Talk on the zero-day vulnerability market, delivered at NLNOG day 2015. Video at https://www.youtube.com/watch?v=oz5VoCRCNt0&list=PLZZnjVUUZQgQkSGy1fVlOkeJDXHLIPL3e
2. No more free bugs - NLNOG 2015 - Pine Digital Security
This talk
To shed some light on a shady side of the internet
• Some background on 0days
• What does the 0day market look like?
• How is this relevant to us?
• So now what?
3. About
Christiaan Ottow
CTO of Pine Digital Security
christiaan.ottow@pine.nl
@cottow
4. What we do
Security services: performing penetration tests, code audits and consulting/training
Managed hosting: managed secure hosting services for customers (AS12854)
Secure development: developing software for customers with a high security or privacy demand
5. Zero Day (0day) vulnerability: a vulnerability that has not been publicly disclosed
6. A Bug’s Life
Source: Stefan Frei, “The Known Unknowns” [1]
7. A Bug’s Life
Source: Stefan Frei, “The Known Unknowns” [1], 2013
8. A Bug’s Life
ZDI, 2015
• Over 2000 disclosed vulnerabilities
• That’s ± 600 in the last 18 months
• 2010: > 30% took > 365 days to patch
• 180-day automatic disclosure implemented
• 2013: only 6 vendors > 180 days, 5 > 120 days
• 2014: 120-day automatic disclosure implemented
Source: ZDI@10: 10 fascinating facts about 10 years of bug hunting [10]
9. A Bug’s Life
Source: Bilge et al, “Before we knew it” [12]
0days live 312 days on average in the wild before disclosure
10. Suppliers
• VUPEN
• Raytheon
• Northrop Grumman
• Endgame Systems
• Exodus Intelligence
• VBI
• Netragard
• ReVuln
• Mitnick Security
• Zerodium
11. Growth
Source: Cisco IBSG [8]
13. Growth drivers
• Number of targets
• Government interest
• ROI per target
• Skill required
14. Hacking Team
“What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain.
Remote Control System does exactly that.”
Source: http://www.hackingteam.it/images/stories/galileo.pdf
15. Hacking Team
• Surveillance software
  • Audio recording (phone, Skype, …)
  • Keystroke logging
  • GPS tracking
• Impressive list of customers, including oppressive regimes
  • Bahrain, Kazakhstan, Azerbaijan [10]
• Breached in July 2015, 400GB dumped (incl. mail spools, source code, contracts)
16. Suppliers
• VUPEN
• Vulnerabilities Brokerage International (VBI)
• Netragard
• Vitaliy Toropov
Source: Vlad Tsyrklevich’s analysis of HT dump
17. Pricing
The grugq, 2012
Source: Andy Greenberg in Forbes, 2012 [3]
18. Pricing
Hacking Team, 2015
• Adobe Reader + sandbox escape: $100k list price ($80.5k final)
• Sandbox escape non-exclusive: $90k - $100k
• Netragard
• Three Flash Player 0days: $39k - $45k
• Vitaliy Toropov
Source: Andy Greenberg in Forbes, 2012 [3]
19. Catalogs
Source: Vlad Tsyrklevich’s analysis of HT dump
20. Source: https://twitter.com/Zerodium/status/644107653745016832
21. Business model
• Acceptance testing
• Replacement if patched
• Support on implementation
• Phased payments
22. Actors
• Researcher
• Broker: VBI, Netragard, Endgame Systems, VUPEN, The Grugq, Exodus Intelligence, ReVuln, Northrop Grumman, Raytheon, Vitaliy Toropov, Kevin Mitnick, Zerodium
• Defensive products vendor: HP ZDI, iDefense VCP
• Rich intelligence agency: NSA, GCHQ
• Offensive products vendor: Hacking Team, Gamma International
• Dark markets
• Poor intelligence agency or LEA: Sudan, Ethiopia, Bahrain, KLPD, ?
• Vendor of vulnerable product
• Pentesting companies
• Exploit pack vendors: Intevydis, ExploitHub
Also on the diagram: bounties, full disc., google p0
23. So what?
• 0days are much like weapons
• Only, they are almost exclusively interesting for offensive purposes
• Who benefits from having them and who benefits from fixing them?
