NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0473 Black Market for Software Vulnerabilities:
The black market for software vulnerabilities is booming, with bugs regularly being sold
for thousands of dollars apiece online, according to an online press report. Speaking at this
week's IT 360 show in Toronto, IT security expert David Rice said that one of the only ways to
reduce this steady stream of hacks is for software companies to simply write better code.
The fact that all software comes shipped with security threats just waiting to be discovered,
he said, has facilitated a vast open market among hackers looking to discover the next "zero-day"
(that is, not-yet-patched) vulnerability that the public does not know about. "Reported bugs
may go unfixed by manufacturers for months or years, but unreported vulnerabilities go unfixed
period," Rice said. "They give hackers ... access to critical networks and systems, and hackers
can make a lot of money by not reporting these bugs."
The prices paid for vulnerabilities on the black market are indicative of the size of these online
criminal syndicates and the challenges they pose to software developers, according to Rice. "A
recent Internet Explorer exploit was priced at $100,000, while some bugs have even reached upwards
of $250,000. Some of these cyber lords even have better research facilities than Symantec and McAfee
right now."
Companies like iDefense Labs and TippingPoint Technologies often purchase vulnerabilities off the
black market to help protect companies against potential attacks, and others, such as Mozilla, offer
rewards for "white hat" hackers who discover and report bugs in their software. Rice feels larger
rewards may be an effective way to counter the black market - but it will take much bigger bounties
to motivate widespread ethical reporting, he said. "The rewards being offered won't stray too many
hackers away from the hundreds of thousands a month they can make on the black market," he said.
(www.arnnet.com.au 11APR08)