

Why government cyber attacks hurt us

The most dangerous cracks in our computers, phones and tablets are called "Zero Day Exploits." These are vulnerabilities that nobody had discovered before they were found in the wild, already being used as exploits.

In the old model, hackers would find these exploits and sometimes win a prize. They would report the vulnerability to the vendor and give them a few months to fix it. Then they would make an announcement, get some glory, get speaking engagements and consulting contracts, and help make a safer world because these flaws were revealed and fixed.

The new model is that they sell these exploits to government agencies or contractors for very large prices and never let the vendor know about them. Forbes recently published an article about this including some prices for previously unknown exploits.
  • Adobe Reader: $5,000-$30,000
  • Mac OSX: $20,000-$50,000
  • Flash or Java: $40,000-$100,000
  • Firefox or Safari: $60,000-$150,000
  • Windows: $60,000-$120,000
  • iOS: $100,000-$250,000
They interviewed an agent who represents sellers (for a 15% commission) as they contract with government agencies and defense contractors like Northrop Grumman and Raytheon. He talked a little about a recent $250,000 sale. These middlemen will sometimes act as agents and sometimes buy and then resell security holes that allow the owners to design software to take over the vulnerable computers. A number of companies have sprouted up to act as intermediaries between governments and hackers.

The scary part about this is that instead of being revealed and fixed, the vulnerabilities are hidden and exploited. Furthermore, this puts some frightening incentives in front of programmers who are writing software for Microsoft, Adobe, Apple or Oracle. If they put a backdoor into the software, an exploit that would be very hard to find, it could function as an insurance policy or pension fund should they ever lose their job. Won't some programmers be tempted by a six-digit payday? Our world keeps changing.

An article on this by Bruce Schneier is here, and an article in Business Week also explores it. Finally, Forbes has interviews with some of the hackers. One quote from that article with regard to a vulnerability found in Google's Chrome: "We wouldn’t share this with Google for even $1 million," says Bekrar. "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers." Apparently, his company sells subscriptions for $100,000/yr., which give the subscriber the right to shop for items in its catalog of exploits.

Date: June 2012

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
