A zero day bug in several versions of the Windows operating system has been found by a hacker and put up for sale on a popular cybercrime forum. Zero day bugs are those that are previously unknown – new bugs that are unknown even to the developers of the software itself. These vulnerabilities have become more and more sought after as the prices paid by bug bounty programs increase.
These types of vulnerabilities have been in the news lately because of their growing role in foreign and domestic government conflicts. Most recently the FBI purchased a zero day vulnerability to access the iPhone of the San Bernardino terrorist. It was the only alternative to forcing Apple in court to open up a backdoor – a conflict that had many in the security community up in arms. But Apple didn’t need to create the backdoor – someone else did. And it’s considered a zero day bug because of the unknown nature — it’s out there, but only the person (or persons) who found it and the FBI are privy to the details. Apple still, apparently, doesn’t know how they did it.
These zero day bugs carry a large bounty. And thus the different roles of hackers were born: white, grey, and black. Those that just give up the bug for the sake of education and public interest are known as white hat hackers. They ply their trade as a hobby, knights in shining armor of the security community. They like to find the bugs first before the bad guys. They give up their secrets for free (or sometimes reward) to the companies that publish the software.
Grey hat hackers are those that find vulnerabilities and sell them to governments. It’s unknown whether or not the government will use those vulnerabilities for good or ill, hence the “grey” nature of their deeds.
Black hat hackers use their knowledge to inflict damage on others and on software itself. They are the vandals and bandits of the cyber community. The recent zero day Windows bug was found by a black hat hacker and was put up for sale on the cybercrime forum exploit[dot]in. As reported by Krebs On Security, it appears that rather than get a larger sum of money from Microsoft for the bug bounty, the hacker was willing to take a smaller financial sum in exchange for the reputation points that selling such a vulnerability on the forum would bring.
It’s an interesting conflict of interests, and a study in human nature. But one thing is for certain – zero day flaws are fast becoming a very profitable commodity and there is big business in cyber warfare. As more and more of our daily lives and business are conducted online and through computers, the more valuable these security holes will become – whether for good use or ill.
What do you think should happen? Should the government begin to subsidize bug bounty programs? Should companies step it up and offer even greater sums of money to try to turn grey or black hat hackers towards the white side?