Google attack highlights 'zero-day' black market
By Jordan Robertson, AP Technology Writer
Friday, January 29
SAN FRANCISCO – The recent hacking attack that prompted Google's threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws, and renewing debate over buying and selling information about them on the black market.
The linchpin of the attack was one of the worst kinds of security holes: one for which no fix was yet available. Criminals treasure these "zero-day" vulnerabilities because they are the closest thing to a sure thing and virtually guarantee the success of a shrewdly crafted attack.
The attackers waltzed into victims' computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.'s Internet Explorer browser. Microsoft rushed out a fix after learning of the attack.
How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole "wide enough to drive a truck through" can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.
"Zero days are the safest for attackers to use, but they're also the hardest to find," Silva said. "If it's not a zero day, it's not valuable at all."
The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims' computers.
The attack, along with the discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China's censorship of Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.
Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users' part.
Zero days refer to security vulnerabilities caused by programming errors that haven't been "patched," or fixed, by the products' developers. Often those companies don't know the weaknesses exist and have had zero days to work on closing the holes.
In this case, Microsoft had actually known about the flaw since September but hadn't planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven't yet seen used in attacks.
Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.
But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old, and thus struck in December, just before they thought Microsoft was going to fix it.
"They likely thought the bug would be fixed in January or February," he said. "They were right."
Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use.
"Zero days aren't difficult to find," said Steve Santorelli, a former Microsoft security researcher who now works with Team Cymru, a nonprofit research group. "You don't have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you're willing to put in."
In fact, such exploits are widely available for the right price.
VeriSign's iDefense Labs and 3Com Corp.'s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called "white market." They alert the affected companies without publicly disclosing the flaw, and use the information to get a jump on rivals in building protections into their own security products.
There's also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as much as $1 million for a single vulnerability, a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.
Whether to pay, and whether to seek payment, is hotly debated among researchers.
"I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen. As terrible as that is, I made that choice, and it's hard," Miller said. "It's a lot of money for someone to turn down."
Companies whose products are vulnerable generally won't pay outside researchers for bugs they've found. Microsoft said offering payment "does not foster a community-based approach to protecting customers from cybercrime." The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.
On Thursday, Google announced that it will start paying at least $500 to researchers who find certain types of bugs in its Chrome browser, calling the program an "experimental new incentive." That mirrors a reward that Mozilla has been offering for critical bugs found in its Firefox browser.
Computer vulnerabilities are so dangerous that one day private companies such as Microsoft might be pressured into buying from the black market to prove they're doing all they can to keep customers secure, especially the most critical ones such as the military and power companies.
"I think it's only a matter of time," said Jeremiah Grossman, founder of WhiteHat Security Inc. "Something really bad has to happen first, and it hasn't yet. When a virus runs through a children's hospital and causes loss of life, it's going to matter a lot."
___
On The Net:
Charlie Miller's paper on selling zero-day vulnerabilities: http://weis2007.econinfosec.org/papers/29.pdf
VeriSign's bug-buying program: http://labs.idefense.com/vcp
TippingPoint's bug-buying program: http://www.zerodayinitiative.com
Google's bug-buying program: http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html
Mozilla's bug-buying program: http://www.mozilla.org/security/bug-bounty.html