As much as programmers will try, there is no such thing as “absolutely safe” software out there; The reality is that, for the most part, they’re only safe until someone manages to find a vulnerability.
When these issues are discovered by the company itself, things are great and they’ll just roll out an update to fix the situation. Things are still somewhat great when they’re discovered by white hats for bug bounty programs where they get rewarded for finding problematic issues within the code for this or that software, or for Internet tools we all use, such as Facebook, Twitter, Google and so on.
Zero days, also known as 0-days, are undisclosed vulnerabilities that hackers can exploit before the vendor has any chance to fix the problem. Without them being publicly reported, there’s no way for the vendor to even know about them. Hackers, however, have a way of knowing.
The dark web is actually full of such vulnerabilities discovered by black hats or just budding coders who are flexing their muscles to find things that don’t work as they should or that they can exploit just for fun. Once the information is shared on the Internet, those who have an intent to harm can just find a way to dig through the software’s security and spread malware, steal credentials, leak databases and so on.
In recent years, there’s been a lot of talk about this type of vulnerabilities. Not only are hackers getting more daring, but they’re competing with government agencies. Ever since Edward Snowden blew the whistle on the National Security Agency and its tendency to hoard zero days, there’s been a heated discussion about this issue and the risks it brings for the world’s population.
Google, Microsoft and many other companies demanded that the NSA stop collecting these vulnerabilities after Snowden’s revelations. Former US President Barack Obama also reportedly told the NSA to share the zero days they discover rather than keep them for themselves. Wikileaks recently revealed that the NSA pretty much shrugged its shoulders and pretended not to listen since it continued doing the same thing.
The issue with these vulnerabilities is that if they are not shared with the vendors they pose a risk for millions of users. The longer intelligence agencies keep these security holes from the tech companies, the longer hackers have to find the same vulnerabilities and built exploits. We’re also going to mention that the NSA itself can leak information or be hacked and these exploits to be exposed to the world.
How could this happen? Well, the Shadow Brokers incident is more than enough proof. Earlier this year, this hacker group announced it was holding on to NSA classified documents, even tried to auction off the information. When that effort didn’t pay off, they just dumped the data online, exposing EternalBlue, a security vulnerability in Windows.
Microsoft must have been tipped off – either by the Shadow Brokers themselves, or the NSA when it figured its files were missing – since it released a Windows patch a month before the files were dumped online. That wasn’t too useful, though, since entirely too few people updated their systems.
While the NSA had kept this vulnerability a secret in order to build its own exploit, which was clearly revealed from the leaked files, millions of individuals were at risk. Once the Shadow Brokers revealed the stolen NSA files, hackers went to work and their work marks the start of a new era – a very dark time for cybersecurity, unfortunately.
What were the results of the work of hackers, you ask? WannaCry, the worst security threat to reach us thus far – a malware with a ransomware component, as well as worm capabilities. This means that while this ransomware will ask for your money after encrypting your files in order to unscramble them, it can also spread through your entire network via several open ports.
After infecting north of 200,000 computers, the WannaCry infection was stopped by chance. The world was told to update their systems and to install security software, but that didn’t work too well either as additional computers were infected by latter versions of WannaCry.
After the WannaCry nightmare ended, hackers went on and used the same EternalBlue exploit to build NotPetya. This is a malware that used some code from the Petya ransomware, but was actually built for an entirely different purpose – destruction. The infected computers couldn’t have been decrypted even if the authors of the malware had received the payment from the victims, something that was not possible to do just hours after the infection started spreading. The hackers had used an email address, asking victims to send details about their payment in order to receive the decryption key, but that address was shut down fast.
Now, the Shadow Brokers have created a subscription-based program in which they ask high rollers – tech companies, government agencies, hackers, researchers and so on – to pay a sum in ZDcash, an untraceable cryptocurrency, in order to get a monthly delivery of zero-day vulnerabilities. It is believed the files that will be shared in the next couple of weeks come from the NSA as well.
There’s a moral dilemma over whether or not tech companies should pay the money to get the data from the Shadow Brokers in order to secure their systems before hackers get to build an exploit. Then again, there are perfectly legitimate companies out there that have pretty much the same business model, discovering zero-days and sharing them with clients or picking them up off the dark web.
The bottom line of this issue, however, seems to be that intelligence agencies should be working with tech companies to make the Internet safer, not more dangerous.
On the bright side, over in Europe, there’s the Coordinated Vulnerability Disclosure Manifesto, which has been signed by dozens of organizations thus far. By doing this, they declare their support for the principle of having a point of contact to report IT vulnerabilities to. They also acknowledge the importance of research and the white hat communities, which are both working to make the Internet safer. If more of these are to come up in the years to come, then perhaps that pipe dream of a safer Internet might actually become reality.