Kevin Mitnick mastering the profession of the future

During his youth, Kevin Mitnick became the most famous hacker in the world. For many, he has become a role model. His method of penetrating a network of a telecommunications company through marrying a female employee of this company is generally a classic of the genre.

But after being released from prison, Kevin Mitnick became a “white” hacker: he was involved in pentesting, advised companies in the field of IT security, published books on social engineering, and lectured. However, this was not enough, and now Kevin, so to speak, is returning to the roots: he sells 0day exploits.

Mitnick has opened his own trading platform exploits Mitnick's Absolute Zero Day Exploit Exchange .
')
Mitnick writes that exploits are offered for sale, which he found himself, and from outside researchers, at a price of $ 100,000 or more.

In general, recently the trade in exploits is becoming quite a normal business, no one considers it a crime. While individual hackers may sell 0day vulnerabilities anonymously, they are not the ones who take off the cream. Other firms operate quite openly.

For example, the French company Vupen has been openly selling exploits to intelligence agencies and state intelligence agencies for several years. It is reliably known that Vupen sold one of the 0day vulnerabilities of the IE browser to the NSA.

The joke happened at the Pwn2Own hacker competition in 2012, when Vupen won, but refused to receive the $ 60K reward and pass the exploit to Chrome for hacking. The owners of the company refused the money and said they would save the exploit for their clients. The same thing happened in 2012 with an exploit for IE 6-10 . It became approximately clear what this product is worth on the black market.

On the official website of Vupen Security , it is indicated that the company provides customers with “services in the use of exploits for the purpose of attack” (offensive exploit services). Since such activity on the part of private companies or individuals falls under the penal code, only one thing remains - Vupen Security's customers are government agencies, law enforcement agencies and intelligence services. In theory, only they have the right to legally use such exploits. The site Vupen Security says that they carefully select customers, they can only be NATO countries, ANZUS and ASEAN.

Vupen is not the only broker of exploits in the global market. In addition to it, several other companies are engaged in buying exploits from independent hackers for the purpose of resale, including Netragard, Endgame, Northrop Grumman and Raytheon. But they do this as covertly as possible in an atmosphere of absolute secrecy. Vupen company differs in that it does business on a large scale and does not refuse such public relations as participation in hacker contests.

One way or another, the trade in exploits and 0day vulnerabilities seems to have finally got out of the shadows and has become a legal industry. The same Vupen pays taxes in France for each exploit sold. What is not a prospect for creating your own business?

Not only individual companies, but also private entrepreneurs can be engaged in this business. The main thing is to have good connections. A good example of a new wave entrepreneur - Grugq, who is engaged in trade in exploits.


Grugq

He uses his old hacker connections and works as an intermediary, buying exploits from hackers and selling them to state agencies. Grugq takes a commission of 15% and assures that in one month he can sell exploits for 250 thousand dollars.

By the way, the analytical company Frost & Sullivan awarded Vupen first place in the 2011 Entrepreneurial Company of the Year competition, that is, they were called the most promising business in 2011. In other words, given the ever-increasing demand for 0day-exploits, companies can earn big money by finding and selling exploits.