Arms Race In Zero Days Spells Trouble For Privacy, Public Safety

ID THREATPOST:4E345D523AA3EF8D5D06880D1063B0C6
Type threatpost
Reporter Paul Roberts
Modified 2013-07-18T19:20:47


_Editor’s Note: This is the second of a two-part podcast with independent security researcher Chris Soghoian._

In the first part of our podcast with independent security researcher Chris Soghoian, we talked about the way that the proliferation of “free” applications has forced consumers into the position of increasingly trading privacy for access to cool new Web sites and tools. The market, Soghoian argued, has failed to provide choice to consumers who may want to participate in social networks but don’t want their online activities passed along to advertisers.

In the second half of his interview with Threatpost Editor Paul Roberts, Chris switched focus from protecting consumers against advertisers to the fast-growing market for surveillance products.


As Soghoian sees it, the public sector – both government and law enforcement – has abrogated its responsibility to protect consumers from online predation. Why, you might ask? In Soghoian’s view, the government turns a blind eye to insecure computers because those same insecure systems might provide access to law enforcement or intelligence services, should they need it.

It’s a daring claim, and one that’s difficult to prove, because so much of the dealing in undocumented (“zero day”) software vulnerabilities happens behind the scenes. Even published reports about exploitable holes in popular devices (like the recent Forbes report about an Apple iOS zero day that sold for $250,000) are often attributed to unnamed sources and impossible to verify. What is clear, Soghoian says, is that the discovery and publication of information on software holes in popular platforms like Internet Explorer has gone from an open and mostly volunteer activity by a small cadre of experts to a burgeoning and mostly underground market between researchers and software firms or, increasingly, independent middlemen. The market itself is worth tens, if not hundreds, of millions of dollars.

Soghoian said the public expects intelligence agencies to engage in digital spycraft.

“I’m not naive enough to believe governments can be stopped from doing this,” Soghoian said. “NSA is always going to be able to hack into people’s systems and there’s nothing we can do to stop this.”

But the global trade in exploits by private firms such as Vupen Security is another matter, he claims.

“If you think our own intelligence agencies can be trusted, maybe you don’t think foreign intelligence agencies can. And U.S. middleman firms are providing these flaws to these agencies.”

Soghoian is not the first to raise a red flag over for-profit vulnerability and exploit sales. At the CanSecWest security conference in Vancouver, Chaouki Bekrar of VUPEN Security defended his company’s sales of exploitable security holes to private customers. Bekrar told Threatpost at that show that VUPEN would be holding on to a memory corruption flaw in Internet Explorer’s protected mode sandbox for itself and its customers, so that it could be reused in combination with other IE bugs in future sales, much to the consternation of security researchers.

Just as troubling, Soghoian says, is the growing use of digital surveillance tools even by state and local authorities, who rarely have the expertise to handle them safely.

“The Keystone cop is not an expert in information security,” he said.

Rather than tolerate widespread insecurity on laptops and mobile devices, governments – including the U.S. government – should use their full weight to encourage better online security, including automated patching and software updates to remove exploitable holes, he said.

Check out the rest of Threatpost’s interview with Chris Soghoian here.