Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: How Squid Hear |
| Computer Forensics: An Example »
April 2, 2012
Buying Exploits on the Grey Market
This article talks about legitimate companies buying zero-day exploits, including the fact that "an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit."
The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher payout. Sometimes, the money is paid in instalments, which keep coming as long as the hack does not get patched by the original software developer.
Yes, I know that vendors will pay bounties for exploits. And I'm sure there are a lot of government agencies around the world who want zero-day exploits for both espionage and cyber-weapons. But I just don't see that much value in buying an exploit from random hackers around the world.
These things only have value until they're patched, and a known exploit -- even if it is just known by the seller -- is much more likely to get patched. I can much more easily see a criminal organization deciding that the exploit has significant value before that happens. Government agencies are playing a much longer game.
And I would expect that most governments have their own hackers who are finding their own exploits. One, cheaper. And two, only known within that government.
Here's another story, with a price list for different exploits. But I still don't trust this story.
Posted on April 2, 2012 at 7:56 AM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Were I a shadowy government agent with a team of security experts working at finding exploits for me around the clock, I might be tempted to grab an exploit or two that don't quite pass muster (easy to trace or likely to be patched quickly) and sell them to one of these gray marketeers through some front. That way, we they start selling it around the world, I can identify his more aggressive customers and then leak the exploit to the software's developers.
I think that should be criminal organization? Guessing autocorrect reared its ugly head...
You say they are only of value till patched but that can be a long time for some organizations especially as I still see ms08-067 regularly in the wild.
For Government it seems simpler to compell some company with autoupdate to install their software on the target pc.
e.g. Your favorite malware scanner's update function could easily dispach the backdoor to control your pc.
Why buy an exploit for ths if you just can use a company?
governments are incompetent to deal with their actual problems..
governments don't pay much to their employees (compared to private industry)..
governments are too bureaucratic to even tie their shoes before walking..
so what makes you think that they can afford to have their own hackers doing exploit research?
It's a scary world when Defense gets privatized because it's cheaper, faster, or better. Even if it's cyber-defense, it'll make the hair on the back of your neck stand up.
Didn't the H.B. Gary leak show they were in a similar business.
@Dexter > Along similar lines, you think they have the organization and political will to purchase grey-market exploits?
Are manufacturers and developers quick about patching exploits? I wouldn't be surprised if some companies wait to patch holes until the exploit becomes widely known.
@ Bruce Schneier
I'm surprised by your viewpoint. The fact is that there are a number of companies making bank off selling exploits. That alone proves people are paying some good money for them. Past that, we've historically had organizations like Tipping Point paying almost six digits for a reliable zero day for extremely popular software. Why wouldn't the grey market ask for a similar amount? Or more for exclusivity and element of surprise?
That they refuse to sell to Russia, China and the Middle East makes their story more believable to me. It's what I would expect of their market research. I believe it was your blog that once contained an article about the US companies making rootkits & stuff for the government. They were leasing their stuff out for around $1 million a year. If govt and companies pay $1 mil for a rootkit, you think they wont pay $5k-100k for a zero day to install it? I think they will if the target is valuable enough.
One other thought. The guy said one of his customers was using a zero day for a proof of concept for marketing. I thought that was interesting b/c I was thinking about buying one for the same reason, proving AV useless & a particular IPS effective. I chose to use an old exploit on a dated version of the software. A 0 day would have been better & more psychologically effective, but it was a more expensive strategy & I don't have that much capital.
It's also known that the government is throwing a lot of money at the problem. Inevitably, much of that will go toward contractors and COTS solutions to the "cyberweapon" problem.
@Christian - companies are more complex that governments.
In the good old days the government could rely on their relationship with eg. IBM to ensure a particular 'fix'
Now the government doesn't have that much behind the scenes pull with an international company with shareholders and internal audits. Even if they did manage to get a patch through it would soon be leaked and the company would be finished.
"so what makes you think that they can afford to have their own hackers doing exploit research?"
If they cannot find their own exploits then they do not have the skills or knowledge to protect their systems from being compromised by other governments/criminals.
"Are manufacturers and developers quick about patching exploits? I wouldn't be surprised if some companies wait to patch holes until the exploit becomes widely known." (Vanessa N)
She has a good point, too. Many known holes remain open for quite a while. Many unknown holes remain open even longer. There have been holes that were unnoticed and unpatched for over a decade. This was a problem when the story below was published. The motivations/incentives haven't changed much, so I doubt the patching situation has improved a lot. An unknown exploit could still retain value for quite sometime, even in targeted use.
