. Misusing such information to attack computers or to aid others in such attacks is illegal, but there appears to be nothing illegal about the act of discovering and selling vulnerabilities. Prices for such software bugs range from a couple of hundred dollars to tens of thousands. Microsoft is not the only target, of course. Legitimate security researchers and underground hackers look for weaknesses in all commonly used software, including Oracle databases and Apple’s Macintosh operating system. The more popular a program, the higher the price for an attacking code.

…..Throughout the 1990s, software makers and bug-hunters battled over the way researchers disclosed software vulnerabilities. The software vendors argued that public disclosure gave attackers the blueprints to create exploitative programs and viruses. Security researchers charged that the vendors wanted to hide their mistakes, and that making them public allowed companies and individual computer users to protect their systems. The two sides reached an uneasy compromise. Security researchers would inform vendors of vulnerabilities, and as long as the vendor was responsive, wait for the release of an official patch before publishing code that an attacker could use. Vendors would give public credit to the researcher. The détente worked when most researchers were motivated by acclaim and a desire to improve security. But “in the last five years the glory seekers have gone away,” said David Perry, global education director at Trend Micro. “The people who are drawn to it to make a living are not the same people who were drawn to it out of passion.” In 2002, iDefense Labs became one of the first companies to pay for software flaws, offering just a few hundred dollars for a vulnerability. It administered the program quietly for a few years, then answered early critics by arguing that it was getting those bugs out into the open and informing software makers, at the same time as clients, before announcing them to the general public.

…..In 2005, TippingPoint, a division of the networking giant 3Com, joined iDefense in the nascent marketplace with its “Zero-Day Initiative” program, which last year bought and sold 82 software vulnerabilities. IDefense said its freelance researchers discovered 305 holes in commonly used software during 2006 — up from 180 in 2005 — and paid $1,000 to $10,000 for each, depending on the severity. Security researchers warmed to the idea that vulnerabilities were worth real dollars.

In December 2005, a hacker calling himself “Fearwall” tried to sell on eBay a program to disrupt computers through Excel, Microsoft’s spreadsheet program. Bidding reached a paltry $53 before the auction site pulled it. Nevertheless, several Internet attacks in the following months exploited flaws in Excel, suggesting to security experts that its creator ultimately found other ways to sell it.

In January 2006, a Moscow-based security company, Kaspersky Labs, found more evidence of an emerging marketplace for software bugs. Russian hacking gangs, it disclosed at the time, had sold a “zero-day” program aimed at the Microsoft graphics file format, Windows Metafile or WMF. The price: $4,000. The program was widely used that month and allowed criminals to plant spyware and other malicious programs on the computers of tens of thousands of unsuspecting Internet users. Microsoft rushed out a patch.

…..Marc Maiffret, co-founder of eEye Digital Security, a computer security company, said prices in the evolving black market quickly proved higher than what legitimate companies would pay. “You will always make more from bad guys than from a company like 3Com,” he said. Even ethical researchers feel that companies like iDefense and TippingPoint do not adequately compensate for the time and effort needed to discover flaws in complex, relatively secure software. And some hackers have little ethical compunction about who buys their research, or what they use it for. In a phone interview last week arranged by an intermediary in the security field, a hacker calling himself “Segfault,” who said he was a college-age student in New York City, led a reporter on an online tour of a public Web site, ryan1918.com, where one forum is provocatively titled “Buy-Sell-Trade-0day.” Segfault, who said he did not want to reveal his name because he engages in potentially illegal activity, said the black market for zero-days “just exploded” last year after the damaging Windows Metafile attack. He claims he earned $20,000 last year from selling his own code — mostly on private chat channels, not public forums like Ryan1918 — making enough to pay his tuition. Although he conceded that Microsoft had made significant strides with Vista’s security, he said underground hacker circles now had a powerful financial incentive to find its weak links.

“Vista is going to get destroyed,” he said. That may be an exaggeration. Microsoft has taken precautions such as preventing unauthorized programs from running at the most central part of the system, called the kernel, and creating an extra level of protection between the operating system and the browser. Microsoft appears to wish the open market for flaws in their products would simply disappear. “Our practice is to explicitly acknowledge and thank researchers when they find an issue in our software,” said Mike Reavey, operations manager of the company’s security response center. “While that’s not a monetary reward, we think there is value in it.” But independent security analysts say those days are over. Raimund Genes, the Trend Micro researcher who found the Vista bug for sale on a Romanian Web site, said, “The driving force behind all this now is cash.”

Reference: http://www.iht.com/bin/print.php?id=4400581
