The lucrative underground market for zero-day flaws is today highly sought after by many governments and firms. One of the most prominent players is the French company Vupen, under contract with the NSA since the autumn of 2013. According to Wikipédia, "in the field of computer security, a zero-day vulnerability is an exploit that uses a flaw hitherto unknown to the public. A 0-day exploit is liable to lead to the creation of a worm because, by definition, the vast majority of users will not be protected against this flaw until it is discovered and fixed".
The Known Unknowns (NSS Labs, PDF):
Recently, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. With the use of empirical data, NSS has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. With specialized companies offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker, and with half a dozen boutique exploit providers jointly having the capacity to offer more than 100 exploits per year, privileged groups have the ability to compromise all vulnerable systems without the public ever being aware of the threats. Read on to learn more about the "known unknowns."
Secrecy surrounding 'zero-day exploits' industry spurs calls for government oversight (Washington Post):
But the use of such tools, known as "zero-day exploits," is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars a piece. [..] The industry is incredibly secretive. Most trades are conducted through middlemen, who closely guard their client list and require the researchers who sell to them to sign strict nondisclosure agreements. Several companies and researchers say they have sold exploits to government agencies or military contractors, although it is impossible to verify such assertions […] A French company, Vupen, caused an uproar at one such contest this year when it demonstrated a zero-day exploit that allowed it to break into Google's Chrome browser — and then refused to hand over details of the exploit, thus forgoing the $60,000 prize money. The high-profile showmanship created a maverick overnight. "We wouldn't share this with Google for even $1 million," Vupen chief executive and head of research Chaouki Bekrar told Forbes. "We don't want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers."
Words Of War And Weakness: The Zero-Day Exploit Market (Techweek Europe):
Zero-day merchants take a variety of forms. Major government contractors such as Lockheed Martin, Harris Corporation, Northrop Grumman and Raytheon are thought to be involved, but a host of specialised firms have emerged over the last decade, including Netragard, Errata Security and Vupen. […] But there may be an even more pernicious side effect of the market's growth. Anderson believes open source projects are now threatened by people wanting to profit from weaknesses. Researchers are purposefully placing bugs in open source software during the development stages, so that when code appears in completed products, those same researchers can highlight the flaws and profit from them where companies are willing to pay, Anderson has told TechWeekEurope.
He claimed to know of several projects where this has happened, but declined to name names. "That's now happening. I've seen it in the last four months," Anderson said. Imagine if Linux had flaws purposefully written into it, he ponders. "Intelligence agencies would be willing to pay an extraordinary amount for zero-days for Linux."
Zero-day Black Market: Governments are the biggest customers (Hplus Magazine):
The trend to exploit zero-day for offensive purposes has been followed by intelligence agencies and also private companies, both of which have started to develop their own zero-day exploits. "Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive." […] The choice of a government to acquire a zero-day exploit to use against a foreign government carries serious risks, since cyber terrorists, cyber criminals or state-sponsored hackers could reverse engineer the attack to compose new malicious agents to use against the attackers themselves. The most popular example is the case of Duqu malware, a powerful spyware designed "to steal industrial-facility designs from Iran," whose code was subsequently adopted by the cybercrime industry to be the components in the popular Blackhole and Cool exploit kits.
Battling against zero-day exploit black market, Microsoft expands $100,000 bug bounty (Network World):
Microsoft expands its $100k Bug Bounty program, opens up mitigation bypass submissions to 'thousands' in order to 'disrupt the vulnerability and exploit markets.' [...] So how can you try for a piece of the exploit money pie? "To participate in the expanded bounty program, organizations must pre-register with us before turning in a submission by emailing us at doa [at] Microsoft [dot] com. After you preregister and sign an agreement, then we'll accept an entry of technical write-up and proof of concept code for bounty consideration." The prequalification requirement before submitting could be "so that one black hat couldn't get paid for stealing from another black hat," said Wysopal. "They're trying to make sure that only white hat, legitimate incident responders, get the money."
The hypocrisy of the zero-day exploit trade (SCMagazine):
In the high-priced market of exploit sales, developers resist government regulations -- but are more than happy when one wants to open its coffers to them. [...] It's necessary to underscore the immensity of this fundamental shift. Researchers seemingly are becoming very incentivized to find vulnerabilities and create exploits that governments can use to launch attacks. As such, they appear to be becoming less incentivized to find these same vulnerabilities – and report them to the affected vendor for patching, even as bug bounty programs become more prominent. And what it has created is a new breed of researcher who is also part mercenary -- someone who can earn hundreds of thousands of dollars by selling their discoveries to the highest government bidder.
How spies, hackers, and the government bolster a booming software exploit market (Fast Company):
Exploit researchers come from a variety of backgrounds. Some are academics and students hoping to monetize their in-class information security research. Others are underemployed technology experts looking for potentially lucrative paydays and a chance to have their talents recognized. Even more are located in Russia, Eastern Europe, or Asia, and find that the grueling drudgery of finding software holes is the most lucrative security job available to them. [...] When unleashed into the wild, exploits can wreak havoc. A zero-day Java exploit was used by unknown hackers allegedly linked to China to penetrate Apple and Facebook's internal systems. Zero-day exploits obtained from Gamma Group, a British "technical surveillance and monitoring group," were allegedly used to sneak powerful surveillance software onto the computers of Egyptian, Bahraini, Ethiopian, and Malaysian dissidents. Gamma's best known product, FinSpy, is also allegedly used by governmental customers in the United States, Mexico, and Australia -- the company is currently being sued by the Mozilla Foundation over claims that Gamma disguised their spy software as a Firefox product.