This market is not "grey", it is black.
One could imagine a positive motive for this. If the US govt. buys an exclusive on an exploit, it means other governments and bad guys don't get it (assuming one develops a relationship with the seller and can trust them on the exclusive.) Of course, in this case the ideal recipient is the vendor who will patch -- but see below.
Exploits are of course valuable to spies even after they are patched because so many systems are not kept up to date. And that's why some exploits might not be best given to the vendor until you can figure a patch that doesn't disclose the exploit.
But on the dark side, there's lots that spy agencies can do with these in their short exclusive lifetime. I have to believe that some of the botnets out there are secretely run by spy agencies (possibly without the knowledge of the underground cracker who thinks they are running the botnet.) Expanding that net and seeing who it traps and what info they have is always interesting to spooks.
First of a zero day is a tool just like any other, and thus is agnostic, it's the user who decides the what when and why of it's use.
Look at it this way what's the difference between a locksmith opening your door because you have lost your keys, a skilled burglar using exactly the same technique, a bailif or repo man similarly opening your door, the police with a warrant or a person working for an intel organisation?
Now we know that in any "war" be it hot / cold / phoney / political one of the most important things is intel, this has been true for thousands of years with the likes of. Sun Tzu's "The Art of War" all the way through to modern combat training for even junior officers and senior NCO's. We have expressions in common usage such as "Know your enemy" and "keep your friends close but your enemies closer".
History has taught us that spys and agents can earn good money from their intel officers, irespective of what their actual motivation ideological or otherwise. In fact it has been said that a man prepared to sell his country for money is more reliable than a man of ideology, because he knows his morals better than a dreamer.
During WWII we know that both sides employed "criminals" to break into diplomatic missions and other buildings where intel could be gathered and they would be well paid. Thirty years ago we know that various "contractors" were paid several thousand pounds to get information about Union Leaders for the then British Government. And prior to that the Labour Government illegaly went to tax and other records to dig up dirt on the then Liberal party leader and his close associates (this was done by Jack Straw who later went on under the last Labour government to become the Home Office Minister and was involved heavily in the initial stages of setting up a UK wide surveillance database into which all phone and other communications records would be placed, Something that the Conservative element of the current Government has just anounced they are going to re-start.
Thus it's not just entirely feasible that Governments would pay good money for Zero Days, it would given their past track records be highly surprising if they were not.
Operatives were used to spread Stuxnet.
The internet isn't used because the signals (intelligence) agencies can track and trace code.
The best hacks are not internet-based.
stuxnet used an unprecedented 4 zero day exploits. bruce is right i can't see governments paying for zero day since they can just find their own. how could they trust the guy selling it won't turn around and sell it to russian blackhats. corporations sure but no intel agencies. not very difficult to find your own exploits if you are paid to do it all day and have a team to help write the mundane launchers/root kits and set up servers.
modern software is such junk any monkey can manipulate cpu registry pointers. the mantra is release it as fast as possible not take your time and audit the code
LOl @ those guy's in the linked articles claiming they are directly dealing with Intel agencies and governments.
They are dealing with EX intel agency and government technocrats who went on to start their own for-profit intel corporations like Statfor, and countless others. These guy's are always some sort of ex management they aren't elite warriors or top brass that make decisions. Just report writing and paper shuffling dead weight that was cleaned out and took their collection of private market business contacts with them.
Imagine if there was a guy who found the four Stuxnet zero day and sold it to Israeli intel? Well as soon as that story hit the press he'd be all over Al Jazeera telling their journalists how he originally found the exploits and sold it via middlemen to a "government agency". Now a serious problem. For intel agencies to buy zero day they'd have to kill the author to prevent any press leaks. You use zero day to do your clandestine "cyberwar" which you can conveniently deny deny deny when somebody points the finger at you (Lol China, amirite?). Hard to deny when the guy who found the bug and has docs to prove he sold it is all over the news after your government uses it for some blackop
@dexter at April 2, 2012 9:04 AM
"so what makes you think that they can afford to have their own hackers doing exploit research?"
when is the last time you looked at budgets for NSA, CIA, DIA, and official splinter groups/divisions which may or may not be mentioned in print?
they probably have the very best. for more information on "affording" projects, search google and wikipedia for:
PROJECT (gov/mil proj here, like MKULTRA)
OPERATION (gov/mil op name here)
“It would be a slippery slope to stop detecting government trojans,”
"AV vendors split over FBI Trojan snoops"
"Impressed by FBI trojan, Germans write their own"
We should not forget:
Magic Lantern (USA):
"The Computer and Internet Protocol Address Verifier (CIPAV) is a data gathering tool that the Federal Bureau of Investigation (FBI) uses to track and gather location data on suspects under electronic surveillance. The software operates on the target computer much like spyware"
and the large number of Wikileaks articles with companies and software/hardware listed as more 'traps.' and the number and frequency of remote exploits discovered in Adobe Flash, Java, Microsoft Windows, web browsers open and proprietary.
