Full Disclosure mailing list archives
Shopping For Zero-Days: A Price List For Hackers' Secret Software Exploits
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 24 Mar 2012 22:20:00 -0400
http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/

A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs. Share it with HP's Zero Day Initiative instead and earn as much as $10,000 for helping the firm shore up its security gear. Both options also allow Apple to fix its bugs and make the hundreds of millions of iPhone and iPad users more secure.

But any hacker who happens to know one Bangkok-based security researcher who goes by the handle "the Grugq"–or someone like him–has a third option: arrange a deal through the pseudonymous exploit broker to hand the exploit information over to a government agency, don't ask too many questions, and get paid a quarter of a million dollars–minus the Grugq's 15% commission.

That iOS exploit price represents just one of the dozens of deals the Grugq (pictured above) has arranged in his year-old side career as a middle man for so-called "zero-day" exploits, hacking techniques that take advantage of secret vulnerabilities in software. Since he began hooking up his hacker friends with contacts in government a year ago, the Grugq says he's on track to earn a million in revenue this year. He arranged the iOS deal last month, for instance, between a developer and a U.S. government contractor. In that case, as with all of his exploit sales, he won't offer any other details about the buyer or the seller. Even with the $250,000 payout he elicited for that deal, he wonders if he could have gotten more. "I think I lowballed it," he wrote to me at one point in the dealmaking process. "The client was too happy."

A six-figure price for a single hacking technique may sound extravagant, but it's hardly unique. Based on speaking with sources in this secretive but legal trade, I've assembled a rough price list for zero-day exploits below.

[Image: price chart] http://blogs-images.forbes.com/andygreenberg/files/2012/03/exploitpricechart.jpg

Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software's vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit. In some cases the techniques would need to be used in combination to be effective.

An exploit's price factors in both how widely the target software is used as well as the difficulty of cracking it. A technique that allows a hacker to gain control of a Mac OSX machine after hacking an application might earn only a fraction of one that targets Windows, for instance, because of Windows' greater market share. But an iOS exploit pays more than one that targets Android devices partly because it requires defeating Apple's significantly tougher security features. That means most agencies can simply develop their own Android attacks, the Grugq says, while ones that can penetrate the iPhone are rare and pricey. For the Jailbreakme 3 iOS exploit created by the hacker Comex last year, the Grugq says he heard agencies would have been eager to pay $250,000 for exclusive use of the attack.

Who's paying these prices? Western governments, and specifically the U.S., says the Grugq, who himself is a native of South Africa. He limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more. "Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money," he says, explaining that he has no contacts in the Russian government. "Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily." As for China, he says that the country has too many hackers who sell only to the Chinese government, pushing down prices. "The market is very depressed," he says. Other regions like the Middle East and the rest of Asia can't match Western prices either. As a result, the Grugq earns 80% of his revenue from the U.S., though occasionally the developers who work with him have asked that he sell only to Europeans.

Over more than a decade in the hacker scene, he's met enough federal agents to have contacts at multiple U.S. agencies, and he knows how to package his developer's exploits for sale to those buyers, with professional marketing and support. "You're basically selling commercial software, like anything else. It needs to be polished and come with documentation," he says. "The only difference is that you only sell one license, ever, and everyone calls you evil."

One of the most vocal of those critics is Chris Soghoian, a privacy activist with the Open Society Foundations, who has described the firms and individuals who sell software exploits as "the modern-day merchants of death" selling "the bullets of cyberwar." "As soon as one of these weaponized zero-days sold to governments is obtained by a 'bad guy' and used to attack critical U.S. infrastructure, the shit will hit the fan," Soghoian warned in a talk at the Kaspersky analyst summit in February. "Security researchers should not be selling zero-days to middle man firms...These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain."

...