'0-day exploit middlemen are cowboys, ticking bomb'

Summary: Christopher Soghoian: What if a weaponized zero-day sold to a foreign government is used against critical infrastructure in the United States?

Prominent privacy rights advocate Christopher Soghoian is calling on the security research community to blackball middlemen companies that trade in vulnerabilities and exploits to governments.

During a presentation at the recent Kaspersky security analyst summit (see important disclosure), Soghoian warned of the risk of "blowback" if a weaponized zero-day sold to a foreign government is used against critical infrastructure in the U.S.

Soghoian pinpointed VUPEN, FinFisher and HackingTeam among a handful of companies that buy and sell zero-day vulnerabilities, exploits and remote monitoring tools to governments around the world.

"As soon as one of these weaponized zero-days sold to governments is obtained by a 'bad guy' and used to attack critical U.S. infrastructure, the shit will hit the fan," Soghoian warned.

"It's not a matter of if, but when," he added.

Soghoian said these companies purchase vulnerabilities and exploits at prices ranging from $50,000 to $100,000 and work hard to keep them secret forever. It's well known that companies like VUPEN never report vulnerabilities to vendors like Microsoft or Adobe, and Soghoian said this presents a danger to the general public.

"What if a low-paid, corrupt police officer sells a copy of one of these weaponized exploits to organized crime or terrorists?" Soghoian asked. "What if 'Anonymous' hacks into a law enforcement agency's network and steals one of these weaponized exploits?"

Noting that the security industry is completely unregulated, Soghoian said the current free-for-all encourages anyone to create weaponized exploits and sell them to shady agencies around the world. In addition to the companies he named, Soghoian said there are many middleman vulnerability brokers who operate under the radar.

"Governments are going to use zero-days, we have to deal with this," he declared. "But the middleman firms that buy exploits and resell them to governments are a ticking bomb. Security researchers should not be selling zero-days to middleman firms."

"This trade is not legitimate and we should not legitimize them.

"These firms are cowboys and if we do nothing to stop them, they will drag the entire security industry into a world of pain," Soghoian added.

Talkback

4 comments
  • RE: '0-day exploit middlemen are cowboys, ticking bomb'

    These companies don't just buy and sell zero-day vulnerabilities, exploits and remote monitoring tools. Some of them discover vulnerabilities and craft exploits themselves. A good example being VUPEN's hack of Google's Chrome browser last year where they refused to release the details to Google.

    And HP, having recently acquired Tipping Point, gave VUPEN legitimacy by inviting its participation at CanSecWest's 2011 pwn2own contest.
    Rabid Howler Monkey
  • What if... straw men are real!!!

    [quote]What if a low-paid, corrupt police officer sells a copy of one of these weaponized exploits to organized crime or terrorists? Soghoian asked. What if Anonymous hacks into a law enforcement agency's network and steals one of these weaponized exploits?[/quote]

    As compelling a character as "low-paid-corrupt-police-officer" is, does this scenario even bear resemblance to reality? I mean, really!? It's preposterous. It's like saying the same cop is going to be selling his gun on the street and say it was stolen. (OMG, we need to get some legislation on that too!) The cyber team of a police force researching exploits (if one actually exists!) is paid quite well I'd think and generally don't fraternize with low-paid corrupt scum like our straw man. Also, said "corrupt scum" probably wouldn't know the first thing about where/who/how to sell the thing! He'd more likely be the target of a sting by his own department!

    And if 'Anonymous' is hacking into computers and stealing weaponized exploits, seems that they don't really need the help now do they?
    brunerd
    • Agree 100%

      @brunerd ... is this write up for real?? They're asking this after the China vs. Google, Assange, Anonymous affairs?

      Christopher Soghoian is supposed to have some credibility? He obviously assumes the bad guys don't already possess the means and will to carry out attacks (LOL!)

      Is this some early April Fools' practice stunt? It has to be ... this waste of screen real estate posing as a "news item" is a laughing joke.

      Ryan, I know it's a quiet day at the office, but for real ... please at least try to give some 'believable tripe' to digest.
      thx-1138_
  • Can I get an "Amen"?

    And, a "Hallelujah"?

    VUPEN and their ilk are the Internet equivalent to (sleazy) weapons dealers. They have no problem with making the world a WORSE place to live in.
    mwidunn