
NY Times: Governments are interested in 0day

The use of zero-day vulnerabilities in operations conducted with the knowledge of government agencies, and involving specialized security companies or contractors working for them, is a topic that is becoming increasingly popular and, in part, less informative. Popular, because it has been discussed in the media for more than a year; less informative, because the ongoing projects are classified and no one is interested in disclosing them, since big money is involved in such contracts. One reason the topic is relevant is the connection between such vulnerabilities and the appearance of threats that have become known as "cyberweapons". The connection is that these vulnerabilities were discovered while investigating how the threat got onto victims' computers. Cyberweapons are, obviously, detected by large AV companies; or rather, a small AV company may detect one initially, but only large companies with the relevant experience, large customers, and a view of the threat landscape can recognize the threat as a cyberweapon. Names like Stuxnet and Flame are already known to almost everyone. Besides these, targeted campaigns also use ordinary malware, which can be "reoriented" for their purposes.

One of the most important attributes of a targeted attack or cyberweapon is the use of 0day vulnerabilities to covertly install malware on the system. The information that has emerged over the past few years, both from the AV companies that investigate such threats and from other security companies, clearly hints that 0day vulnerabilities are being exploited in attacks conducted under the guise of state security agencies of specific states, and with the permission of the government. The NY Times published an article on the organizations that provide such services, explaining some of the models of this business; we would like to cite information from it, with our comments.

ReVuln
http://revuln.com/
https://twitter.com/revuln


Location: headquarters in Malta.

Profile: research into vulnerabilities in software and industrial control systems (ICS), and provision of information about them to customers (by subscription). The customers are large organizations, including the National Security Agency (NSA).

Vupen
http://www.vupen.com/
https://twitter.com/VUPEN



Location: France, Montpellier.

Profile: software vulnerability research, exploit development. Works with, among others, large organizations and organizations working for the governments of various countries (by its own account). Subscription: $100k.

Exodus intelligence
https://www.exodusintel.com/
https://twitter.com/ExodusIntel



Location: USA, Austin (TX).
Profile: study of "exclusive" vulnerabilities in software, exploit development.

Netragard
http://www.netragard.com/
https://twitter.com/Netragard



Location: USA, Massachusetts.
Profile: penetration testing, vulnerability research.

Of course, none of these companies will disclose the names of their customers. Chaouki Bekrar (CEO of VUPEN) said that the company does not sell exploits to countries that have problems or conflicts with (are embargoed by) countries in Europe and the United States.

The controversy on this issue can be reduced to the statement of Howard Schmidt (former cybersecurity coordinator at the White House): “In order to protect your country, you need to find vulnerabilities in other countries. But the problem is that we all become less secure.” According to data published by Edward Snowden, companies working with the US government were among the buyers of 0day vulnerabilities. According to the Center for Strategic and International Studies in Washington, states such as Russia, the United Kingdom, Israel, and India are particularly interested in this matter.

Searching for vulnerabilities in modern web browsers and other software is in itself quite profitable for researchers, albeit very labor-intensive. Large companies such as Google, Microsoft and Facebook have dedicated bug bounty programs that set the price for finding a dangerous vulnerability (as a rule, one that can be used for remote code execution). Microsoft recently launched its bug bounty program and has already paid the first $50k to researcher Ivan Fratric for valuable information as part of BlueHat Bonus for Defense (he presented ROPGuard, an exploitation detection and prevention system).



Since opening its bug bounty program in 2010, Google has paid researchers over $3 million for finding vulnerabilities in the Chrome web browser. Facebook opened a similar program in 2011 and has paid more than $1 million. It should be noted that Apple, unlike other companies, does not have a similar program. But vulnerabilities for iOS are among the most expensive. In one case, an iOS vulnerability was sold for $500 thousand.

There are other important, but less noticeable, players in the arena of 0day sales and research for the US government, for example the startup Endgame (Virginia, USA). A former director of the NSA is closely associated with it. The company specializes in developing a number of special software tools that it sells primarily to the US government and that can be used in the fight against cyber espionage, as well as for offensive purposes.

Thus, we are talking about a market for the sale of various types of vulnerabilities, exploits and other tools that can be used for both offensive and defensive purposes. The customers are governments, and the sellers are security companies. Chaouki Bekrar points out that, as a result of the increasing demand in this market, the price of such services actually doubles every year.

www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

Source: https://habr.com/ru/post/186580/

