
Guess who's buying zero-day vulnerabilities?

Finding vulnerabilities in software has become a thriving business. Michael Kassner reports on what that means to users.

Back in 2007, I participated in a panel discussion about full disclosure. Half the members wanted software vulnerabilities kept secret -- give the developer time to fix the problem. The other half argued for making the vulnerabilities public -- force the developers' hand.

The moderator didn’t like a tie, and tried as hard as he could to change the outcome, but the members were resolute.

Fast forward to 2010.

Sometime during November of 2010, one of the panel members (and friend) called, "Everything's changed. Google's paying to keep vulnerabilities quiet. I sent you the link."

Sure enough, Google is buying vulnerabilities. Still, my friend was not completely accurate. Google was paying for what they call "responsible disclosure," not complete secrecy, but that's splitting hairs.

Back to the present

Early this year, the "keep secret" versus "full disclosure" versus "pay-for-vulnerability" debate lost its relevance. There's a new and lucrative way to monetize vulnerabilities. Christopher Soghoian was among the first to shed light on the issue. In this ZDNet interview, Ryan Naraine quotes Soghoian:

"VUPEN, FinFisher, and HackingTeam are among a handful of companies that buy and sell zero-day vulnerabilities, exploits, and remote monitoring tools to governments around the world."

Really, to governments? Naraine continues:

"Soghoian said these companies are purchasing vulnerabilities and exploits at prices ranging from $50,000 to $100,000 and work hard to keep them a secret forever. It's well known that companies like VUPEN never report vulnerabilities to vendors like Microsoft or Adobe."

I'm thinking that keeping the exploits zero-day does not bode well for us.

Kiss full disclosure goodbye

Towards the end of March 2012, Andy Greenberg of Forbes wrote two articles about the new vulnerability market: "The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)" and "Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits." Greenberg even assembled a price list.

The dollar amount is per qualified vulnerability. According to Greenberg:

"Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software's vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit."

Who has that kind of money?

What I really wanted was corroboration for Soghoian, and Greenberg provided it. He asked a security trader (The Grugq) deeply involved in trading vulnerabilities, "Who's paying these prices?"

"Western governments and specifically the U.S., says Grugq, a native of South Africa. He limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more."

Greenberg then points out who isn't buying:

"Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money, Grugq says, explaining that he has no contacts in the Russian government. Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily."

Nor the Chinese:

"As for China, Grugq says the country has too many hackers who sell only to the Chinese government, pushing down prices. The market is very depressed. Other regions like the Middle East and the rest of Asia can't match Western prices either."

That was March, and I've been trying to figure out what it all means since.

More to it than we think

I shouldn't need to introduce Bruce Schneier. If you read my stuff, you know I value his opinion. And, he has a pretty good idea where this latest trend is heading. In this Forbes article, he mentions:

"Regardless of the motivations, a disclosed vulnerability is one that -- at least in most cases -- is patched. And a patched vulnerability makes us all more secure."

Schneier continues:

"This is why the new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it's more lucrative than the public vulnerabilities market means more hackers will choose this path."

Remember my mentioning that Schneier has an idea where this will lead? Well, here it is:

"And unlike the previous reward of notoriety and consulting gigs, it gives software programmers within a company incentive to deliberately create vulnerabilities in the products they're working on -- and then secretly sell them to some government agency."

Final thoughts

For once, I'm hoping Bruce Schneier is wrong. But I doubt it. I've already read that high-level contestants who normally compete in Pwn2Own aren't anymore. They would rather keep what they found secret and make the big bucks.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

82 comments
lehnerus2000

So this points out another reason (apart from "re-election funding") that Governments won't legislate against shoddy software coding.

pgit

Of course the 'full disclosure' vs 'big secret' debate would be settled the wrong way. It's getting so bad out there in this world that all one need do is fathom the worst possible outcome of a given situation in order to accurately predict the future. I second the idea that disclosure of these exploits would be a good target of a wikileaks-type operation. Who determined it's within the purview of governments to buy this things, anyway? And who's in charge of what gets done with them? Anyone seeing the value of open source yet? I've used Linux for years, and with (admittedly big) the exception of flash cookies and the like, I've known exactly what the system is saying to the world-wide web about me, which has been basically nothing. Nothing has gotten in, either, though I've seen a lot of script-kiddie brute force knocking on ftp or secure shell servers. The worst in all of this is the thought that someone would intentionally create an exploit, in order to sell it to the highest bidder. Back to predicting outcomes; you can bet more than one developer has succumbed to the temptation. If you think about it in the context of present culture, you could conclude a developer would be an idiot to not do such a thing. Where's the good news anymore?

