Feeds

Forget black hats – the best hackers are going grey and getting legit

Bug bounties make going legit a tempting proposition

  • alert
  • submit to reddit

Reducing security risks from open source software

A report from the Rand Corporation suggests the increasing market for software vulnerabilities that can be sold legitimately is tempting the most 1337 hackers and crackers to go legit, rather than suffer the vagaries of the black market in code and credentials.

"There's an economic seesaw in the market," Michael Callahan, VP of security products at Juniper Networks, told The Register. "At a point it becomes more attractive to sell on the legitimate market verses selling them to online arms dealers. It's driven by economics."

The black market can be as lucrative as the drugs trade, the Rand report notes, but the risks are also high, and not just from the police. While law enforcement is improving its abilities to catch cyber criminals the report notes that the attackers have the upper hand, but double-crossing within the industry is rife.

The study states that around 30 per cent of sellers in black market bazars for stolen credit cards and credentials are rippers – those who take the money and run. Of these, less than a fifth are caught and forced to complete the transaction.

Rand says that the increasing use of bug bounty programs offers an increasingly attractive form of revenue for security specialists, and one that provides a legitimate source of income., While rewards for such programs are still low, the report notes that some very high prices can be got for major undiscovered vulnerabilities from security organizations and from government buyers.

The report lists prices of up to $250,000 quoted for a solid iOS zero-day flaw (the top price for OS X is just $50,000) or $120,000 for a serious Windows flaw. The price depends a lot on how recent and effective the flaw is, but it's widely recognized in the community that the American government will outspend almost anyone else in the market.

Other revenue streams traditionally used by hackers and crackers on the dark side are also under pressure. Malware generation and exploit kits used to be a solid source of illicit revenue but the market is increasingly flooded and there are plenty of dodgy practices.

Last year 33 new exploit kits were detected online, the report states, and 42 more that are revamped versions of older code. But sellers are increasingly ripping off code of more successful kits and some, at the cheaper end of the market, are of little use against up-to-date security software.

Overall, the report finds that the prices for traditional purloined online goods like credit card numbers are falling rapidly, due to oversupply in the market. Those hackers working on the illegal side of the market are seeing revenues squeezed and this to could provide more of an incentive to go legit for the best players. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.