company:endgame

  • The Vulnerabilities Market and the Future of Security
    http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-the-future-of-security

    This market is larger than most people realize, and it’s becoming even larger. Forbes recently published a price list for zero-day exploits, along with the story of a hacker who received $250K from “a U.S. government contractor.” (At first I didn’t believe the story or the price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General Dynamics, and Raytheon.

    This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a 2010 survey implied that there wasn’t much money in selling zero days. The market has matured substantially in the past few years.

    This new market perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all.

    I’ve long argued that the process of finding vulnerabilities in software systems increases overall security. This is because the economics of vulnerability hunting favored disclosure. As long as the principal gain from finding a vulnerability was notoriety, publicly disclosing vulnerabilities was the only obvious path. In fact, it took years for our industry to move from a norm of full-disclosure — announcing the vulnerability publicly and damn the consequences — to something called “responsible disclosure”: giving the software vendor a head start in fixing the vulnerability. Changing economics is what made the change stick: instead of just hacker notoriety, a successful vulnerability finder could land some lucrative consulting gigs, and being a responsible security researcher helped. But regardless of the motivations, a disclosed vulnerability is one that — at least in most cases — is patched. And a patched vulnerability makes us all more secure.

    This is why the new market for vulnerabilities is so dangerous; it results in vulnerabilities remaining secret and unpatched. That it’s even more lucrative than the public vulnerabilities market means that more hackers will choose this path. And unlike the previous reward of notoriety and consulting gigs, it gives software programmers within a company the incentive to deliberately create vulnerabilities in the products they’re working on — and then secretly sell them to some government agency.

  • Lessons from Anonymous on #cyberwar - Opinion - Al Jazeera English
    http://english.aljazeera.net/indepth/opinion/2011/03/20113981026464808.html

    The emails make it clear that #HBGary sold rootkits and keyloggers (tools to record and exfiltrate keystrokes surreptitiously) to government contractors for prices between $60,000 and $200,000 each.
    (...)
    Clearly cyber attacks against foreign nationals appear to be fair game.

    In an email about WikiLeaks:

    (...) “the #Amazon to #OVH transition and helped #wikileaks provide access to information during the transition.
    It is this level of support we need to attack. These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals.”

    And HBGary is far from an isolated “bad apple” in the para-state infosec community:

    The email above indicates that the project to discredit WikiLeaks (and their supporters) was a joint operation by HBGary Federal, Palantir and BericoTechnologies, although the other companies involved were quick to distance themselves from HBGary after the Anonymous hack.

    Endgame Systems, a company with almost no public footprint, was also thrust into the spotlight when several of their previously well-guarded reports and company presentations were shared amongst the emails.

    In an early email to Aaron Barr, Endgame Systems made it clear that they had “been very careful NOT to have public face on our company”. The CEO of Endgame Systems was clear: “Please let HBgary know we don’t ever want to see our name in a press release.”

    (via @booz)