Portfolio 2 - Criteria B

There are many trends and developments made that have been made in the recent years that help minimize the threat of zero-day attacks. One of these developments is simply called ‘zero-day protection’. This is simply the ability to protect against zero-day exploits. It entirely relies on knowing when a particular venerability is going to occur ahead of time, therefore creating signatures in case of any attempt to take advantage of the vulnerability.

In addition, buffer overflow is another development that has been created to limit the effectiveness of zero-day memory corruption risks. It is a programming error that has a few factors behind it, one of them being a possible breach in the security system. Latest operating systems have these zero-day protections built-in in them, such as Mac OS X, Microsoft Windows Vista, Linux, UNIX, and Sun Microsystems Solaris.

Adding onto that, the legitimate trade programs of zero-day code software encourages the talented hackers to use their skills to help detect dangers and improve security of loopholes instead of taking advantage of it.

On the contrary, these protections are not guaranteed. A worm good enough could manage to fit itself through a small time window between the discovery of vulnerability and the release of a new worm trying to take advantage of it.

Portfolio 2 - Criteria A

This portfolio addresses the issue of buying and selling zero-day (zero-hour) code software of loopholes in the black market. Zero-day code software is the missing ingredient that a talented hacker would need to actually steal the information that they have managed to breach into. This is simply because they only know how to get to the data, but understanding it isn’t their area of expertise. Hence, this makes zero-day code software a problem that involves business, since it is mainly used to steal information such as credit card and banking information. Referring to the article which quotes a hacker saying “online payment systems such as PayPal, which can provide users with more anonymity that bank transfers, have given the black market an enormous boost by providing sellers with an anonymous way to collect”.

Zero-day code, however, has a positive side to it. “The practice is so widespread it’s even spawned a legitimate market”, states the article. Some legitimate researchers register for programs, such as Zero Day Initiative, to sell their discoveries to security companies and software vendors eager to improve their services and products. Looking at the negatives, zero-day finally gives hackers that chance to get through the recently increased sophistications that have been made in firewalls and many other computer protection methods. Leading online fraud and theft to increase.

The act of theft and fraud is an ethical issues related to zero-day code software. And another ethical issue connected to zero-day code is obtaining software, music, movies etc. before their official release date by taking advantage of zero-day exploits and stealing the wanted files.  These ethical issues are significant due to their big negative effects on the both the business world and society.

Chosen Article

Black Market In Bad Code

January 21, 2008

Time is the hacker's enemy. The countdown starts as soon as a hacker learns about a security loophole that makes an Internet site vulnerable to a break-in. Security and software firms have, by and large, succeeded in shortening this period, but hackers have responded in kind. They've created a brisk underground market for buying and selling "zero day" code–software that can be used instantly to exploit an as-yet-unsecured loophole.

Zero-day code is a reaction to the increased sophistication of firewalls and other computer protections. Many individuals and groups wanting to commit online fraud or theft no longer possess the skills needed to compromise computers. Likewise, many talented zero-day programmers lack the know-how to turn a computer intrusion into cash by, say, laundering money stolen from corporate pension-payment systems. Zero-day code bridges these two talent pools. It can be used to steal credit-card and banking information and install malicious software. "There are a lot of slow-burners out there that are generating large amounts of income and trying to remain under the radar," says Steve Santorelli, a former Scotland Yard computer-crime investigator now at Team Cymru, a Seattle computer-security consultancy to corporations and law-enforcement agencies. Online payment systems such as PayPal, which can provide users with more anonymity than bank transfers, have given the black market an "enormous" boost by providing sellers with an anonymous way to collect, says a Romanian hacker who would agree to be identified only by his online name, flo_flow.

This division of labor is making hacking a more productive industry. The market harnesses the expertise of hackers who have qualms about committing certain types of fraud or theft but are willing to sell zero-days to others who do the dirty work. Prices can reach tens of thousands of dollars for code that exploits vulnerabilities in widely used Internet browsers and PC operating systems, and Web-server software.

Many of the big-ticket sales pass through brokers with a reputation for honoring agreements. Some act as escrow agents, collecting purchase money and providing it to sellers (minus a commission) only after confirming that zero-days work. One broker in Bangkok, who spoke to NEWSWEEK on condition of anonymity because his work is illegal, says there is a "very, very large network" of middlemen. Some, including himself, broker licensing deals whereby sellers receive a monthly fee until security firms or software vendors discover and patch the vulnerability.

The practice is so widespread it's even spawned a legitimate market. Last July, the Swiss security firm WabiSabiLabi opened a legal online zero-day auction. Chief technology officer Giacomo Paoni says that more than 1,000 legitimate researchers have registered to sell their discoveries to security companies and software vendors eager to improve their services and products. TippingPoint and iDefense, two American firms, purchase zero-days from researchers to enhance their own security offerings.

These firms argue that by buying zerodays, they're keeping loopholes from criminals, thereby improving security. Critics say the practice only encourages the development of dangerous software–and who's to say how many buyers are hackers working incognito? There may not be many options to playing along: it's virtually impossible to stop trading by shutting down illicit marketplace Web sites and forums, says Mikko Hypponen, a computer-security expert in Helsinki who conducts training workshops for the Finnish Army. "They simply pop up somewhere else."

More Stocks

I have also chosen to buy stocks for Apples, Dell, and General Electric, in addition to my previous choice of E-Bay.

Stock Market

Ebay was my stock choice (the symbol is EBAY). It is currently at the price of $30.44. The reason I chose it was because it is at a low price, since I am looking to make money in a time period of approximately two months. It has a typical decreasing trend, however, it's expected to start rising again.