You've just been hacked by something the Government bought.

Posted on Posted in Security

How do governments & cyber criminals develop the zero day exploits that they then use to infect your computer systems to steal data or eavesdrop on you?  Simple…  they buy them.

The going rates for exclusive use are thus:

Application From ($)
To ($)
Adobe Reader 5,000 30,000
Mac OSx 20,000 50,000
Android 30,000 60,000
Flash or Java Plug-in 40,000 100,000
Microsoft Word 50,000 100,000
Windows 60,000 120,000
Firefox/Safari 60,000 150,000
Chrome or IE 80,000 200,000
IOS 100,000 250,000

 Source Forbes  

The market is made up of small companies such as Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, in Malta.  There are also a range of brokers such as The Grugq who will act as intermediaries between the developers and the governments/crime syndicates as well as some major Defence Contractors such as Northrop Grumman and Raytheon.

In terms of how effective the exploits are:
The average Zero Day attack persists for 312 days before it’s detected, vulnerability purchase to public disclosure is between 133 and 174 days.

Attacks exploiting Zero Day before and after disclosure time

And how widespread?:
The Known Unknowns | NSS Labs has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe.  The NSA has a budget of $25M to purchase this kind of kit and GCHQ can’t be that far behind.

 

Leave a Reply