Nations Buying as Hackers Sell Flaws in Computer Code (Part 2)
Outside Washington, a Virginia start-up named Endgame — in which a former director of the N.S.A. is playing a major role — is more elusive about its abilities. But it has developed a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyberespionage and for offensive purposes.
Like ReVuln, none of the companies will disclose the names of their customers. But Adriel Desautels, the founder of Netragard, said that his clients were “strictly U.S. based” and that Netragard’s “exploit acquisition program” had doubled in size in the past three years. The average flaw now sells from around $35,000 to $160,000.
Chaouki Bekrar, the founder of Vupen, said his company did not sell to countries that are “subject to European Union, United States or United Nations restrictions or embargoes.” He also said revenue was doubling every year as demand surged. Vupen charges customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale. Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system.
ReVuln specializes in finding remote vulnerabilities in industrial control systems that can be used to access — or disrupt — water treatment facilities, oil and gas pipelines and power plants. “They are engaging in willful blindness,” said Christopher Soghoian, a senior policy analyst at the American Civil Liberties Union.
Many technology companies have started “bug bounty” programs in which they pay hackers to tell them about bugs in their systems rather than have the hackers keep the flaws to themselves — or worse, sell them on the black market. Nearly a decade ago the Mozilla Foundation started one of the first bounty programs to pay for bugs in its Firefox browser. Since then, Google, Facebook and PayPal have all followed suit. In recent months, bounties have soared.
In 2010, Google started paying hackers up to $3,133.70 — the number is hacker code for “elite” — for bugs in its Web browser Chrome. Last month, Google increased its cash prize to $20,000 for flaws found in some of its widely used products. Facebook began a similar program in 2011 and has since paid out $1 million. (One payout included $2,500 to a 13-year-old. The most it has paid for a single bug is $20,000.)
“The program undermines the incentive to hold on to a bug that might be worth nothing in a day,” said Joe Sullivan, Facebook’s chief security officer. It has also had the unintended effect of encouraging ethical hackers to turn in others who planned to use its bugs maliciously. “We’ve seen people back-stab other hackers by ratting out a bug that another person planned to use maliciously,” he said.
Microsoft, which had long resisted such a program, did an about-face last month when it announced that it would pay hackers as much as $150,000 for information about a single flaw, if they also provided a way to defend against it.
Apple still has no such program, but its vulnerabilities are some of the most coveted. In one case, a zero-day exploit in Apple’s iOS operating system sold for $500,000, according to two people briefed on the sale.
Still, said Mr. Soghoian of the A.C.L.U., “The bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market.”
In many ways, the United States government created the market. When the United States and Israel used a series of flaws — including one in a Windows font program — to unleash what became known as the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race.
When the Stuxnet code leaked out of the Natanz nuclear enrichment plant in Iran in the summer of 2010, the flaws suddenly took on new value. Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and Duqu that used flaws to spy on computers in Iran have only fueled interest.
“I think it is fair to say that no one anticipated where this was going,” said one person who was involved in the early American and Israeli strategy. “And today, no one is sure where it is going to end up.”
In a prescient paper in 2007, Charlie Miller, a former N.S.A. employee, described the profitable alternatives for hackers who may have otherwise turned their information about flaws over to the vendor free, or sold it for a few thousand dollars to programs like Tipping Point’s Zero Day Initiative, now run by Hewlett-Packard, which used them to enhance their security research.
He described how one American government agency offered him $10,000 for a Linux bug. He asked another for $80,000, which agreed “too quickly,” Mr. Miller wrote. “I had probably not asked for enough.”
Because the bug did not work with a particular flavor of Linux, Mr. Miller eventually sold it for $50,000. But the take-away for him and his fellow hackers was clear: There was serious money to be made selling the flaws.
At their conventions, hackers started flashing signs that read, “No more free bugs.”
Hackers like Mr. Auriemma, who once gave away their bugs to software vendors and antivirus makers, now sound like union organizers declaring their rights.
“Providing professional work for free to a vendor is unethical,” Mr. Auriemma said. “Providing professional work almost for free to security companies that make their business with your research is even more unethical.”
Experts say there is limited incentive to regulate a market in which government agencies are some of the biggest participants.
“If you try to limit who you do business with, there’s the possibility you will get shut out,” Mr. Schmidt said. “If someone comes to you with a bug that could affect millions of devices and says, ‘You would be the only one to have this if you pay my fee,’ there will always be someone inclined to pay it.”
“Unfortunately,” he said, “dancing with the devil in cyberspace has been pretty common.”