funsec mailing list archives
To the Highest Bidder, Hackers Ready to Pounce
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 29 Jan 2007 21:52:02 -0500
http://www.nytimes.com/2007/01/30/technology/30bugs.html?ei=5094&en=8a3ee799331ee282&hp=&ex=1170133200&partner=homepage&pagewanted=print

January 30, 2007

To the Highest Bidder, Hackers Ready to Pounce

By BRAD STONE

Microsoft says its new operating system, Windows Vista, is the most secure in the company's history. Now the bounty hunters will test just how secure it is.

When its predecessor, Windows XP, was released five years ago, software bugs were typically hunted by hackers for fame and glory, not financial reward. But now software vulnerabilities - as with stolen credit-card numbers and spammable e-mail addresses - carry real financial value and are commonly bought, sold and traded online, both by legitimate security companies, who say they are providing a service, and by nefarious hackers and thieves.

Vista, which will be installed on millions of new PCs starting today, provides the latest target. This month, iDefense Labs, a subsidiary of the technology company VeriSign, said it was offering $8,000 for the first six researchers to find holes in Vista, and $4,000 more for the so-called exploit, the program needed to take advantage of the weakness. IDefense sells such information to corporations and government agencies, which have already begun using Vista, so they can protect their own systems.
Companies like Microsoft do not endorse such bounty programs, but they have even bigger problems: the willingness of Internet criminals to spend large sums for early knowledge of software flaws that could provide an opening for identity-theft schemes and spam attacks. The Japanese security firm Trend Micro said in December that it had found a Vista flaw for sale on a Romanian Web forum for $50,000.

Security experts say that the price is plausible, and that they regularly see hackers on public bulletin boards or private online chat rooms trying to sell the holes they have discovered, and the coding to exploit them. Especially prized are so-called zero-day exploits, bits of disruption coding that spread immediately because there is no known defense.

Software vendors have traditionally asked security researchers to alert them first when they find bugs in their software, so that they could issue a fix, or patch, and protect the general public. But now researchers contend that their time and effort are worth much more.

"To find a vulnerability, you have to do a lot of hard work," said Evgeny Legerov, founder of a small security firm, Gleg Ltd., in Moscow. "If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all."

Gleg sells vulnerability research for more than $10,000 to a dozen corporate customers around the world. Mr. Legerov says he regularly turns down the criminals who send e-mail messages offering big money for bugs they can use to spread malicious programs like spyware.

...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.