On the second Tuesday of every month, PC users go through a familiar yet frustrating ritual; on this day, Microsoft publishes updates for Windows, Office, Internet Explorer and more. Most of the time on this “Patch Day”, downloading ten or more patches slows down a home or office’s Internet connection and installing them slows down the computer. These updates patch security loopholes, which are often extremely critical ones, like the one that appeared in November 2013: in Office versions 2003 to 2010, hackers could take advantage of an error, which would appear when playing TIFF graphics files, to install malware on the targeted PC.
Before such attacks are made, the digital trade centres witness a furious battle for the latest software loopholes and exploits, which are small programmes that use these loopholes to insert malware into a computer. Participants of these fights include security researchers, hackers and specialised exploit dealers as well as software manufacturers and government officials. Each with their own agenda: hunger for profit, attack options for cyber warfare or preventing poor PR. The security of the user is not their concern – or it takes lower priority at best.
This trade, which goes on at the cost of the user, flourishes only because software developers goof up with programming. In his bestseller “Code Complete”, ex-Microsoft employee Steve McConnell writes that 1000 lines of programme code contain between 15 and 50 errors (Windows 7 is made of a code that has about 40 million lines, so you can imagine the number of errors it can contain). Most of the errors will never cause any harm because they will never be discovered. Others lead to smaller programme errors or crashes. But there are some which pose a huge security risk: these loopholes can be identified by whether an attacker can use them only directly on the device (local) or via an Internet connection (remote). Plus there are different methods of attack. A typical one is Code Execution, where an attacker can run their own programmes on the targeted system. The same is done via Internet in the so-called Remote Code Execution method. This is a common method used in malware attacks and cyber warfare.
Finding the gold needle in a code haystack
Before making money with software errors, one has to look for them in the programme code. To do this, open-stage competitions take place, for example, the computer hacking contest Pwn2Own, which last took place in November at the PacSec Applied Security conference in Tokyo. In this contest, which was sponsored by HP, participants found new exploits in iOS 7, in the Chrome browser for Android and in IE 11 for Windows 8.1. They could use these to view photos from an iPhone and control a Google Nexus 4, Samsung Galaxy S 4 and a Microsoft Surface RT.
Those who use these methods to find new loopholes are just a step away from earning bundles of money, but the question is, who will they sell it to?
Finder’s reward for software errors or Security Loopholes
An obvious potential customer for a software loophole is the manufacturer of the software itself. Some manufacturers tempt hackers with a reward, the Bug Bounty. As part of such projects, companies pay between US$1,000 and 20,000 (RM3,277 – 65,553) for a single security loophole. “Such programmes give researchers an incentive to sell their discoveries to software companies instead of going underground”, says Christian Funk, virus analyst at Kaspersky. “The rewards too are no less compared to what they would get from other sources.” In June 2013, Microsoft also opened its cash boxes and has been paying up to US$100,000 (RM327,733) for new loopholes found in Windows 8.1. Google and Facebook have been resorting to such methods for much longer. Since 2010, Google has discovered more than 2,000 loopholes with this method and spent more than US$2 million (RM6 million) in the process. Facebook too has distributed more than US$1 million (RM3 million) to over 300 security researchers in the last two years. Two of them are even working for the security team at Facebook. Johnathan Nightingale, Vice President, Firefox Engineering at Mozilla too states that “Bug Bounty programmes are an essential part of our security endeavours”. Not just because they reward discoveries but also because they guarantee researchers that they would not face any legal consequences for taking software apart. But Nightingale knows that “Bug Bounties are not a panacea” because they are competing against wealthy opponent buyers in a free market.
Unlike software manufacturers, buyers in the free market are not just looking for security loopholes but also for exploits. These exploits can be used to spread malware, which makes them attractive for cyber criminals. But secret services and the military too need exploits because they are the ammunition in cyber wars. To add to this list of buying parties, we also have exploit brokers, who act as middlemen who buy security loopholes and zero-day exploits (for example, those for unpatched loopholes) from hackers and researchers and sell them to the highest bidder.
“This market has been in existence since the end of the nineties”, explains Candid Wüest, security researcher at Symantec. “But the number of exploits handled and the prices paid for them have gone up only recently.” Although the increasing cyber war activities of individual states are crucial factors for this increase, the changed malware market too has contributed to it. “Especially because Drive-by-Downloads have become standard attack methods”, says Christian Funk. And to initiate attacks one needs exploits, which can be used to manipulate websites and in this way find unpatched software loopholes in the system of the website visitor and install malware on his computer through these loopholes.
The risk involved in this market is that only a few know of such exploits. “That’s why loopholes remain unresolved for long and cannot be patched”, explains Candid Wüest from Symantec. And it is this exclusivity that exploit brokers capitalise on. Grugq, an anonymous exploit broker operating from Bangkok, divulged to Forbes that an exploit for iOS is worth up to US$250,000 (RM819,636). He revealed that he sells exploits primarily to the US government but only because Russia and China don’t pay enough dough. In China, too many hackers sell exclusively to the government there and hence the prices fall.
Apart from solitary operators like Grugq, there are many exploit dealers, who profit from their proximity to the US military. These include the company called Endgame, for which the Ex-NSA director Kenneth A. Minihan works, the armament firms Raytheon and Northrop Grumman and the American company Netragard (motto: “We protect you from people like us”). Netragard specialises in penetration testing, i.e., they are hired by companies to hack their systems to find security loopholes. In 2000, Netragard also started the Exploit Acquisition Program (EAP), which is designed to acquire Zero- Day exploits from security researchers and exploit developers for US$20,000 (RM65,575) and more. “These sellers need to identify themselves personally and register with us before we buy anything from them”, says Netragard founder Adriel Desautels. This is also applicable to buyers. “We sell exploits exclusively to customers in USA”, declares Desautels. “In our opinion, selling exploits to other countries is legallyquestionable because if these are used for an attack against our country, we could be accused for aiding and abetting it.”