Jul 15, 2013

    Zero-day bugs are hot espionage commodities

    ON THE tiny Mediterranean island of Malta, two Italian hackers have been searching for bugs - secret flaws in computer code that governments pay hundreds of thousands of dollars to learn about and exploit.

    The hackers, Mr Luigi Auriemma, 32, and Mr Donato Ferrante, 28, sell technical details of such vulnerabilities to countries that want to break into computer systems of foreign adversaries. The two will not reveal the clients of their company, ReVuln.

    All over the world, from South Africa to South Korea, business is booming in what hackers call "zero days", coding flaws in software like Microsoft's Windows that can give a buyer unfettered access to a computer and any business, agency or individual dependent on one.

    Just a few years ago, hackers like Mr Auriemma and Mr Ferrante would have sold the knowledge of coding flaws to companies like Microsoft and Apple, which would fix them.

    Increasingly, however, the businesses are being outbid by countries with the goal of exploiting the flaws in pursuit of the kind of success, albeit temporary, that the United States and Israel achieved three summers ago when they attacked Iran's nuclear-enrichment programme with a computer worm that became known as "Stuxnet".

    The flaws get their name from the fact that, once one is discovered, there are "zero days" for the user of the computer system to fix it before hackers can take advantage of the vulnerability.

    A zero-day exploit occurs when hackers or governments strike by exploiting the flaw before anyone else knows it exists, like a burglar who finds, after months of probing, that there is a previously undiscovered way to break into a house without sounding an alarm.

    "Governments are starting to say 'In order to best protect my country, I need to find vulnerabilities in other countries'," said Mr Howard Schmidt, former White House cybersecurity coordinator. "The problem is that we all become fundamentally less secure."

    Finding a zero-day bug could be as simple as a hacker discovering an online account that asks for a password but does not actually require typing one to get in. Bypassing the system by hitting the "Enter" key becomes a zero-day exploit.

    The average attack persists for almost a year - 312 days - before it is detected, according to Symantec, a maker of antivirus software. Until then, it can be exploited or "weaponised" by both criminals and governments, to spy on, steal from, or attack their target.

    Ten years ago, hackers would hand knowledge of such flaws to Microsoft and Google for free, in exchange for a T-shirt or, perhaps, an honourable mention on a company's website. Even today, so-called patriotic hackers in China hand over the information to the government regularly.

    Now, the market for information about computer vulnerabilities has turned into a gold rush.

    Disclosures by Mr Edward Snowden, the former American security-agency contractor who leaked classified documents, made it clear that the US is among the buyers of programming flaws. But it is hardly alone.

    Israel, Britain, Russia, India and Brazil are some of the biggest spenders. North Korea is in the market, as are some Middle East intelligence services. Countries in the Asia-Pacific are buying too, according to the Center for Strategic and International Studies in Washington.

    To connect sellers and buyers, dozens of well-connected brokers now market information on the flaws in exchange for a 15 per cent cut. Some hackers get a deal collecting royalty fees for every month that their flaw lies undiscovered, according to several people involved in the market.