mercredi 22 janvier 2014

Lectures : le lucratif marché des failles Zero-Day

Le lucratif marché clandestin des failles zero-day est aujourd'hui très prisé par maints gouvernements et firmes. L'un des acteurs les plus en vue est la société française Vupen, sous contrat avec la NSA depuis l'automne 2013. Selon Wikipédia, « dans le domaine de la sécurité informatique, une vulnérabilité zero-day est une exploitation qui utilise une faille jusqu'ici méconnue du public. Une exploitation 0 day est susceptible d'engendrer la création d'un ver car, par définition, la grande majorité des utilisateurs ne sera pas protégée contre cette faille jusqu'à ce qu'elle soit découverte et corrigée ».


The Known Unknows (NSS Labs, PDF) : Recently, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. With the use of empirical data, NSS has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. With specialized companies offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker, and with half a dozen boutique exploit providers jointly having the capacity to offer more than 100 exploits per year, privileged groups have the ability to compromise all vulnerable systems without the public ever being aware of the threats. Read on to learn more about the "known unknowns."


Secrecy surrounding ‘zero-day exploits’ industry spurs calls for government oversight (Washington Post) : But the use of such tools, known as “zero-day exploits,” is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars a piece. [..] The industry is incredibly secretive. Most trades are conducted through middlemen, who closely guard their client list and require the researchers who sell to them to sign strict nondisclosure agreements. Several companies and researchers say they have sold exploits to government agencies or military contractors, although it is impossible to verify such assertions […] A French company, Vupen, caused an uproar at one such contest this year when it demonstrated a zero-day exploit that allowed it to break into Google’s Chrome browser — and then refused to hand over details of the exploit, thus forgoing the $60,000 prize money. The high-profile showmanship created a maverick overnight. “We wouldn’t share this with Google for even $1 million,” Vupen chief executive and head of research Chaouki Bekrar told Forbes. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”


Words Of War And Weakness : The Zero-Day Exploit Market (Techweek Europe) : Zero-day merchants take a variety of forms. Major government contractors such as Lockheed Martin, Harris Corporation, Northrop Grumman and Raytheon are thought to be involved, but a host of specialised firms have emerged over the last decade, including Netragard, Errata Security and Vupen. […] But there may be an even more pernicious side effect of the market’s growth. Anderson believes open source projects are now threatened by people wanting to profit from weaknesses. Researchers are purposed fully placing bugs in open source software during the development stages, so that when code appears in completed products, those same researchers can highlight the flaws and profit from them where companies are willing to pay, Anderson has told TechWeekEurope. He claimed to know of several projects where this has happened, but declined to name names. “That’s now happening. I’ve seen it in the last four months,” Anderson said. Imagine if Linux had flaws purpose fully written into it, he ponders. “Intelligence agencies would be willing to pay an extraordinary amount for zero-days for Linux.”

Zero-day Black Market: Governments are the biggest customers (Hplus Magazine) : The trend to exploit zero-day for offensive purposes has been followed by intelligenceagencies and also private companies, both of which have started to develop their own zero-day exploits. Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.” […] The choice of a government to acquire a zero-day exploit to use against a foreign government, carries serious risks since cyber terrorists, cyber criminals or state-sponsored hackers could reverse engineer the attack to compose new malicious agents to use against the attackers themselves. The most popular example is the case of Duqu malware, a powerful spyware designed “to steal industrial-facility designs from Iran.” which code was subsequently adopted by the cybercrime industry to be the components in the popular Blackhole and Cool exploit kits.

Battling against zero-day exploit black market, Microsoft expands $100,000 bug bounty (Network World) : Microsoft expands its $100k Bug Bounty program, opens up mitigation bypass submissions to 'thousands' in order to 'disrupt the vulnerability and exploit markets.' [...] So how can you try for a piece of the exploit money pie? "To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we'll accept an entry of technical write-up and proof of concept code for bounty consideration." The prequalification requirement before submitting could be "so that one black hat couldn't get paid for stealing from another black hat," said Wysopal. "They're trying to make sure that only white hat, legitimate incident responders, get the money."

The hypocrisy of the zero-day exploit trade (SCMagazine) : In the high-priced market of exploit sales, developers resist government regulations -- but are more than happy when one wants to open its coffers to them. [...] It's necessary to underscore the immensity of this fundamental shift. Researchers seemingly are becoming very incentivized to find vulnerabilities and create exploits that governments can use to launch attacks. As such, they appear to be becoming less incentivized to find these same vulnerabilities – and report them to the affected vendor for patching, even as bug bounty programs become more prominent. And what it has created is a new breed of researcher who is also part mercenary -- someone who can earn hundreds of thousands of dollars by selling their discoveries to the highest government bidder.

How spies, hackers, and the government bolster a booming software exploit market (Fast Company) : Exploit researchers come from a variety of backgrounds. Some are academics and students hoping to monetize their in-class information security research. Others are underemployed technology experts looking for potentially lucrative paydays and a chance to have their talents recognized. Even more are located in Russia, Eastern Europe, or Asia, and find that the grueling drudgery of finding software holes is the most lucrative security job available to them. [...] When unleashed into the wild, exploits can wreak havoc. A zero-day Java exploit was used by unknown hackers allegedly linked to China to penetrate Apple and Facebook's internal systems. Zero-day exploits obtained from Gamma Group , a British “technical surveillance and monitoring group,” were allegedly used to sneak powerful surveillance software onto the computers of Egyptian, Bahraini, Ethiopian, and Malaysian dissidents. Gamma's best known product, FinSpy, is also allegedly used by governmental customers in the United States, Mexico, and Australia--the company is currently being sued by the Mozilla Foundation  over claims that Gamma disguised their spy software as a Firefox product. 

Aucun commentaire: