Hackers Sell Vulnerabilities to Nations Around the World

Hackers sell flaws in code

The days of free giveaways of vulnerabilities have turned into a lucrative, gold-mine for hackers. Nations around the globe are lining up to acquire flaws in computer coding to protect their own interest.

Advertising has peaked for companies like ReVuln, owned and operated by two hacker geniuses:  Luigi Auriemma, 32, and Donato Ferrante, 28. The owners refuse to release any information about their client list but agree business is booming.

The National Security Agency (NSA) is reportedly a buyer of the company. From South Africa to North Korea, nations are offering steep payments to acquire coding flaws in software. The flaws is not in the nation’s own software. Correct, nations are purchasing vulnerabilities evident in neighboring or across the globe nations.

Former White House CyberSecurity Coordinator, Howard Schmidt acknowledges this is the wave of the future, “Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries. The problem is that we all fundamentally become less secure.”

A decade ago hackers would have easily turned the information over to companies like Microsoft and Google for a product trade-in. Those times have changed as companies start to blossom, seeing a substantial payday in the process. Perhaps, these companies can thank Edward J. Snowden for the deepening interest and business increase. Now, hackers hold the power of selling these vulnerabilities to government agencies and private companies in many nations around the globe.

The buyers and sellers connect via brokers who receive 15 percent of the cut, hackers can see upwards of $60,000 or more per flaw. In addition, they can collect monthly royalties for every month their flaw is not located. An unnamed source shared the subject line of an e-mail regarding a transaction,

“Dear Friend,” the e-mail began. “Do you have any code execution exploit for Windows 7, Mac, for applications like Browser, Office, Adobe, SWF any. If yes,” the e-mail continued, “payment is not an issue.”

A popular flaw exposing company in Montpellier, France is Vupen. It’s founder Chaouki Bekrar stated many of the organizations who expose flaws do not sell to some locations. His own company does not sell to areas that are ““topic to European Union, United States or United Nations limits or embargoes.”

This of course calls to surface the level of confidentiality of consumer and taxpayer records. This may be the reason many of the vulnerability exposing companies refuse to disclose their client list. Many larger organizations like Microsoft refused to pay for the information, but seeing the success rate of governing entities has caused the Windows giant to reconsider.

Microsoft is now offering hackers as much as $150,000 for information regarding one incidental flaw and a resolution to defend against it.  Microsoft’s competitor, Apple, has not stepped into the action packed arena. They may be shortly, after an exploit mission located a flaw in Apple’s iOS. The secret high bidder paid $500,000 for the flaw.

Senior Policy Analyst of the American Civil Liberties, Christopher Soghoian stated what companies pay to these flaw exposing companies, “pale in comparison to what the government pays.” The government, states Soghoian, “created Frankenstein by feeding the market.”

It was the United States and Israel who discovered a series of flaws, one being in the Windows font program, to disable Iran’s ability to enrich uranium. In doing so, the power play showed exactly the level of sophistication possible for the cyber-arms race. This kick-off sent virtual waves throughout the nations for ways to protect their own interest by exposing their neighbors.

 Hackers are not concerned with the finite details, they simply correspond to their client demands. By selling vulnerabilities of computer codes to nations around the world, these companies may just create a firestorm of public demand of disclosure.

Angelina Bouc

Sources 1, 2
Exodus Intelligence was mentioned in this article per sources received, new information from VP of operations has amended that previous claim. Due to conflicting information, I withdraw the company name from the article. Exodus Intelligence assists clients in protecting their data and information and uphold ethics to the highest levels. Visit their site for more information: Exodus Intel– updated 10/10/2013

Leave a Reply

Your email address will not be published.