A recent proposal [67] to track ‘underground market indices’ in IRC channels to feed forecasting and threat prediction tools may sound a bit daring: these markets operate as exchange platforms for stolen credit card and identity details, hacked accounts, spam distribution and related services. Yet the ‘street price of drugs’ is commonly used as a signal for the effectiveness of enforcement; and in information security, too, the price of contraband goods such as stolen credit cards is considered important by some players. However, the signals are not straightforward. Officials of one bank remarked to one of us that a fall in the ‘street value’ of their credit card numbers to under a euro was a good thing. They believed that this was not signalling that the market was flooded with their customers’ credentials, but rather that their back-end fraud-prevention mechanisms were good enough to prevent significant value extraction from a stolen credit card number alone.
Many ideas have been put forward to use markets to extract security-related information – most of them having been designed to counter security market failures. They seek not just to align incentives, but also to provide new security metrics. The literature distinguishes various forms of so-called ‘vulnerability markets’, of which various kinds can already be observed in practice [15, 129, 100]: black markets, vulnerability brokers, bug bounties, and bug auctions. There are also suggested innovations, such as exploit derivatives. Meanwhile, the price of cyber-insurance provides an indirect market measure of overall systems vulnerability. We will now look at each of these briefly.

The vulnerability black market is a catch-all term for the unregulated vulnerability markets, which are how some security researchers currently extract revenue from discovering flaws. Although referred to as a ‘black market’, the business per se is not illegal under most jurisdictions, although selling an exploit to someone the researcher knows is likely to make criminal use of it is an offence in most countries, as is blackmailing a vendor. Selling an exploit to a national intelligence agency, or to a firm that sells keylogger software to police forces, or to a firm that reverse-engineers protected software on behalf of lawyers conducting intellectual property disputes, or even to a firewall vendor who wants advance warning of exploits, is generally legal. However, market participants point to a lack of transparency in pricing; difficulties in finding buyers and sellers; and possible difficulties faced by a seller in ensuring a buyer’s bona fides. Successful dealmaking largely depends on personal contacts. The market also suffers from the typical problems of information goods. Vulnerabilities are often easily-duplicated experience goods, in that a seller who demonstrates one to a potential buyer may give away the secret.
Also, a recipient may sell a vulnerability onward, and a seller may sell the same vulnerability to multiple buyers despite giving each of them an assurance to the contrary. (Such contracts are difficult to enforce as vulnerabilities are