Sell Out Hackers: The Zero-Day Exploit Market

Exploit sellers arm governments and businesses, but are they harming security for everyone else?

Remember the final battle scene in Star Wars: A New Hope? Remember how Luke Skywalker slotted a bomb from his X-Wing down the Death Star’s exhaust port to blow the spherical space station apart? Well, that port is much like a zero-day vulnerability, and the rebel force’s attack was a carefully constructed zero-day exploit.

Despite the Force being so strong in him, Darth Vader managed to commission a ship with a glaring flaw in it. In the same way, developers often create, and proudly deliver, software covered in holes. When those holes are exploited, and attackers fire malware or some other nasty code through them, the owners of that software can be blown apart too.

Intelligence on such weaknesses, and the tools needed to exploit them, now sell for considerable sums. That’s because of what can be achieved with zero-days. As seen with super-virus Stuxnet, which took advantage of four zero-day flaws, weaponised vulnerabilities can have a major real-world impact. In that case, the malware disrupted Iran’s uranium enrichment project by sending centrifuges potty. It was said to have set the process back by two years.

Governments of both east and west, and large private businesses, are thought to be spending vast portions of their budgets on acquiring zero-day exploits. Meanwhile, vendors and users of their wares never learn of them. It’s bad news for Internet security, many argue.

Regardless of their quarrels, a bustling market has emerged, and it is one that has caused ruptures in the security community.

The good old days?

Yet it’s a far cry from what researchers had hoped it would become. Back in 2002, industry experts felt Internet security was in desperate need of a shot in the arm. They thought the best way to get companies and software vendors interested in improving the security of their estates was to make vulnerability hunting a more prosperous activity. They started talking openly about a more formal approach to introducing market incentives for security flaws.

Just after the turn of the Millennium, Jean Camp from Harvard University and Catherine Wolfram from Berkeley wrote a paper entitled ‘Pricing Security’. In it, they argued that the Internet and “the larger information infrastructure” was awash with easily exploitable flaws. “The only ubiquitous testing of Internet security is done by egocentric hackers,” they said.

Camp and Wolfram argued that security should be viewed as an “externality”, where if one party is hit, another can be affected either positively or negatively, but without compensation. To counter this, they suggested looking at vulnerabilities as goods, items to be bought and sold. Those who discovered vulnerabilities would effectively own them.


The researchers had a vision of a credit system, where each Internet-connected machine would be given vulnerability credits by a government body. When a machine was compromised by known flaws, the owner of the machine would relinquish their credits, or pay out in cash if they had no credits left. Those who discovered vulnerabilities, whether exploited or not, could “demand some form of payment or validation of credit ownership”. Perhaps because of the somewhat inchoate ideas put forward by Camp and Wolfram, their vision never became a reality.

At what cost?

But start-ups did emerge in the early 2000s who did treat vulnerabilities as commodities. The most notable one was TippingPoint, which founded the Zero-Day Initiative (ZDI), a program that rewarded researchers for responsibly disclosing vulnerabilities, which were reported to vendors as soon as the flaw was validated. TippingPoint was subsequently bought by HP, but ZDI still operates today, as do many other bug bounty programmes, run by the likes of Google and Facebook.

They offer decent money – usually between $1,000 and $10,000 for each flaw found. Researchers get both monetary and reputational rewards, meaning they fill their pockets and bolster their CV for future consulting gigs.

Yet some believe they can and should make much more money from selling zero-days. Even back in 2002, this publication understands an iTunes vulnerability was sold for $13,000. But now much more is up for grabs.

On the one side, private firms are willing to pay significant fees because they want to gain an advantage over rivals, either by being better protected or by launching attacks themselves. On the other, governments want to buy in preparation for cyber warfare. Now they have seen the damage cyber tools can do, from Stuxnet to the super-sophisticated spy tool Flame, governments know what is at stake.

One industry insider, who preferred to remain anonymous, told TechWeekEurope a single zero-day can sell for anything between $5,000 and $500,000. Often, the higher-cost vulnerabilities can be bought as a package with the tools and services needed to exploit them, the insider added.

“It depends on the quality. They sell for what they are worth,” the source said. “The growing need, coupled with the shrinking availability and the time it takes to find and write, sets the price for exploits. It’s just basic supply and demand.”

‘Security for the one percent’

Zero-day merchants take a variety of forms. Major government contractors such as Lockheed Martin, Harris Corporation, Northrop Grumman and Raytheon are thought to be involved, but a host of specialised firms have emerged over the last decade, including Netragard, Errata Security and Vupen. It is the latter group who have been involved in a vituperative war of words with Internet activists and the more vocal members of the security industry.

The main criticism of zero-day sellers is an obvious one. By not sharing their information with the wider community, a flaw is known to a select few, often government bodies and big businesses, whilst the majority go unprotected.

This lack of what is widely-known as “responsible disclosure” is what perturbs many. “It’s security for the one percent and it makes the rest of us less safe,” the Electronic Frontier Foundation said in an essay earlier this year. “These companies are basically selling burglary tools,” claims Professor Ross Anderson, of the University of Cambridge.

When Vupen decided not to tell Google about a zero-day in the Chrome browser, even though it claimed $60,000 in CanSecWest prize money for finding it, it became the bête noire of an industry that had already attracted a lot of bad publicity. Chrome users would be placed at risk, all because one company wanted to keep its handful of customers happy, onlookers moaned.

Even though he said he would only sell to NATO governments and partners, Chaouki Bekrar, CEO of Vupen, told Forbes magazine that he wouldn’t share the information with Google, even for $1 million. “We don’t want to give them any knowledge that can help them in fixing this zero-day exploit or other similar exploits. We want to keep this for our customers.”

Open source troubles?

But there may be an even more pernicious side-effect of the market’s growth. Anderson believes open source projects are now threatened by people wanting to profit from weaknesses.

Researchers are purposefully placing bugs in open source software during the development stages, so that when the code appears in completed products, those same researchers can highlight the flaws and profit from them where companies are willing to pay, Anderson has told TechWeekEurope. He claimed to know of several projects where this has happened, but declined to name names.

“That’s now happening. I’ve seen it in the last four months,” Anderson said. Imagine if Linux had flaws purposefully written into it, he ponders. “Intelligence agencies would be willing to pay an extraordinary amount for zero-days for Linux.”

Those against “irresponsible” vulnerability sellers want tighter regulation. Globally, there is little restriction on the practice. Germany, which is known for having strict rules when it comes to data, is one of the only nations to have made it illegal to sell exploits. It’s even illegal there to research zero-day exploits at all.

In the UK, Anderson says he wants more controls over who UK-based zero-day merchants can sell to overseas. He doesn’t want repressive regimes using British technology to carry out mass surveillance on citizens, as has allegedly occurred in the case of Andover-based Gamma International, whose FinSpy tool has appeared tracking dissidents in Syria and Bahrain. Privacy International has threatened the UK government with legal action, if it fails to introduce tighter checks.

Fight night

Now, having been criticised ad infinitum, zero-day hunters are biting back at critics. And at journalists. Is your article going to be another piece of “troll journalism”, Vupen’s CEO asked your reporter, while this article was in progress. He declined to answer any of TechWeekEurope’s questions. Indeed, he has been wary of journalists since that infamous Forbes article.

But others are happy to speak out. When asked about the open source issue, zero-day sellers say they have heard rumours of such subterfuge, but never have they seen it.

When it comes to regulation, they believe they are, at heart, no different from coders. And there shouldn’t be laws stymying the work of coders, they argue. Those calling for legislation, they say, are just jealous, because they don’t have the skills to find the zero-days and subsequently profit from them.

“The recent industry obsession with doting on vulnerability markets is an unproductive campaign with improperly informed champions striving for idealistic, and ultimately useless, regulations,” says Aaron Portnoy, vice president of research and co-founder of Exodus Intelligence. Portnoy was one of the big-shots of the HP TippingPoint ZDI, running it for two years out of the six he was there. The rest of his five-man team is from ZDI too.

His company has a slightly different model to others, selling a feed of data on zero-days and related exploits, and promising to eventually disclose vulnerabilities to vendors for free. It finds vulnerabilities, but also pays external researchers when they hand Exodus their findings. Portnoy might run things differently to the more controversial players in the industry, but he has similarly strong views on those calling for governments to tighten their grip on the market. Security for the one percent? Nonsense, Portnoy says.

“If the ability to sell an exploit suddenly disappeared the Internet would not be a safer place, and individuals would not cease their research into discovering innovative ways to break code,” he told TechWeekEurope. “Those who believe regulation or transparency into this market seem to think otherwise, and that is likely because they themselves aren’t the ones finding the bugs.

“By fixing a single vulnerability, you protect one piece of software from one flaw… by providing enterprises and vendors insight into what attackers are capable of, you enable them to better design their defenses and hopefully develop solutions that are wider in scope.

“If people are concerned about the safety of their Internet, they should stop focusing on trying to stop curious people from being curious.”

Many exploit experts would rather see the software development industry better regulated. They believe vendors should be held more accountable when holes in their software cause harm to Internet users. That’s what Charlie Miller, one of the most noted flaw finders in the world, backs. “Exploits aren’t the problem, vulnerable programs are. Let’s make our devices unbreakable and end the discussion,” he recently tweeted.

Inner turmoil

But whilst zero-day dealers have been lashing out at critics, the market is prone to infighting too. Unlike the traditional security market, where anti-virus vendors at least ostensibly work closely with one another and willingly share threat information, exploit dealers are considerably more antagonistic.

Earlier this month, Bekrar sent a message to Netragard CEO Adriel Desautels, accusing the latter of “trolling” Vupen. “Stop promoting yourself and your s**t by trolling about us, you don’t know a s**t about us nor our customers, teenager,” read one message. “We’re a 100% research compny while u’re just another broker compny without balls to do your own 0Ds,” read another.

Desautels says the argument was over ethics. Netragard offers penetration testing services and claims to do plenty of its own research on the exploit side. It also acts as a broker of exploits, selling other researchers’ work on to the highest bidder.

The company chief tells TechWeekEurope he is far from fond of the Vupen model, in particular its unwillingness to inform vendors. “I couldn’t believe he was talking like that in public,” Desautels says. “Vupen says it won’t sell to a vendor. In my opinion that is both irresponsible and unethical. It’s unethical because if a vendor approaches you willing to pay an exclusive price for a zero-day, it’s the same thing as anyone else willing to pay for a zero-day.

“It’s irresponsible because look at who is in NATO. There are a lot of countries in NATO that don’t like each other.”

Desautels, whilst against regulation of coding, is in favour of tighter rules on brokering, even for a more dirigiste approach. Much like Anderson, he wants to see governments put stronger controls on who brokers sell to. At the same time, however, he does not believe researchers should be limited in who they can sell to.

“Legislation needs to keep its hands out of the research world because if they don’t they are going to drive it towards the black hat world and the underground. It’ll benefit the bad guys,” he adds.

“But there has to be some sort of a body that can keep brokers in check ethically… There has to be some way to control it. It will tick off a lot of the businesses that are doing it, and I understand why, because it means they won’t get easy money anymore.”

Just the beginning

In our Star Wars analogy, few people would argue that Princess Leia and the Rebel Alliance should have practised responsible disclosure and warned the Galactic Empire of the flaw in the Death Star, instead of smuggling the plans out in secret and using them for a destructive attack.

In that case moral issues came into the picture, and the issue of marketing the flaw did not arise. Perhaps that’s because there was no market at all.

Yet in the real world, the growth of the zero-day vulnerability market seems inexorable, despite the mounting criticisms of the market, and the bad etiquette of certain players in it. If researchers can make more by selling to governments and private firms, they will increasingly look at that route before going to vendors.

It doesn’t look like the cost of zero-days has hit a peak either. David Maynor, CTO of Errata Security, certainly doesn’t think so. “Do you think the cost of conventional weapons has hit a peak? We have seen the most someone is willing to pay for a jet fighter?”

And it’s unlikely governments will wrap more red tape around the market. After all, why would they want to mitigate the rise of an industry of which they are the chief beneficiaries?

via TechWeekEurope

PRIVACY SOS: Remote Monitoring & Access, Spy Tech Secretly Embeds Itself In Phones

In 2008, a Reston, VA-based corporation called Oceans’ Edge, Inc. applied for a patent. In March 2012 the company’s application for an advanced mobile snooping technology suite was approved.

The patent describes a Trojan-like program that can be secretly installed on mobile phones, allowing the attacker to monitor and record all communications incoming and outgoing, as well as manipulate the phone itself. Oceans’ Edge says that the tool is particularly useful because it allows law enforcement and corporations to work around mobile phone providers when they want to surveil someone’s phone and data activity. Instead of asking AT&T for a tap, in other words, the tool embeds itself inside your phone, turning your device against you.

A former employee of Oceans’ Edge notes on his LinkedIn page that the company’s clients included the FBI, Drug Enforcement Agency, and other law enforcement.

Oddly enough, Oceans’ Edge, Inc. describes itself as an information security company on its sparsely populated website. The “About Us” page reads:

Oceans Edge Inc. (OE) is an engineering company founded in 2006 by wireless experts to design, build, deploy, and integrate Wireless Cyber Solutions.
Our team is composed of subject matter experts in the following areas:
  • Wireless Cyber Security
  • Mobile Application Development
  • Wireless Communication Protocols
  • Wireless Network Implementation
  • Lawful Intercept Technology
With this expertise, we deliver engineering services and wireless technology solutions in critical mission areas for our government and commercial customers.

But while the company may offer “cyber security” solutions to government and corporations, as the website claims, the firm only has one approved patent on file with the US Patent and Trademark Office.

Remote mobile spying

The patent is for a “Mobile device monitoring and control system.” The applicants summarize the technology thusly:

Methods and apparatus, including computer program products, for surreptitiously installing, monitoring, and operating software on a remote computer controlled wireless communication device are described.

In other words, the technology works to snoop on mobile phones by secretly installing itself on phone hardware. The targeted phone is thus compromised in two ways: first, the attacker can spy on all the contents of the phone; and second, the attacker can operate the phone from afar. That’s to say, it doesn’t just let the attacker read your text messages. It also potentially lets him write them.

The summary goes on:

One aspect includes a control system for communicating programming instructions and exchanging data with the remote computer controlled wireless communication device. The control system is configured to provide at least one element selected from the group consisting of: a computer implemented device controller; a module repository in electronic communication with the device controller; a control service in electronic communication with the device controller; an exfiltration data service in electronic communication with the device controller configured to receive, store, and manage data obtained surreptitiously from the remote computer controlled wireless communication device; a listen-only recording service in electronic communication with the device controller; and a WAP gateway in electronic communication with the remote computer controlled wireless communication device.

The technology therefore also enables automated data storage of all of a phone’s activity in the attacker’s database. So if someone used this technology to spy on your phone, they would be able to use the Oceans’ Edge product to automatically store everything you do on it, to go back to later.

In case you aren’t sure who would want this kind of spook technology or why, Oceans’ Edge explains in the patent application:

A user’s employment of a mobile device, and the data stored within a mobile device, is often of interest to individuals and entities that desire to monitor and/or record the activities of a user or a mobile device. Some examples of such individuals and entities include law enforcement, corporate compliance officers, and security-related organizations. As more and more users use wireless and mobile devices, the need to monitor the usage of these devices grows as well. Monitoring a mobile device includes the collection of performance metrics, recording of keystrokes, data, files, and communications (e.g. voice, SMS (Short Message Service), network), collectively called herein “monitoring results“, in which the mobile device participates.

