Kevin Mitnick Selling 0-day Exploits Is A Good Idea



OK, so here is my take on the recent hatchet job by WIRED Magazine.

I have been aware of Kevin's new 0-day business venture for more than 6 months. Kevin told me about the idea early this year and I saw beta versions of his new website before they went live. There is a market for these types of 0-days, and no reason not to jump into that market if you are able to assess the value of a 0-day correctly. (Note that the 0-day trade is done within Mitnick Security, not KnowBe4).

The actual problem is that there are many hundreds of unknown zero-day threats out there that NO antivirus engine can protect against. These 0-days are spread over dozens of popular apps. And as we recently saw, even AV engines themselves are riddled with 0-days.

Various organizations buy these from specialized companies like British/German FinFisher, the French company Vupen, and an Italian company called "Hacker Team" (yes, really). Cyber mafias buy them from independent criminal researchers. The spear-phishing attacks that target your company are laced with these 0-days. No AV is going to be effective against that. We need to get more of these 0-days above water.

Hacking can be used for good and bad; it's a matter of intent. If security researchers are spending months to dig up a major 0-day, and want to monetize this by selling it to the software vendor that wrote the offending code, I'm all for it. Often software companies offer bug bounties inviting people to do just that. The WIRED article sensationalized Kevin's idea and made it look controversial. What else is new with the press? There's actually a benefit the WIRED article overlooked, and that's that this has the potential to pull (part of) the black market for 0-days into a legit sphere. Kevin commented: "Yes, our plan is to sell bugs to the software vendor that created it. Not to NSA and foreign entities, etc. The buyers are vetted as well-known reputable companies. This is really a private bug bounty but we pick the price not the vendor."

My take is that you cannot buy this kind of advertising. Any PR expert will tell you that any press is better than no press, even if it is controversial. WIRED magazine just provided Kevin with millions in free advertising for this new sideline.

So, in short, tempest in a teacup. :-D

Warm regards,

Stu

