<p>Zero-days – The Conversation</p>
<h1>A Chinese hacking competition may have given Beijing new ways to spy on the Uyghurs</h1>
<p>Published 2021-05-21T15:44:48Z.</p>
<figure><img src="https://images.theconversation.com/files/402132/original/file-20210521-23-z2uzc3.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C5184%2C3888&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/companies-hacked-by-chinese-hackers-cyber-1261948831">Herr Loeffler/Shutterstock</a></span></figcaption></figure><p>When Apple announced in a 2019 <a href="https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/">blog post</a> that it had patched a security vulnerability in its iOS operating system, the company sought to reassure its customers. The attack that had exploited the vulnerability, Apple said, was “narrowly focused” on websites featuring content related to the Uyghur community.</p>
<p><a href="https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/">It has since emerged</a> that the vulnerability in question was discovered at China’s principal hacking competition, <a href="https://www.theregister.com/2020/11/09/tianfu_cup/">the Tianfu Cup</a>, where a professional hacker won a prize for his work in uncovering it. The normal protocol would be to inform Apple of the vulnerability. But it’s alleged that, instead, the breach was kept secret, with the Chinese government acquiring it to <a href="https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/">spy on the country’s Muslim minority</a>.</p>
<p>Hacking competitions are an established way for technology companies like Apple to locate and attend to weaknesses in their software’s cybersecurity. But with <a href="https://www.itpro.co.uk/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack">state-backed hacks</a> on the rise, the suggestion that the Tianfu Cup is feeding Beijing new ways to perform surveillance is concerning – especially seeing as Chinese competitors have dominated international hacking competitions for years.</p>
<h2>Hacking competitions</h2>
<p>When software is hacked, it’s often because attackers have found and exploited a cybersecurity vulnerability that the software vendor didn’t know existed. Finding these vulnerabilities before they’re spotted by <a href="https://www.zdnet.com/article/cybercrime-and-cyberwar-a-spotters-guide-to-the-groups-that-are-out-to-get-you/">cyber-criminals or state-backed hackers</a> can save technology providers a huge amount of money, time and public-relations firefighting.</p>
<p>That’s why hacking competitions exist. Tech companies provide the <a href="https://www.zerodayinitiative.com/blog/2021/1/25/announcing-pwn2own-vancouver-2021">prize money</a> and cybersecurity researchers – or professional hackers – compete to win it by finding the security weaknesses hidden in the world’s most-used software. The likes of Zoom and Microsoft Teams were <a href="https://www.forbes.com/sites/thomasbrewster/2021/04/08/microsoft-teams-and-zoom-hacked-in-1-million-competition/">successfully hacked</a> in April’s Pwn2Own event, for instance, which is regarded as the top hacking competition in North America.</p>
<p>Until 2017, Chinese hackers walked away with a <a href="https://news.cgtn.com/news/3d59544e32417a4d/share_p.html">high proportion of prizes</a> offered at Pwn2Own. But after a Chinese billionaire <a href="https://tech.sina.cn/i/gn/2017-09-12/detail-ifykusey8931658.d.html?vt=4">argued</a> that Chinese hackers should “stay in China” because of the strategic value of their work, Beijing responded by <a href="https://www.cyberscoop.com/pwn2own-chinese-researchers-360-technologies-trend-micro/">banning Chinese citizens</a> from competing in overseas hacking competitions. China’s Tianfu Cup was set up shortly after, in 2018.</p>
<p>In its first year, a hacker competing in the Tianfu Cup produced a prize-winning hack he called “<a href="https://threatpost.com/chaos-iphone-x-jailbreak/141104/">Chaos</a>”. The hack could be used to remotely access even the latest iPhones – the kind of breach that could easily be used for surveillance purposes. <a href="https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html">Google</a> and <a href="https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/">Apple</a> both spotted the hack “in the wild” two months later, after it had been used in a targeted way against Uyghur iPhone users.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/JznReTetgOI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A video demonstration of the ‘Chaos’ iPhone hack.</span></figcaption>
</figure>
<p>Though Apple mitigated the hack within two months, this case shows that exclusive national hacking competitions are dangerous – especially when they take place in countries that <a href="https://www.hrw.org/world-report/2020/country-chapters/global">require citizens to cooperate</a> with government demands. </p>
