Sunday, February 13, 2005
A glimpse of the black market
Have you ever wondered what happens to security problems between the time they're discovered and the time they're fixed?
If we're lucky, someone ethical finds the problem, they quietly notify the people who maintain the flawed product, and in due course a fix comes out. For example, Core Security Technologies discovered a severe problem in MSN Messenger, told Microsoft about it last August, and Microsoft released a fix this month.
What happens if a bad guy finds a security problem before it gets fixed? Security researcher Mark Loveless has some numbers about that. Infoworld quotes Loveless as saying that bad guys can sell the news of an unknown security hole (and a program to exploit it) for a few thousand dollars.
Who spends money buying attack tools, and why? Governments buy them (use your imagination). Organized crime can use the attack tools to take over computers and sell access to them. Zombified computers sell for 3 to 10 cents (US) each in lots of 5000.
Once you own someone else's computer you can send spam or simply display ads to the victim. Spyware and adware firms aren't illegal yet, so we have firm numbers from them. Security Focus reports that spyware brings in around 3 dollars per infected machine per year.
Stolen credit card numbers, depending on how fresh they are, can range from 50 cents to 5 dollars each in lots of 1000. That seemed high to me: Loveless explains that the price has gone up since the US Secret Service shut down some suppliers.
Security's in terrible shape when security flaws and compromised machines are so plentiful that they sell so cheap.