A market for selling software “gaps” has started operating in Russia

According to Kommersant, the first exchange has started operating in Russia on which developers and hackers will sell vulnerabilities in popular software such as Adobe Flash, Windows, Tor, iOS and others. The company, founded by a former employee of the Federal Financial Monitoring Service, intends to resell the information to state bodies, companies in the field of information security and, according to Kommersant's sources, the secret services. Some of the software gaps can cost up to $500 thousand.

A team of former hackers and developers has launched a Russian exchange at expocod.com for the purchase of vulnerabilities in popular software. For example, according to the information on the website, the company is willing to pay $55 thousand for an exploit (a program that uses a vulnerability in software to carry out an attack on a computer system) in Adobe Flash. Vulnerabilities in various browsers can be sold to the site for $35-60 thousand, a hole in the Tor anonymizer can be purchased for $80 thousand, and holes in the operating systems Windows, OS X, Linux and others for $35-80 thousand. According to the FAQ, Expocod is going to resell the purchased exploits to government agencies and companies in the field of information security (IS).

Expocod founder Andrew Shorohov, contacted by Kommersant, states that he previously worked in financial intelligence, in the financial investigations directorate of Rosfinmonitoring, where his specializations included investigating high-tech crime. “I am the only owner of Expocod and the final beneficiary of this project; there are no investors, secret ones included, and all the funds for the development of the project are invested by me,” says Mr. Shorohov. According to him, the Expocod team includes former hackers who have switched to the “light side”, and experts from the information security industry. The main activity of the company is the sale of exploits. In addition, the company plans to search for and develop vulnerabilities, as well as to develop its own software with a set of test exploits that make it possible to evaluate the degree of protection of any IT system. “For example, we will be able to test a bank's ABS for vulnerabilities, or the extent to which a defense enterprise is vulnerable to external threats,” said Mr. Shorohov. He says that a preliminary agreement on such testing has already been reached with one of the top-10 Russian banks. “By our existence we want to show that vulnerability researchers can earn money not only by breaking into various objects, but also by giving their work to security,” he says.

By the end of the year, Expocod's turnover from acquiring exploits from developers and hackers will be around 100-120 mln; payment will be made by bank transfer or in bitcoins, says Andrew Shorohov. Expocod intends to resell what it buys to information security companies that need exploits to conduct penetration testing, as well as to state agencies. “We reserve the right to choose to whom and what to sell; it’s a question of ethics and reputation. Of course, we will not sell exploits to some fighters for the independence of Somalia, to North Korea, or to similar regimes, but to all the rest, why not?” says Mr. Shorohov. Two people who spoke with Kommersant and are familiar with the project say that the FSB communicated with Expocod about the possible acquisition of exploits. The FSB did not respond to Kommersant's request. Andrew Shorohov notes that the use of exploits by government agencies is a “necessity in today’s world to defend its strategic interests in the field of information security.” Expocod has no plans to inform vendors about vulnerabilities in their software. However, he emphasizes that the search for and disclosure of vulnerabilities in software (paid or free) is not illegal. “Do not confuse hackers who use vulnerabilities in practice with researchers who deal with vulnerabilities in theory,” says Andrew Shorohov.

The best-known sites in the world for buying exploits are Zerodium, Zeronomicon, Zero Day Initiative, and Mitnick’s Absolute Zero-Day Exploit Exchange, created by former hacker and current information security expert Kevin Mitnick. In November 2015 Zerodium published the price list at which the company acquires exploits, and on some items its prices exceed Expocod's.

For vulnerabilities in Android and Windows Phone the company is willing to pay up to $100 thousand, and in iOS up to $500 thousand. In September 2013 information was made public that the NSA had worked with Zerodium's predecessor, the company Vupen.

“There are about two dozen large sites in the world for buying exploits. Stably working exploits for modern browsers are among the most expensive; the cost can reach $500 thousand. On the whole, an exploit is a kind of digital weapon, and the final buyer can pursue different objectives,” says Wallarm CEO Ivan Novikov. He noted that there are legal and black markets for the sale of vulnerabilities. “In the first case, when purchasing an exploit, the broker enters into a contract with the developer, which specifies all of their data,” he says. Zeronomicon founder Alfonso de Gregorio told Kommersant that for public-sector bodies “holes” in certain software may be of strategic importance, and so in transactions with them the value of information about vulnerabilities may reach millions of euros. “Volumes in this market are growing rapidly. We are watching and will monitor the activities and development of the site in the Russian Federation. Regarding cooperation, probably not,” the hacker group “Anonymous International” told Kommersant.

ALT Linux CEO Alexei Smirnov notes that the activities of companies that buy and sell exploits are not contrary to the law. “Many vendors, for example, also buy vulnerability information, and not only in software; for example, anti-virus companies buy it to update their anti-virus databases. The business of buying and selling exploits simply carries big risks: misuse of the information is likely,” says Mr. Smirnov.

1 June 2016

IT News / Dig-Life