@Andrew Wallace at April 2, 2012 2:06 PM
"The best hacks are not internet-based."
The best hacks may be anywhere at any time on many levels.
I feel most computers are tapped via SatCom and mirrored as individual .iso files. The frequency depending on level of interest in the 'mark' (organization or individual[s]).
-- more --
"The FBI now is installing super spyware on people’s personal computers. They are using “Computer, and Internet Protocol Address Verifiers”, or CIPAV to infiltrate personal computers, or systems, download all files, and upload to government servers in Virginia It sounds somewhat “1984ish”, but imagine with everything covered so far, and taking into context what COINTEL did by replacing words, or meanings, imagine what they can upload to your own computer without the users ever knowing.
It’s not just the FBI with their fancy CIPAV, but the actual giant Internet companies who’ve been bought out are complicit with this ever increasing war for our Hearts, and Minds; through information. Google is catering to the CIA, NSA, FBI, and to most other Government agencies by offering the tools necessary to scavenge stored data, and other electronic media. They are also offering a closed “Intellipedia, a Wikipedia knock off for spooks. Not only Google, but most US social networks have been caught selling private chats, photos, and emails to Governments."
-- more --
deception and psyops are the name of the game
Am I the only person wondering how much is paid for the intentional creation of an exploit?
seems easy to find what you planned in the first place. you can even protect the exploit by requiring improbable enable sequences and than seed the FIX community with solutions that simply disable ONE enable sequence. lets you get much more life out of a single exploit.
Really makes you wonder what new types of malware are possible when the firmware & software developers collaborate on exploit development
Perhaps the article itself is the intel 'bait'. Imagine if you would the ability to map who looked at a specific webpage (or a news story or even the text from story). (Not too tough.) Now over time you map the community, find individuals, and perhaps occasionally release pseudo-stories targeted at specific groups to find niche individuals. Thus in this case, I imagine it wouldn't take a super-duper electronic brain to get a pretty good of just who's within the community that would be interested in 'buying exploits'. (Of course, when the story goes big time in Schneier your models are hosed because of massive signal and noise overload). Sure 'they' are watching us but its with something petty like with Google Analytics on steroids. (Not SatCom & .iso's) Most real & useful intel is mundane... but take over time becomes rather useful.
"Sure 'they' are watching us but its with something petty like with Google Analytics on steroids. (Not SatCom & .iso's) Most real & useful intel is mundane... but take over time becomes rather useful."
Sounds like a quick cointelpro disinfo response to me, imo. our cpus are capable of much more than you may know. one anonymous post to pastebin claiming to be an intelligence agency warned anonymous their cpu information was mirrored in one or more locations, this hints at the SatCom mirroring, I've noticed this on Windows systems using special monitoring tools, and sweeps on Linux systems, too, sometimes using tools to hide the additions to the ELF files from antivirus scanners like clamav which is popular on linux.
what could be true is baiting followup posts waiting for the fish to report back to the baited reply. i'll bite on that possibility.
OT Question for greybeards and even salt-and-pepper beards like Bruce:
All this talk about crypto assumes that the American paradigm of crypto is the one that obtains in Russia and China. Surely to decrypt American crypto they have to understand it. But is their own research and their own internal crypto in the same groove?
"Really makes you wonder what new types of malware are possible when the firmware & software developers collaborate on exploit development"
I doubt we really need to wonder. Academics and black hats into esoteric have been talking about it for a long time. Matter of fact, they've been doing it too. The low end is BIOS attacks that can reinfect a cleaned machine & more. Then you have peripheral firmware attacks, malware in the wild using CPU errata for obfuscation (clever), my proposed smartfone firmware rootkits, and maybe even subverting some of these manufacturer's firmware/OS backdoors through a downloaded app. So many possibilities.
I haven't even mentioned covert channels. Gotta love those. And utterly hate them. "Covert channels: turning your every optimization against you since the 80's." :)
Am I the only person wondering how much is paid for the intentional creation of an exploit?
