David Sancho, from Trend Micro, says buying bugs from researchers encourages them to find more. Photo: Alex Schelbert. Cyber criminals are not the only ones buying software flaws, say sources.
The Australian government is buying computer security weaknesses found by hackers before they are sold on the black market, as part of its defence strategy, claim those at the coal face of cyber security. "The Australian government has developed these capabilities as part of ASIO, DSD [Defence Signals Directorate], CSOC [Cyber Security Operations Centre] and possibly others. But they are purely for research and defence," says an Australian security consultant who wishes to remain anonymous. He says while the government won't admit it, buying vulnerabilities is an obvious part of "gathering intelligence".
Eran Feigenbaum, director of security for Google Apps.
Trading in vulnerabilities is a moot point in technology circles. Security and software companies are suspected of buying them, while others like Google and Mozilla openly espouse organised contests where researchers, also dubbed "white hats", attempt to break their new applications and report on bugs so their engineers have a chance to fix them before malware writers exploit them.
"There is a trade in weaponised exploits being provided by hackers to the security vendors," confirms another source, a hacker, who spoke to Fairfax's IT Pro on the condition of anonymity. "These exploits are then sold on to governments after being packaged into one of the many exploitation frameworks." Exploitation frameworks provide a library of known exploit modules and the instructions on how to run them. They are a tool to help hackers launch exploits. With them, governments are better prepared for potential attacks.
"I would imagine the [Australian] CSOC would do the same, but it would certainly not be publicised or admitted," says the consultant. The Australian Government declined to comment specifically. A spokesman for the Office of the Prime Minister, which is responsible for cyber security, would only say "cyber security is a national security priority and the Government has enhanced Australia's cyber security capabilities". It will release its first Cyber White Paper later this year.
Big payments
David Sancho, senior threat researcher at security vendor Trend Micro, says buying from security researchers encourages the research community to keep finding new vulnerabilities. He says Trend Micro found a Windows exploit selling for $50,000 through an underground discussion forum in 2006. "We don't believe [hackers] contact regular companies at all because their intent is not to help them fix the issue and because the affected companies will never agree to make big payments," Sancho says.
There are organisations overseas, such as Vupen in Europe, that conduct research to identify security vulnerabilities on behalf of governments and corporations, as does the EC-Council in the US, which also runs ethical hacking classes. "The companies reward researchers and they make sure that the vulnerabilities are finally solved so there's less probability those holes will be used in malicious attacks," Sancho says. "Some companies are radically opposed to this practice [because they think it's unethical]. There are software companies in both camps."
Rather than purchase vulnerabilities outright, Google has a variety of programs that reward people for finding bugs. The reward programs range from bonuses of $500 to $1,000, but can offer up to $60,000 if people find bugs in Chrome, for example. Mozilla pays up to $3,000 for some critical vulnerabilities. Eran Feigenbaum, director of security for Google Apps, told IT Pro via video link last year that the company actively monitors security boards and chat forums for the latest vulnerabilities, and for signs of stolen personal and account information. "We learn lessons from them," Feigenbaum said. But when asked repeatedly if Google pays for zero-day vulnerabilities, he smiled and remained silent. A zero-day vulnerability lends itself to an exploit, or malicious computer attack, that takes advantage of a security hole before the vulnerability is known to the software's owners and before they issue a patch.
How black hats [researchers with malicious intent] contact government agencies to sell their wares is not known, but there are hints the contact takes place, Sancho says. "The biggest hint we have is that Stuxnet used many zero-day exploits of unknown vulnerabilities." Stuxnet, a virus that is said to have crippled Iran's nuclear arms program in 2010, exploited four zero-day vulnerabilities in Windows. Iranian authorities and security researchers believed the US and Israeli governments were behind the attack.
Australia is not known for having a large market for purchasing vulnerabilities from black hats, says Drazen Drazic, managing director, Securus Global - a company that provides penetration testing. Drazic says people buy vulnerabilities for many reasons, including for competitive advantage and to develop mitigation tools, while hackers buy them to compromise systems.
Globally, the practice of purchasing vulnerabilities from hackers is well established, Sancho says. "Large sums of money exchange hands and high profile vulnerabilities are considered very powerful weapons due to their attack potential and therefore, they command high prices," Sancho adds. The Australian hacker who spoke to IT Pro says exploit framework documents cost businesses between $US3,500 and $US30,000 per user per year. "Or you can use the free public Metasploit Framework. The zero-day exploit packs are significantly more expensive. The governmental packs even more."