There's a convicted felon out there whose sole mission is to hack major companies and products, so he can then sell the security vulnerabilities he discovers back to those businesses and governments. And guess what? Organizations are willing to pay a lot of money for the information. But now there's word he's willing to sell some secrets to the highest bidder.
Six months ago, Kevin Mitnick started Mitnick's Absolute Zero Day Exploit Exchange. He describes it as an "Amazon wish list of exploits." It's basically an online marketplace where companies and governments can purchase security vulnerabilities that don't have any fixes yet, called zero-day exploits.
If Mitnick's name sounds familiar it's because he led the FBI on a manhunt in the mid-1990s. Back then, he was one of the most notorious "black hat" hackers in the world and hacked into a bunch of large corporations. He was eventually caught and spent over four years in prison.
Since he served his time, Mitnick has seemed to reform and has worked as a "white hat" hacker to help companies discover security problems in their own systems and fix them. But, this new business venture makes it sound like he's not quite as reformed as we thought. He's not doing anything technically illegal that we know of, but the business is definitely shady.
Mitnick's Absolute Zero Day Exploit Exchange
The Exchange works with exploits developed by his own team of hackers and other outside hackers that he purchases information from. He then marks up the price and sells it to companies or governments willing to pay at least $100,000. But, the price could be much higher - even $250,000!
Mitnick says the company will screen buyers before selling to them. For instance, he won't sell to oppressive governments, such as Syria, or to criminals. He's also less likely to sell to governments at all, due to his history. But, that doesn't mean everything is aboveboard. One company could purchase secrets about another, and Mitnick doesn't know what they'll do with the information.
And what will his clients do with those exploits? “When we have a client that wants a zero-day vulnerability for whatever reason, we don’t ask, and in fact they wouldn’t tell us,” Mitnick tells WIRED in an interview. “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.”
The best thing you can do to protect yourself is stay informed about hacks, malware and other vulnerabilities by subscribing to my newsletters, so you'll know if a company you use is exploited. Also, make sure you have up-to-date security software on your gadgets and strong passwords protecting all of your accounts.