#HITBGSEC
Author: Hack In The Box Security Conference
Uploaded: 2015-10-27
Views: 816
Description:
PRESENTATION MATERIALS:
http://gsec.hitb.org/materials/sg2015/
PRESENTATION ABSTRACT:
Zero-day vulnerabilities are gaining a prominent role in modern-day intelligence, national security, and law enforcement operations. At the same time, trading vulnerability information or zero-day exploits is considered a risky ordeal. Players in the secretive zero-day market face some inherent obstacles related to the time-sensitivity of traded commodities, trust, price fairness, and the possibility of defection.
To alleviate some of these hurdles, it was suggested to:
1. Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting;
2. Resort to the use of trusted third parties (e.g., escrow services), as crucial entities for enabling cooperation of market participants; and
3. Build a reputation system (e.g., reputation score) as an instrument to establish trust relationships between distrustful players.
This work presents the first results of an ongoing study on extortion and cooperation in zero-day markets through the lens of game theory.
The questions motivating this research are: a. Can the zero-day market achieve cooperation and efficiency even in the absence of trusted third parties? b. Can punishment discourage the buyer from defecting? c. Under which conditions can a player extort the opponent? d. Can cooperation be sustained also in fully anonymous or semi-anonymous settings? The talk will address these questions and others, by providing an analysis of the zero-day trading strategies applicable to each scenario.
Learn which strategies maximize profits while trading zero-days in today’s marketplaces. Find out how to avoid getting extorted by zero-day traders. Learn how to extort an unwitting market participant. Gain a deeper knowledge about the emergence, sustainability, and breakdown of cooperation. Discover under which conditions the zero-day markets can achieve efficiency.
ABOUT ALFONSO DE GREGORIO
Alfonso De Gregorio is a security technologist, founder of BeeWise, the first cyber security prediction market, and Principal Consultant at secYOUre. He started his career in information security in the late 1990s. Since then he has never stopped contributing his little share to the discussion and practice of security engineering. Among the positions held, he served as Chief Security Architect at an HSM vendor, Expert at the European Commission, and Visiting Scholar at the Computer Security and Industrial Cryptography (COSIC) research group, K.U. Leuven. In his career as a public speaker, Alfonso has addressed a wide range of audiences across the globe, including industry executives, academics, security practitioners, and hackers, speaking about security economics, software security, intelligence support systems, cryptography engineering, and cryptographic backdooring. Alfonso researches solutions for building cybersecurity incentives, tweets @secYOUre, and generally does not speak of himself in the third person.