d_g_l_s

As I deal with clients that range from retirees to home owners to business owners, I have come to realize that there is a lot of naiveté and gullibility out there. One would think it wise to be cognizant of what is happening as news can be had about how to protect oneself. I can't believe how many fall for a virus (like the fake antivirus series) and have paid good money to these goons. One client paid twice before calling me as his tech to come clean up his PC. And this is known to the whole world of developers and others who would take advantage of this for the sake of megabucks. That's where the lack of integrity shows up. It's a global disaster no longer looking for a place to happen. Bottom line is no longer help your neighbor but now help yourself to anyone else's hard-earned cash since they are known to be naive and gullible. Reminds one of the old saying, "Gullible isn't in the dictionary."

JoeS28

Whose money are these govts really using to buy all these secrets? During a time when the economy is depressed and needs help, our lovely govts stick it to us again and throw our hard-earned money at criminals. Thanks, glad you idiots have nothing better to do with our money than continue to give it to your criminal buddies. Just so you can stick it to each other in the long run. And these morons are the ones guiding our future, God help us all.

AnsuGisalas

Let's get the Information-be-free enthusiasts on this: we need to get these databases leaked and proliferated. It's true, this development does make the secrecy/disclosure debate pointless: Immediate full disclosure is now the only way to ensure that the info gets out before MIBs arrive.

Slayer_

Hackers may be less inclined to actually exploit these vulnerabilities, as they may make more money selling the vulnerability than actually exploiting it. It also makes Hackers seem less evil, Hacking for legitimate money.

HAL 9000

It sort of points out that they Demand it. ;) Col

JCitizen

much about IT security. I have to dig for Michael's articles all the time. It seems the whole industry puts a lazy eye toward it - even the banking industry for crying out loud! X-(

JCitizen

as they have one distro as their national recommended operating system. ( I forget which one) And really that is no wonder, after they saw how easy it was to get into our shorts on proprietary software. However - now the hardware is being exploited as well - no FOSS solution can prevent that. Personally I think we need to task Texas Instruments to become our national hero and start building chips in the good 'ol USA again. With factory automation at the level it is now, it really doesn't matter what you pay your workers, because they have so few of them now, that it really isn't the cost factor it once was. I see one manufacturer after another announcing their decision to move manufacturing to different vendors, like India or somewhere else in the Pacific rim. I predict the ones who continually choose the PRC will find the same shenanigans going on as before. It would take costly oversight to keep the Chinese from continuing their exploitation of our hardware/software vulnerabilities.

mla_ca520

Good points Joe! I suppose the question here is whom does our Govt. plan to use these vulnerabilities against? Domestic surveillance? or Cyber warfare? Is this a buildup of arms to perpetrate further exploits against Iran as we did with their manufacturing plants or is this something to help our Govt. keep track of its citizens when our economy collapses and people get restless? Is our money being used to protect us or to control us when the manure hits the fan?

jdayman

I recall reading a quote last year from Julian Assange, founder of WikiLeaks. As Assange was facing some pretty serious legal troubles, a journalist had asked him a question which included some kind of comparison between him and Facebook founder Mark Zuckerberg. Assange resented any comparison between himself and Zuckerberg. He explained to the clueless reporter that WikiLeaks was all about taking information that governments and corporations wanted to keep secret, and disclosing that information to the public. They do this for zero profit because they think that people have a right to know what the governments and corporations are up to. Facebook, on the other hand, is all about taking personal information that the public might wish to keep private, and selling that information for a huge profit to corporations and governments. That's a huge difference! (And a big reason why I let my Facebook account stay dormant for months at a time.) I apologize if this is too far off the discussion. Excellent article Michael. Really disturbing, but excellent.

AnsuGisalas

Would-be crackers will definitely think twice about tainting a valuable exploit with use, especially since using the exploit requires work, and carries risk. Selling out the world to Governments is easy and safe.

Deadly Ernest

I can't believe the buyers are totally benign in their intended usage.

lehnerus2000

They could demand "rock solid" software with "rock solid" back doors. :D

AnsuGisalas

When I want to find this blog, I just type zero into the search field. A very nice change.

bobc4012

Read an interesting article not too long ago that another reason companies are manufacturing overseas isn't always "cheap labor"; it also has to do with obtaining the materials required. It turns out China has vast resources of raw materials that the US does not have (or no longer has). I wouldn't be surprised if the companies are told they either make it in China or pay higher prices on the open market. This may have to do with Apple making iPads there because it needs the material for their screens. It can get quite interesting; I seem to recall reading that the US purchases titanium from Russia, which is used in airplane manufacture, including our fighter jets.

