July 15, 2013
Countries Pay Hackers Big Money To Find Rival Flaws
Michael Harper for redOrbit.com - Your Universe Online
Countries around the world are hiring hackers to find weaknesses in the computer networks of their adversaries, according to the New York Times.
Whereas these hackers may have previously sold these weaknesses to the companies that build the software, they now say they make more money selling to government agencies from all over the world. In particular, the National Security Agency (NSA) -- the agency that has recently been a source of some controversy concerning national surveillance -- is a customer of the company these hackers work for.
The Times piece highlights two specific hackers from Italy who pore through lines of code to discover flaws in software from companies such as Apple and Microsoft. The two young men, aged 28 and 32, work for a company called ReVuln, and while they won't say who their clients are, the Times says the NSA and the Revolutionary Guards of Iran have previously used the services of this company. The NSA, it is suggested, may have hired ReVuln to find weaknesses in America's growing store of cyberweapons.
The hackers are specifically looking for open vulnerabilities called "zero-days," exploits that are particularly dangerous and give the user very little time in which to discover the problem and fix it. Oracle's Java suffered a particularly troubling rash of zero-days earlier this year and late last year. With a zero-day exploit in hand, the hackers hope they can sell their clients the kind of access to enemy networks that America and Israel had when they injected Stuxnet into Iran's nuclear facilities. These nations can also use exploits found within their borders to shore up their security measures as well.
In a statement to the Times, former White House cybersecurity coordinator Howard Schmidt said this practice is becoming a standard way for countries to protect themselves.
"Governments are starting to say, 'In order to best protect my country, I need to find vulnerabilities in other countries,'" said Schmidt. "The problem is that we all fundamentally become less secure."
The Times report lists Brazil, Britain, India, Israel and Russia as some of the largest buyers of this information. North Korea and intelligence services from the Middle East and also the United States use this information. Edward Snowden, the former NSA consultant who leaked information about the agency's surveillance program called PRISM, also leaked documents that revealed the NSA as major buyers of information on zero-days.
Hackers have long been looking for flaws in the lines and lines of code that create a piece of software like Apple's Safari, Google's Chrome or Microsoft's Internet Explorer. Many of them did this as a way to help the developers who worked for these companies and protect those who use this software. In the beginning, companies offered hackers small compensation, such as honorable mention in the credits or a free tee-shirt. Recently the companies have been paying these hackers and even increasing the amount of money they offer for these flaws.
Yet the Times piece says government organizations are willing to pay more and more often. Other businesses have even sprung up around this practice, asking for a 15 percent cut. In an email to potential hackers obtained by the Times, one broker says money is no object for zero-day flaws.