<p>Hacking competitions are designed to expose “zero-day” vulnerabilities – security weaknesses that software vendors haven’t located or foreseen. Prize-winning hackers are supposed to share the techniques they used so that the vendors can devise ways to patch them up. But keeping zero-day exploits private, or passing them on to government institutions, significantly increases the chance they’ll be used in state-backed zero-day attacks.</p>
<h2>Zero-day attacks</h2>
<p>We’ve seen examples of such attacks before. <a href="https://www.csoonline.com/article/3616699/the-microsoft-exchange-server-hack-a-timeline.html">Early in 2021</a>, four zero-day vulnerabilities in the Microsoft Exchange server were used to launch widespread attacks against <a href="https://www.wsj.com/articles/china-linked-hack-hits-tens-of-thousands-of-u-s-microsoft-customers-11615007991?mod=tech_lead_pos1">tens of thousands of organisations</a>. The attack has been <a href="https://www.itpro.co.uk/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack">linked with Hafnium</a>, a Chinese government-backed hacking group.</p>
<p>A year earlier, <a href="https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?op=1">the SolarWinds hack</a> compromised the security of multiple US federal agencies, including the <a href="https://www.bbc.com/news/world-us-canada-55265442">Treasury and Commerce Department</a> and the <a href="https://www.chathamhouse.org/2021/02/solarwinds-hack-valuable-lesson-cybersecurity?gclid=Cj0KCQjwo-aCBhC-ARIsAAkNQivQecAKCMQKg23wXNavyLrz5r6xn9tFy2XUwmYK08r5GT0ReriiKOwaAqtKEALw_wcB">Energy Department</a>, which is in charge of the country’s nuclear stockpile. The hack has been linked to <a href="https://attack.mitre.org/groups/G0016/">APT29</a>, also known as “<a href="https://www.independent.co.uk/news/uk/home-news/cozy-bear-russia-hacking-coronavirus-vaccine-oxford-imperial-college-a9623361.html">Cozy Bear</a>”, which is the hacking arm of Russia’s foreign intelligence service, the <a href="https://www.bbc.com/news/10447308">SVR</a>. The same group was reportedly involved in the <a href="https://www.wired.co.uk/article/russia-hack-coronavirus-vaccine">attempted hacking</a> of organisations holding information about COVID-19 vaccines in July 2020. </p>
<p>In Russia and China at least, <a href="https://www.ibtimes.co.uk/nation-state-hackers-vs-cybercriminal-gangs-separation-tactics-no-longer-exists-1611556">evidence suggests</a> that gangs of cybercriminals are working closely, and sometimes interchangeably, with state-sponsored hacking groups. With the advent of the Tianfu Cup, China appears to have access to a new talent pool of expert hackers, motivated by the competition’s prize money to produce potentially harmful hacks that Beijing may be willing to use both at home and abroad.</p>
<p class="fine-print"><em><span>Elochukwu Ukwandu received funding from Scottish Enterprise. </span></em></p>
<p class="fine-print"><em><span>Chaminda Hewage does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>In its inaugural contest, the Tianfu Cup produced an iPhone hack that was allegedly used to spy on China’s Uyghur minority.</p>
<p>Chaminda Hewage, Reader in Data Security, Cardiff Metropolitan University</p>
<p>Elochukwu Ukwandu, Lecturer in Computer Security, Department of Computer Science, Cardiff Metropolitan University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Should spies use secret software vulnerabilities?</h1>
<p>Published 2017-05-19T01:02:23Z.</p>
<figure><img src="https://images.theconversation.com/files/170032/original/file-20170518-12257-625y70.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">When is it okay for the government to keep a secret?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/whispering-words-145530742">sharpshutter via shutterstock.com</a></span></figcaption></figure>
<p>The 2017 WannaCry ransomware attack <a href="http://www.cbsnews.com/news/cyberattack-wannacry-ransomware-north-korea-hackers-lazarus-group/">infected about 300,000 computers in 150 countries</a>, and cost computer users <a href="http://www.nbcnews.com/tech/security/total-paid-malware-ransom-how-exploit-spread-n759531">thousands of dollars in ransom money</a> and <a href="http://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/">billions in lost productivity</a>. </p>
<p>The attack took advantage of a vulnerability in the Windows operating system that the federal government had been aware of for years but had chosen not to tell Microsoft about until just months before the WannaCry attack began. That history and the potential for <a href="https://www.engadget.com/2017/05/16/shadow-brokers-nsa-june/">more releases in the coming weeks</a> have intensified the debate around how governments and spy agencies should act when they discover weaknesses in computer software. </p>
<p>It’s a choice of how best to protect the public: <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html">Exploit software vulnerabilities to collect intelligence information</a> that may help keep people safe? Or disclose the flaw, letting the software company fix it and <a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/">protect millions of regular computer users from malicious attacks</a> by hackers?</p>
<h2>Exposing WannaCry</h2>
<p>For years, <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html">the U.S. National Security Agency used a flaw in the Windows operating system</a>, nicknamed “EternalBlue,” to spy on intelligence targets, gathering information from their computer files and electronic communications. But the NSA didn’t tell Microsoft about the flaw in the company’s software until early 2017. The company <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx">quickly issued a fix</a> users could download and install. <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">Many people didn’t</a>, though.</p>
<p>In April, a hacking group called the <a href="https://www.engadget.com/2017/04/14/shadow-brokers-dump-windows-zero-day/">Shadow Brokers reported that it had breached the network</a> of, and stolen information from, computers used by the Equation Group, which has not identified itself but is <a href="http://www.reuters.com/article/us-usa-cyberspying-idUSKBN0LK1QV20150216">widely believed to be part of the NSA</a>. The Shadow Brokers revealed <a href="https://theconversation.com/after-the-nsa-hack-cybersecurity-in-an-even-more-vulnerable-world-64090">information about extremely sophisticated digital tools</a> for attacking military, political and economic targets worldwide. One of those tools was “EternalBlue.”</p>
<p>In May, a hacker or hacking group released a piece of malicious software using “EternalBlue” to hijack computers, encrypt the data on them and charge victims a ransom to restore access to their information. </p>
<p>If the NSA had told Microsoft about the flaw five years ago, things could have unfolded differently. In particular, users could have had much more time to update their software – which would have <a href="https://theconversation.com/why-installing-software-updates-makes-us-wannacry-77667">substantially increased the number of people protected</a> against the vulnerability.</p>
<h2>Using ‘zero days’</h2>
<p>The most serious cyberattacks are those that use previously unknown vulnerabilities. They are called “zero day” exploits because the developers have had zero days to fix the flaw before trouble began, so nobody is protected. The NSA may know of <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">hundreds, or even thousands, of them</a>. Spy agencies of other countries, including <a href="https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1">China, Russia, Iran and North Korea</a>, are also working to find zero-day vulnerabilities.</p>
<p>Using these vulnerabilities can be effective. For instance, the NSA used four zero-day vulnerabilities as part of a series of cyberattacks on Iran’s nuclear enrichment sites. That effort, officially code-named “Olympic Games,” created the program known to the public as “<a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">Stuxnet</a>,” which damaged about 1,000 centrifuges and <a href="https://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html?_r=1">may have helped force Iran to negotiate</a> with the U.S. about its nuclear program.</p>
<h2>Should they keep the secret?</h2>
<p>By not telling software companies about newly identified vulnerabilities, government agencies such as the NSA and CIA serve their own purposes of finding ways to gather intelligence undetected. But they also <a href="https://fcw.com/articles/2017/03/13/zero-day-stockpile-carberry.aspx">endanger critical systems of governments and regular users alike</a>. </p>
<p>The U.S. does not have strong and clear policies with which to handle this problem. In January 2014, the <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">Obama administration ordered spy agencies</a> to <a href="https://www.wired.com/2014/04/obama-zero-day/">disclose weaknesses they find</a> – but with a significant loophole: If a software flaw has “a clear national security or law enforcement” use, the government can <a href="http://www.reuters.com/article/us-apple-encryption-review-idUSKCN0WW2OL">keep the flaw secret</a> and exploit it.</p>
<p>These are <a href="http://dx.doi.org/10.1080/01972243.2016.1177764">complex trade-offs</a> involving many questions: What might spies learn by exploiting the vulnerability? How likely is it that adversaries could find it? What might happen if they use it? <a href="https://www.wired.com/2017/05/governments-wont-let-go-secret-software-bugs/">Can the secret be kept securely and reliably</a>? Regardless of the <a href="http://dx.doi.org/10.1145/2535813.2535818">ethics questions</a> about how these agencies should best carry out their duty of protecting the public, the decision will likely end up as a political one, about <a href="https://jia.sipa.columbia.edu/online-articles/healey_vulnerability_equities_process">how the government should use its power</a>.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>What’s the best way for spy agencies to protect the public: secretly exploit software flaws to gather intelligence, or warn the world and avert malicious cyberattacks?</p>
<p>Nir Kshetri, Professor of Management, University of North Carolina – Greensboro</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>iPhone hack attack shows why we need to rein in the trade in spyware</h1>
<p>Published 2016-09-16T01:57:44Z.</p>
<figure><img src="https://images.theconversation.com/files/137901/original/image-20160915-30617-12pqlsr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Apple didn't know about the vulnerability until the iPhone hack.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/matsuyuki/8444605636/">Flickr/Toshiyuki IMAI</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure>
<p>Downloading security updates for computers and mobile devices is a regular routine for most of us.</p>
<p>But not all such updates are created equal. Apple’s recent <a href="https://support.apple.com/en-au/HT207107">iOS 9.3.5 update</a> (and a related update to parts of OS X) was one of the more significant in recent memory. </p>
<p>The update fixed three security flaws which, used in combination, could give an attacker full control over an iPhone if the phone’s user clicked on a malicious link.</p>
<p>The discovery of these security flaws brought to light a relatively new, low-profile and ethically questionable business: selling potent hacking tools, and information about security flaws that make them effective, to government agencies and private companies around the world. </p>
<h2>Zero-day exploits – a hacker’s wild card</h2>
<p>In the world of information security, a vulnerability is a flaw in an IT system with security implications. A zero-day vulnerability is simply one that is unknown to the developers of an IT system. This means there is no fix available for it.</p>
<p>An exploit is a computer program that takes advantage of one or more vulnerabilities to make an IT system do something its administrator didn’t intend it to do. </p>
<p>A zero-day exploit is an exploit that uses a zero-day vulnerability. If a zero-day exploit is in the hands of an attacker, there is little a user or system administrator can do to stop them. </p>
<p>Exploits vary greatly in the scope of things they enable an attacker to do to a system. The most potent exploits are “root” exploits, which give an attacker complete control over the system.</p>
<p>Similarly, exploits vary in the ways that they can be delivered. A remote exploit is one that can be transmitted to the target device over a network.</p>
<p>The most insidious remote exploits happen without any user involvement, but even remote exploits that require tricking a user to click on a link, for instance, are often effective.</p>
<h2>Spying on a human rights activist</h2>
<p>The vulnerabilities in iOS came to light when an internationally recognised Emirati human rights activist, <a href="https://twitter.com/ahmed_mansoor">Ahmed Mansoor</a>, received an odd-looking text message on his iPhone. </p>
<p>Mansoor was sufficiently sceptical to forward the message to security researchers, who investigated the message and discovered the exploit and its origins. Detailed reports are available from the researchers at <a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">Citizen Lab</a> and <a href="https://blog.lookout.com/blog/2016/08/25/trident-pegasus/">Lookout Security</a>.</p>
<p>The attempted attack against Mansoor’s iPhone was extremely potent. It used a combination of three zero-day vulnerabilities that were unknown to Apple and would have given the attackers complete control over his iPhone and the data on it. </p>
<p>It was sent to his phone as a text message. Its one weakness was that it required that Mansoor actually click on the malicious link in that message. It is the first known such attack against the iPhone.</p>
<h2>NSO Group, spyware exporters extraordinaire</h2>
<p><a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">According to Citizen Lab researchers</a>, the software used to target Mansoor’s iPhone was probably the work of NSO Group, an Israel-based company that is <a href="http://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=257152480">reportedly</a> American-owned. </p>
<p>The <a href="https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">Citizen Lab report on the Mansoor case</a> says:</p>
<blockquote>
<p>The high cost of iPhone zero-days, the apparent use of NSO Group’s government-exclusive Pegasus product, and <a href="https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/">prior known targeting of Mansoor</a> by the UAE government provide indicators that point to the UAE government as the likely operator behind the targeting.</p>
</blockquote>
<p>It says the same NSO Group software was also used to target journalists in Mexico, and had also been used in Kenya. </p>
<p>Israeli newspaper <a href="http://www.ynetnews.com/articles/0,7340,L-4851719,00.html">YnetNews</a> reports that the Defense Export Controls Agency (DECA) granted the NSO Group a license to sell its espionage program, Pegasus, to a private company in an Arab state, despite some strong objections.</p>
<p>The news report goes on to say that Foreign Ministry officials stress the NSO Group was not involved in any data breach itself. </p>
<h2>The spyware bazaar</h2>
<p>NSO Group is but one of a number of companies domiciled in wealthy American-allied democracies offering similar hacking tools to government agencies, including undemocratic governments known for systematic human rights violations. </p>
<p>One such company, Italy-based Hacking Team, <a href="http://motherboard.vice.com/read/here-are-all-the-sketchy-government-agencies-buying-hacking-teams-spy-tech">was itself hacked</a> in 2014. Its customer list was leaked to media outlets, and included the Sudanese and Saudi Arabian governments.</p>
<p>As well as the trade in complete spyware products, another group of companies trade in information about zero-day vulnerabilities. One company, <a href="https://www.zerodium.com/">Zerodium</a>, has even posted a <a href="https://www.zerodium.com/program.html">“reward list”</a>, indicating what it will pay for different zero-day exploits against different software platforms. Apple iOS exploits can fetch up to US$500,000.</p>
<p>Zerodium <a href="https://www.zerodium.com/ios9.html">claims to have purchased</a> a zero-day remote exploit against the iPhone, similar in its effects to the NSO Group hack, in November 2015. </p>
<p>It is unknown whether the vulnerabilities used by the exploit (if it indeed exists) are common to the NSO Group hack, and therefore whether it still works on iOS 9.3.5 and 10.</p>
<p>Zerodium’s client list is known only to Zerodium and the governments that permit it to operate. But spyware vendors such as NSO Group need a steady supply of exploits for their tools to remain functional, so they would be plausible customers.</p>
<h2>Leaving the rest of us exposed</h2>
<p>Police forces and intelligence agencies do have legitimate reasons for wanting to get covert access to IT systems. But the current trade in hacking tools and zero-day vulnerabilities should, in my view, be drastically reined in.</p>
<p>First, Western democracies are far too willing to permit the sale of these tools to undemocratic governments that use them to spy on political opponents.</p>
<p>Second, by stockpiling and exploiting vulnerabilities rather than assisting software developers to fix them, this trade leaves the rest of us unprotected if other parties discover and exploit the same zero-days.</p>
<p>While core government defence and intelligence infrastructure might get its own, secret protection against such attacks, there are a broad range of other targets who are potentially at risk of highly sophisticated attacks, even by state-sponsored hackers, and do not have the benefit of such protection.</p>
<p>Russian state-sponsored hackers, for instance, have been accused of attacking high-profile non-government organisations, such as the <a href="http://www.nytimes.com/2016/07/27/us/politics/spy-agency-consensus-grows-that-russia-hacked-dnc.html">organisational wing of the US Democratic Party</a>, and even the <a href="http://www.abc.net.au/news/2016-09-14/doping-wada-systems-hacked-by-russian-cyber-espionage-group/7842644">World Anti-Doping Agency</a> (WADA).</p>
<p>The WADA hack was <a href="http://www.bbc.com/news/world-37352326">apparently the result</a> of <a href="http://au.norton.com/spear-phishing-scam-not-sport/article">spearphishing</a> and probably did not involve use of a zero-day exploit. But zero-days could easily be used for similar attacks. </p>
<h2>‘NOBUS’ for the NSA, but not for the private sector</h2>
<p>The US government’s own hacking agency, the National Security Agency, reportedly has a <a href="https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/">“Nobody But Us” policy</a> that guides a decision whether to reveal vulnerabilities it finds to software developers, or keep them secret for exploitation. </p>
