The struggle to police zero-day exploits

The Dark Web is developing quicker than law enforcement’s ability to police it, and hackers are taking the opportunity to auction exploits to the highest bidder

By Aaran Fronda | Thursday, October 8th, 2015

Instead of alerting developers when they find a flaw in a website's architecture, many hackers are now choosing to list their zero-day exploit for auction anonymously on the Dark Web

Zero-day exploits arise from mistakes developers make while programming software. The more blunders a programmer makes, the more vulnerabilities there are to exploit. These holes in the software are problematic, not just because they leave the door wide open for those interested in breaching the program’s security and lifting things like credit card information, but also because the owner of the software is unaware of the structural weakness until a hacker finds it. Once the exploit is identified, the hacker can do one of three things: altruistically alert the vendor to the vulnerability; sell the exploit to the company that owns the software for a fee; or list the zero-day for auction anonymously on the Dark Web.

Such exploits were once relatively rare, with many malware security companies identifying only a few vulnerabilities each month. Nowadays, however, more and more holes are being found. The primary cause of this surge is the expansion of the software sector, but it’s also partly down to the rising demand for these exploits and the increasing ease with which they can be bought and sold on the Dark Web. This trend is driven by government intelligence agencies, criminal networks, terrorist organisations, and potentially other private companies looking to crush competitors.

While a market for zero-day exploits has existed for many years, a new online bazaar recently sprang up on the dark net, referring to itself as ‘TheRealDeal Market’. Its purpose is to act as a perverse form of eBay, brokering deals between the hackers holding highly valuable vulnerabilities and those looking to exploit them. What is more, the anonymity afforded through the use of services such as the Tor network and the decentralised digital currency Bitcoin makes it almost impossible to track this illicit trade.

While a number of other sites on the Dark Web sell relatively modest hacking tools and the stolen financial information of individual users, this new marketplace is looking to attract the ‘higher end’ of the market, appealing to sellers of highly prized source code and zero-hour exploits that have the capability to leave vendors and entire user bases at the mercy of those with the necessary capital to purchase them. The rise of TheRealDeal Market raises a number of legal and ethical issues that, for the time being, appear impossible to resolve.

TheRealDeal Market
The online news site DeepDotWeb claimed to have conducted a short interview with one of TheRealDeal Market’s administrators. “We have a lot of experience dealing in the clearnet when it comes to zero day exploit code, databases and so on… But the problem is that 90 percent of these dealers are scammers”, said the anonymous interviewee. “People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos, but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code, combined with a system that will prevent fraud and also provide high anonymity.”

But it isn’t just zero-day exploits and access to high-level hacking tools that are for sale. According to the website Wired, TheRealDeal Market is also home to “a variety of money laundering services, stolen accounts and drugs”. It appears to be a one-stop shop for a plethora of illegal goods and services, and yet another successor to the Silk Road, which was seized in a joint operation by the FBI, Homeland Security, Europol and Eurojust two years ago. Despite this, the administrator of TheRealDeal Market claimed, in the interview with DeepDotWeb, that they were looking to remove these items from their site.

Expecting any aspect of the Dark Web economy, which through high levels of anonymity is able to offer a market unconstrained by laws and regulation, to exhibit morals and ethics is asking a lot. But not everyone is so concerned about the moral ambiguity shown by those on the Dark Web.

“I think, in one way or another, these things have always existed”, said Andrew Hilton, Chief Technology Officer of Boomf. “Be it from the innocence of something like the Magic Circle, to general espionage that has been happening for hundreds of years. I see it as nothing more than an evolution of these things into the digital space.”

Ethics of exploits
Though there is something inherently ugly about zero-day exploits being sold for hundreds of thousands of dollars, the individuals with the necessary capital and desire to purchase them are likely to be the very companies whose software has been compromised in the first place. Those selling the exploits are effectively holding these private entities to ransom over their own software’s exposed vulnerabilities. But, rather than feel too much pity for the companies that fall prey to such exploits, Hilton argues the hackers are providing a valuable service.

“Generally, a lot of these companies do not open their source code for inspection, and rely on security by obscurity”, he said. “While this may have worked in the past, I do not believe it does now. Bug bounties and programmes that reward people that find vulnerabilities seem to work much better, as too does open source software with many eyes on it.

“Personally I would prefer the companies to get bitten than my privacy; their job is to build secure products. If they have succeeded, they do not have much to worry about.”

More must be done to compensate ‘white hat’ hackers, as without reward systems and open ways of reporting bugs, the companies that control such vast amounts of data are at risk, and so are their users. Without these markets, there is less incentive for tech companies and governments around the world to ensure the information they hold is adequately protected.

“People have been cracking software since the Enigma”, said Hilton. “The anonymity of the internet just makes it easier to expose it to the public. I think the real question is: ‘Now that they are more in the open, should the public care?’ I would say no. These cat and mouse games have always been there, they are just evolving, and, because it is easier to hide in plain sight, people are finally starting to learn about their existence.”

Successors to the Silk Road bear a striking resemblance to Napster – decentralising power and democratising information and goods in a manner many could never have dreamed of, let alone worked out how to control. Whenever new tools for informational freedom are built, it seems some will misuse them. In the end, critics and advocates of the Dark Web economy must accept the genie is out of the bottle.