An article by Pierluigi Paganini:
Every day, we read about cyber-attacks and data breaches, incidents that represent in many cases a disaster for private companies and governments. Technology plays a significant role in our lives; every component that surrounds us runs a piece of software that could be affected by flaws and exploited by those with ill intentions.
Of course, the impact of these vulnerabilities depends on the nature and scope of the exposed software. Some applications are more commonly used, and their vulnerabilities could expose users to serious risks. Take for example the recent vulnerability discovered in Skype, in which a bug allowed an attacker to obtain full access to any Skype account by simply knowing the email address used by a victim during the creation of the account.
The possible damage that the exploit of a vulnerability could do depends on different factors such as the level of diffusion of the application compromised, the previous knowledge of the vulnerabilities, and the context in which the compromised application is used.
In the wide universe of vulnerabilities, zero-day vulnerabilities represent a real nightmare for security experts. Knowledge of any leak about them makes it impossible to predict how and when they could be exploited. This characteristic makes their use ideal in state-sponsored attacks and in the development of cyber weapons.
Interest in the discovery of unknown vulnerabilities for a widespread application has totally changed the role of hackers. In the past, they were figures who kept away from government affairs; today, the industry and even intelligence agencies have launched a massive recruitment campaign for this new type of expertise.
Profiting from these vulnerabilities can be done through different channels: flaws could be sold to the makers of the compromised application; a government interested in exploiting a flaw could acquire it to conduct cyber-attacks against hostile countries; or it could be sold in the underground market.
Around this concept of vulnerability grew a market in which “instantaneity” of any transactions is a fundamental factor. Once a new bug is found and exploited, the researcher must be to quickly identify possible buyers, contact them to negotiate a price, and then complete the sale. Timing is crucial; the value of the sale could decay to zero if any third party preemptively divulges information on the vulnerability.
Read more at the InfoSec Institue’s Blog