SlideShare una empresa de Scribd logo

StHack 2014 - Raoul Chiesa The evolution of 0days market

StHack
StHack

What has happened during the last 15 years ? This presentation will introduce the audience to the 0days market, a very complex ecosystem with different actors, being sellers, buyers or middle-entities. The speaker will initially provide an high view analysis of this market, then he will zoom into the known and the unwritten rules. BIO: Raoul "Nobody" Chiesa was born in Torino, Italy, in 1973. After being among the first italian hackers back in the 90's (1986-1995), Raoul decided to move to professional InfoSec, establishing back in 1997 the very first vendor-neutral Italian security advisory company. Raoul is among the founder members of CLUSIT (Italian Information Security Association, est. 2000) and he is a Board of Directors member at ISECOM, CLUSIT, OWASP Italian Chapter, Italian Privacy Observatory (AIP/OPSI). Both Raoul and its security team work on research areas such as X.25 and PSDN networks, VoIp Security, Malware Analysis, Cybercrime Intelligence, Threat Agents Profiling, Social Engineering, SCADA & Industrial Automation/Home Automation, Satellite communication, Mobile Security, SS7 threats, Cloud Computing and much more. Raoul publishes books and white papers in English and Italian language as main author or contributor, and he's a regular contact for worldwide media (newspapers, TV and bloggers) when dealing with Information Security issues and IT security incidents.

