From: InfoSec News <alerts_at_private>
Date: Thu, 3 Jul 2008 03:43:36 -0500 (CDT)

http://www.fastcompany.com/magazine/127/nexttech-fear-of-a-black-hat.html

By Adam L. Penenberg
Fast Company
Issue 127 | July 2008

Inside the shadowy underworld where rogue employees sell holes in their companies' software. The buyers: security firms, mobsters, and -- surprise -- the U.S. government.

Juergen Marester, a 24-year-old French network consultant, needed seed capital to start his own computer-security company. So he turned to his off-hours hobby -- black-hat hacking -- and did what a growing number of hackers are doing: selling "0days" (pronounced "oh-days" or "zero days," it generally refers to unknown, or zero-hour, software threats). These are recipes and code for penetrating the software run by governments, corporations, and private citizens. When properly deployed, 0days can result in minor disruptions such as a Web site's temporary paralysis. At their extreme, they grant an attacker total control over a network.

In August 2007, Marester announced on a popular computer-security forum that he had 0days for Linux, HP-UX (the computer maker's popular Unix database software), Microsoft Windows, and Apache. "Please let me message by mail if you are interested," he typed. By mid-September, he also offered 0days for SAP, Mozilla Firefox, Microsoft's Office 2003 and 2007, and Internet Explorer. "For any interest, please mail me to this adress [sic]. Good bye and have a good day."

The posts weren't unusual for this forum, except, perhaps, for their politeness. They provide a window into a thriving black market for hackerware, where computer-security firms, mobsters, corporate spies, cybercrime rings, and government agents rub shoulders with code jockeys looking to score quick bucks. Any company or government entity running popular programs, such as the ones on Marester's list of targeted software, is at risk, and governments -- both allies and enemies of the United States -- are among the biggest buyers. According to the Electronic Frontier Foundation, as a general rule, it isn't illegal to offer vulnerabilities (the holes in software) and exploits (the code that does the actual penetration) for sale. What's different about Marester's case, as I would learn, is that the seller worked for one of the companies whose code he promised to compromise.

I first learned of Marester from an American computer-security consultant, who had been taken aback by the sheer number of 0days -- some of them very powerful -- that Marester was hawking. In the interest of protecting his own clients, the security professional and some colleagues posed as buyers and, over the course of four months, won the hacker's confidence. Eventually, Marester revealed his true identity in order to collect his bounty. The security pros, who requested anonymity for this article, turned over their evidence to me, including an extensive email trail.

[...]

_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

Received on Thu Jul 03 2008 - 01:43:36 PDT