AnsuGisalas

All one could do would be to dump the hardware as soon as the dirt shows... But how does it even get that far, by the way? I mean, we use checksums and hashes on other stuff; why not on chips? Something tells me it should be possible to know if the components do what they're meant to do, and only what they're meant to do. Also: The US gov't needs to forget all that spygame shilt about having hardware back doors of their own, and instead focus on developing ways to foil those hardware back doors. Can't have cake and eat it too.

Michael Kassner

I wish I had more information on the process and his motives. He's back in the news fighting more legal battles.

AnsuGisalas

Which mistakes do you think we need to learn from this time?

Michael Kassner

When I first heard of this, I didn't know what to think.

Michael Kassner

I did not find any credible information as to what happened after a deal was made. I believe Greenberg in one of his articles mentioned that was an off-limits subject.

Slayer_

But, I'd have to believe that the amount of money that can be safely scammed per vulnerability is less than can be gotten by just selling the vulnerability back to the company.

AnsuGisalas

Dunno if that's what has happened, but it even finds usernames/profiles now!

AnsuGisalas

A few years ago, the Russians threatened a huge toll on exports of timber to Finland. They wanted the Finnish industries to set up factories on their side of the border, not just buy the cheap raw ingredients. That sort of makes sense; they don't want to just be supplying the raw materials and let others reap the profits, but when it gets coupled with industrial espionage or chip poisoning, it's gone too far.

JCitizen

As far as chip manufacture itself, you just need some Germanium and some other element, which escapes me at the moment. It takes very little of it to dope the silicon to get the functionality; however, even slight costs on a world wide market will motivate a big move for these massive global industrial interests. One of the reasons I promote using hydrogen power for cars, is that we have the world's largest deposits of borax, which oddly enough makes an excellent hydride storage medium. We could take over the world market, and never need batteries again. I recall reading that a US toy manufacturer solved the membrane contamination problems with hydrogen fuel cells and is selling a fantastic RC race car toy powered by hydrogen. You simply add water and plug the metal hydride batteries into the fish tank generator that makes the fuel, and voila! The videos on those things are phenomenal, they are way fast, and the cooling fans on board make a loud whistle sound!! Simply extraordinary. I can't wait to buy one of the kits to play with it! The military is already using UAVs powered by the same get up, to realize 15 hour or more deployments! They are exceeding the records for loiter time, for small to medium size UAVs!

JCitizen

at least if the company is in the US, a foreign government can't have undue influence on the employees. Undoubtedly the "plants" (individuals tasked to commit industrial espionage) the PRC puts in their domestic manufacturing are under pressure by their government to perform. In fact, they are under duress from what human rights groups have been able to ascertain.

mla_ca520

The only problem with this idea is that not only do the chips need to be made in the US, but the company also needs to be a US company, not a multi-national. When we look at the current trend, this is hard to obtain though: unlimited political funding from multi-national corporations with no specific loyalty to the US. They are buying influence in Govt. Why would they allow the Govt. to purchase security-related devices from companies that won't yield a profit for them?

JCitizen

Let's put it this way. I saw a new addition to their chip factory in Texas, and it was HUGE!!!! It looked like it was two football field widths wide, and I could NOT see the end of the floor! It was at least three stories high! I say they see the future! Heh! Heh! ]:)

JCitizen

and I can't see why a simple video recognition algorithm couldn't work; I've also used circuit programs that check the design of simple circuits to determine if they work, and even put up a representation on the monitor screen. Something similar but more thorough might be able to catch the more brazen violations, but with so many "espionage" plants in an organization, a good deal would pass through anyway. It would be exceedingly difficult to oversee; this is why I say bring it back, especially for military contracts that are critical.

AnsuGisalas

NMR is the same basic technology as MRI scans, but MRI scans look for just one molecule. NMR uses the same magnetic field/irradiation technique, but it looks at all the possible wavelengths of nuclear magnetic resonance (that's what NMR stands for). Basically, they clamp a massive magnetic field down on the sample, then hit the sample with a radiation beam and pick up the refraction that was affected by the magnetic field. It's been a while since I read up on it, but anyway, due to the magnetic field, every atom in the molecules in the sample will send out a unique spectrum, and here comes the best part: each atom will be in resonance with its neighboring (bonded) atoms, giving a fingerprint that can be analyzed to piece together how the atoms of the molecule connect. I've crunched some of those spectrums by hand (with a ruler), and it's not that difficult for simple molecules. For very complex molecules it gets a lot harder. But anyway, we were talking about circuitry :^0 Something like that ought to be possible; holistic imaging, rather than point-by-point mapping.

