msgbartop
All about Google Chrome & Google Chrome OS
msgbarbottom

22 Mar 12 The Zero-Day Salesmen


At a Google-Run competition in Vancouver last month the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged ­website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin.

A team of hackers from French security firm Vupen were playing by different rules. They declined to enter Google
(
GOOG -

news
-

people
)’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques–certainly not for $60,000 in chump change. “We wouldn’t share this with Google for even $1 million,” says Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

Article Controls

Emailemail

imageprint

imagereprint

imagenewsletter

imagecomments

imageshare

imagedel.icio.us

imageDigg It!

imageyahoo

imageFacebook

imageTwitter

imageReddit

imagerss

Those customers, after all, don’t aim to fix Google’s security bugs or those of any other commercial software vendor. They’re government agencies who purchase such “zero-day” exploits, or hacking techniques that use undisclosed flaws in software, with the ­explicit ­intention of invading or disrupting the computers and phones of crime suspects and intelligence targets.

In that shady but legal market for security vulnerabilities, a zero-day exploit that might earn a hacker $2,000 or $3,000 from a software firm could earn 10 or even 100 times that sum from the spies and cops who aim to use it in secret. Bekrar won’t detail Vupen’s exact pricing, but analysts at Frost Sullivan, which named Vupen the 2011 Entrepreneurial Company of the Year in vulnerability research, say that Vupen’s clients pay around $100,000 annually for a subscription plan, which gives them the privilege of shopping for Vupen’s techniques. Those intrusion methods include attacks on software such as Micro­soft Word, Adobe
(
ADBE -

news
-

people
) Reader, Google’s Android, Apple
(
AAPL -

news
-

people
)’s iOS operating systems and many more–Vupen bragged at HP’s hacking competition that it had exploits ready for every major browser. And sources familiar with the company’s business say that a single technique from its catalog often costs far more than its six-figure subscription fee. Even at those prices, Vupen doesn’t sell its exploits exclusively. Instead, it hawks each trick to multiple government agencies, a business model that often plays its customers against one another as they try to keep up in an espionage arms race.

Bekrar claims that it carefully screens its clients, selling only to NATO governments and “NATO partners.” He says Vupen has further “internal processes” to filter out nondemocratic nations and requires buyers to sign contracts that they won’t reveal or resell their exploits. But even so, he admits that the company’s digital attack methods could still fall into the wrong hands. “We do the best we can to ensure it won’t go outside that agency,” Bekrar says. “But if you sell weapons to someone, there’s no way to ensure that they won’t sell to another agency.”

That arms-trade comparison is one Vupen’s critics are eager to echo. Chris Soghoian, a privacy activist and fellow at the Open Society Foundations, calls Vupen a “modern-day merchant of death,” selling “the bullets for cyberwar.” After one of its exploits is sold, Soghoian says, “it disappears down a black hole, and they have no idea how it’s being used, with or without a warrant, or whether it’s violating human rights.” The problem was starkly illustrated last year when surveillance gear from Blue Coat Systems
(
BCSI -

news
-

people
) of Sunnyvale, Calif. was sold to a United Arab Emirates firm but eventually ended up tracking political dissidents in Syria. “Vupen doesn’t know how their exploits are used, and they probably don’t want to know. As long as the check clears.”

Vupen is hardly alone in the exploit-selling game, but other firms that buy and sell hacking techniques, including Netragard, Endgame and larger contractors like Northrop Grumman
(
NOC -

news
-

people
) and Raytheon
(
RTN -

news
-

people
), are far more tight-lipped than Bekrar’s small firm in Montpellier, France. Bekrar describes his company as “transparent.” Soghoian calls it “shameless.”

“Vupen is the Snooki of this industry,” says Soghoian. “They seek out publicity, and they don’t even realize that they lack all class. They’re the ­Jersey Shore of the exploit trade.”

Even so, Bekrar won’t share revenue numbers, though he insists the firm is profitable. One person who will share those sales numbers is a South African hacker who goes by the name “the Grugq” and lives in Bangkok. For just over a year the Grugq has been supplementing his salary as a security researcher by acting as a broker for high-end exploits, connecting his hacker friends with buyers among his government contacts. He says he takes a 15% commission on sales and is on track to earn more than $1 million from the deals this year. “I refuse to deal with anything below mid-five-figures these days,” he says. In December of last year alone he earned $250,000 from his government buyers. “The end-of-year budget burnout was awesome.”

Meet The Hackers Who Sell Spies The Tools To Crack Your PC (And Get Paid Six-Figure Fees)

Apple’s Deep Pocketsimage

Adobe Earnings Preview: Tablet and Cloud Initiatives in Focus

Walter Isaacson Discusses Steve Jobs’ Geniusimage

Article source: http://www.forbes.com/forbes/2012/0409/technology-hackers-government-security-zero-day-salesmen.html

Tags: , , ,

Comments are closed.