Worldcrunch

Hackers Black Market: Selling System Flaws And Fixes To The Highest Bidder

Image caption: Hackers have been dubbed "modern-day merchants of death" by Google

PARIS – In 140 characters of hacker jargon, the French security company Vupen tweeted on Oct. 30, 2012 that it had discovered a security flaw in Windows 8 and that it was selling it to the highest bidder:

Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8

Microsoft had just launched its new operating system for computers and tablets. The flaw was a "zero-day": a vulnerability the vendor does not yet know about and has therefore not patched. With the exploit Vupen wrote for it, Vupen, or whoever bought it, could build malware that takes over a Windows 8 machine remotely, simply by getting its browser to load a booby-trapped web page.

The firm, based in Montpellier, France, is well known in the field of exploit development. In March 2011, at the Pwn2Own hacking contest held during the CanSecWest security conference in Vancouver, Canada, Vupen won by using a weakness in Apple's Safari browser to take over a MacBook.

At the time, Vupen's co-founder, Chaouki Bekrar, told ZDNet: "The victim visits a web page, he gets owned. No other interaction is needed."

Vupen did it again at Pwn2Own 2012, successfully hacking Google Chrome and Microsoft's Internet Explorer 9. Google had offered up to $60,000 for a full Chrome exploit, on condition that the winner hand over complete details of the zero-day vulnerabilities used, but Chaouki Bekrar caused controversy by refusing Google's offer. He said he would withhold the details of the exploit in order to sell it to his better-paying customers. Google replied by calling him "an ethically challenged opportunist."

Who are these high-paying customers? When hackers find a flaw, they are expected to report it to the software vendor, or to a security company that will verify the vulnerability and work with the vendor on a patch. For a long time, software vendors enjoyed this service for free, but in the 2000s, U.S. hackers launched a movement to get paid for it. Since then, many software, Internet and telecommunications companies have published the going rates they are willing to pay for security vulnerabilities: from $100 to $20,000 depending on the severity or originality of the bug.

But some companies have chosen a more lucrative market. They deal in "offensive security", a euphemism for spying and data theft. Instead of working with software vendors, these firms sell their exploits to the highest bidder, which is usually a government body: police, military or intelligence services. These organizations use the exploits to track criminals and to monitor companies, foreign governments or their own citizens.

Some countries also use these tools for sabotage. This is what happened in Iran in 2010, when a uranium enrichment plant was attacked by the Stuxnet worm, widely believed to have been created by the U.S. and Israel. Because of this risk, governments need to be constantly aware of newly discovered flaws in software and networks, and for this they turn to the private sector.

In the U.S., defense contractors such as Raytheon and Northrop Grumman have opened "offensive computer security" departments. Several American companies have specialized in this field as well. The best known is Immunity, based in Miami Beach, which every year organizes a security conference called "Infiltrate." Immunity sells software packages bundling various intrusion techniques, including fake websites that mimic Amazon, LinkedIn or Hotmail to lure the user into handing over credentials.

Shady middlemen

There are new actors on this highly lucrative market: exploit brokers. They buy zero-day exploits from independent hackers and resell them to the highest bidder. The two best-known brokers are Netragard, from Massachusetts, and The Grugq, a South African living in Bangkok, Thailand, who claims to make hundreds of thousands of dollars a year.

European firms are very active on this market. Gamma Group, an Anglo-German company, sells software called FinFisher, which can remotely activate a smartphone's microphone to eavesdrop on conversations. The British government has announced that it will restrict the export of FinFisher but will not ban it. There is also a firm in Italy called Hacking Team. But the most famous European company is Vupen.

On its official website, Vupen claims that it doesn't sell its products to just anyone. The firm says it respects the embargoes enforced by the EU, the UN and the U.S., and only deals with "trusted" states: members of NATO, ANZUS (in the Pacific region) and ASEAN (in Southeast Asia), as well as special "partner states", which still leaves it plenty of countries to work with.

Despite these precautions, Vupen and other offensive security companies are making many enemies. In the U.S., libertarian hackers, privacy rights organizations, security companies and Internet giants like Google have launched campaigns in which offensive security firms are compared to arms smugglers, "modern-day merchants of death."

These activists and organizations say that offensive security tools always end up, one way or another, in the hands of authoritarian regimes, which use them extensively.

Morgan Marquis-Boire, a researcher at Google and at the University of Toronto's Citizen Lab, says he found spyware made by Hacking Team in Dubai, on the laptop of an opponent of the regime, and also on a pro-democracy website in Morocco. He believes both countries were exploiting a vulnerability discovered by Vupen. Marquis-Boire also says that the FinFisher spyware was sold to the Egyptian police, and has also turned up in Bahrain, Kuwait, Turkmenistan, Ethiopia and Brunei.

The libertarian groups believe these companies are a threat to civil liberties, even when their tools are in the hands of Western countries, and that democratic nations shouldn't use such tools at all.

U.S. activist Christopher Soghoian, of the American Civil Liberties Union (ACLU), accused his own government of being the biggest customer of these zero-day salesmen: "Google and Microsoft can't outbid the U.S. government – they will never win a bidding war with the army, navy or NSA."

He also says that Western countries are playing a dangerous game, and warns of a risk of "blowback": a weaponized zero-day exploit sold by Vupen to a foreign government can be resold over and over again, without any control, and later used against the very Western countries that bought it in the first place.

Eric Filiol, a former French intelligence officer and cryptography expert, doesn't agree. He says that Vupen is "one of France's technological jewels." He believes that "Chaouki Bekrar is a true CEO and a patriot, working for his country." Yes, he knows Vupen sells its exploits to foreign countries, "but that's a good thing, it brings in foreign currencies."

Source: Le Monde, http://www.lemonde.fr/

Le Monde ("The World"), a leading French daily newspaper, was founded in December 1944 in the aftermath of World War II. Today it is distributed in 120 countries. In late 2010, a trio formed by Pierre Bergé, Xavier Niel and Matthieu Pigasse took a controlling 64.5% stake in the newspaper.