Why government cyber attacks hurt us

The most dangerous cracks in our computers, phones and tablets are called "Zero Day Exploits." These are the vulnerabilities that were not discovered before being found in the wild being used as exploits.

In the old model hackers would find these exploits and sometimes win a prize. They would report the vulnerability to the vendor and give them a few months to fix it. Then make an announcement, get some glory, get speaking engagements and consulting contracts and help make a safer world because these flaws were revealed and fixed.

The new model is that they sell these exploits to government agencies or contractors for very large prices and never let the vendor know about them. Forbes recently published an article about this including some prices for previously unknown exploits.

Adobe Reader: $5,000-$30,000
Mac OSX: $20,000-$50,000
Flash or Java: $40,000- $100,000
Firefox or Safari: $ 60,00$150,000
Windows: $60,000 to $120,000
IOS: $100,000 to $250,000

They interviewed an agent who represents sellers (for a 15% commission) as they contract with government agencies and defense contractors like Northrup Grumman and Raytheon. He talked a little about a recent $250,000 sale. These middle-men will sometimes act as agent and sometimes buy and then re-sell security holes that allow the owners to design software to take over the vulnerable computers. A number of companies have sprouted up to act as intermediaries between governments and hackers.

The scary part about this, is that instead of revealing and fixing the vulnerabilities, they are hidden and exploited. Furthermore, you are putting some frightening incentives in front of programmers who are writing software for Microsoft, Adobe, Apple or Oracle. If they put a backdoor into the software, an exploit that would be very hard to find, it could function as an insurance policy or pension fund should they ever lose their job. Won't some programmers be tempted by a six digit payday? Our world keeps changing.

An article on this by Bruce Schneier is here, and an article in Business Week also explores it. Finally, Forbes has interviews with some of the hackers. One quote from that article with regards to a vulnerability found in Google's Chrome: "We wouldn’t share this with Google for even $1 million," says Bekrar. "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers." Apparently, his company sells subscriptions for $100,000/yr. which will give the subscriber the right to shop for items in its catalog of exploits.

Date: June 2012

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		Why government cyber attacks hurt us The most dangerous cracks in our computers, phones and tablets are called "Zero Day Exploits." These are the vulnerabilities that were not discovered before being found in the wild being used as exploits. In the old model hackers would find these exploits and sometimes win a prize. They would report the vulnerability to the vendor and give them a few months to fix it. Then make an announcement, get some glory, get speaking engagements and consulting contracts and help make a safer world because these flaws were revealed and fixed. The new model is that they sell these exploits to government agencies or contractors for very large prices and never let the vendor know about them. Forbes recently published an article about this including some prices for previously unknown exploits. Adobe Reader: $5,000-$30,000 Mac OSX: $20,000-$50,000 Flash or Java: $40,000- $100,000 Firefox or Safari: $ 60,00$150,000 Windows: $60,000 to $120,000 IOS: $100,000 to $250,000 They interviewed an agent who represents sellers (for a 15% commission) as they contract with government agencies and defense contractors like Northrup Grumman and Raytheon. He talked a little about a recent $250,000 sale. These middle-men will sometimes act as agent and sometimes buy and then re-sell security holes that allow the owners to design software to take over the vulnerable computers. A number of companies have sprouted up to act as intermediaries between governments and hackers. The scary part about this, is that instead of revealing and fixing the vulnerabilities, they are hidden and exploited. Furthermore, you are putting some frightening incentives in front of programmers who are writing software for Microsoft, Adobe, Apple or Oracle. If they put a backdoor into the software, an exploit that would be very hard to find, it could function as an insurance policy or pension fund should they ever lose their job. Won't some programmers be tempted by a six digit payday? Our world keeps changing. An article on this by Bruce Schneier is here, and an article in Business Week also explores it. Finally, Forbes has interviews with some of the hackers. One quote from that article with regards to a vulnerability found in Google's Chrome: "We wouldn’t share this with Google for even $1 million," says Bekrar. "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers." Apparently, his company sells subscriptions for $100,000/yr. which will give the subscriber the right to shop for items in its catalog of exploits. Date: June 2012 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk