Is it ethical to sell zero day exploits?


Zero day flaws are the application vulnerabilities that nobody knows about until it’s too late.
They’re the things like Heartbleed, or Shellshock, or most recently POODLE that allow hackers
and attackers to execute malicious code on machines that aren’t theirs. They’re also the things
like Sandworm and Operation Snowman: previously unknown entry points into a PC through
end user software that allow malware writers to infect their victims in new and often unprotected
ways.

Zero days are dangerous because, once they are announced, users literally have “zero days” to
apply a patch. Once a zero day is made public, you can already assume it’s being exploited by
cybercriminals in the wild. For this reason, the biggest concern in the world of zero day research
is never a question of when – bugs will always be discovered. Much more pertinent is the
uneasy question of how.

How Zero Days are Disclosed

Zero day research is a very big deal, and it involves a lot of money.

On one end of the spectrum, you have internal researchers, employed by software
companies, who actively look for security flaws in the company’s product, so that they
can stay ahead of attackers. If zero days are ever found, the software receives "just
another round of updates" and the problem is more or less silently fixed, without a
scary security announcement to users.


This is, for example, what happens with your Windows-based PC on the second Tuesday of every
month, “Patch Tuesday”. Patches like these are by no means perfect, as there is always a small
time window between release and automated update that attackers can exploit, but ‘good guy’
zero days more or less make the best of what’s already a bad situation.


On the other end of the spectrum, things get much worse. Here, you have financially
motivated hackers who uncover new vulnerabilities all on their own.

They have no ties to the company or the users their discovery will affect, and they simply want
to make as much money as they can, regardless of others (or the law). In this ‘bad guy’
scenario, a profitable course of action is keeping one's mouth shut and silently adopting the
zero day in a new malware distribution campaign. In this way, a bot master can infect thousands
of new victims in a matter of days. His in-the-wild zero day will of course eventually be
discovered by one systems administrator or another, and eventually announced, and eventually
patched – but all of that takes time.


Move between these two endpoints, and things start to get interesting. Sometimes,
the good guys aren’t official employees – sometimes they’re independent researchers
applying for bug bounties, which at big companies like Facebook and Microsoft can be
as large as $150,000.



31 Cyber Warnings E-Magazine – November 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide