Kevin Mitnik masters the profession of the future
During his youth, Kevin Mitnik became the most famous hacker in the world. For many, he became a role model. His method of penetrating the telecommunications company’s network by marrying an employee of this company is generally a classic of the genre.
But after leaving prison, Kevin Mitnik turned into a “white” hacker: he did pentesting, advised companies in the field of IT security, published books on social engineering, and lectured. However, this was not enough, and now Kevin, so to speak, is back to the roots: he is selling 0day exploits.
Mitnik has opened its own trading platform for exploits Mitnick's Absolute Zero Day Exploit Exchange .
Mitnik writes that the exploits, which he found himself, are also offered for sale, and from third-party researchers, at a price of $ 100 thousand.
In general, recently, exploit trading has become quite a normal business, no one considers this a crime. Although individual hackers may sell 0day vulnerabilities anonymously, they are not the ones who remove the cream. Other firms operate quite openly.
For example, the French company Vupen has been selling open-source exploits for several years to intelligence agencies and government intelligence agencies. It is authentically known that Vupen sold one of the 0day vulnerabilities in the IE browser to the NSA.
The joke happened at the Pwn2Own hacker contest in 2012, when Vupen won, but refused to receive a $ 60K reward and pass an exploit to hack Chrome. The company owners refused the money and said they would save an exploit for their customers. The same thing happened in 2012 with an exploit for IE 6-10 . It became approximately clear what this product is worth on the black market.
The official website of Vupen Security indicatesthat the company provides customers with “offensive exploit services”. Since such activity on the part of private companies or individuals is subject to the criminal code, there is only one thing left - Vupen Security's customers are government agencies, law enforcement agencies, and intelligence services. In theory, only they have the right to legally use such exploits. The Vupen Security website says that they carefully select customers; they can only be NATO countries, ANZUS and ASEAN.
Vupen is not the only exploit broker in the world market. In addition to it, several other companies, including Netragard, Endgame, Northrop Grumman and Raytheon, are engaged in the purchase of exploits from independent hackers for resale. But they do this as discreetly as possible in an atmosphere of absolute secrecy. Vupen company is distinguished by the fact that it conducts business on a grand scale and does not refuse such PR as participation in hacking contests.
One way or another, but the trade in exploits and 0day vulnerabilities seems to have finally gone out of the shadow and become a legal industry. The same Vupen pays taxes in France for every exploit sold. What is not the prospect of creating your own business?
Not only individual companies, but also private entrepreneurs can engage in this business. The main thing is to have good connections. A good example of a new wave entrepreneur is Grugq, which is engaged in exploit trading.
He uses his old hacker connections and works as an intermediary, buying exploits from hackers and selling them to government agencies. Grugq takes a commission of 15% and assures that in one month it can sell exploits for 250 thousand dollars.
By the way, the analytical company Frost & Sullivan awarded Vupen first place in the 2011 Entrepreneurial Company of the Year competition, that is, they were called the most promising business of 2011. In other words, taking into account the ever-growing demand for 0day exploits, companies can earn a lot of money by searching and selling exploits.