Finweek English Edition - INSIGHT: INTERNATIONAL - Jessica Hubbard

underworld-type) can gain access to them.”

Dominic White from SensePost, information security specialists, says that although it is near impossible to know whether exploits are being sold in SA, “it wouldn’t surprise me if there were local people looking into it”. Potential candidates would be the military or cyber warfare research units. If these groups were participants in the market for exploits, however, this would be kept strictly confidential. According to The Economist, criminal and terror groups purchase exploits on more than two dozen illicit forums or, alternatively, from at least a dozen secret brokers.

One broker who is not so secret is in fact a South African hacker based in Bangkok, who refers to himself as ‘the Grugq’. In an interview with Forbes, the Grugq revealed that he has been supplementing his salary as a security researcher by acting as a broker for high-end exploits, connecting hackers with buyers (most of them, he claims, working for governments).

The Grugq reportedly takes a 15% commission on sales and earned more than $1m from deals last year – bringing in a cool $250 000 from his government buyers in December alone. Yet for those who develop and sell their own exploits – instead of merely playing middleman – there is far more loot to be made. “Zero-days [the most highly valued exploits] can fetch big bucks in the underground economy… often the potential payoff determines the level of pricing, so the sky is the limit,” Symantec’s Brown explains. “It was estimated that an Internet Explorer or Chrome vulnerability would cost $80 000-$200 000 when sold to government agencies.”

Seduced by the scent of sublime profits, several companies already specialise in this opaque trade. One of the best known, and perhaps most loathed, is a French firm called Vupen, which was named by Frost & Sullivan as the 2011 Entrepreneurial Company of the Year in vulnerability research. According to analysts at Frost, Vupen’s clients pay up to $100 000 annually for a subscription plan, which gives them access to the firm’s techniques. And a single technique from its catalog reportedly costs far more than its six-figure subscription fee.

To the dismay of many who see exploit trading as inherently evil and extremely dangerous, Vupen peddles its potent product to multiple government agencies, positioning customers against each other in an increasingly high-stakes game of cyberspooking. Many worried onlookers are calling for legal intervention, but as Stefan Tanase, Senior Security Researcher at Kaspersky Lab, points out, this would be extremely difficult to do. “There is no law that forbids buying and selling exploits, because ultimately, computer code is a piece of knowledge,” he explains. “In most cases, those who write the exploits have no idea how they will be used. It’s like having a kitchen knife – completely legal, but a lethal weapon when placed in the wrong hands.” Whether the law intercedes or not, one can surely expect the somewhat sinister trade in exploits to get more sophisticated – and more lucrative – over time.
