Zero-day black market bolstered by 'malware industrial complex'

@ 2013/02/15
The US government's plans to develop new computer weapons is driving a black market in zero-day bugs which could make life more dangerous for the rest of us.

According to MIT's Technology Review, the methods by which governments, contractors, and researchers are developing cyber-weapons is putting internet users at risk.

For a while now hackers have become aware that the number of bugs being unveiled has dropped dramatically. The reason is that zero-day bugs can be cashed in to defence contractors, security agencies and governments who can use them in cyber weapons.

After Stuxnet, the United States and governments around the world have been paying more and more for the exploits needed to make such weapons work.

According to Christopher Soghoian, a principal technologist at the American Civil Liberties Union, on one hand, the US the government is freaking out about cyber-security, and on the other it is participating in a global market in vulnerabilities and pushing up the prices.

Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects' computers or mobile phones.

Currently the top dollar is being paid for zero day hacks into mobile phone operating systems which are rarely updated, meaing flaws can be exploited for a long time.

At the moment, whoever discovers a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered.

A Bangkok, Thailand-based security researcher who goes by the name "the Grugq" has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and Europe.

The French security company VUPEN demonstrated a zero-day flaw that compromised Google's Chrome browser, but turned down Google's offer of a $60,000 reward if they would share how it worked. The guess is that they had sold it to a government.

So far, no US government agency has gone on the record as saying that it buys zero-days. But they have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks. The only way to do that is buying zero days.

No comments available.