Wednesday, September 23, 2015

The business of “zero day” flaws, these vulnerabilities unknown to manufacturers … – Le Monde

Companies and governments compete for these vulnerabilities that have not yet been made public, and a real market has formed around them, with its grey areas.

One million euros. That is the sum promised on Monday, September 21, by the company Zerodium to whoever finds a flaw in iOS 9, the new software that runs iPhones. Zerodium is a newcomer to the information security market, but not an unknown one. An offshoot of the French company Vupen, it specializes in so-called “zero day” flaws, which it buys from hackers and then resells to the highest bidder, usually large Western intelligence agencies looking for a way to spy on their targets. Vupen and Zerodium claim not to work with authoritarian regimes.

What is a zero-day flaw?

The sum of one million dollars is unprecedented, but it shows the value of this type of flaw in a hyperconnected world. A zero-day vulnerability is a software flaw that has not yet been discovered by the manufacturer. “It can then be exploited before the manufacturer notices it and issues an emergency fix. Such an attack is then called a zero-day attack,” in the words of the security company Symantec. “There is almost no defense against a zero-day attack,” two researchers from the company’s laboratories explained in a study published in 2012.

Read also: Is spyware a weapon?

These flaws are by definition very rare. Based on data from 11 million Windows users between 2008 and 2011, two Symantec researchers identified 18 attacks using zero-day vulnerabilities. In its latest white paper, the computer security company FireEye listed 11 such attacks discovered during 2013.

Several markets have formed around zero-day flaws, and which one a flaw ends up in often depends on the intentions of the person who discovers it.

The “gray market”

There is first a gray market for vulnerabilities. This is the one Zerodium targets with its promise of a million. Often the customers are no longer criminals but companies and governments. In 2012, Forbes magazine interviewed a Bangkok-based computer security researcher who puts hackers holding flaws in contact with governments. “Put simply, you sell them like commercial software. They must be well presented and accompanied by documentation,” says The Grugq, the pseudonym used by this intermediary. He says he sells mainly in the US and claims that various markets have formed, each with its advantages and disadvantages. “Russia is flooded with criminals. They monetize the flaws in the most brutal way possible, and poorly, and they sell them off cheaply,” says The Grugq, for example. As for the Chinese market, it reportedly does not pay enough because of too much competition.

Indeed, states rely on vulnerabilities to operate certain surveillance tools, especially in the context of counter-terrorism. The Italian spyware maker Hacking Team, victim of a brutal hack in early summer, sold its products to several governments, police forces and intelligence services, and used a number of flaws to deploy its tools. When the hackers published hundreds of thousands of emails stolen from the company, several vulnerabilities were discovered in Adobe Flash, software widely used to display videos and animations on the Internet. These flaws were exploited by Hacking Team and its customers to infect the computers or smartphones they wanted to spy on.

Read also: Facebook and Firefox turn on Adobe Flash after discovery of new security holes

Following the Hacking Team hack, many of the emails posted online gave an overview of the vulnerability purchases made by the company. Hacking Team bought vulnerabilities from hackers, but also from specialized companies. A Russian hacker named Vitaliy Toropov managed to sell one such flaw for 45,000 dollars.



Good Samaritan researchers

Conversely, some computer security experts warn the software maker when they discover flaws so that they can be repaired. This is notably what Charlie Miller and Chris Valasek did this year, two researchers who have worked for years on the safety of connected cars. They distinguished themselves in recent weeks by remotely hacking a Jeep and cutting its engine. This feat was carried out using several zero-day flaws, particularly in the entertainment system integrated into certain vehicles.

Read also: Two researchers manage to hack a car remotely

Far from being malicious, they were in contact with the manufacturer for more than nine months and kept their discovery of the holes secret. Only after the manufacturer, Fiat Chrysler, had published a fix did the two experts decide to reveal their work to the press. The details of the vulnerabilities exploited were then released at the Black Hat hacker conference in Las Vegas in early August. This approach, which consists of warning the company at risk when a vulnerability is discovered before releasing the details to the public, is very common in the computer security world.



Reward Programs

Finally, software vendors, who have no interest in leaving loopholes uncorrected or letting them end up in the wrong hands, can also take a proactive stance. Many companies thus offer “bounty programs”, that is, a reward system for anyone who discreetly reports a serious and verified vulnerability. Facebook, for example, boasted last year of having paid millions of dollars to hackers. “The best thing we did [for the security of Facebook] was to have run a bonus program for many years,” said Sheryl Sandberg, Facebook’s director of operations, in an interview with Fortune magazine in October.

This reward system is also the one adopted by Zerodium, the difference being that it does not act on its own account but as a “wholesaler” that will resell the flaw at a high price to its customers.

United Airlines also offers a reward program with very specific conditions (available in French). Two hackers recently received an award of nearly one million free-flight “miles” each for spotting major flaws. Surprisingly, the guide also states that it is forbidden to physically assault an employee of United Airlines, a partner company or a customer in order to discover a flaw … Several “bounty programs” contain the same warning, such as those of AT&T, GitHub, GoDaddy or Riot Games.



Encouraging hackers to work

Microsoft offers different rates depending on the nature and severity of the flaw. Behind this program is a renowned cybersecurity researcher, Katie Moussouris. She worked for seven years at Microsoft, where her main task was to find ways to work with the hacker community.



“I started looking into bounties in 2010, and I created models that could be used by Microsoft, especially because it is an old company with many different products and we could not just go and say we would put bounties on all bugs.”

Today, Katie Moussouris no longer works for Microsoft but is Director of Public Affairs at HackerOne. Founded in 2012 by several computer security experts, the San Francisco startup counts former Symantec and Facebook staff in its ranks. It connects businesses with hackers who might find vulnerabilities. The goal of HackerOne is to encourage those who discover security vulnerabilities to go to the company concerned to report their find. By simplifying this process, the company limits the risk of attacks. Its customers include Snapchat, Twitter, Yahoo, Dropbox and Airbnb.



“Some of our clients have reward programs, some do not, but they all use our platform to better manage and handle what comes to them from the hacker community. We do this to help response teams get the best possible reporting of flaws.”

HackerOne has also built a reputation system for hackers. In short, if an expert submits several reports of vulnerabilities found through the platform, their alerts will be given priority by businesses. The best-known hackers are also invited to take part in invitation-only programs.

Since these flaws are so valuable, companies are well advised to find them themselves. Some have set up internal units to track down flaws. In July 2014, Google launched Project Zero, a team headed by the “Mr. Security” of the Chrome browser, Chris Evans (who is now a consultant for HackerOne). Hackers and computer security specialists are tasked with tracking down vulnerabilities that may be hiding in Google products but also in other services. Each flaw discovered is then reported to the company concerned, and published on the Project Zero blog once it has been fixed. The team has counted in its ranks the famous hacker George Hotz, known for hacking the iPhone and the PlayStation 3.
