Market for zero-day exploits

The market for zero-day exploits is commercial activity related to the trafficking of software exploits.

Software vulnerabilities, and the "exploits" that take advantage of them, are used to gain remote access both to stored information and to information generated in real time. When most people use the same software, as is the case in most countries today given the monopolistic nature of internet content and service providers, one specific vulnerability can be used against thousands if not millions of people. In this context, criminals have become interested in such vulnerabilities. A 2014 report by McAfee and the Center for Strategic and International Studies estimates the cost of cybercrime and cyberespionage at somewhere around $160 billion per year. [1] Worldwide, countries have appointed public institutions to deal with this issue, but these institutions will likely conflict with the interest of their own governments in accessing people's information in order to prevent crime. [2] As a result, both national security agencies and criminals hide certain software vulnerabilities from both users and the original developer. A vulnerability of this kind, unknown to the vendor and therefore unpatched, is known as a zero-day vulnerability, and an exploit for it as a zero-day exploit.

Much has been said in academia and the general media about regulating the market for zero-day exploits. However, it is very difficult to reach a consensus, because most definitions of zero-day exploits are rather vague or not applicable: one can only classify a given piece of software as malware after it has been used. [2] In addition, there is a conflict of interest within the operations of the state that could prevent any regulation making the disclosure of zero-days mandatory. Governments face a trade-off between protecting their citizens' privacy by reporting vulnerabilities to private companies on the one hand, and undermining the communication technologies used by their targets (who also threaten the security of the public) on the other. [3] The protection of national security through the exploitation of software vulnerabilities unknown to both companies and the public is a last resort for security agencies, but it also compromises the safety of every single user, because any third party, including criminal organizations, could be making use of the same vulnerability. [4] Hence only users and private firms have incentives to minimize the risks associated with zero-day exploits: the former to avoid an invasion of privacy and the latter to reduce the costs of data breaches. These costs include legal processes, the development of solutions to fix or "patch" the original vulnerability in the software, and the loss of clients' confidence in the product. [5]

Description

Ablon, Libicki and Golay [6] have described the inner workings of the zero-day market in considerable detail. Their main findings can be separated into five components: commodity, currency, marketplace, supply and demand. These components and their relationship to pricing are described below. The definition given to the demand component is also challenged, because it is paramount to understanding the nature of the markets (i.e. white, gray and black) and their regulation or lack thereof.

Commodity

Exploits are digital products, which means that they are information goods with near-zero marginal production cost. [7] However, they are atypical information goods. Unlike e-books or digital videos, they do not lose their value because they are easy to replicate, but because once they are exposed the original developer will "patch" the vulnerability, decreasing the value of the commodity.

The value will not go to zero, for two reasons: (1) patch deployment is uneven, so a population of unpatched targets persists for some time, and (2) developers could use the original bug to create a variant at reduced cost. Exploits are also atypical because they are time-sensitive commodities. Companies update their software on a regular basis, and an exploit is only useful during the window before the vulnerable version is replaced; sometimes a vulnerability is corrected without any external report at all. Finally, even in confidential transactions, the use of the exploit itself can cause malfunctions on the user's end that expose the vulnerability and lead to its loss of value. In this sense exploits are non-excludable, but they may or may not be non-rivalrous: past a certain point, the more buyers use the same zero-day, the more visible its impact becomes to the vendor, which makes a patch more likely and limits the period during which the exploit is usable by any of them.

Currency

In most cases, transactions are designed to protect the identity of at least one of the parties involved in the exchange. While this depends on the type of market (white markets can use traceable money), most purchases in the other markets are made with stolen digital funds, such as credit cards, and cryptocurrencies. While the latter have been the dominant trend in recent years, prices in the gray market are set in dollars, as shown by the leaks of Hacking Team's email archive. [8]

Marketplace

Classically, black markets such as those for illegal weapons or narcotics require a large network of trusted parties to carry out deal-making, document forgery, financial transfers and illicit transport, among other tasks. Because it is very difficult to enforce any agreement within these networks, many criminal organizations recruit members close to home. [9] This proximity requirement raises transaction costs, as more intermediaries are needed for transnational deals, decreasing the overall profit of the original seller.

Zero-days, on the other hand, are virtual products and can easily be sold without intermediaries over the internet, as available technologies provide anonymity at very low cost. Even where intermediaries are needed, "unwitting data mules" can be used to avoid leaving evidence of wrongdoing. [10] This is why the black market is so lucrative compared with gray markets. Gray markets, which involve transactions with public institutions in charge of national security, usually require third parties to hide the traces of their transactions. The Hacking Team archive, for example, contains alleged contracts with the Ecuadorian National Secretariat of Intelligence in which two intermediaries, Robotec and Theola, were used. The same archive indicates that the third-party companies Cicom and Robotec negotiated contracts on behalf of the FBI and DEA respectively. [11] White markets are less likely to face the same problem, as it is not in their interest to hide the transaction; quite the opposite, since companies actively promote the use of their new patches.

Supply

The supply chain is complex and involves multiple actors organized in hierarchies: administrators sit at the top, followed by the technical experts; next come intermediaries, brokers and vendors, who may or may not be sophisticated, and finally witting mules. Within this chain of command one finds multiple products. While zero-day exploits can be "found" or developed only by subject-matter experts, other exploits can easily be commercialized by almost anyone willing to enter the black market, for two reasons. First, some devices run outdated or deprecated software and can be targeted with exploits that would otherwise be completely useless. Second, these "half-day exploits" [12] can be used through graphical interfaces and learned from freely available tutorials, so very little expertise is required to enter the market as a seller.

The coexistence of zero-day and half-day markets increases the resilience of the black market, as developers keep moving towards the more sophisticated end. While take-downs of highly organized crime have increased, the suppliers are easily replaced by people from lower levels of the pyramid: it can take less than a day to find a new provider after a take-down operation that may have lasted months.

Getting to the top, however, requires personal connections and a good reputation; in this the digital black market is no different from the physical one. Half-day exploits are usually traded in more easily accessible places, but zero-days often require "double-blind" auctions and multiple layers of encryption to evade law enforcement. This cannot be done in open forums or boards, so these transactions occur in extremely vetted spaces.

Demand

Who buys zero-day exploits defines the kind of market in question. Fidler [4], using the market-sizing methodology from Harvard Business School as a guide, differentiates between white, gray and black markets.

White markets are those in which the original developers reward security researchers for reporting vulnerabilities. On average, prices reported up to 2014 were under ten thousand dollars, but offers of up to $100,000 were made for certain vulnerabilities depending on the type, criticality and nature of the affected software. [13] Fourteen percent of all Microsoft, Apple and Adobe vulnerabilities in the preceding ten years came through white-market programs. [14]

Criminals buy in the black market; however, governments can be occasional buyers if their demand cannot be satisfied in the gray market, or if international regulations impede their acquisition of zero-days. Hacking Team states on its website that they "do not sell products to governments or to countries blacklisted by the U.S., EU, UN, NATO or ASEAN", although the company has been found infringing its own policy. Prices in this market are usually 10–100 times higher than in the white market [6] and vary with the location of the buyer, the United States being where the best prices are offered. Potential sellers who are not allowed to sell in specific territories, such as Cuba and North Korea in the case of the U.S., are also likely to operate in the black market.

Gray-market buyers include clients from the private sector, governments, and brokers who resell vulnerabilities. Information on these markets is available only through public-records requests to governments, in which the price is usually redacted on security grounds, and through information leaked from national security agencies and private companies (e.g. FinFisher and Hacking Team).

Tsyrklevich has reported on the transactions made by Hacking Team. [8] To date this represents the best evidence available on the inner workings of the gray market, though some of these practices are likely to apply in the white and black markets as well:

Buyers follow standard technology purchasing practices around testing, delivery, and acceptance. Warranty and requirements negotiations become necessary in purchasing a product intrinsically predicated on the existence of information asymmetry between the buyer and the seller. Requirements—like targeted software configurations—are important to negotiate ahead of time because adding support for new targets might be impossible or not worth the effort. Likewise warranty provisions for buyers are common so they can minimize risk by parceling out payments over a set time frame and terminating payments early if the vulnerability is patched before that time frame is complete. Payments are typically made after a 0day exploit has been delivered and tested against requirements, necessitating sellers to trust buyers to act in good faith. Similarly, buyers purchasing exploits must trust the sellers not to expose the vulnerability or share it with others if it's sold on an exclusive basis.

Vlad Tsyrklevich, Hacking Team: a zero-day market case study, https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/

Controversies

Typically the parties opposed to gray markets are the retailers of the item concerned, as the gray market damages their profits and reputation. As a result, they usually pressure the original manufacturer to adjust the official channels of distribution, and the state plays an important role in enforcing penalties where the law is broken. The zero-day exploit market, however, is atypical, and the way it operates is closer to the workings of a black market. Brokers and bounty programs, which could be seen as the retailers of zero-days, have no control whatsoever over the original producers of the "bad", since vulnerabilities are discovered independently by different, and often anonymous, actors. Nor is it in their interest to change the channel of distribution, as they can profit from both the white and gray markets, with much less risk in the former.

States, which usually complement the efforts of the original manufacturers to restrict gray markets, play a different role in the zero-day market, as they are regular purchasers of exploits. Given the secretive nature of intelligence work, it is not in their interest to disclose information on software vulnerabilities; their interest is, in this case, aligned with that of criminals who seek to infiltrate devices and acquire information on specific targets. It can be argued that the presence of intelligence agencies as consumers of this "bad" could push the price of zero-days even higher, as legitimate demand gives black-market sellers bargaining power. [5]

Finally, private companies are unwilling to raise their rewards to the levels reached in the gray and black markets, arguing that such prices are not sustainable for defensive programs. [15] Previous studies have shown that reward programs are more cost-effective for private firms than hiring in-house security researchers, [16] but if the size of rewards keeps increasing that may no longer be the case.

