🔑 Key Takeaways
- Vulnerabilities and exploits are sold on a legal but secretive grey market, with NDAs in place to keep them unknown. Attackers targeting journalists go to dangerous lengths to access their sources.
- The New York Times hack was a turning point in acknowledging the severity of online attacks and the need for strong defenses despite treaties and agreements. Online security remains crucial in protecting sensitive information and sources.
- Zero-day exploits allow hackers to exploit vulnerabilities in software unknown to its makers and sell them to governments and front companies for malicious activities. Argentina has become a hub for exploit development, and investigating this market can be dangerous work.
- Young exploit developers are choosing to sell their skills to governments and front companies for personal gain, jeopardizing the fairness and balance of ethical hacking and vulnerability disclosure. This could lead to serious security threats worldwide.
- Companies must take proactive measures towards cybersecurity and prioritize it before their data is compromised. Offering bug bounties can help incentivize hackers to report vulnerabilities instead of exploiting them.
- Governments are willing to pay big bucks for exploits, which poses ethical concerns for security researchers and software makers, and the allure of government contracts makes it hard for companies to retain their security engineers.
- To maintain dominance in intelligence gathering, the US government had to enter the zero-day market and develop new exploitation capabilities. Other countries also seek this ability, making it an ongoing competition.
- Former NSA hackers have turned into independent contractors, selling zero-day exploits to their former employers and other agencies. This phenomenon is not exclusive to the NSA: bug hunters in the software industry can also earn more by selling their skills on the outside.
- In order to avoid compromising public trust and prevent dangerous security breaches, private industry and government entities must prioritize transparency and ethical considerations in their communication and technology development strategies.
- With advanced technology, governments conduct digital espionage, leaving individuals vulnerable. Personal responsibility and knowledge are crucial as asymmetrical access to resources is a significant threat to digital security.
📝 Podcast Summary
The Secretive World of the Grey Market for Exploits and Zero-Day Brokers
The grey market for exploits is legal but secretive, with an NDA behind each deal, because the buyers want the exploit to remain as unknown as possible. The people who find vulnerabilities and sell those exploits to governments, or to companies that will use them to attack people, are not the ones interviewed on cybercrime shows. Zero-day brokers are the ones who know the secret world of zero-day vendors. Attackers who target journalists focus on looking through the reporters' computers to get access to their sources, and the lengths nation states will go to in order to reach those sources are dangerous.
The New York Times Hack and the Shift in Online Attack Conversation
When The New York Times admitted that they were hacked by Chinese hackers, it changed the conversation around online attacks from victim-blaming to addressing a major problem that many companies were facing. It led to other news agencies admitting the same and highlighted the need for deterrents, penalties, and defense. Despite an agreement between the US and China to not hack into companies in the other nation, China ignored the rules by staging attacks. This incident made Nicole Perlroth highly cautious about protecting her sources and led her to write a book about it. However, she later became the target of online attacks herself, which highlights the ongoing need for online security measures.
The Dark World of Zero-Day Exploits
A zero-day exploit takes advantage of a vulnerability in software that is still unknown to its makers. Because the vendor is unaware of the flaw, hackers have room to develop exploits and sell them to governments and front companies for their stockpiles of offensive cyber-espionage tools. These exploits can then be used for malicious activities such as cyber-attacks against individuals, businesses, or governments. Nicole, the investigative journalist, traveled around the world to research the zero-day market and found that Argentina had become the outsourcing hub for exploit development. However, her investigation was cut short when someone broke into her hotel room and opened her safe, which contained a burner laptop. She could not confirm whether they did anything with the laptop or simply left the door open to scare her.
The Rise of Young Exploit Developers Selling to Governments and Front Companies
There is a growing group of young exploit developers who sell their capabilities to governments or front companies for a high price instead of using them for ethical hacking or penetration testing. They can make tax-free money and live pretty large by exploiting vulnerabilities in enterprise applications, cars, or the latest apps and selling the results on the underground grey market for zero-day exploits. However, it is hard to get them talking about it, and even the most experienced reporters can only get a glimpse of their world. The activities of these young hackers could affect the security of systems worldwide, because they undermine the balance and fairness that ethical hacking and vulnerability disclosure create.