24. So what?
• Stopping 0day sales will not stop all spies and criminals
• But it will stop the likes of HackingTeam
25. Now what?
“[..] Are vulnerabilities in software dense or sparse? If they are sparse, then every one you find and fix meaningfully lowers the number of avenues of attack that are extant.
If they are dense, then finding and fixing one more is essentially irrelevant to security and a waste of the resources spent finding it.”
Source: Dan Geer, BlackHat 2014 [8,4]
26. Corner the market
• USG buys them all
• Reports all to vendors
• USG then controls the market
27. Drain the offensive stockpile
“[..] People deserve to use the internet without fear that vulnerabilities out there can ruin their privacy with a single website visit
If we increase user confidence in the internet in general, then in a hard-to-measure and indirect way, that helps Google too”
Source: Wired interview with Chris Evans of Google Project Zero [5]
28. Tweak the levers
Source: Katie Moussouris, “The Wolves of Vuln Street”, RSA Conference 2015 [6]
29. Regulation
• Wassenaar, a town in Europe
• Intrusion malware
• Intrusion exploits
• IP surveillance
30. Regulation
• The problem with dual use
• It’s the internet, stupid
• ACLU is for, EFF has reservations
31. Bugs are dense
“[..] Which is: you don't chase and fix vulnerabilities, you design a system around fundamentally stopping routes of impact. For spender it is eradicating entire bug classes in his grsecurity project. For network engineers it is understanding each and every exfiltration path on your network and segmenting accordingly. Containment is the name of the game. Not prevention.”
Source: Bas Alberts, rant on DailyDave, Aug ’15 [7]
32. Conclusions
• A new market has emerged that is at best shady
• Involves actors from gov’t, commerce and crime mixed on all sides
• Legal battle being fought together with Crypto Wars II
• Will have impact on what our kids’ internet will look like
33. Questions? Shoot!
34. Bibliography
• [1] Stefan Frei, Dec 2013, “The Known Unknowns”, https://www.nsslabs.com/sites/default/files/public-report/files/The%20Known%20Unknowns_1.pdf
• [2] Vlad Tsyrklevich’s analysis of the Hacking Team leak wrt 0day trading: https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/
• [3] Forbes/Andy Greenberg’s profile on the grugq: http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
• [4] Dan Geer, on density and counting of vulns, “For Good Measure”: http://geer.tinho.net/fgm/fgm.geer.1504.pdf
• [5] Interview with Chris Evans of Google Project Zero by Wired: http://www.wired.com/2014/07/google-project-zero/
• [6] Katie Moussouris, “Wolves of Vuln Street”: https://hackerone.com/blog/the-wolves-of-vuln-street and https://www.rsaconference.com/writable/presentations/file_upload/ht-t08-the-wolves-of-vuln-street-the-1st-dynamic-systems-model-of-the-0day-market_final.pdf
• [7] Bas Alberts, rant on disclosure, “The Old Speak”: https://lists.immunityinc.com/pipermail/dailydave/2015-August/000976.html
• [8] Cisco IBSG, # of Internet-connected devices: http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf
• [9] Dan Geer, on cornering the market, BlackHat 2014: http://geer.tinho.net/geer.blackhat.6viii14.txt
• NSA’s TAO group accidentally offlining Syria: http://thehackernews.com/2014/08/nsa-accidentally-took-down-syrias.html
35. Bibliography
• [10] ZDI figures after 10 years: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-10-10-fascinating-facts-about-10-years-of-bug-hunting/ba-p/6770127#.VfqrprQVf8s
• [11] HackingTeam customer list: https://theintercept.com/2015/07/07/leaked-documents-confirm-hacking-team-sells-spyware-repressive-countries/
• [12] Bilge et al (Symantec), “Before we knew it”, on 0days in the wild, 2012: https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
• On 0days on the dark web: https://www.deepdotweb.com/2015/04/08/therealdeal-dark-net-market-for-code-0days-exploits/
• Market size 2012: http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html
• Market size 2012: http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/
• Market size 2012: http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf
• Market size 2013: http://www.darkreading.com/vulnerabilities---threats/hacking-the-zero-day-vulnerability-market/d/d-id/1141026
• Robert Graham, notes on Wassenaar: http://blog.erratasec.com/2015/05/some-notes-about-wassenaar.html#.VfnEmbQVf8s
• Heartbleed discovery collision: http://readwrite.com/2014/04/13/heartbleed-security-codenomicon-discovery