The application goes on to explain that the tool is beneficial to law enforcement or other customers because it allows them to avoid dealing with pesky mobile phone providers when they want to covertly spy on people’s mobile communications. Instead of the FBI going to AT&T or T-Mobile to get access to your cell data, they can just surreptitiously install this bug on your phone. They’ll get all your data — and your phone company might never know.

Mobile device monitoring can be performed using “over the air” (OTA) at the service provider, either stand-alone or by using a software agent in conjunction with network hardware such a telephone switch. Alternatively, mobile devices can be monitored by using a stand-alone agent on the device that communicates with external servers and applications. In some cases, mobile device monitoring can be performed with the full knowledge and cooperation of one of a plurality of mobile device users, the mobile device owner, and the wireless service provider. In other cases, the mobile device user or service provider may not be aware of the monitoring. In these cases, a monitoring application or software agent that monitors a mobile device can be manually installed on a mobile device to collect information about the operation of the mobile device and make said information available for later use. In some cases, this information is stored on the mobile device until it is manually accessed and retrieved. In other cases, the monitoring application delivers the information to a server or network device. In these cases, the installation, information collection, and retrieval of collected information are not performed covertly (i.e. without the knowledge of the party or parties with respect to whom the monitoring, data collection, or control, or any combination thereof, is desired, such as, but not limited to, the device user, the device owner, or the service provider). The use of “signing certificates” to authenticate software prior to installation can make covert installation of monitoring applications problematic. When software is not signed by a trusted authority, the software may not be installed, or the device user may be prompted for permission to install the software. In either case, the monitoring application is not installed covertly as required.

Additionally, inspection of the mobile device can detect such a monitoring application and the monitoring application may be disabled by the device user. Alternatively, OTA message traffic may be captured using network hardware such as the telephone switch provided by a service provider. This requires explicit cooperation by the service provider, and provides covert monitoring that is limited to message information passed over the air. As a result, service provider-based monitoring schemes require expensive monitoring equipment, cooperation from the service provider, and are limited as to the types of information they can monitor.

The applicants describe some of the challenges they had to overcome, which include:

Additional challenges are present when the monitoring results are transmitted from a mobile device. First, many mobile devices are not configured to transmit and receive large amounts of information. In some instances, this is because the mobile device user has not subscribed to an appropriate data service from an information provider. In other instances, the mobile device has limited capabilities.

In other words, make sure you get that unlimited data plan, or else it’ll be really hard for the FBI to spy on your mobile phone! It’ll take up so much of your data usage that you’ll notice and maybe even complain to your mobile provider! That would be awkward.

Second, transmitting information often provides indications of mobile device activity (e.g. in the form of activity lights, battery usage, performance degradation).

Bad battery performance that the geeks at the Apple genius bar can’t explain? Maybe your device has been compromised.

Third, transmitting information wirelessly requires operation in areas of intermittent signal, with automated restart and retransmission of monitoring results if and when a signal becomes available.

The monitoring program has got to be clever enough to stop and restart every time you go out of range of your cell network, or you turn the phone off.

Fourth, many mobile devices are “pay as you go” or have detailed billing enabled at the service provider. The transmission of monitoring results can quickly use all the credit available on a pre-paid wireless plan, or result in detailed service records describing the transmission on a wireless customer’s billing statement.

When the snoops steal your information, you might have to pay for the pleasure of being spied on. That’s because your mobile phone provider might read the spying activity as your activity. After all, it’s coming from your phone.

Lastly, stored monitoring results can take up significant storage on a mobile device and the stored materials and the use of this storage can be observed by the device user.

