There’s a very good chance that today’s Wired piece about Kevin Mitnick’s newest venture has a lot to do with the discovery of the Bash Bug (Shellshock) in the Bash shell that ships with most Linux and Unix operating systems. Strictly speaking, a zero-day is a vulnerability that the software vendor does not yet know about, or has not yet patched, so that the people running the affected software have no fix to apply; working attack code for such a bug is a zero-day exploit. That distinction matters for what follows, because what a broker sells is the exploit, not merely the knowledge that a bug exists.
Either way, it is a vulnerability that someone can take advantage of until it is fixed. Wired ran a piece about Mitnick and his security company, a consultancy offering a range of online and offline security services. The piece in question covers one of Mitnick’s latest ventures, which Wired characterizes as buying zero-day exploits from security researchers and hackers and selling them to the highest bidder.
“With his latest business venture, Mitnick has switched hats again: This time to an ambiguous shade of gray,” Wired wrote.
Late last week, Mitnick revealed a new branch of his security consultancy business he calls Mitnick’s Absolute Zero Day Exploit Exchange. Since its quiet inception six months ago, he says the service has offered to sell corporate and government clients high-end “zero-day” exploits, hacking tools that take advantage of secret bugs in software for which no patch yet exists. Mitnick says he’s offering exploits developed both by his own in-house researchers and by outside hackers, guaranteed to be exclusive and priced at no less than $100,000 each, including his own fee.
And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells Wired in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”
Mitnick declined to name any of his customers, and wouldn’t say how many, if any, exploits his exchange has brokered so far. But the website he launched to reveal the project last week offers to use his company’s “unique positioning among security researchers and the hacker community” to connect exploit developers with “discerning government and corporate buyers.”
In fact, Wired’s interview with Mitnick appears to take many of his quotes out of context to support its own framing: that he is selling zero-day exploits to whoever will pay him. It also seems odd that the article includes commentary from people on Twitter, which is merely opinion and adds nothing to the piece beyond noting that Mitnick replied to one of the tweets.
The reality of the situation is that people who discover vulnerabilities in government and corporate infrastructure face a very difficult balance. Many ethical hackers who try to notify companies of their security holes end up as the targets of investigations and are attacked for what they do. Sure, there are plenty of unethical hackers who might try to extort a company, demanding a fee in exchange for the zero-day they have found, but that has nothing to do with what Mitnick is doing. His exchange offers researchers and security-minded people an intermediary that helps companies find and close zero-day vulnerabilities, rewards the researchers for their work, and at the same time shields them from the frivolous lawsuits that can follow when they approach a company directly.
Mitnick’s company vigorously vets all of its potential clients to make sure no bad actors are involved in the process. It is not selling zero-day exploits to competitors of the companies that have the security holes, and it is not selling them to governments in a way that would leave a company vulnerable. The goal is to help companies see their problems and give them the opportunity to fix them before they become public.