Friday, April 6, 2012

The incredible business of security flaws

Security is not a market like any other. Every year in early March, people from around the world meet in Vancouver to demonstrate and exploit weaknesses in the major browsers. For each vulnerability exploited, participants leave with an average of $10,000. But Pwn2Own is a sort of Olympics for this industry: glory, but little money. Because with a security flaw, it is possible to earn much more than that.
A flaw in Mac OS X trades for between $20,000 and $50,000; one in Windows, $60,000 to $120,000; while a flaw in Firefox or Safari can sell for between $60,000 and $150,000. But the best of the best is to find a flaw in iOS: you can then pocket between $100,000 and $250,000.


Forbes explains that there is a real gray market in security vulnerabilities. Brokers take charge of selling the flaws in question. Their customers? Mainly the European and American authorities. Grugq, who has been playing this game for over ten years, explains that it is the Europeans and the Americans who pay best. His job, he says, is similar to that of a software company: he has to sell a flaw as if it were a finished product, with extensive documentation. "The only difference is that you only sell one license, and everyone calls you the devil."

The South African-born man explains that some customers are better than others. He likes neither the Chinese nor the Russians, who do not pay enough. There are many hackers in China working for the authorities, so prices there are not high. As for the Russians, it seems that working with them is no piece of cake, and it is apparently the surest way to see a flaw become public.




It is, in any case, a very profitable business. In the month of December alone, he pocketed $250,000 from government buyers. Grugq says he takes a 15% commission per sale and will not sell a flaw for less than $50,000. This year his goal is to make a million dollars.

Of course, this type of trade is far from winning unanimous approval. Chris Soghoian, an activist with the Open Society Foundations, describes these sellers as "modern merchants of death" selling "the bullets of cyberwar". "Once one of these weapons sold to a government ends up in malicious hands and is used to attack critical U.S. infrastructure, that's where the trouble will really begin," he says. He calls these brokers "cowboys" who, in his view, tarnish the entire security industry.

Adriel Desautels, founder of Netragard, also sells security vulnerabilities to the highest bidder. This market has been booming for a year: there are, he says, more and more buyers with more and more resources. Previously, a flaw took a few months to sell. Now it is a matter of weeks, or even days.

He explains that not all the flaws sold are necessarily used. Adriel Desautels suggests that one of his private-sector clients recently bought one for marketing purposes, to be used as a proof of concept. That client still paid $125,000.

And what about ethics in all this? Adriel Desautels says he does not sell his flaws to just anyone and is extremely selective: "we reject more people than we accept. Let's face it, we sell cyber weapons."

One thing is certain: these companies are willing to work with many people, except those directly affected. The prices bear no relation to the rates the software vendors themselves post when they ask to be notified of a security hole. Google, the most generous in the matter, pays up to $3,133.70 for a bug. The Mozilla Foundation and Facebook have similar programs.

While some, like Grugq, might be prepared to discuss the matter if a company like Google aligned with market prices, others will not even listen. That is the case of the French firm Vupen Security. The winner of the 2012 edition of Pwn2Own states that it would not sell anything to Google, not even for a million dollars. It would, in a way, kill its business.


"We do not want to share our know-how, which could help fix a flaw or similar ones. We want to keep it for our customers." Vupen develops techniques for finding chains of flaws, and therefore sells each of them very dearly. We understand better now why the company does not wish to disclose its know-how to Google.