Tecnología
1 de 32
Descargar para leer sin conexión
The evolution of zerodays market Raoul «Nobody» Chiesa St. Hack, Bordeaux, March 14th, 2014
Agenda • # whoami • Once upon a time… • The scenario • The actors • The «pricing debate» • Rules? – Good sense – NSA – Vupen – SB • Risks • Conclusions Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
3 Disclaimer
Disclaimer ● The information contained within this presentation do not infringe on any intellectual property nor does it contain tools or recipe that could be in breach with known laws. ● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM. ● Quoted trademarks belongs to registered owners. ● The views expressed are those of the author(s) and speaker(s) and do not necessary reflect the views of UNICRI or others United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group). ● Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
 President, Founder, Security Brokers  Principal, CyberDefcon Ltd.  Independent Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)  PSG Member, ENISA (Permanent Stakeholders Group @ European Network & Information Security Agency)  Founder, Board of Directors and Technical Commitee Member @ CLUSIT (Italian Information Security Association)  Steering Committee, AIP/OPSI, Privacy & Security Observatory  Member, Co-coordinator of the WG «Cyber World» @ Italian MoD  Board of Directors, ISECOM  Board of Directors, OWASP Italian Chapter  Supporter at various security communities The speaker Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Once upon a time… • I joined the wonderful world of hacking around 1985. • Back in 1996, after the operation «Ice Trap» which leaded to my (home) arrest in 1995, I jumped back to the underground «scene». • My hackers friends told me they just began doing something named «Penetration Test». – I had no idea WTF that thing was. – Then I realized someone was glad to pay you in order to «hack» into something. – With rules, tough. It was legal. – Paid in order to do what I mostly liked?!? Risks-free?? – «You must be kidding», LOL  Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Once upon a time… • Still on those years, we used to find bugs on our own: – Sun Solaris (we [still] love you so much) – HP/UX (harder) – VAX/VMS, AXP/OpenVMS (very few ones) – Linux (plenty of) – etc… • No one was paying us for those findings. It was just phun. • No one was «selling» that stuff. – We used to keep ‘em for us, and occasionally «exchange» the exploits with some other (trusted) hackers. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Years later… • A couple of things happened. • Money slowly got involved in this research- based thing. – And, the whole world got «always-on», «interconnected», IT&TLC fully-addicted. • Then, Cybercrime moved to its prime-time age. • Money quickly got involved in this exploits-race thing. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
The scenario, • Guys, we’ve «evolved», somehow… • Here’s what United Nations says (Hacker’s Profiling Project): Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
And, it’s not just «us» Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
WHAT’S HAPPENING RIGHT NOW • Cybercrime and Information Warfare have a very wide spectrum of action and use intrusion techniques which are nowadays, somehow, available to a growing amount of Actors, which use them in order to accomplish different goals, with approaches and intensity which may deeply vary. • All of the above is launched against any kind of targets: Critical Infrastructures, Governative Systems, Military Systems, Private Companies of any kind, Banks, Medias, Interest Groups, Private Citizens.… – National States – IC / LEAs – Organized Cybercrime – Hacktivists – Industrial Spies – Terrorists – Corporations – Cyber Mercenaries Everyone against everybody
X X
WTF… Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Making “Cyber War”… • „dummy list“ of „ID-10T“ for phishing • background info on organisation (orgchart etc.) • Primer for sector-specific social-engineering • proxy servers • banking arrangements • purchase attack-kits • rent botnets • find (trade!) good C&C server • purchase 0-days / certificates • purchase skill-set • bespoke payload / search terms •Purchase L2/L3 system data • equipment to mimic target network • dummy run on similar network • sandbox zerodays Alexander Klimburg 2012
Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
 http://rt.com/usa/snowden-leak-black-budget-176/  http://rt.com/usa/us-hacking-exploits-millions-104/  http://www.lemonde.fr/technologies/visuel/2013/08/27/plongee-dans-la-pieuvre-de-la- cybersurveillance-de-la-nsa_3467057_651865.html  PRISM and other secret project’s scandals (“the Snowden case”)  NSA’s budgets for black operations revealed WTF 3
Scenarios • OK, you’re smart, you’ve found the most ever l33t 0day of your life. • Who could buy that stuff from you? – Some hacker folks. • (which, eventually, may resell it to one of the following) – IT Vendors – Security Vendors – Big Internet players – 0days «brokers» – Law Enforcement Agencies (LEAs) – Intelligence Agencies (IAs) – Cybercrime / Organized Crime – Pwoning contests, CTFs, etc. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Who do you wanna sell to? Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
The pricing debate • I think all of you remember this: Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) Source: Forbes, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits”, 2012, in http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret- software-exploits
The pricing debate • What about this? (CHEAP but LAME, India’s ones) Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Where’s the truth? What’s the right approach with pricing? Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
→ 0-day Markets 0-day Software «Bug» Vendors CERT (ICS-CERT) National Institutions Patch Software Rel x.y.z Black Market (Cybercrime)Black Market (underground) Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
A different (more serious?) approach Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) Public Knowledge of the vulnerability Buyer’s typology IS = IT Security companies INT = Intelligence Agencies for Governmental use (National Security protection) MIL = MoD/related actors for warfare use OC = Cybercrime 0-day Exploit code + PoC Cost: Min/Max Y IS 10K – 50K USD Y INT 30K – 150K USD Y MIL 50K – 200K USD Y OC 5K – 80K USD N ALL X2 – X10
Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) Public Knowledge of the vulnerability Vulnerability relays on: Operating System ( OS) Major General Applications (MGA) SCADA-Industrial Automation (SCADA) Buyer’s typology IS = IT Security companies INT = Intelligence Agencies for Governmental use (National Security protection) MIL = MoD/related actors for warfare use OC = Cybercrime 0-day Exploit code + PoC Cost: Min/Max Y OS OC 40K – 100K Y MGA INT 100K – 300K Y SCADA MIL 100K – 300K N OS MIL 300K – 600K N SCADA MIL 400K – 1M A different (more serious?) approach
Rules • Use good sense. Always. • Don’t be grady. • Be serious. • Be conscient. • Be true. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Rules: NSA Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) ?!? Wow, I feel better now…
Rules: Vupen • They claim the 0day is «exclusive» (AFAIK). • But, they can «rent it» (not just «sell») i.e. for 10, 30, 60, 90 days (AFAIK). • Rumors say they are used to sell the same stuff to 5 – 10 customers, tough. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Rules: SB Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Risks • Your goldie stuff may be underpaid. • Your stuff maybe be used in repressive countries. • It may be used for mass-surveillance (Hacking Team docet). • Buyer may learn your (real) identity. • Broker may fool you and disclose your real identity. • Your Government may learn what you sold to who, and may be not too happy with that. • You may make the world worse. – Or better  Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Conclusions • Hunting for bugs is fun. • Getting in troubles is not. • Think smart, be paronoid. • Trust no one. It’s your life. • Relay on nice ppl. • Use your brain. • Don’t exagerate. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Acknowledgements • Florian Gaultier for inviting me here and taking the risk - LOL • Damien for offering me a glass of wine without knowing me (I’m from Turin, Piedmont: this is important stuff to us ;) • All of the sponsors: we’ll drink out all of your money tonight, don’t worry! • The city of Bordeaux for the wine and the beautiful town. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
Contacts, Q&A • Need anything, got doubts, wanna ask me smth, wanna sell? – rc [at] security-brokers [dot] com – Pub key: http://www.security-brokers.com/keys/rc_pub.asc Thanks for your attention! QUESTIONS? Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)