AnsuGisalas

They're already getting close to quantum levels too... But a checksum should at least work in checking against deliberate hardware "poisoning". Especially if it's not an actual handshake with the component, but more of a scan. I dunno. Something has to give, anyway.

Michael Kassner

Every piece would have to be inspected at that level.

JCitizen

Just a visual cue through a microscope. If you understand circuit design, the anomalies can be readily seen. I've had industrial insiders telling me they are seeing the evidence, but can't get the OEMs to acknowledge the problem. I suspect it is easier for them to attempt to find a software end run; but then with software vulnerabilities, this gets ridiculous to control. Some of these labs I label "criminal" are so brazen that they leave a logo etched on the chip where it is obvious they have cracked the circuit design!! With hardware chips reaching the nanometer scale, we will need an electron microscope to really get a look-see at the new reality.

Michael Kassner

You seem to be doing quite well in understanding what's going on.

pgit

That's an interesting idea; I wonder if there is such a check. Problem is there may still be unforeseen functions a chip may be capable of. I just read about one of the latest MS security patches which fixes a flaw found in Intel 64-bit chips. (Linux patched the same 6 years ago!) This was something not seen by the designers of the chip, i.e. they wouldn't have known to look for it; a checksum on their intended functions probably wouldn't have helped. This is a job for the math whizzes. I'd bet there's some way to determine that a chip does have undesirable functions, without having to identify or define them. For example, we know that there are X number of prime numbers below a given number Y, even though knowing this fact does not tell us what those prime numbers actually are. I love math. Too bad I can't 'do it.'

JCitizen

I should think. History is rife with stories about backstabbing and lack of support for whatever political system exists at any one point in the timeline. Leaking information to one's own enemies is as old as the Bible or ancient Egyptian history, just for example.

Deadly Ernest

in today's IT world there is not THAT big a distance between unbiased and appearing to be naively stupid.

Deadly Ernest

be very surprised how many people would think the governments were buying them to be nice. Now, if you believe that, I've some lovely water-frontage land for sale in Florida I get a good commission off if I sell any. The local wildlife control officers don't care how many of the gators you kill, either.

AnsuGisalas

The sellers will not risk contaminating the merchandise. Besides, the Govs might pick up the trail of the conversation and suspect foul play... Even if they still pay up, it might bring down a cybernetic search warrant, and nobody wants that.

tom.marsh

Right, but these days we live in a country that maintains a "kill-list" of foreign nationals that can be summarily executed anywhere on earth with zero oversight by... anyone. In that context, I would be extremely wary of this sort of business model. A government willing to engage in summary execution of anybody on earth, combatant or not, is more than willing to kill one computer nerd for selling his exploits to the "wrong" people, with wrong being defined as "anybody that isn't the U.S. or its selected allies."

Michael Kassner

Even bringing the subject up should set a software review in motion.

AnsuGisalas

Adobe cannot match these prices. To Adobe the bugs are worth what they are in terms of getting/keeping clients. To the spooks, the bugs' worth depends on the secrets they can give access to. Adobe will never be able or willing to match these prices. Nor can any other company that sells their products for profit. So, if people want to sell these bugs for profit, they will NEVER ask the author company.

Michael Kassner

That debate seems to be the root of most of the current problems.

Michael Kassner

I don't think the brokers are even thinking of selling the vulnerabilities back to the developers (Adobe). As Greenberg said, .govs are buying a vast majority of them. And, who prosecutes them? And, if I understand right, many of the brokers are not US citizens.

Deadly Ernest

jurisdiction involved. However, if the company concerned, like Adobe, did their coding and testing right, there would NOT be any such serious vulnerabilities. Well, that's what my instructors on the software testing course I did years ago told me.

tom.marsh

Since the implied ellipsis at the end of "Hey, Adobe, would you like to pay me $500,000 for this zero-day exploit I found in Acrobat Reader?" is "...or should I sell it to somebody who wants to use it to harm your customers?", it is dangerously close to extortion to attempt to "sell these bugs back" to the original author. Selling them to third parties who don't intend to commit a crime seems like the only quasi-legal methodology for "selling" a zero-day exploit to anybody. If you sell to other countries, I mean, you have to think about what might happen if they were to use that zero-day flaw to steal information from the U.S. government: you'd, technically, have aided and abetted the enemy, and we have a word for that: Treason.

Michael Kassner

Is that the fact that it's legal takes all the worry about getting caught and punished away.