This entry covers 0day exploits being discovered and sold for profit by some companies rather than disclosed to vendors, and touches upon state-sponsored attacks, including supply chain attacks.
We are basically kind of in the middle of a cyber cold war, and the evidence is kind of staring right at us. So let’s talk about, basically, the underground aspect of this, or really, what I would say, the not-so-underground – this is all there and you can find it all.

There are a number of companies around the world that will find vulnerabilities, develop exploits for them, not disclose them to the vendor, and sell these exploits to single customers – usually governments (see right-hand image). In essence, they’re cyber weapon defense contractors. There’s a company in France that sells exclusively to NATO countries and agencies, and they have a catalogue of all these fabulous weapons; I think it’s 3 million – you have to spend 3 million just to see what they offer. It’s what many would call an ethically challenged industry. Nonetheless, it very closely parallels defense contractors; it just happens to be for cyber space. You see that there’s a war going on in cyber space right now.

So, what’s the price for a 0day? Think about it. It depends on a lot of specifics (see left-hand image). Is that 0day, is that exploit, platform-specific? Does it only work on Windows? Does it only work on Windows XP 32-bit? Or Windows 8 32-bit? Or will it work only on 64-bit? Does it work on any platform, Linux and Windows? Is it some huge fundamental thing that can appear as if it’s just gone wrong? If it’s not that, it’s basically a super-level exploit. What does it allow an attacker to do? Does it allow the attacker to execute remote code? Is it simply just a denial-of-service exploit – you run it and it will cause the service to crash? Or does it allow privilege escalation?
So I did some searching on my own, and I found a contest run by vendors, where they pay $60,000 if you find a vulnerability in their systems. They throw people at Chrome, Firefox, IE, etc. This company is called VUPEN; they have a team of pros, and they wiped the floor. But they didn’t share any of their vulnerabilities with the vendors. The vendors were offering $60,000. They just showed them that your stuff sucks, you guys are noobs. And they said: “We wouldn’t share the details of an exploit with the vendor even for $1,000,000.” And essentially, the exploits at this contest were basically a combination of sandbox escape and remote code execution.

To quote VUPEN’s Chief Executive, they said: “We don’t want to give them any knowledge that will help them in fixing this exploit or similar exploits. We want to keep this for our customers.” And so, here we are, a room full of security researchers, and it’s hard not to see the gorilla in the room: not only is doing the bad stuff profitable, but you can establish a company and operate completely in the public, servicing a host government. Is this even really a black market at that point? They advertise their products on Twitter.
So, how fast does this market move? Hopefully it’s not that fast; hopefully we could gather on the cutting edge. Well, according to their Twitter feed, they’ve already hacked Windows 8 and IE 10.

So, let’s talk about Stuxnet, because that’s been extremely analyzed, and the great people at Symantec have done some amazing analysis of it, and just recently they announced that they discovered and have finished analyzing Stuxnet v.5. Stuxnet 1.0 had 4 Windows 0day exploits, and I have them listed here (see left-hand image) so you can look them up yourself. Essentially, three of them allow for remote code execution, and one allows for administrator privilege escalation (see right-hand image). Now, if you’re buying this on the black market, it’s super expensive, because they’re not willing to disclose these things to vendors for a million dollars, and there was obviously remote code execution plus sandbox escape. Symantec’s analysis of the missing link of Stuxnet found that it was in the wild before 2005 (see left-hand image). So, that means that we’re approaching 2015 and we’re ending the first decade of, essentially, cyber warfare – so much so that we can have an hour-long lecture on it. Since we’re talking about that level of attacks, it’s important to know about supply chain attacks (see right-hand image), because that very first event that I talked about, the Siberian sabotage, was actually a supply chain attack. Even though they were stealing from our supply chain to use in theirs, we sabotaged what they were stealing and caused that explosion.
So a supply chain attack does not mean basically running and gunning on the enemy’s convoy. It means, essentially, that if they are using your products and you control that company, this manufacturer of the microchips, or you control the borders that it’s being transported through, you can manipulate that product. So you can install hardware backdoors, you can install remote kill switches.

And so the state, if it controls the country, can influence that product’s design, its features, or perhaps secret features, and even perhaps have security backdoors, or a blatant lack of security to be easily exploited (see left-hand image). The problem with that is if you install backdoors and someone else finds out about them, it’s not just you.
There were a lot of rumors that a Chinese company called Huawei that does telecommunications technology does this, as in secret backdoors, but I don’t know anything about that.

There are rumors of this going on, and conceptually it’s not unprecedented – it happened in the Cold War. So, what happens if these backdoors get hijacked, perhaps by other nations? We’re buying those North Korean routers, and then actually Iran finds the backdoor, and they’re attacking us, and it looks like it’s actually North Korea. Who do we attribute it to, and how? Aside from state-sponsored supply chain attacks, there have actually been instances of state-sponsored personnel attacks (see left-hand image). In 2012 it was reported that while a CEO was going through a security checkpoint in an airport, where they take all your stuff and put it under an X-ray scanner, they took the smartphone he had, dumped all the data off of it, stole his password and his enterprise credentials for his company, logged in as him and stole a ton of IP, and then went on to actually use his account to perform spear phishing. And the victim was totally unaware of it until much later.