Fear of a Black Hat

Adam L. Penenberg, Fast Company, July 2008

JUERGEN MARESTER, A 24-YEAR-OLD French network consultant, needed seed capital to start his own computer-security company. So he turned to his off-hours hobby — black-hat hacking — and did what a growing number of hackers are doing: selling “0days” (pronounced “oh-days” or “zero days,” it generally refers to unknown, or zero-hour, software threats). These are recipes and code for penetrating the software run by governments, corporations, and private citizens. When properly deployed, 0days can result in minor disruptions such as a Web site’s temporary paralysis. At their extreme, they grant an attacker total control over a network.

In August 2007, Marester announced on a popular computer-security forum that he had 0days for Linux, HP-UX (the computer maker’s popular Unix database software), Microsoft Windows, and Apache. “Please let me message by mail if you are interested,” he typed. By mid-September, he also offered 0days for SAP, Mozilla Firefox, Microsoft’s Office 2003 and 2007, and Internet Explorer. “For any interest, please mail me to this adress [sic]. Good bye and have a good day.”

The posts weren’t unusual for this forum, except, perhaps, for their politeness. They provide a window into a thriving black market for hackerware, where computer-security firms, mobsters, corporate spies, cybercrime rings, and government agents rub shoulders with code jockeys looking to score quick bucks. Any company or government entity running popular programs, such as the ones on Marester’s list of targeted software, is at risk, and governments — both allies and enemies of the United States — are among the biggest buyers. According to the Electronic Frontier Foundation, as a general rule, it isn’t illegal to offer vulnerabilities (the holes in software) and exploits (the code that does the actual penetration) for sale. What’s different about Marester’s case, as I would learn, is that the seller worked for one of the companies whose code he promised to compromise.

I first learned of Marester from an American computer-security consultant, who had been taken aback by the sheer number of 0days — some of them very powerful — that Marester was hawking. In the interest of protecting his own clients, the security professional and some colleagues posed as buyers and, over the course of four months, won the hacker’s confidence. Eventually, Marester revealed his true identity in order to collect his bounty. The security pros, who requested anonymity for this article, turned over their evidence to me, including an extensive email trail.

To better understand the black-market trade in hacker code, I contacted several well-placed sources in information security, government, and law enforcement, most of whom wouldn’t speak on the record. A few provided access to black-hat sellers claiming to reap serious money from peddling vulnerabilities and exploits. Over time, I have been able to sketch a somewhat murky picture and was surprised to learn that the buyer who pays the most — by far — for black-market code is the United States government.

Prices for software vulnerabilities and exploits range from a few thousand dollars to the high six figures. Remote exploits that can pierce Microsoft’s soft skin often attract the highest bids. But virtually anything that can penetrate name-brand products — Apple’s operating system, Cisco router software, Oracle database code, email programs — has value.

Two computer-security firms in particular, iDefense, a subsidiary of VeriSign, and TippingPoint, are known code buyers. Last year, iDefense offered $8,000 to the first six people to find vulnerabilities in the latest versions of Microsoft Exchange Server and popular mail clients such as Outlook, and up to $4,000 for working exploits. It peddles the acquired information to its corporate and government clients at a steep markup so they can protect themselves (the company claims to inform the vendors first so they can prepare patches for the general public).

There’s even a Swiss-based eBay-like auction site, WabiSabiLabi, that matches buyers and sellers, bragging that it vets all code before it’s sold to ensure quality. Adding to the site’s cloak-and-dagger patina, its strategic director, Roberto Preatoni, was arrested in Italy last November on charges of spying on Brasil Telecom executives.

The governmental role in this digital free-for-all is more secretive. Although the idea of the Bush administration wheedling its way into corporate networks conjures images of high-tech spying, the United States, according to a source with ties to the government, is less interested in using black-market code for espionage than for stockpiling munitions in the event of cyberwar. “These things are powerful,” seconds Charlie Miller, a security researcher and former National Security Agency employee, who hacked a MacBook Air in less than two minutes at a competition earlier this year. “And compared with the price of a jet fighter, they’re very cheap.”

The purchases are a bulwark against the belief — widely held in government, computer-security, and intelligence circles — that the Chinese are treating American corporations as giant R&D labs, taking advantage of security holes to sneak into corporate databases and copy trade secrets and other fruits of technological innovation. Of course, the Russians are also quite sophisticated, so much so that one prolific seller told me that as an American citizen he’s concerned: “It’s like there’s this global fight, and the competitors’ skill levels are increasing. Russians have had hack schools for years; the Chinese started [one] recently. The capability gap for the [U.S.] is starting to be unmanageable.”

According to the consultant who snared Marester, his quarry’s skills appear quite sophisticated. His wares, if they performed as advertised, could help a hacker take down machines running that particular software anywhere in the world. His real name is Steve Rigano; he’s a self-employed network consultant from Grenoble, France, who works full time at HP, where he is listed in the switchboard and maintains an hp.com email address. He told me that he saw nothing wrong with offering tools and techniques that targeted the company providing his paycheck.

A self-taught hacker, Rigano says he discovered the vulnerabilities and coded the exploits on his own time, which he says is none of HP’s business. “I have the right to sell what I want,” he says. He told me he attracted mostly Chinese and Russian buyers, but claimed he never found takers for the HP or SAP “vulns” and exploits. He said he stopped selling black-market code in January but didn’t explain why.

An HP spokeswoman admitted the company has a rogue employee in France and said it was investigating along with the FBI. When I told Rigano this, he became incensed. “This is real bullshit,” he said, and threatened to sue anyone who claimed he was the target of any investigation.

He may be right: It’s possible the company has been investigating another Gallic code crasher whose online nickname is t0t0, and who in May 2007 posted offers for SAP 0days that were traceable through HP’s network. By connecting his various aliases with email addresses he has used over the years, I was able to track t0t0 to Paris’s Institut Supérieur d’Electronique, France’s premier high-tech college, where it appears he’s an instructor. T0t0 didn’t respond to repeated interview requests.

In keeping with the adage there’s no honor among hackers, Rigano called t0t0 a thief. Bragging he once worked with the Russian arm of Phrack, a notorious hacker group, Rigano sabotaged rivals’ PCs and intercepted emails — felonies in most places — that show t0t0 stealing exploit code to sell on the black market. (Even worse, he thought t0t0 might not be French at all, but Belgian.) “Fucking guy,” he said.

Copyright 2008 Adam L. Penenberg (penenberg.com)