In 2015, Zerodium, a new start-up focused on the acquisition of "high-risk vulnerabilities", announced its bounty program. It published the formats required for vulnerability submissions, its criteria for determining prices (the popularity and complexity of the affected software and the quality of the submitted exploit) and the prices themselves. This combines the transparency of a traditional vulnerability reward program with the high rewards offered in the gray and black markets. [17] Software companies perceived this approach as a threat, primarily because very high bounties could cause developers and testers to leave their day jobs. [15] Its effects on the market, however, remain to be seen.

The NSA was criticized for buying up and stockpiling zero-day vulnerabilities, keeping them secret and developing mainly offensive capabilities instead of helping patch vulnerabilities. [18] [19] [20] [21]


References

  1. Net Losses: Estimating the Global Cost of Cybercrime (2014). McAfee and the Center for Strategic and International Studies.
  2. Bellovin, S. M., Blaze, M., Clark, S., & Landau, S. (2014). Lawful hacking: Using existing vulnerabilities for wiretapping on the Internet. Northwestern Journal of Technology and Intellectual Property, 12.
  3. Choi, J. P., Fershtman, C., & Gandal, N. (2010). Network security: Vulnerabilities and disclosure policy. The Journal of Industrial Economics, 58(4), 868-894.
  4. Fidler, M., Granick, J., & Crenshaw, M. (2014). Anarchy or Regulation: Controlling The Global Trade in Zero-Day Vulnerabilities. Master's thesis, Stanford University. https://stacks.stanford.edu/file/druid:zs241cm7504/Zero-Day%20Vulnerability%20Thesis%20by%20Fidler.pdf
  5. Radianti, J., Rich, E., & Gonzalez, J. J. (2009). Vulnerability black markets: Empirical evidence and scenario simulation. In Proceedings of the 42nd Hawaii International Conference on System Sciences (HICSS'09), pp. 1-10. IEEE.
  6. Ablon, L., Libicki, M. C., & Golay, A. A. (2014). Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar. RAND Corporation.
  7. Chappell, H. W., Guimaraes, P., & Demet Öztürk, O. (2011). Confessions of an Internet Monopolist: Demand estimation for a versioned information good. Managerial and Decision Economics, 32(1), 1-15.
  8. Tsyrklevich, V. (July 22, 2015). "Hacking Team: A zero-day market case study". Retrieved October 20, 2015.
  9. Kinsella, D. (2006). The black market in small arms: examining a social network. Contemporary Security Policy, 27(1), 100-117.
  10. Appelbaum, J., Gibson, A., Guarnieri, C., Muller-Maguhn, A., Poitras, L., Rosenbach, M., Schmundt, & Sontheimer, H. M. (17 January 2015). "The Digital Arms Race: NSA Preps America for Future Battle". Der Spiegel.
  11. Gonzalez, E. (2015, July 30). Explainer: Hacking Team's Reach in the Americas. Retrieved December 4, 2015, from http://www.as-coa.org/articles/explainer-hacking-teams-reach-americas-0
  12. Half-day exploits (also known as one-day or two-day exploits) are those where the software creator may know of the vulnerability and a patch may be available, but few users are aware of and have applied those patches.
  13. Duebendorfer, T., & Frei, S. (2009). Why silent updates boost security. TIK, ETH Zurich, Tech. Rep. 302.
  14. Fidler, M. "Regulating the Zero-Day Vulnerability Trade: A Preliminary Analysis". I/S: A Journal of Law and Policy for the Information Society.
  15. Hackett, R. (2015, September 21). Jailbreaks wanted: $1 million dollar iPhone hacks. Retrieved December 5, 2015.
  16. Finifter, M., Akhawe, D., & Wagner, D. (2013, August). An Empirical Study of Vulnerability Rewards Programs. In USENIX Security (Vol. 13).
  17. In November of the same year, the firm announced that it had paid one million dollars as a reward for an iOS 9 exploit; however, there is widespread skepticism about the veracity of this report. Zerodium does not work with original developers and has not disclosed any specifics about the alleged iOS 9 exploit.
  18. Schneier, B. (24 August 2016). "New leaks prove it: the NSA is putting us all at risk to be hacked". Vox. Retrieved 5 January 2017.
  19. "Cisco confirms NSA-linked zeroday targeted its firewalls for years". Ars Technica. 17 August 2016. Retrieved 5 January 2017.
  20. Greenberg, A. "The Shadow Brokers Mess Is What Happens When the NSA Hoards Zero-Days". WIRED. Retrieved 5 January 2017.
  21. "Trump Likely to Retain Hacking Vulnerability Program". Bloomberg BNA. Archived from the original on 5 January 2017. Retrieved 5 January 2017.