11 Feb 2014

Zero days, cyber weapons – and Microsoft’s latest mission

Katie Moussouris doesn’t look like the kind of person who’d pay a bounty hunter: but then, chasing parole-dodgers over chain-link fences isn’t quite what she’s after.


Moussouris heads up Microsoft’s bug bounty programme and as such has a unique eye on a weapons market you probably never knew existed – the trade in cyber weapons.

It works like this: those who are smart enough to spot a security flaw in the code behind Microsoft’s products (or anyone else’s for that matter) have a number of options. They can report it to the company which makes the product, which in days gone by has yielded little profit.

Or they can hawk their discovery on the black market, or to one of a number of “exploit buyers”. The sums involved are beefy: some buyers will offer tens if not hundreds of thousands of dollars, but the critical factor is that the flaw must be as-yet undiscovered by anyone else – a so-called “zero-day”. This means the anti-virus companies and software makers won’t yet have rumbled the flaw, giving hackers a vital window of opportunity to use the glitch before it gets fixed.

So advanced has this market become that there are now intermediaries who connect flaw-finders with buyers, and arrangements are made for the money to keep flowing for as long as the security hole remains open for use.

It’s not just criminals who are buying. Companies like Vupen have made little secret of the amounts they’ll pay to secure such hacker tools for governments and law enforcement agencies.

Moussouris is leading Microsoft’s attempts to disrupt this market. The company offers up to $100,000 to hackers who hand over their finds – and is now rolling this out to security companies who can prove they’ve found malicious code that can work against Microsoft’s latest operating software.

It’s one of several attempts across the industry to change the economics of hacking – only time will tell if it starts to change the trade in the little-known but highly influential market in cyber weapons.

Follow @geoffwhite247 on Twitter