Believe it or not, there is a thriving black market in bugs!
When I attended the second Workshop on Heuristics and Exploratory Techniques, we were bug hunting in open source office software, and I was impressed that Alan Jorgensen found bugs so quickly—after locating a file of error messages and using that to explore errors that had no matching messages. That was my first exposure to software attacks.
Soon afterward, Alan moved on to investigating hostile data streams, generating semi-random strings of characters fed into Adobe Acrobat trying to crash it. Back then I considered it specialist academic research. As part of his work with Scott Tilley, he wrote On the Security Risks of Not Adopting Hostile Data Stream Testing Techniques and included the alarming statement “Security flaws in modern software systems should no longer be treated as mere annoyances, but as the high level risks that they truly are.”
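The hostile data stream approach described above is what is now called mutation fuzzing: take a valid input, corrupt it at random, feed it to the parser, and watch for failures the parser did not plan for. The following is an added illustration, not code from the column or from Alan Jorgensen's work. It pairs a small constructed parser for a length-prefixed record (which trusts its length byte, a classic defect) with a seeded fuzzer that tells clean rejections (`ValueError`) apart from real crashes (here an `IndexError`), then shrinks the crashing input so the defect is easy to read. Every name, the record format and the sample payload are assumptions made for this example.

```python
import random
from dataclasses import dataclass
from typing import Callable, Optional, Tuple, Type

# Constructed toy parser: record = [len][payload ...][checksum].
# It trusts the length byte, which is exactly what a hostile data stream exposes.
def parse_record(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("record too short")        # designed rejection, not a bug
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                           # BUG: IndexError when len(data) < n + 2
    if sum(payload) % 256 != checksum:
        raise ValueError("checksum mismatch")        # designed rejection, not a bug
    return payload

def make_record(payload: bytes) -> bytes:
    """Build a well-formed record to serve as the fuzzer's seed input."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) % 256])

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random corruption: overwrite, insert, delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(("overwrite", "insert", "delete", "truncate"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

@dataclass
class Crash:
    data: bytes
    exception: Exception
    iteration: int

Parser = Callable[[bytes], object]

def unexpected_failure(parser: Parser, data: bytes,
                       designed: Tuple[Type[Exception], ...] = (ValueError,)) -> Optional[Exception]:
    """Return the exception if the parser fails in a way it did not design for."""
    try:
        parser(data)
    except designed:
        return None                                  # clean rejection is correct behaviour
    except Exception as exc:                         # anything else is a finding
        return exc
    return None

def fuzz(parser: Parser, seed: bytes, iterations: int = 1000, rng_seed: int = 1) -> Optional[Crash]:
    """Mutate the seed repeatedly; stop at the first unexpected failure."""
    rng = random.Random(rng_seed)                    # seeded so runs are reproducible
    for i in range(iterations):
        candidate = mutate(seed, rng)
        exc = unexpected_failure(parser, candidate)
        if exc is not None:
            return Crash(candidate, exc, i)
    return None

def minimize(parser: Parser, data: bytes, crash_type: Type[Exception]) -> bytes:
    """Greedy byte-at-a-time reduction that keeps the same crash reproducible."""
    shrunk = True
    while shrunk:
        shrunk = False
        for i in range(len(data)):
            smaller = data[:i] + data[i + 1:]
            exc = unexpected_failure(parser, smaller)
            if exc is not None and type(exc) is crash_type:
                data, shrunk = smaller, True
                break
    return data

if __name__ == "__main__":
    seed = make_record(b"hello")                     # constructed valid input
    crash = fuzz(parse_record, seed)
    if crash is None:
        print("no crash found")
    else:
        small = minimize(parse_record, crash.data, type(crash.exception))
        print(f"iteration {crash.iteration}: {type(crash.exception).__name__} on {crash.data!r}")
        print(f"minimized reproducer: {small!r}")
```

The minimizer matters in practice: a random crashing input may be dozens of bytes, but the shrunk reproducer makes the root cause (a length byte larger than the data that follows) obvious, and the fix is a bounds check before `data[1 + n]` that raises the designed `ValueError` instead.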
Now a decade later, I realize Alan was a pioneer in security attacks known as zero-day bugs or exploits, and his hostile data stream explorations are a tool of hacker and researcher alike. It wasn't until 2008 that serious preventive efforts began—e.g., the MAPP program linking Microsoft, their software partners, and antivirus or intrusion prevention vendors.
Many vendors have teams dedicated to locating security bugs, such as the Adobe Secure Software Engineering Team. Despite the efforts of the many teams involved, zero-day bugs remain very common. Nearly every major vendor has reported them at various times. Some exploits have even been traced to MAPP leaks. Recently, exploits have been reported in Java 5, 6, and 7, Android, iPhone 4s, Internet Explorer, and Firefox. Oddly, no reports for Safari have been received.
In addition to the competitiveness between the hackers (black hats) and the researchers (white hats), there are regular competitions where researchers and others get together to compete for cash and bounty payments for new exploits.
The most famous competition, Pwn2Own, started in 2007 after some companies had not fixed exploits discovered up to two years earlier. It awards a cash prize, a white jacket, and the hacked device to the best exploit, though many people compete simply for the notoriety. Devices are kept in aluminum boxes, and everything is connected with cables so no one can steal other people's exploits.
Exploits are being used for corporate and international espionage, with attacks on military computers, corporations such as Google and RSA, and even an attack on Iranian uranium enrichment plants, reportedly approved by Presidents Bush and Obama.
Despite the worldwide focus on finding and patching security vulnerabilities, a study using Symantec data found that zero-day bugs were typically exploited for ten months before being discovered and patched. Some hacker gangs seem to have almost unlimited supplies of bugs, judging by the fast pace at which new ones are introduced.
Former CIA director George Tenet said, “We have built our future upon a capability that we have not learned how to protect.”
If you or your company has secrets you don't want stolen, don't leave them on a networked computer. Chances are they will be stolen long before you have any idea they are gone. Security testing will be a growth area for many years to come. If you are clever, it could become your retirement fund!
Erik Petersen is a consultant based in Melbourne, Australia. Erik has helped build software systems across applications, telecommunications, and infrastructure for more than twenty years. He's unwittingly become an encyclopedia of software and test process and management, strategy, automation, and tools. Contact him at firstname.lastname@example.org.