A pair of Italian hackers who sell cyber secrets to foreign governments and large multinationals for hundreds of thousands of euros have been quietly operating from a small office in Valletta.
Luigi Auriemma, 32, and Donato Ferrante, 28, sell technical details of computer system vulnerabilities, known as “flaws”, to buyers through mysterious brokers, who are reported to pocket as much as 15 per cent of the fee.
The two computer geniuses would not reveal details about their company, ReVuln, but major clients of services like theirs include the US National Security Agency (NSA) and the CIA.
A working exploit for an unpatched flaw in software like Microsoft Windows, known as a “zero day” because the vendor has had no time to fix it, can give a buyer unfettered access to any computer running the vulnerable software, and to the data of the individual behind it. It is a criminal offence in Malta to access data, software or supporting documentation held on someone else’s computer, or to use, copy or modify any such data.
A few years ago, hackers like Mr Auriemma and Mr Ferrante would have sold details of such flaws to vendors like Microsoft, which would then fix them. Last month Microsoft increased the amount it was willing to pay for such flaws, raising its top offer to €150,000. But increasingly the vendors are being outbid by governments interested in exploiting the flaws rather than fixing them. In 2010 the Stuxnet worm, widely attributed to the US and Israel, used several previously unknown Windows flaws to sabotage Iran’s nuclear enrichment programme.
Asked about the legality of what they do the two said: “There is nothing wrong with selling research.”
In Malta anyone found guilty of hacking into a computer could face up to four years in prison and a fine of as much as €23,000.
If the hacking is deemed to be detrimental to any function of government or impairs the provision of public services, the fine could reach €116,000 and the maximum prison term could reach 10 years.
Malta is also a party to the Budapest Convention on Cybercrime, the first international treaty on computer and internet crime, which seeks to harmonise national laws, improve investigative techniques and increase cooperation among nations.
Discussions on a new EU Data Protection Regulation are ongoing, with further talks in Brussels scheduled for later this week.
According to lawyer Antonio Ghio, an expert in IT law, a distinction should be made between those who hack computers with benign intentions and those who do so for nefarious ends.
“Discovering a programming error is one thing; using such programming errors in order to commit a crime is a different thing, although it is very difficult to draw a straight line between the two,” Dr Ghio said.
“This was one of the first reasons why big tech firms started a prize programme offering financial incentives to entice individuals not to exploit vulnerabilities but to report them directly,” he added.