Governments Fuel Business of Selling Cyber Secrets

"Dancing with the devil in cyberspace has been pretty common"

From Nicole Perlroth and David E. Sanger, New York Times:  On the tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs — not the island’s many beetle varieties, but secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.

The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of such vulnerabilities to countries that want to break into the computer systems of foreign adversaries. The two will not reveal the clients of their company, ReVuln, but big buyers of services like theirs include the National Security Agency — which seeks the flaws for America’s growing arsenal of cyberweapons — and American adversaries like the Revolutionary Guards of Iran.

All over the world, from South Africa to South Korea, business is booming in what hackers call “zero days,” the coding flaws in software like Microsoft Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.

Just a few years ago, hackers like Mr. Auriemma and Mr. Ferrante would have sold the knowledge of coding flaws to companies like Microsoft and Apple, which would fix them. Last month, Microsoft sharply increased the amount it was willing to pay for such flaws, raising its top offer to $150,000.

But increasingly the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran’s nuclear enrichment program with a computer worm that became known as “Stuxnet.”

The flaws get their name from the fact that once discovered, “zero days” exist for the user of the computer system to fix them before hackers can take advantage of the vulnerability. A “zero-day exploit” occurs when hackers or governments strike by using the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.

“Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,’ ” said Howard Schmidt, a former White House cybersecurity coordinator. “The problem is that we all fundamentally become less secure. . . .”

[T]the market for information about computer vulnerabilities has turned into a gold rush. Disclosures by Edward J. Snowden, the former N.S.A. consultant who leaked classified documents, made it clear that the United States is among the buyers of programming flaws. But it is hardly alone.

Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle Eastern intelligence services. Countries in the Asian Pacific, including Malaysia and Singapore, are buying, too, according to the Center for Strategic and International Studies in Washington.

To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 percent cut. Some hackers get a deal collecting royalty fees for every month their flaw is not discovered, according to several people involved in the market. . . .

For start-ups eager to displace more established military contractors, selling vulnerabilities — and expertise about how to use them — has become a lucrative opportunity. Firms like Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, Mr. Auriemma’s and Mr. Ferrante’s Maltese firm, freely advertise that they sell knowledge of the flaws for cyberespionage and in some cases for cyberweapons.

Outside Washington, a Virginia start-up named Endgame — in which a former director of the N.S.A. is playing a major role — is more elusive about its abilities. But it has developed a number of tools that it sells primarily to the United States government to discover vulnerabilities, which can be used for fighting cyberespionage and for offensive purposes.

Like ReVuln, none of the companies will disclose the names of their customers. But Adriel Desautels, the founder of Netragard, said that his clients were “strictly U.S. based” and that Netragard’s “exploit acquisition program” had doubled in size in the past three years. The average flaw now sells from around $35,000 to $160,000.

Chaouki Bekrar, the founder of Vupen, said his company did not sell to countries that are “subject to European Union, United States or United Nations restrictions or embargoes.” He also said revenue was doubling every year as demand surged. Vupen charges customers an annual $100,000 subscription fee to shop through its catalog, and then charges per sale. Costs depend on the sophistication of the vulnerability and the pervasiveness of the operating system. . . .

In one case, a zero-day exploit in Apple’s iOS operating system sold for $500,000, according to two people briefed on the sale.

Still, said Mr. [Christopher] Soghoian of the A.C.L.U., “The bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market. . . .”

“If you try to limit who you do business with, there’s the possibility you will get shut out,” Mr. Schmidt said. “If someone comes to you with a bug that could affect millions of devices and says, ‘You would be the only one to have this if you pay my fee,’ there will always be someone inclined to pay it.”

“Unfortunately,” he said, “dancing with the devil in cyberspace has been pretty common.” 

From Tim Lloyd, VentureBeat:  [Jerusalem Venture Partners partner Yoav] Tzruya says that hackers sell their zero-day exploits on the black market through “Darknets,” or anonymous networks of computers where IP addresses are never revealed, at costs ranging anywhere from $50,000 to $250,000 per program, by his estimates. The market for these cyber-weapons includes rogue nation-states, terrorist groups, and crime syndicates, he said.

“If you want to take down your competitor’s website, you can do that today for hundreds of dollars,” he added.  (graphic: Steve Caplin/Guardian)

Image: guardian%201%202%2013%20Cyber-war-bomb_0.jpg