It rather depends on whatt you mean by that?
I saw two possabilities of that when I first read the Forbes article,
1, A placed / payed agent.
2, A developer looking to get rich on the side.
Nick P, You and I have discussed the first option in the past as a way of getting around "code signing" or for puting hardware macros in chip designss to "fritz" them.
The second option is the consequence of such a market coming into being. Put simply let us assume you are a code cutter for one of the big cross platform application companies that make one of the essential pieces of software for everyday use on everybodies desktop. And you have missed out on becoming a Share Option DotCom millionaire, but think you are as good if not better than those that did...
What better way to "stickit to the man" than by putting in a subtle bug or ten that gets through the code review process?
[As long term readers of this blog know I did just that many years ago (to leak the key info in some encrypted coms software) to make a point to managment that the best programers needed to be on the code review panel otherwise the panel was waisting not just it's own time but everybody elses as well.]
If you do it right then nobody suspects what you have done even if it does get found (plausable deniability is good ;). And apart from getting that all important but intangible "ego food" of beating the "ShareOp millionaires", you now get the very real and very tangable effect of doubling your pay. Providing of course you do it through trusted cut outs and know how to do the financial engineering to keep it all under wraps.
[And it's the last bit of "financial engineering" and consiquent "keeping your mouth shut" where nearly 100% of criminals go wrong with their perfect crimes]
But having the bug and transmission mechanism is not enough you have to collect data and this will be visable in a code review process. So it needs a "back story" to cover it's existance... The easiest way to hide this sort of malicious code is in plain sight as part of "testing code" to enable good "tech support", thus it's an integral function of the application...
This is as I've said already, because the tool is "agnostic" to it's use, it's simply shifting data for someone and they decide the why when and what. As a tool the more usefull it is for testing and diagnostics, the more useful it will also be for spying malware 8)
But the big problem with all "back doors" and "snoop ware" is it has to communicate data that is as I've said many times befor it has to do an ET "and phone home". And this is a problem as it creates traffic that can be found by a user or researcher with little difficulty unless you can hide it effectivly. There are only two ways to do the communications "in band" and "out of band" for mass surveillance "out of band" is not realy feasible. With "in band" you have the choice of "in traffic" or "out of traffic", in traffic means finding "usable redundancy" within the traffic protocol you can use and is thus generaly low bandwidth, ideal for leaking KeyMat but not Key Strokes. So the largish bandwidth is clearly in "plain sight" and thus needs a valid reason to exist, that is it requires it's own "back story".
Again test and diagnostics is a good way to go. Because for rare bugs and problems in complex environments it is almost impossible to recreate bugs for testing without good prior knowledge of what went wrong. This means activity logs that can be accessed after the bug causes the problem. And as befor a bug you don't know what "you need to know" you log everything. But where to put the logs... The best place is on a "testing server" external to the device which means you have to send all that lovely userd data over the network...
Thus the ideal test tool is the ideal snoop tool as they are one and the same thing.
The classic recent version was CarrierIQ code on smart and other phones. It was the perfect mass surveillance tool, buzy doing an end run around all the conventional security by sending in plain text everything the user typed across the network to CarrierIQ's servers... Now we know that the NSA has deep level network access not at the edges of the network as you would expect for "counter intel" but in the middle close to the back bone where recording all the CarrierIQ data would be a walk in the park. Thus the NSA would have logged every key stroke and in which applications etc etc of every US mobile phone user without having to do any work. Oh and at the same time having 100% deniability win-win for them.
Which is what Bruce may have been getting at with,
Government agencies are playing a much longer game
A@ Big Pic
OT Question for greybeards...
Does the OT mean "Old Time" or "On topic" :-)
More seriously the answer to your first question,
All this talk about crypto assumes that the American paradigm of crypto is the one that obtains in Russia and China
At a fundemental level all crypto currently in use is the same. That is it makes a reversable mapping between the plain text and cipher text, Aand for efficiency reasons it is almost always a one to one mapping. Not that it has to be, all that is actually required is that the plain text is correctly recoverable from the cipher text.
At a slightly higher level you can see that all symetric (one key) ciphers are based on a reversable mixing process (such as XOR) and a one way function. This holds true for block ciphers, stream ciphers and hashes.
Thus the general design process of ciphers is independant of human language and geopolitics.
Which also answers your other two questions because,
To be able to design good crypto you have to be able to break good crypto, or atleast know how it can be done.