The Evolution of Cybersecurity: From Ignoring Hacker Warnings to Offering Bug Bounties
The current world of secret exploits sold under the table to secret entities was not always like this. Initially, Microsoft was playing catch-up with Netscape, having missed the internet boom, and security was neglected. Hackers found the errors and warned the companies, but they were ignored, so hackers started dumping their findings on forums like Bugtraq to shame vendors. Microsoft took security seriously only after suffering major public failures, and Bill Gates wrote a memo called The Open Trustworthy Computing Memo in 2002, which made security a priority. Later, Google was hacked by China, and companies started improving their security and offering bug bounties to hackers.
The government's interest in buying exploits for offensive cyber-exploitation programs
Governments, including the US, are interested in buying exploits to use in offensive cyber-exploitation programs. The US government's project called Gunman, approved by President Reagan in 1984, aimed to find bugs in the machinery inside the US embassy in Moscow. Ethically, bugs should be sold to software makers, but on the grey market potential buyers can pay much more. Companies offering bug bounties cannot match government prices, yet they also do not want to incentivize their security engineers to leave the company and make more money outside. James Gosler, the godfather of American cyber-war, had spent a large chunk of his career at the NSA and the CIA and could talk about the operation called Project Gunman, but he was careful not to reveal anything classified.
The Evolution of US Government's Intel Collection Strategies
After Project Gunman discovered the Soviet bug, the US government realized that it needed to find ways to embed itself in communication devices to collect its own intelligence. The NSA initially did not play in the zero-day market but later entered it because other agencies wanted to play the NSA's game without having the same talent pool in-house. The US government had to find exploits in software and communication channels rather than rely on backdoors, which are themselves vulnerable. This capability is not unique to Russia and the US: many other countries in the world either have or want this ability. The evolving technology landscape compelled the NSA to develop new exploitation capabilities to stay ahead of other nations.
Insider Hackers Turn Into Contractors for Online Espionage Tools
Some of the best hackers within the NSA turned into independent contractors, offering online espionage tools and exploiting zero-day vulnerabilities. They were able to buy zero-days from hackers in other countries, improving their arsenal and providing reliable click-and-shoot tools for their former employers and other agencies. The agencies had a catalogue for their arsenal but suffered quality issues with their own zero-day exploits. Where this top-secret catalogue is kept and who has access to it remain open questions. This phenomenon is not unique to the NSA; it applies to the software industry as well. When companies start paying huge amounts for bugs, internal bug hunters can quit to keep doing the same work and make more money on the outside.
The Fragile Relationship Between Software Companies and the Government: Transparency and Trust
The relationship between software companies like Microsoft and their own government can be fraught with difficulty, as shown by the use of exploits like Flame and the tension caused by the Snowden leaks. Microsoft's perceived complicity in government surveillance has damaged public trust, and the Shadow Brokers leak shows how dangerous it can be when such exploits fall into the wrong hands. This highlights the need for transparency and clear communication between private industry and government entities, as well as the importance of ethical considerations when developing and using technology for potentially sensitive purposes.
The Price of National Security: Vulnerability and Potential Catastrophic Digital Disasters
Governments all over the world use computers and exploits to break into communication channels for espionage and cyber-attacks, but the trade-off for national security has left Americans, and the world, more vulnerable. As technology continues to advance and become more complex, it is crucial for leaders to understand its nuances and make informed decisions about cybersecurity. The US has set a precedent for conducting digital espionage, which other nations are following, leading to a lack of accountability and a potential for catastrophic digital disasters. It is important for individuals to take personal responsibility for protecting their digital life, such as making backups and storing them securely. Asymmetrical access to resources and knowledge is a significant threat to digital security.