Tuesday, January 30, 2007

Security flaw in Vista

After what seemed to be a lifetime, Windows Vista finally hit the consumer market. For many, this is the start of a new experience in Windows; but for some, it is a race to find vulnerabilities in Microsoft’s new OS.

Security flaw in Vista? show me the money

Evgeny Legerov, founder of the security firm Gleg Ltd. in Moscow has been finding security flaws in web browsers and operating systems for years. “To find a vulnerability, you have to do a lot of hard work,” said Evgeny.

He’s not doing it for a smile or renowned fame; he’s in it for the money. Evgeny claims doing the responsible thing just doesn’t pay the bills, “If you follow what they call responsible disclosure, in most cases all you receive is an ordinary thank you or sometimes nothing at all.”

Gleg Ltd. sells vulnerability research to customers around the world for a minimum of $10,000; but claims there is a huge black market for such data. One example, discovered by the Japanese antivirus company Trend Micro, is a case where a hacker on a Romanian Web forum was offering a Vista vulnerability for $50,000. Evgeny says he receives offers like this all the time, and has to reject them despite the financial gain. The price is in direct proportion to the popularity of the software.

In a similar scenario this month, iDefense, a Virginia-based subsidiary of the technology company VeriSign, will be offering $8,000 to the first six researchers who uncover holes in Vista, and an additional $4,000 for the code that can be used to take advantage of Vista’s ‘back doors.’

This is obviously a small percentage of what can be made on the black market; but if you want to keep things legal, $8,000 is a fair offer. iDefense, in turn, sells this information to government agencies and corporations to protect their systems.

Microsoft does not endorse such bounty programs, and would rather the research come to them first. Disclosing any Vista weakness to the public could result in hackers abusing the information before a patch can be issued.

“With the underground trading of vulnerabilities, software makers are left playing catch-up to develop updates that will help protect customers,” said Mark Miller, director of the Microsoft Security Response Center.

Vista, not having an antivirus program or support for legacy antivirus software, seems like a security flaw to me; but I won’t be up all night trying to hack Microsoft’s most secure operating system in history.
