From Economist: It is a type of software sometimes described as “absolute power” or “God”. Small wonder its sales are growing. Packets of computer code, known as “exploits”, allow hackers to infiltrate or even control computers running software in which a design flaw, called a “vulnerability”, has been discovered. Criminal and, to a lesser extent, terror groups purchase exploits on more than two dozen illicit online forums or through at least a dozen clandestine brokers, says Venkatramana Subrahmanian, a University of Maryland expert in these black markets. He likens the transactions to “selling a gun to a criminal. . . .”
Exploits themselves are generally legal. Several legitimate businesses sell them. A Massachusetts firm called Netragard last year sold more than 50 exploits to businesses and government agencies in America for prices ranging from $20,000 to more than $250,000. Adriel Desautels, Netragard’s founder, describes some of the exploits sold as “weaponised”. The firm buys a lot from three dozen independent hackers who, like clients, are carefully screened to make sure they are not selling code to anyone else, and especially not to a criminal group or unfriendly government.
More than half of exploits sold are now bought from bona fide firms rather than from freelance hackers, says Roy Lindelauf, a researcher at the Netherlands Defence Academy. He declines to say if Dutch army or intelligence agencies buy exploits, noting that his government is still figuring out “what we’re allowed to do offensively. . . .”
Several governments want firms to develop exploits. In 2010 a computer worm called Stuxnet was revealed to have attacked Iran’s nuclear kit. It used four main exploits to get in; at least one appears to have been bought rather than developed in-house by the government that launched the attack (presumably America or Israel), says David Lindahl, an IT expert at the Swedish Defence Research Agency, a government body in Stockholm. An unprecedented weapon, Stuxnet remained undetected for years by quietly erasing its tracks after “planting sabotage charges at exactly the right place” in Iran’s uranium-enrichment centrifuges, Mr Lindahl says.
Nearly all well-financed intelligence agencies buy exploits, says Eric Filiol, a lieutenant-colonel in computer intelligence for France’s army until 2009. Computer experts who years ago would reveal software vulnerabilities for mere prestige have realised that they were treating “diamonds as pebbles”, says Mr Filiol, now head of the Operational Cryptography and Computer Virology Lab in Laval. His lab is partly financed by France’s defence ministry to provide it with exploits.
The price of exploits has risen more than fivefold since 2004, Mr Filiol says, referring to a confidential document. . . .
[R]eputable customers, such as Western intelligence agencies, often pay higher prices. Mr Lindelauf reckons that America’s spies spend the most on exploits. Vupen and other exploit vendors decline to name their clients. However, brisk sales are partly driven by demand from defence contractors that see cyberspace as a “new battle domain”, says Matt Georgy, head of technology at Endgame, a Maryland firm that sells most of its best exploits for between $100,000 and $200,000. He laments a rise in sales by unscrupulous vendors to dangerous groups.
On March 12th the head of the Pentagon’s Cyber Command, General Keith Alexander, warned the Senate Armed Services Committee that state-sponsored groups are stepping up efforts to steal and destroy data using “cybertools” purchased in illicit online markets. As an American military-intelligence official points out, governments that buy exploits are “building the black market”, thereby bankrolling dangerous R&D. For this reason, governments appear increasingly keen to develop exploits in-house. Paulo Shakarian, a cyberwar expert at West Point, an American military academy, says China appears to be moving in this direction. (graphic: Economist) (via Edward Lucas)