World governments buying software security holes

A clandestine market for software security vulnerabilities is servicing governments around the world and producing enormous paydays for shadowy bug brokers.

Governments are paying hackers for security bugs

A clandestine market for software security vulnerabilities is servicing governments around the world and producing enormous paydays for shadowy bug brokers.

The New York Times ran a weekend article examining how governments including Brazil, Britain, India, Israel, Malaysia, Singapore, and even Iran and North Korea are in the market for vulnerabilities that can be exploited by their intelligences services to spy on other countries. These unpatched "zero day" exploits make it possible to covertly access, monitor, or even sabotage an adversary's information systems.

(Now, think back to the faux outrage directed at the United States over PRISM.)

A well-known occurrence of this approach to espionage happened when Israel and the United States allegedly used vulnerabilities named Duqu, Flame and Stuxnet to disrupt and gather intelligence on Iran's nuclear program. Its success is partly why so many nations are willing to pay tens of thousand of dollars to shadowy brokers and hackers as far away as Bangkok or even the small but storied nation of Malta.

Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,'" Howard Schmidt, a former White House cybersecurity coordinator told the Times. "The problem is that we all fundamentally become less secure."

The Times also explained how the economics of software security are changing. A few years ago, "white hat" hackers sold bug information to the software's vendors, who would then fix the security flaws. Now, governments are outbidding vendors, and companies, such as Microsoft, have upped their ante too. This is what's happening in the "light."

This comes as no surprise to WhiteHat Security's Jeremiah Grossman, who predicted the end of full disclosure to software makers in 2007. "The next step in this area will be governments imposing heavy regulation with respect to cyber-weapons, zero-days, and software exploits -- who wish to control international export. Very similar to traditional arms. This will do things. 1) Create a black market, which technically already exists, but making it far more lucrative. 2) Drive up the prices of 0-days by creating an artificial barrier to where government contractors serve as middlemen / brokers between governments and bug hunters," he said.

Grossman added that there is now an increased risk of espionage in the software supply chain. "All software applications these days borrow heavily from third-party libraries, as do those libraries. It is possible for a rogue agent to surreptitiously introduce extremely hard to find backdoors and flaws in the software supply chain, which can be later exploited," he said. The U.S. Congress has drawn up regulations for buying bugs.

Security vulnerabilities are big business for criminals. Botnets, which exploit zero day flaws, can enable activities such as advertising click fraud that generates millions of dollars. Illicit hackers also will commonly extort businesses. Malware, malicious software that exploits security vulnerabilities, is now made by very organized and sophisticated operations that function like corporations. Their technical skills are remarkable.

Now, there's another way for them to cash in too - depending on how dirty governments want their hands to be.

(image credit, HD Moore/CNET)

Related on SmartPlanet:

This post was originally published on