Is there a large chunk of space on your phone that seems full, but you can’t figure out why? Perhaps a snoop tool like that devised by Oceans’ Edge, Inc. is storing data on your phone that it plans to later capture.

Given all of those potential problems, the technologists had a lot of work cut out for them. Here’s how they addressed those problems:

From the foregoing, it will be appreciated that effective covert monitoring of a mobile device requires the combination of several technologies and techniques that hide, disguise, or otherwise mask at least one aspect of the monitoring processes: the covert identification of the mobile devices to be monitored, the covert installation and control of the monitoring applications, and the covert exfiltration of collected monitoring results. As used herein, “covert exfiltration” refers to a process of moving collected monitoring results from a mobile device while it is under the control of another without their knowledge or awareness. Thus covert exfiltration processes can be those using stealth, surprise, covert, or clandestine means to relay monitoring data. “Collected monitoring results” as used herein includes any or all materials returned from a monitored mobile device to other devices, using either mobile or fixed points-of-presence. Examples of collected monitoring results include one or more of the following: command results, call information and call details, including captured voice, images, message traffic (e.g. text messaging, SMS, email), and related items such as files, documents and materials stored on the monitored mobile device. These materials may include pictures, video clips, PIM information (e.g. calendar, task list, address and telephone book), other application information such as browsing history, and device status information (e.g. device presence, cell towers/wireless transmitters/points-of-presence used, SIM data, device settings, location, profiles, and other device information). Additionally, the capability to covertly utilize a mobile device as a covertly managed camera or microphone provides other unique challenges.

Thus covert monitoring of a mobile device’s operation poses the significant technical challenges of hiding or masking the installation and operation of the monitoring application, its command and control sessions, hiding the collected monitoring results until they are exfiltrated, surreptitiously transmitting the results, and managing the billing for the related wireless services. The exemplary illustrative technology herein addresses these and other important needs.

In short, Oceans’ Edge Inc., a company founded and operating in the heart of CIA country, says it has a technology that can secretly install itself on mobile phones and push all the contents of the devices to an external database, doing so entirely under the radar of both the target and the target’s mobile provider. It even boasts that the tool allows for covertly managing phone cameras and microphones.

What kind of contracts does this company have, and with which government agencies? A cursory internet search didn’t turn up much, except for a couple of bids to work on a military information operations program and a cyber defense project. Neither one of those programs has an obvious link to the mobile snooping device described in the patent application.

Since we don’t know which agencies are using this technology or how, it’s hard to say to what extent this kind of secret monitoring is taking place in the US. We have some evidence suggesting that the FBI and DEA are using this tool (thanks, Chris Soghoian, for the tip). If those agencies really are using this technology, they should get warrants before they compromise anyone’s phone.

Is the government getting warrants to use this tool? We don’t know.

Oceans’ Edge Inc., like many purveyors of surveillance products, claims that its technology is only deployed for “lawful interception,” but it makes no claims about what that actually means. There’s no mention of judicial oversight, warrants, or any kind of due process. As I’ve written elsewhere on this blog, given the state of the law concerning surveillance in the digital age, we shouldn’t let our guard down simply because a company claims its surveillance tools are used lawfully. That’s because we do not know how these tools are being deployed, and yet we know that the state of surveillance law in the US at present grants the government wide latitude to infringe on our privacy in ways that are often improper or even unconstitutional.

In most cases (with a few notable exceptions), lawmakers haven’t worked to address this issue.

As we can see, surveillance technologies are developing rapidly. It’s past time for our laws to catch up.

How NSA access was built into Windows

Careless mistake reveals subversion of Windows by NSA?

A careless mistake by Microsoft programmers has revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors). The discovery comes close on the heels of the revelations earlier this year that another US software giant, Lotus, had built an NSA “help information” trapdoor into its Notes system, and that security functions on other software systems had been deliberately crippled.

The first discovery of the new NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago when a second researcher rediscovered the access system. With it, he found the evidence linking it to NSA.