On the tiny Mediterranean island of Malta, two
Italian hackers have been searching for bugs — not the island’s many beetle
varieties, but secret flaws in computer code that governments pay hundreds of
thousands of dollars to learn about and exploit.
The hackers, Luigi Auriemma, 32, and Donato Ferrante, 28, sell
technical details of such vulnerabilities to countries that want to break into
the computer systems of foreign adversaries. The two will not reveal the
clients of their company, ReVuln, but big buyers of services like theirs
include the National Security Agency — which seeks
the flaws for America’s growing arsenal of cyberweapons — and American
adversaries like the Revolutionary Guards of Iran.
All over the world, from South Africa to South Korea, business is
booming in what hackers call “zero days,” the coding flaws in software like
Microsoft Windows that can give a buyer unfettered access to a computer and any
business, agency or individual dependent on one.
Just a few years ago, hackers like Mr. Auriemma and Mr. Ferrante
would have sold the knowledge of coding flaws to companies like Microsoft and
Apple, which would fix them. Last month, Microsoft sharply increased the amount
it was willing to pay for such flaws, raising its top offer to $150,000.
But increasingly the businesses are being outbid by countries with the goal of
exploiting the flaws in pursuit of the kind of success, albeit temporary, that
the United States and Israel achieved three summers ago when they attacked
Iran’s nuclear enrichment program with a computer worm that became known
as “Stuxnet.”
The flaws get their name from the fact that, once an attacker has found one,
the user of the affected system has had zero days to fix it before it can be
used against them. A “zero-day exploit” is what hackers or governments use to
strike through the flaw before anyone else knows it exists, like a burglar who
finds, after months of probing, a previously undiscovered way into a house
that does not set off the alarm.
“Governments are starting to say, ‘In order to best protect my
country, I need to find vulnerabilities in other countries,’ ” said Howard
Schmidt, a former White House cybersecurity coordinator. “The problem is that
we all fundamentally become less secure.”
A zero-day bug could be as simple as an online account that asks for a password
but never actually checks that one was typed; bypassing the login by pressing
the “Enter” key on an empty field becomes a zero-day exploit. The average
zero-day attack persists for almost a year, 312 days, before it is detected,
according to Symantec, the maker of antivirus software. Until then the flaw
can be exploited, or “weaponized,” by both criminals and governments to spy
on, steal from or attack their targets.
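The bug class the paragraph describes, shown as an added example that is not code from the article or from any product it names: a login check that only compares the password when one was typed, beside a corrected check. The user table, salt, password and function names are all constructed for this illustration.

```python
"""Authentication bypass of the kind described above: a login check that
only compares the password when one was typed, next to a corrected check.
Everything here (the user table, salt and password) is constructed for the
example; it is not code from the article or from any product it names."""
import hashlib
import hmac

ITERATIONS = 50_000                  # PBKDF2 work factor (lowered for a quick demo)
_SALT = b"constructed-example-salt"  # fixed so the example is deterministic
_DUMMY_KEY = bytes(32)               # compared against for unknown users


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password; this is what the user store holds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed user store: username -> (salt, derived key)
USERS = {"alice": (_SALT, derive_key("correct horse battery staple", _SALT))}


def login_vulnerable(username: str, password: str) -> bool:
    """The bug: the comparison is guarded by `if password`, so an empty
    submission (the user just presses Enter) never reaches it and falls
    through to success. Any username in the store can be entered this way."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    if password and derive_key(password, salt) != stored:
        return False
    return True  # reached for an empty password: the bypass


def login_fixed(username: str, password: str) -> bool:
    """Corrected check: reject empty input outright, always derive and
    compare, use a constant-time comparison, and do the same amount of
    work for unknown users so timing does not reveal which names exist."""
    if not password:
        return False
    record = USERS.get(username)
    salt, stored = record if record is not None else (_SALT, _DUMMY_KEY)
    matches = hmac.compare_digest(derive_key(password, salt), stored)
    return matches and record is not None


if __name__ == "__main__":
    for check in (login_vulnerable, login_fixed):
        print(check.__name__, "empty password ->", check("alice", ""))
```

The vulnerable version is the shape such bugs usually take in practice: the comparison is correct, but a guard meant to handle a missing field lets the empty case skip it. The fix treats an empty password as a failed login rather than a special case, and pays the same key-derivation cost for unknown users so an attacker cannot enumerate accounts by response time.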
Ten years ago, hackers would hand knowledge of such flaws to
Microsoft and Google free, in exchange for a T-shirt or perhaps for an
honorable mention on a company’s Web site. Even today, so-called patriotic
hackers in China regularly hand over the information to the government.
Now, the market for information about computer vulnerabilities has
turned into a gold rush. Disclosures by Edward J. Snowden, the former N.S.A.
contractor who leaked classified documents, made it clear that the United
States is among the buyers of programming flaws. But it is hardly alone.
Israel, Britain, Russia, India and Brazil are some of the biggest
spenders. North Korea is in the market, as are some Middle Eastern intelligence
services. Countries in the Asian Pacific, including Malaysia and Singapore, are
buying, too, according to the Center for Strategic and International Studies in
Washington.
To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15
percent cut. Some hackers get a deal collecting royalty fees for every month
their flaw is not discovered, according to several people involved in the
market.
Some individual brokers, like one in Bangkok who goes by “the Grugq” on Twitter, are well known. But after the Grugq
spoke to Forbes last year, his business took a hit from the publicity,
according to a person familiar with the impact, primarily because buyers demand
confidentiality.
A broker’s approach need not be subtle. “Need code execution
exploit urgent,” read the subject line of an e-mail sent from one contractor’s
intermediary last year to Billy Rios, a former security engineer at Microsoft
and Google who is now a director at Cylance, a security start-up.
“Dear Friend,” the e-mail began. “Do you have any code execution
exploit for Windows 7, Mac, for applications like Browser, Office, Adobe, SWF
any.”
“If yes,” the e-mail continued, “payment is not an issue.”
For start-ups eager to displace more established military contractors, selling
vulnerabilities — and expertise about how to use them — has become a lucrative opportunity. Firms
like Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus
Intelligence in Austin, Tex.; and ReVuln, Mr. Auriemma’s and Mr. Ferrante’s
Maltese firm, freely advertise that they sell knowledge of the flaws for
cyberespionage and in some cases for cyberweapons.
Outside Washington, a Virginia start-up named Endgame — in
which a former director of the N.S.A. is playing a major role — is more elusive
about its abilities. But it has developed a number of tools that it sells
primarily to the United States government to discover vulnerabilities,
which can be used for fighting cyberespionage and for offensive purposes.
Like ReVuln, none of the companies will disclose the names of
their customers. But Adriel Desautels, the founder of Netragard, said that his
clients were “strictly U.S. based” and that Netragard’s “exploit acquisition
program” had doubled in size in the past three years. The average flaw now
sells from around $35,000 to $160,000.
Chaouki Bekrar, the founder of Vupen, said his company did not
sell to countries that are “subject to European Union, United States or United
Nations restrictions or embargoes.” He also said revenue was doubling every
year as demand surged. Vupen charges customers an annual $100,000 subscription
fee to shop through its catalog, and then charges per sale. Costs depend on the
sophistication of the vulnerability and the pervasiveness of the operating
system.
ReVuln specializes in finding remote vulnerabilities in industrial control systems
that can be used to access — or disrupt — water treatment facilities, oil and gas pipelines and power plants. “They are
engaging in willful blindness,” said Christopher Soghoian, a senior policy
analyst at the American Civil Liberties Union.
Many technology companies have started “bug bounty” programs in
which they pay hackers to tell them about bugs in their systems rather than
have the hackers keep the flaws to themselves — or worse, sell them on the
black market. Nearly a decade ago the Mozilla Foundation started one of the
first bounty programs to pay for bugs in its Firefox browser. Since then,
Google, Facebook and PayPal have all followed suit. In recent months, bounties
have soared.
In 2010, Google started paying hackers up to $3,133.70 — the number is hacker code
for “elite” — for bugs in its Web browser Chrome. Last month, Google increased
its cash prize to $20,000 for flaws found in
some of its widely used products. Facebook began a similar program in 2011 and
has since paid out $1 million. (One payout included $2,500 to a 13-year-old.
The most it has paid for a single bug is $20,000.)
“The program undermines the incentive to hold on to a bug that
might be worth nothing in a day,” said Joe Sullivan, Facebook’s chief security
officer. It has also had the unintended effect of encouraging ethical hackers
to turn in others who planned to use its bugs maliciously. “We’ve seen
people back-stab other hackers by ratting out a bug that another person planned
to use maliciously,” he said.
Microsoft, which had long resisted such a program, did an
about-face last month when it announced that it would pay hackers as much as
$150,000 for information about a single flaw, if they also provided a way to
defend against it.
Apple still has no such program, but its vulnerabilities are some
of the most coveted. In one case, a zero-day exploit in Apple’s iOS operating
system sold for $500,000, according to two people briefed on the sale.
Still, said Mr. Soghoian of the A.C.L.U., “The bounties pale in
comparison to what the government pays.” The military establishment, he said,
“created Frankenstein by feeding the market.”
In many ways, the United States government created the market.
When the United States and Israel used a series of flaws — including one in the
way Windows handled shortcut files — to unleash what became known as the Stuxnet worm, a
sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich
uranium, it showed the world what was possible. It also became a catalyst for a
cyberarms race.
When the Stuxnet code leaked out of the Natanz nuclear enrichment
plant in Iran in the summer of 2010, the flaws suddenly took on new value.
Subsequent discoveries of sophisticated state-sponsored computer viruses
named Flame and
Duqu that used flaws to spy on computers in Iran have only fueled interest.
“I think it is fair to say that no one anticipated where this was
going,” said one person who was involved in the early American and Israeli
strategy. “And today, no one is sure where it is going to end up.”
In a prescient paper in 2007, Charlie Miller, a former N.S.A. employee,
described the profitable alternatives for hackers who might otherwise have
turned their information about flaws over to the vendor free, or sold it for a
few thousand dollars to programs like TippingPoint’s Zero Day Initiative, now
run by Hewlett-Packard, which used them to enhance its security research.
He described how one American government agency offered him
$10,000 for a Linux bug. He asked another for $80,000, which agreed “too
quickly,” Mr. Miller wrote. “I had probably not asked for enough.”
Because the bug did not work with a particular flavor of Linux,
Mr. Miller eventually sold it for $50,000. But the take-away for him and his
fellow hackers was clear: There was serious money to be made selling the flaws.
At their conventions, hackers started flashing signs that read,
“No more free bugs.”
Hackers like Mr. Auriemma, who once gave away their bugs to
software vendors and antivirus makers, now sound like union organizers
declaring their rights.
“Providing professional work for free to a vendor is unethical,”
Mr. Auriemma said. “Providing professional work almost for free to security
companies that make their business with your research is even more unethical.”
Experts say there is limited incentive to regulate a market in
which government agencies are some of the biggest participants.
“If you try to limit who you do business with, there’s the
possibility you will get shut out,” Mr. Schmidt said. “If someone comes to you
with a bug that could affect millions of devices and says, ‘You would be the
only one to have this if you pay my fee,’ there will always be someone inclined
to pay it.”
“Unfortunately,” he said, “dancing with the devil in cyberspace
has been pretty common.”