Sometimes these researchers get their bounties, along with 15 minutes of fame, and other times
they do not. When this latter scenario occurs, things begin to turn a bit greyer, as jilted
researchers sometimes opt to disclose to the public without the affected company’s consent.
In situations like this, the company is usually spurred to action – but whether users are safer
than they would have been if no one ever knew is a hot topic of debate. You can’t know what
you don’t know, and with zero days, this means that there is always the chance that someone
malicious has discovered it too. For the surveillance wary, this ‘malicious someone’ even
extends to the government; in fact, in recent months, some have even suggested that the NSA
knew about Heartbleed.
Zero days, get your zero days!
So, who else finds zero days? Well, a better question might be: what happens when zero days
become a commodity? What happens when a few entrepreneurial actors come along and
recognize that the spectrum outlined above represents much more than just a collection of ways
in which software flaws are discovered and disclosed? When they realize, with glee, that this
spectrum is a real-life environment, overflowing with unmet economic demand?
Enter the world of for-profit zero day research. Here, vulnerabilities are bought and
sold to the highest paying bidder.
Here, vulnerabilities aren’t just casually researched by security enthusiasts hoping to
make the world of software a better place, and maybe make a few bucks while they’re at it.
Here, zero day flaws are aggressively sought after – and when they’re found the danger of
public disclosure is used as a very effective sales mechanism.
It works like this:
Someone comes to your place of business and tells you they have discovered a secret
way to exploit your product that will allow whoever uses it to leech money and
personal information off of you and your customers.
They tell you that you can have access to this secret information, but only at a price. You freak
out, but then you think: should I take this person seriously? Then you consider slamming the
door on them. Then you realize: if what they’re saying is true, what’s stopping them from selling
this supposedly secret knowledge to someone else?
From a legal standpoint, nothing is stopping them. For-profit zero day research, and even
brokering, is completely legal. This is because the knowledge of a zero day is not the same
thing as the exploitation of a zero day. Knowing that a flaw exists is not illegal, and
for companies that have such flaws this knowledge can help prevent security
disasters. The problem, though, is that this knowledge isn’t always sold to the
companies it affects. It’s sold to whoever is willing to pay, at the seller’s
discretion.
32 Cyber Warnings E-Magazine – November 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide