Zero-Day vulnerabilities are a category of software flaws that cyber criminals exploit before the software developer comes to know of them and fixes them through a bug-fixing patch or upgrade. Since such vulnerabilities are not known to security companies such as anti-virus or anti-malware software providers, the criminals get the maximum productivity from such tools.
Honest citizens would find it disgusting to know that there is a thriving market for exploits in which the “Zero Day” tag carries a premium. As long as this market thrives, control of cyber crime becomes difficult. Unfortunately, even some law enforcement agencies appear to be buying these tools for surveillance purposes, legitimizing these criminal operations. This is similar to the arms trade in the physical world, where there are countries which thrive by supplying arms to terrorist organizations and rogue nations.
Recently one of these underground operators, an Italian company called the “Hacking Team” which was a supplier of “exploits”, was exposed. This was a typical inter-gang-war type of operation in which another hacker hacked into the Hacking Team’s resources and placed voluminous data in the public domain. This not only revealed the customer list of this company, which called itself a “Security Company”, but also revealed how the company marketed its capability to supply Zero Day exploits, how it priced these services, the kind of warranties it provided to its customers, etc.
A Case Study based on the information now in the public domain is available here.
One of the interesting aspects is the observation that Zero Day exploits have a price of around $45,000 per month, and that the Hacking Team even provided free replacement of exploits which were patched quickly by the software vendor, as part of its “Warranty”. It is also to be noted that the Italian Government was aware of the operations of the company and did not think it was either immoral or illegal. It is also depressing to note that many law enforcement agencies have been customers of this “Cyber Arms Supplier”.
It has been reported that the US is considering a new law that may classify Information Security products as “Cyber War Tools”. If this happens, then the activities of the Hacking Team and similar outfits will actually become outlawed.
It is time we as a society think about how we react to such developments in the interest of citizens. India, being a major victim of terrorism and an economy dependent on IT, needs to take up this issue with the UNO to formulate a strategy for dealing with “Cyber Arms Dealers”. Perhaps there should be an international treaty sponsored by the UNO which prevents governmental patronage of such hacking outfits, who would otherwise find their illegal activities rewarded in monetary terms. The public, on the other hand, will be the victims of the experimentation involved in the development of these Cyber War tools sponsored by state actors. Environmentalists who fight against nuclear testing need to turn their attention to the damage done to the e-ecosystem by the testing and development of hacking tools by organizations and their supporting state actors.
Naavi