Recomendados

The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...SignalSEC Ltd.
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketYury Chemerkin
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Rafel Ivgi
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs BacsayShakacon
 
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...HackIT Ukraine
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comAlexander Leonov
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web VulnerabilityMiroslav Stampar
 

Recomendados

The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce... The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...
The Market for Cyber Weapons - NATO Cooperative Cyber Defence Centre of Exce...SignalSEC Ltd.
 
Alan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketAlan kakareka. insight into russian black market
Alan kakareka. insight into russian black marketYury Chemerkin
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Rafel Ivgi
 
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs Bacsay
0Day Hunting A.K.A. The Story of a Proper CPE Test by Balazs BacsayShakacon
 
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...
Alfonso De Gregorio - Vulnerabilities and Their Surrounding Ethical Questions...HackIT Ukraine
 
Vulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comVulnerability Intelligence and Assessment with vulners.com
Vulnerability Intelligence and Assessment with vulners.comAlexander Leonov
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Spot the Web Vulnerability
Spot the Web VulnerabilitySpot the Web Vulnerability
Spot the Web VulnerabilityMiroslav Stampar
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"StHack
 
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashSthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashStHack
 
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...StHack
 
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...StHack
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...StHack
 
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceSthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceStHack
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack
 
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coinStHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coinStHack
 
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Más contenido relacionado

Más de StHack

Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"StHack
 
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashSthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashStHack
 
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...StHack
 
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...StHack
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...StHack
 
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceSthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceStHack
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack
 
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coinStHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coinStHack
 
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack
 
StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack
 

Más de StHack (12)

Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
 
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cashSthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
Sthack 2015 - David Berard & Vincent Fargues - Attack the cache to get some cash
 
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
Sthack 2015 - Wilfrid "@WilfridBlanc" Blanc & Adrien Revol - Cybersécurité In...
 
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
Sthack 2015 - Aris "@aris_ada" Adamantiadis - DUAL_EC_DRBG : Une histoire de ...
 
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
Sthack 2015 - Jonathan "@JonathanSalwan" Salwan - Dynamic Behavior Analysis U...
 
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practiceSthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
Sthack 2015 - Renaud "@nono2357" Lifchitz - Quantum computing in practice
 
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFG
 
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injectionStHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
StHack 2013 - Florian "@agixid" Gaultier No SQL injection but NoSQL injection
 
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coinStHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
StHack 2013 - Nicolas "@baldanos" Oberli Please insert inject more coin
 
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy MimikatzStHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
StHack 2014 - Benjamin "@gentilkiwi" Delpy Mimikatz
 
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnetStHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
StHack 2014 - Jerome "@funoverip" Nokin Turning your managed av into my botnet
 
StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101StHack 2014 - Ninon Eyrolles Obfuscation 101
StHack 2014 - Ninon Eyrolles Obfuscation 101
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

