Among the most coveted pieces of information in the malware business are so-called zero-day vulnerabilities: flaws in computer software that are unknown to the vendor, so no patch exists yet and users have no ready defense against exploitation. The market for zero-days has been booming as security companies and researchers sell vulnerabilities they’ve discovered to government organizations. The US military and intelligence community are believed to be some of the biggest buyers, and they’d prefer that other countries, particularly hostile ones, not acquire these building blocks of cyber weapons.
But how does a company know that it’s not unwittingly selling that information to Iran or North Korea, or to a Chinese spy? Or a terrorist? The Commerce Department has some tips for determining whether the buyer is on the up-and-up (at least as far as US interests are concerned) that may be useful.
Is the buyer “reluctant to offer information about the end-use of a product”? Does he decline routine services like installation and on-site maintenance that come with the product? Is the customer “willing to pay cash for a very expensive item when the terms of the sale call for financing”? According to the “Know Your Customer” program, which is part of the US export control regime, these are “red flags” that should alert a seller to investigate whom he’s actually doing business with.
The guidelines don’t apply specifically to information security or to any single product or service. They’re meant to prevent sellers from letting sophisticated or dangerous technology fall into the hands of adversaries or hostile groups. Zero-days could easily fit on that list.
One company that sells zero-day exploits to governments, VUPEN, says it won’t do business with anyone that doesn’t fully comply with the Know Your Customer guidelines. The company is based in France, but has adopted the US guidelines as a standard practice. American security firms, including anti-virus software manufacturers, are also covered by export controls on their products.
The guidelines advise sellers to proceed with caution if “the product’s capabilities do not fit the buyer’s line of business; for example, a small bakery places an order for several sophisticated lasers.” Is the final destination for the product “a freight forwarding firm”? Red flag. Is the customer “unfamiliar with the product’s performance characteristics but still wants the product”? (Think learning how to fly a jet aircraft without wanting to know how to land it.) Red flag.
Here is the full list of 12 warning signs:
Possible indicators that an unlawful diversion might be planned by your customer include the following:
1. The customer or purchasing agent is reluctant to offer information about the end-use of a product.
2. The product’s capabilities do not fit the buyer’s line of business; for example, a small bakery places an order for several sophisticated lasers.
3. The product ordered is incompatible with the technical level of the country to which the product is being shipped. For example, semiconductor manufacturing equipment would be of little use in a country without an electronics industry.
4. The customer has little or no business background.
5. The customer is willing to pay cash for a very expensive item when the terms of the sale call for financing.
6. The customer is unfamiliar with the product’s performance characteristics but still wants the product.
7. Routine installation, training or maintenance services are declined by the customer.
8. Delivery dates are vague, or deliveries are planned for out-of-the-way destinations.
9. A freight forwarding firm is listed as the product’s final destination.
10. The shipping route is abnormal for the product and destination.
11. Packaging is inconsistent with the stated method of shipment or destination.
12. When questioned, the buyer is evasive or unclear about whether the purchased product is for domestic use, export or reexport.