Feeds

Forget black hats – the best hackers are going grey and getting legit

Bug bounties make going legit a tempting proposition

  • alert
  • submit to reddit

Remote control for virtualized desktops

A report from the Rand Corporation suggests the increasing market for software vulnerabilities that can be sold legitimately is tempting the most 1337 hackers and crackers to go legit, rather than suffer the vagaries of the black market in code and credentials.

"There's an economic seesaw in the market," Michael Callahan, VP of security products at Juniper Networks, told The Register. "At a point it becomes more attractive to sell on the legitimate market verses selling them to online arms dealers. It's driven by economics."

The black market can be as lucrative as the drugs trade, the Rand report notes, but the risks are also high, and not just from the police. While law enforcement is improving its abilities to catch cyber criminals the report notes that the attackers have the upper hand, but double-crossing within the industry is rife.

The study states that around 30 per cent of sellers in black market bazars for stolen credit cards and credentials are rippers – those who take the money and run. Of these, less than a fifth are caught and forced to complete the transaction.

Rand says that the increasing use of bug bounty programs offers an increasingly attractive form of revenue for security specialists, and one that provides a legitimate source of income., While rewards for such programs are still low, the report notes that some very high prices can be got for major undiscovered vulnerabilities from security organizations and from government buyers.

The report lists prices of up to $250,000 quoted for a solid iOS zero-day flaw (the top price for OS X is just $50,000) or $120,000 for a serious Windows flaw. The price depends a lot on how recent and effective the flaw is, but it's widely recognized in the community that the American government will outspend almost anyone else in the market.

Other revenue streams traditionally used by hackers and crackers on the dark side are also under pressure. Malware generation and exploit kits used to be a solid source of illicit revenue but the market is increasingly flooded and there are plenty of dodgy practices.

Last year 33 new exploit kits were detected online, the report states, and 42 more that are revamped versions of older code. But sellers are increasingly ripping off code of more successful kits and some, at the cheaper end of the market, are of little use against up-to-date security software.

Overall, the report finds that the prices for traditional purloined online goods like credit card numbers are falling rapidly, due to oversupply in the market. Those hackers working on the illegal side of the market are seeing revenues squeezed and this to could provide more of an incentive to go legit for the best players. ®

Intelligent flash storage arrays

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
prev story

Whitepapers

Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.