Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

'0-day exploit middlemen are cowboys, ticking bomb'

By Ryan Naraine | February 16, 2012, 10:19am PST

Summary: Christopher Soghoian: What if a weaponized zero-day sold to a foreign government is used against critical infrastructure in the United States?

Prominent privacy rights advocate Christopher Soghoian is calling on the security research community to blackball middlemen companies that trade in vulnerabilities and exploits to governments.

During a presentation at the recent Kaspersky security analyst summit (see important disclosure), Soghoian warned of the risk of “blowback” if a weaponized zero-day sold to a foreign government is used against critical infrastructure in the U.S.

Soghoian pinpointed VUPEN, FinFisher and HackingTeam among a handful of companies that buy and sell zero-day vulnerabilities, exploits and remote monitoring tools to governments around the world.

“As soon as one of these weaponized zero-days sold to governments is obtained by a ‘bad guy’ and used to attack critical U.S. infrastructure, the shit will hit the fan,” Soghoian warned.

“It’s not a matter of if, but when,” he added.


Soghoian said these companies are purchasing vulnerabilities and exploits at prices ranging from $50,000 to $100,000 and work hard to keep these a secret forever.  It’s well known that companies like VUPEN never report vulnerabilities to vendors like Microsoft or Adobe and Soghoian said this presents a danger to the general public.


“What if a low-paid, corrupt police officer sells a copy of one of these weaponized exploits to organized crime or terrorists?” Soghoian asked. “What if ‘Anonymous’ hacks into a law enforcement agency’s network and steals one of these weaponized exploits?”

Noting that the security industry is completely unregulated, Soghoian said the current free-for-all encourages anyone to create weaponized exploits and sell them to shady agencies around the world.  In addition to some of the companies he named, Soghoian said there are many middle-men vulnerability brokers who operate under the radar.


“Governments are going to use zero-days, we have to deal with this,” he declared. “But the middle-man firms that buy exploits and resell them to governments are a ticking bomb. Security researchers should not be selling zero-days to middle man firms.”

“This trade is not legitimate and we should not legitimize them.

“These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain,” Soghoian added.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

4 Comments

RE: '0-day exploit middlemen are cowboys, ticking bomb'
Rabid Howler Monkey Updated - 16th Feb
These companies don't just buy and sell zero-day vulnerabilities, exploits and remote monitoring tools. Some of them discover vulnerabilities and craft exploits themselves. A good example being VUPEN's hack of Google's Chrome browser last year where they refused to release the details to Google.

And HP, having recently acquired Tipping Point, gave VUPEN legitimacy by inviting its participation at CanSecWest's 2011 pwn2own contest.
What if... straw men are real!!!
brunerd Updated - 16th Feb

"What if a low-paid, corrupt police officer sells a copy of one of these weaponized exploits to organized crime or terrorists?" Soghoian asked. "What if 'Anonymous' hacks into a law enforcement agency's network and steals one of these weaponized exploits?"

As compelling a character as 'low-paid, corrupt police officer' is, does this scenario even bear resemblance to reality? I mean, really!? It's preposterous. It's like saying the same cop is going to be selling his gun on the street and say it was stolen. (OMG, we need to get some legislation on that too!) The cyber team of a police force researching exploits (if one actually exists!) is paid quite well I'd think and generally don't fraternize with low-paid corrupt scum like our straw man. Also, said "corrupt scum" probably wouldn't know the first thing about where/who/how to sell the thing! He'd more likely be the target of a sting by his own department!

And if 'Anonymous' is hacking into computers and stealing weaponized exploits, seems that they don't really need the help now do they?
Agree 100%
thx-1138_@... 16th Feb
@brunerd ... is this write up for real?? They're asking this after the China vs. Google, Assange, Anonymous affairs?

Christopher Soghoian is supposed to have some credibility? He obviously assumes the bad guys don't already possess the means and will to carry out attacks (LOL!)

Is this some early April Fools' practice stunt? It has to be ... this waste of screen real estate posing as a "news item" is a laughing joke.

Ryan, I know it's a quiet day at the office, but for real ... please at least try to give some 'believable tripe' to digest.
Can I get an "Amen"?
mwidunn 9th Mar
And, a "Hallelujah"?

VUPEN and their ilk are the Internet equivalent to (sleazy) weapons dealers. They have no problem with making the world a WORSE place to live in.
