News & Politics





Created: Jun 18, 2012

"...modern-day merchants of death" selling "the bullets of cyberwar."

Thread created Jun 16, 2012.
This thread has been viewed 602 times.

Disturbo 50/M
Sat. Jun 16, 2012 @ 2:22 PM
"...modern-day merchants of death" selling "the bullets of cyberwar."





A clever hacker today has to make tough choices. Find a previously unknown method for dismantling the defenses of a device like an iPhone or iPad, for instance, and you can report it to Apple and present it at a security conference to win fame and lucrative consulting gigs. Share it with HP's Zero Day Initiative instead and earn as much as $10,000 for helping the firm shore up its security gear. Both options also allow Apple to fix its bugs and make the hundreds of millions of iPhone and iPad users more secure.

But any hacker who happens to know one Bangkok-based security researcher who goes by the handle "the Grugq", or someone like him, has a third option: arrange a deal through the pseudonymous exploit broker to hand the exploit information over to a government agency, don't ask too many questions, and get paid a quarter of a million dollars, minus the Grugq's 15% commission.



That iOS exploit price represents just one of the dozens of deals the Grugq (pictured above) has arranged in his year-old side career as a middle man for so-called "zero-day" exploits, hacking techniques that take advantage of secret vulnerabilities in software. Since he began hooking up his hacker friends with contacts in government a year ago, the Grugq says he's on track to earn a million in revenue this year. He arranged the iOS deal last month, for instance, between a developer and a U.S. government contractor. In that case, as with all of his exploit sales, he won't offer any other details about the buyer or the seller.

Even with the $250,000 payout he elicited for that deal, he wonders if he could have gotten more. "I think I lowballed it," he wrote to me at one point in the dealmaking process. "The client was too happy." A six-figure price for a single hacking technique may sound extravagant, but it's hardly unique. Based on speaking with sources in this secretive but legal trade, I've assembled a rough price list for zero-day exploits below.



Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software's vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit. In some cases the techniques would need to be used in combination to be effective.

An exploit's price factors in both how widely the target software is used as well as the difficulty of cracking it. A technique that allows a hacker to gain control of a Mac OSX machine after hacking an application might earn only a fraction of one that targets Windows, for instance, because of Windows' greater market share. But an iOS exploit pays more than one that targets Android devices partly because it requires defeating Apple's significantly tougher security features. That means most agencies can simply develop their own Android attacks, the Grugq says, while ones that can penetrate the iPhone are rare and pricey. For the Jailbreakme 3 iOS exploit created by the hacker Comex last year, the Grugq says he heard agencies would have been eager to pay $250,000 for exclusive use of the attack.

Who's paying these prices? Western governments, and specifically the U.S., says the Grugq, who himself is a native of South Africa. He limits his sales to the American and European agencies and contractors not merely out of ethical concerns, but also because they pay more. "Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money," he says, explaining that he has no contacts in the Russian government. "Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily."

As for China, he says that the country has too many hackers who sell only to the Chinese government, pushing down prices. "The market is very depressed," he says. Other regions like the Middle East and the rest of Asia can't match Western prices either.

As a result, the Grugq earns 80% of his revenue from the U.S., though occasionally the developers who work with him have asked that he sell only to Europeans. Over more than a decade in the hacker scene, he's met enough federal agents to have contacts at multiple U.S. agencies, and he knows how to package his developers' exploits for sale to those buyers, with professional marketing and support. "You're basically selling commercial software, like anything else. It needs to be polished and come with documentation," he says. "The only difference is that you only sell one license, ever, and everyone calls you evil."

Full article: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/





Edited Jun 16, 2012 by Disturbo



Disturbo 50/M
Sat. Jun 16, 2012 @ 2:35 PM
I triple checked my embed codes. WTF?



the-java-jive-changito 44/M
Sat. Jun 16, 2012 @ 2:47 PM
Ha... it's just like that Neuromancer book I've read as a kid....

neuromancer imb


Neuromancer : Plot

Case was the hottest computer cowboy cruising the information superhighway, jacking his consciousness into cyberspace, soaring through tactile lattices of data and logic, rustling encoded secrets for anyone with the money to buy his skills. Then he double-crossed the wrong people, who caught up with him in a big way -- and burned the talent out of his brain, micron by micron. Banished from cyberspace, trapped in the meat of his physical body, Case courted death in the high-tech underworld. Until a shadowy conspiracy offered him a second chance -- and a cure -- for a price.


profile.k 35/M
Sat. Jun 16, 2012 @ 2:48 PM
Government agencies buying back doors into OSs so they can install a Magic Lantern type trojan, or whatever has replaced it, is that the general gist? That's not terribly surprising.
The empty, I has it.