StHack 2014 - Raoul Chiesa The evolution of 0days market

  • 1. The evolution of zerodays market Raoul «Nobody» Chiesa St. Hack, Bordeaux, March 14th, 2014
  • 2. Agenda • # whoami • Once upon a time… • The scenario • The actors • The «pricing debate» • Rules? – Good sense – NSA – Vupen – SB • Risks • Conclusions Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 4. Disclaimer ● The information contained within this presentation do not infringe on any intellectual property nor does it contain tools or recipe that could be in breach with known laws. ● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM. ● Quoted trademarks belongs to registered owners. ● The views expressed are those of the author(s) and speaker(s) and do not necessary reflect the views of UNICRI or others United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group). ● Contents of this presentation may be quoted or reproduced, provided that the source of information is acknowledged. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 5.  President, Founder, Security Brokers  Principal, CyberDefcon Ltd.  Independent Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)  PSG Member, ENISA (Permanent Stakeholders Group @ European Network & Information Security Agency)  Founder, Board of Directors and Technical Commitee Member @ CLUSIT (Italian Information Security Association)  Steering Committee, AIP/OPSI, Privacy & Security Observatory  Member, Co-coordinator of the WG «Cyber World» @ Italian MoD  Board of Directors, ISECOM  Board of Directors, OWASP Italian Chapter  Supporter at various security communities The speaker Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 6. Once upon a time… • I joined the wonderful world of hacking around 1985. • Back in 1996, after the operation «Ice Trap» which leaded to my (home) arrest in 1995, I jumped back to the underground «scene». • My hackers friends told me they just began doing something named «Penetration Test». – I had no idea WTF that thing was. – Then I realized someone was glad to pay you in order to «hack» into something. – With rules, tough. It was legal. – Paid in order to do what I mostly liked?!? Risks-free?? – «You must be kidding», LOL  Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 7. Once upon a time… • Still on those years, we used to find bugs on our own: – Sun Solaris (we [still] love you so much) – HP/UX (harder) – VAX/VMS, AXP/OpenVMS (very few ones) – Linux (plenty of) – etc… • No one was paying us for those findings. It was just phun. • No one was «selling» that stuff. – We used to keep ‘em for us, and occasionally «exchange» the exploits with some other (trusted) hackers. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 8. Years later… • A couple of things happened. • Money slowly got involved in this research- based thing. – And, the whole world got «always-on», «interconnected», IT&TLC fully-addicted. • Then, Cybercrime moved to its prime-time age. • Money quickly got involved in this exploits-race thing. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 9. The scenario, • Guys, we’ve «evolved», somehow… • Here’s what United Nations says (Hacker’s Profiling Project): Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 10. And, it’s not just «us» Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 11. WHAT’S HAPPENING RIGHT NOW • Cybercrime and Information Warfare have a very wide spectrum of action and use intrusion techniques which are nowadays, somehow, available to a growing amount of Actors, which use them in order to accomplish different goals, with approaches and intensity which may deeply vary. • All of the above is launched against any kind of targets: Critical Infrastructures, Governative Systems, Military Systems, Private Companies of any kind, Banks, Medias, Interest Groups, Private Citizens.… – National States – IC / LEAs – Organized Cybercrime – Hacktivists – Industrial Spies – Terrorists – Corporations – Cyber Mercenaries Everyone against everybody
  • 12. X X
  • 13. WTF… Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 14. Making “Cyber War”… • „dummy list“ of „ID-10T“ for phishing • background info on organisation (orgchart etc.) • Primer for sector-specific social-engineering • proxy servers • banking arrangements • purchase attack-kits • rent botnets • find (trade!) good C&C server • purchase 0-days / certificates • purchase skill-set • bespoke payload / search terms •Purchase L2/L3 system data • equipment to mimic target network • dummy run on similar network • sandbox zerodays Alexander Klimburg 2012
  • 15. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 16.  http://rt.com/usa/snowden-leak-black-budget-176/  http://rt.com/usa/us-hacking-exploits-millions-104/  http://www.lemonde.fr/technologies/visuel/2013/08/27/plongee-dans-la-pieuvre-de-la- cybersurveillance-de-la-nsa_3467057_651865.html  PRISM and other secret project’s scandals (“the Snowden case”)  NSA’s budgets for black operations revealed WTF 3
  • 17. Scenarios • OK, you’re smart, you’ve found the most ever l33t 0day of your life. • Who could buy that stuff from you? – Some hacker folks. • (which, eventually, may resell it to one of the following) – IT Vendors – Security Vendors – Big Internet players – 0days «brokers» – Law Enforcement Agencies (LEAs) – Intelligence Agencies (IAs) – Cybercrime / Organized Crime – Pwoning contests, CTFs, etc. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 18. Who do you wanna sell to? Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 19. The pricing debate • I think all of you remember this: Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) Source: Forbes, “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits”, 2012, in http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret- software-exploits
  • 20. The pricing debate • What about this? (CHEAP but LAME, India’s ones) Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 21. Where’s the truth? What’s the right approach with pricing? Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 22. → 0-day Markets 0-day Software «Bug» Vendors CERT (ICS-CERT) National Institutions Patch Software Rel x.y.z Black Market (Cybercrime)Black Market (underground) Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 23. A different (more serious?) approach Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) Public Knowledge of the vulnerability Buyer’s typology IS = IT Security companies INT = Intelligence Agencies for Governmental use (National Security protection) MIL = MoD/related actors for warfare use OC = Cybercrime 0-day Exploit code + PoC Cost: Min/Max Y IS 10K – 50K USD Y INT 30K – 150K USD Y MIL 50K – 200K USD Y OC 5K – 80K USD N ALL X2 – X10
  • 24. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) Public Knowledge of the vulnerability Vulnerability relays on: Operating System ( OS) Major General Applications (MGA) SCADA-Industrial Automation (SCADA) Buyer’s typology IS = IT Security companies INT = Intelligence Agencies for Governmental use (National Security protection) MIL = MoD/related actors for warfare use OC = Cybercrime 0-day Exploit code + PoC Cost: Min/Max Y OS OC 40K – 100K Y MGA INT 100K – 300K Y SCADA MIL 100K – 300K N OS MIL 300K – 600K N SCADA MIL 400K – 1M A different (more serious?) approach
  • 25. Rules • Use good sense. Always. • Don’t be grady. • Be serious. • Be conscient. • Be true. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 26. Rules: NSA Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR) ?!? Wow, I feel better now…
  • 27. Rules: Vupen • They claim the 0day is «exclusive» (AFAIK). • But, they can «rent it» (not just «sell») i.e. for 10, 30, 60, 90 days (AFAIK). • Rumors say they are used to sell the same stuff to 5 – 10 customers, tough. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 28. Rules: SB Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 29. Risks • Your goldie stuff may be underpaid. • Your stuff maybe be used in repressive countries. • It may be used for mass-surveillance (Hacking Team docet). • Buyer may learn your (real) identity. • Broker may fool you and disclose your real identity. • Your Government may learn what you sold to who, and may be not too happy with that. • You may make the world worse. – Or better  Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 30. Conclusions • Hunting for bugs is fun. • Getting in troubles is not. • Think smart, be paronoid. • Trust no one. It’s your life. • Relay on nice ppl. • Use your brain. • Don’t exagerate. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 31. Acknowledgements • Florian Gaultier for inviting me here and taking the risk - LOL • Damien for offering me a glass of wine without knowing me (I’m from Turin, Piedmont: this is important stuff to us ;) • All of the sponsors: we’ll drink out all of your money tonight, don’t worry! • The city of Bordeaux for the wine and the beautiful town. Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)
  • 32. Contacts, Q&A • Need anything, got doubts, wanna ask me smth, wanna sell? – rc [at] security-brokers [dot] com – Pub key: http://www.security-brokers.com/keys/rc_pub.asc Thanks for your attention! QUESTIONS? Raoul «Nobody» Chiesa, St. Hack, March 14th 2014, Bordeaux (FR)