Thus looking for weaknesses in other peoples crypto strengthens your own crypto. And as far as we know in the open community our current crypto is sufficiently strong to defeat the currently known attacks.
Though as the various Governments (used to) employ the best mathematicians their closed community is probably further ahead by ten to twenty years.
The real point is that attacking the crypto it's self is not were the game is played, but in attacking the systems in which it is employed and the people who use them.
For instance the open community is only just starting to look into the problems of Keying Material (KeyMat) in terms of how you make it, distribute it, etc etc. If you look at some recen
@ Big Pic,
Hmm sorry the problem with using a mobile, mobile is it, mucks up.
To continue from my above post to you,
If you look at some recent research you will see we have very good reason to believe that many many systems in use are very poor at generating sufficient entropy in their random number generation process they use for generating KeyMat especialy in Public Key certificates, which as discussed on the blog a little while ago could well be fatal for many communications systems.
Many years ago Bruce made a comment about the design of cipher algorithms having reached a point where it was time to move onto more important things such as the more difficult task of Key Managment.
Sadly the open community did not, instead it got hung up on PKI and has hung twitching on the particular nasty hook like a fish out of water ever since.
But a lack of good cryptographic entropy is just one of many problems. There is issues to do with protocols, side channels and all sorts of other issues rearing their ugly heads.
Security is much much more than the sum of it's parts which is why it is a very hard problem and crypto algorithms are just one of a myriad of tiny parts in the mosaic.
" The low end is BIOS attacks that can reinfect a cleaned machine & more. "
I know that these attacks exist today but the ones that I'm aware of are more like combination malware. If you study Stuxnet code you can see many examples of the virus writers having an indepth knowledge of the target systems. and ONLY enabling virus propagation on target networks. Think about combining this with some long enable sequences embedded into infected BIOS's and nobody will ever be able to replicate the fault, outside of your target environment.
"I saw two possabilities of that when I first read the Forbes article,
1, A placed / payed agent.
2, A developer looking to get rich on the side."
I think placed agents is a much more common problem than anyone admits.
IMO the ideal agent seeds subtly faulty protocols / firmware / circuits rather than just creating back-door code. If you are first, this usually results in a verbatim copying of the protocol "as is" by all competitors. I've always wondered if the stolen code used by a certain Chinese Network equipment company was really stolen or maybe agent leaked. (Just to be sure that they got it right)
As we have talked about before, I have seen simple circuits (Digital, Analog and RF), code fragments and comms protocols, all seeded into the public domain, but all containing very subtle faults.
One system problem that comes to mind was a power supply resonance occurring at a harmonic of the sample frequency of the RNG. (actually exactly harmonically locked because they were sourced from the same divider) In this case the Bios firmware could be easily single bit altered to enable the switched mode power supply (SMPS) operation exactly at the RGN supply resonance. The strange thing was that the SMPS Frequency associated with this Register setting was documented (on the schematic) as an Invalid bit combination. Consequently it was never tested in the system compliance matrix test or in bench tests. However, if you went back to the SMPS manufactures web page they documented this "invalid" setting.
Hmmm what should I make of this, sloppy engineering or an intentional way to degrade the RNG on every system that copied this circuit?
I'm not suggesting (cough) that you're doing this, but I've noticed, especially on security sites and political sites, people linking to odd websites, many seemingly generic sounding.
I wonder, are these being seeded around the net in serious discussion arenas in order to make use of the browser's prefetch function if it's enabled?
I often wonder if these websites are fronts or funnels to track posters by using the prefetch ability in most browsers.
If you use Firefox, go into about:config and type in prefetch, disable the one which doesn't mention networking and you're good.
No it is not "agnostic". There is only one legitimate client for that: software vendor. Everything other is pure essential evil, like it or not, love your government or not.
The underlying question is : is it worth to provide your intelligence to a dumb government. Yes, since ww2 some "evil geniuses" work for governements, secret weapons are strategic assets and lethal technology agencies blossom especially in nato countries. Reagan wanted star wars tech (it sounds mad men).
Trading with criminals is a tactical move in a cold war or a revolution (i guess). So trading 0day exploits is really not a startup activity in principle.
What of the counterintelligence angle? Perfect for fishing expeditions. Also, with so much pirated software running in China...
I don`t have enough time to read all comments.
Do you sugest that Microsoft can sell or invent exploits?
One interesting thing this tells us is that, for a stuxnet-scale operation, a reasonable estimate of the required budget to purchase zero-day windows exploits is around 4*$120,000.
Very affordable for an organization that is even contemplating such things in the first place.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.