funsec mailing list archives

To the Highest Bidder, Hackers Ready to Pounce


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Mon, 29 Jan 2007 21:52:02 -0500

http://www.nytimes.com/2007/01/30/technology/30bugs.html?ei=5094&en=8a3ee799331ee282&hp=&ex=1170133200&partner=homepage&pagewanted=print
 
January 30, 2007

To the Highest Bidder, Hackers Ready to Pounce 

By BRAD STONE

Microsoft says its new operating system, Windows Vista, is the most secure in
the company's history. Now the bounty hunters will test just how secure it is.

When its predecessor, Windows XP, was released five years ago, software bugs
were typically hunted by hackers for fame and glory, not financial reward.
But now software vulnerabilities - as with stolen credit-card numbers and
spammable e-mail addresses - carry real financial value and are commonly
bought, sold and traded online, both by legitimate security companies, who
say they are providing a service, and by nefarious hackers and thieves. 

Vista, which will be installed on millions of new PCs starting today, provides
the latest target.

This month, iDefense Labs, a subsidiary of the technology company VeriSign,
said it was offering $8,000 for the first six researchers to find holes in
Vista, and $4,000 more for the so-called exploit, the program needed to take
advantage of the weakness.

IDefense sells such information to corporations and government agencies,
which have already begun using Vista, so they can protect their own systems.

Companies like Microsoft do not endorse such bounty programs, but they have
even bigger problems: the willingness of Internet criminals to spend large
sums for early knowledge of software flaws that could provide an opening for
identity-theft schemes and spam attacks. 

The Japanese security firm Trend Micro said in December that it had found a
Vista flaw for sale on a Romanian Web forum for $50,000. Security experts say
that the price is plausible, and that they regularly see hackers on public
bulletin boards or private online chat rooms trying to sell the holes they
have discovered, and the coding to exploit them.

Especially prized are so-called zero-day exploits, bits of disruption coding
that spread immediately because there is no known defense. 

Software vendors have traditionally asked security researchers to alert them
first when they find bugs in their software, so that they could issue a fix,
or patch, and protect the general public. But now researchers contend that
their time and effort are worth much more. 

"To find a vulnerability, you have to do a lot of hard work," said Evgeny
Legerov, founder of a small security firm, Gleg Ltd., in Moscow. "If you
follow what they call responsible disclosure, in most cases all you receive
is an ordinary thank you or sometimes nothing at all."

Gleg sells vulnerability research for more than $10,000 to a dozen corporate
customers around the world. Mr. Legerov says he regularly turns down the
criminals who send e-mail messages offering big money for bugs they can use
to spread malicious programs like spyware. 

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.