Welcome to the Malware-Industrial Complex

By Tom Simonite


The U.S. government is developing new computer weapons and driving a black market in “zero-day” bugs. The result could be a more dangerous Web for everyone.

Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven’t been quite so dramatic in recent years.

One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a “zero-day” vulnerability because the software makers have had no time to develop a fix, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.

This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.

Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.

It became clear that this type of assault would define a new era in warfare in 2010, when security researchers discovered a piece of malicious software, or malware, known as Stuxnet. Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet’s many striking features.

Since then, more Stuxnet-like malware has been uncovered, and it’s involved even more complex techniques (see “The Antivirus Era Is Over”). It is likely that even more have been deployed but escaped public notice. Meanwhile, governments and companies in the United States and around the world have begun paying more and more for the exploits needed to make such weapons work, says Christopher Soghoian, a principal technologist at the American Civil Liberties Union.

“On the one hand the government is freaking out about cyber-security, and on the other the U.S. is participating in a global market in vulnerabilities and pushing up the prices,” says Soghoian, who says he has spoken with people involved in the trade and that prices range from the thousands to the hundreds of thousands. Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

Exploits for mobile operating systems are particularly valued, says Soghoian, because unlike desktop computers, mobile systems are rarely updated. Apple sends updates to iPhone software a few times a year, meaning that a given flaw could be exploited for a long time. Sometimes the discoverer of a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered. “As long as Apple or Microsoft has not fixed it you get paid,” says Soghoian.

No law directly regulates the sale of zero-days in the United States or elsewhere, so some traders pursue it quite openly. A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and western Europe. In a discussion on Twitter last month, in which he was called an “arms dealer,” he tweeted that “exploits are not weapons,” and said that “an exploit is a component of a toolchain … the team that produces & maintains the toolchain is the weapon.”

The Grugq contacted MIT Technology Review to state that he has made no “public statement about exploit sales since the Forbes article.”

Some small companies are similarly up-front about their involvement in the trade. The French security company VUPEN states on its website that it “provides government-grade exploits specifically designed for the Intelligence community and national security agencies to help them achieve their offensive cyber security and lawful intercept missions.” Last year, employees of the company publicly demonstrated a zero-day flaw that compromised Google’s Chrome browser, but they turned down Google’s offer of a $60,000 reward if they would share how it worked. What happened to the exploit is unknown.

No U.S. government agency has gone on the record as saying that it buys zero-days. But U.S. defense agencies and companies have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks, a stance that will require new ways to penetrate enemy computers.

General Keith Alexander, director of the National Security Agency and commander of the U.S. Cyber Command, told a symposium in Washington last October that the United States is prepared to do more than just block computer attacks. “Part of our defense has to consider offensive measures,” he said, making him one of the most senior officials to admit that the government will make use of malware. Earlier in 2012 the U.S. Air Force invited proposals for developing “Cyberspace Warfare Attack capabilities” that could “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” And in November, Regina Dugan, the head of the Defense Advanced Research Projects Agency, delivered another clear signal about the direction U.S. defense technology is heading. “In the coming years we will focus an increasing portion of our cyber research on the investigation of offensive capabilities to address military-specific needs,” she said, announcing that the agency expected to expand cyber-security research from 8 percent of its budget to 12 percent.

Defense analysts say one reason for the shift is that talking about offense introduces an element of deterrence, an established strategy for nuclear and conventional conflicts. Up to now, U.S. politicians and defense chiefs have talked mostly about the country’s vulnerability to digital attacks. Last fall, for example, Defense Secretary Leon Panetta warned frankly that U.S. infrastructure was being targeted by overseas attackers and that a “digital Pearl Harbor” could result (see “U.S. Power Grids, Water Plants a Hacking Target”).

Major defense contractors are less forthcoming about their role in making software to attack enemies of the U.S. government, but they are evidently rushing to embrace the opportunity. “It’s a growing area of the defense business at the same time that the rest of the defense business is shrinking,” says Peter Singer, director of the 21st Century Defense Initiative at the Brookings Institution, a Washington think tank. “They’ve identified two growth areas: drones and cyber.”

Large contractors are hiring many people with computer security skills, and some job openings make it clear there are opportunities to play more than just defense. Last year, Northrop Grumman posted ads seeking people to “plan, execute and assess an Offensive Cyberspace Operation (OCO) mission,” and many current positions at Northrop ask for “hands-on experience of offensive cyber operations.” Raytheon prefaces its ads for security-related jobs with language designed to appeal to stereotypical computer hackers: “Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores. Our research and development projects cover the spectrum of offensive and defensive security technologies.”

The new focus of America’s military and defense contractors may concern some taxpayers. As more public dollars are spent researching new ways to attack computer systems, some of that money will go to people like The Grugq to discover fresh zero-day vulnerabilities. And an escalating cycle of competition between U.S. and overseas government agencies and contractors could make the world more dangerous for computer users everywhere.

“Every country makes weapons: unfortunately, cyberspace is like that too,” says Sujeet Shenoi, who leads the U.S.-government-sponsored Cyber Corps Program at the University of Tulsa. His program trains students for government jobs defending against attacks, but he fears that defense contractors, also eager to recruit these students, are pushing the idea of offense too hard. Developing powerful malware introduces the dangerous temptation to use it, says Shenoi, who fears the consequences of active strikes against infrastructure. “I think maybe the civilian courts ought to get together and bar these kinds of attacks,” he says.

The ease with which perpetrators of a computer attack can hide their tracks also raises the risk that such weapons will be used, Shenoi points out. Worse, even if an attack using malware is unsuccessful, there’s a strong chance that a copy will remain somewhere on the victim’s system—by accident or design—or accidentally find its way onto computer systems not targeted at all, as Stuxnet did. Some security firms have already identified criminal malware that uses methods first seen in Stuxnet (see “Stuxnet Tricks Copied by Criminals”).

“The parallel is dropping the atomic bomb but also leaflets with the design of it,” says Singer. He estimates that around 100 countries already have cyber-war units of some kind, and around 20 have formidable capabilities: “There’s a lot of people playing this game.”
