ZDNet UK
Vulnerability auctions compromising security

Munir Kotadia ZDNet Australia

Published: 19 Jul 2006 16:35 BST


More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them "responsibly" to the vendor whose products are affected.

At a breakfast briefing organised by email security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting.

"I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage, which one do I choose?"

Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder.

"The economy on the marketplace is facilitating the sale of everything you want, from custom Trojans to rootkit, and moving through to things like vulnerabilities, which are a marketable commodity," said Ingram.

Last week, security firm Finjan published evidence, compiled by the company's Malicious Code Research Centre, showing examples of vulnerabilities being sold online.

Finjan's chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand — and therefore the price — goes up.

"The name of the game is money… we see a trend towards commercialisation of malicious code. Motivated by financial gain, hackers are honing their skills and becoming more ambitious, targeting the growing numbers of Internet users and stealing personal details and financial information, as well as compromising intellectual property," said Ben-Itzhak.

In Finjan's report, the company published screenshots of emails that seem to be already soliciting bids for vulnerabilities in Microsoft's IE 7 and Windows Vista, which is not going to be released until next year.