<p>As former NSA director Michael Hayden put it:</p>
<blockquote>
<p>If there’s a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think “NOBUS” and that’s a vulnerability we are not ethically or legally compelled to try to patch – it’s one that ethically and legally we could try to exploit in order to keep Americans safe from others.</p>
</blockquote>
<p>Whether the NSA is actually following the spirit of this stated policy is <a href="https://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html">open to doubt</a>. </p>
<p>But there is no such principle guiding the broader trade in hacking tools between private companies and governments around the world. It appears to be disturbingly close to open slather. </p>
<p>It’s time for this to change.</p>
<p class="fine-print"><em><span>Robert Merkel does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Rich rewards are on offer to people who can help private companies develop software to exploit vulnerabilities in technology such as smartphones. It might be legal but is it ethical?</p>
<p>Robert Merkel, Lecturer in Software Engineering, Monash University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Panama Papers revelation: we must rethink data security systems</h1>
<p>Published 2016-05-04T10:11:05Z.</p>
<figure><img src="https://images.theconversation.com/files/120571/original/image-20160428-20160-vk1tyb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The attacker may already be inside.</span> <span class="attribution"><a class="source" href="http://www.shutterstock.com/pic-311055986/stock-photo-high-angle-view-of-hacker-stealing-information-from-computers-at-desk.html?src=FokqItq2wHW6ZY7OvqrBKg-1-4">Computer user image via shutterstock.com</a></span></figcaption></figure>
<p>The surge of information leaks from highly confidential sources in recent years demonstrates the futility of current cyber defenses. </p>
<p>The leaks of <a href="https://wikileaks.org/plusd/?qproject%5B%5D=cg&q=#result">U.S. diplomatic cables</a>, <a href="https://www.opm.gov/cybersecurity/cybersecurity-incidents/">Office of Personnel Management data</a>, <a href="https://wikileaks.org/cia-emails/">CIA operational documents</a> and most recently <a href="http://panamapapers.sueddeutsche.de/en/">client files from the Panamanian law firm of Mossack Fonseca</a> have created political turmoil on an international level. These dramatic breaches are confirmation that we need to fundamentally rethink our approach to data security. </p>
<p>Businesses and government agencies have spent much of the last two decades attempting to integrate disparate databases and information systems, seeking to improve efficiency. But that sort of consolidation is disastrous from a security point of view. It exposes vast swaths of organizational data to every intrusion, and to every insider with a password. It puts all the data on a big open field. Yes, the company builds a big wall around it all, but anyone who gets over the wall or is allowed in the door has access to everything.</p>
<p>Worse, the wall itself is useless. Beyond malicious insiders with broad access, other vulnerabilities render all defenses worthless. For example, “<a href="http://www.wired.com/2014/11/what-is-a-zero-day/">zero-day</a>” attacks exploit previously unknown software vulnerabilities that have not yet been fixed and are not yet guarded against by security software. (The name comes from the fact that the software’s authors have had zero days to address the problem.)</p>
<p><a href="http://lifehacker.com/why-social-engineering-should-be-your-biggest-security-1630321227">Social engineering</a> attacks, on the other hand, target weaknesses in humans rather than technical tools. They use carefully crafted phone conversations or email messages to trick authorized users into clicking on malicious links or voluntarily disclosing information that bypasses security defenses.</p>
<p>Given all of these vulnerabilities, breaches of confidential information are inevitable. But we can limit their size and scope, and therefore their damage. Rather than building useless walls around open spaces we imagine to be secure, we must understand that the interior cannot be fully protected. Instead, we must tighten control from within, particularly by tracking all data access and usage. The goal should not be preventing the unpreventable, but rather detecting incidents quickly, and minimizing the resulting harm.</p>
<h2>Seeking to limit damage</h2>
<p>In the specific case of the Panama Papers, 11.5 million customer documents were copied from Mossack Fonseca and revealed to a German newspaper, Süddeutsche Zeitung, which then shared them with other news outlets as well as the International Consortium of Investigative Journalists. <a href="http://wcfcourier.com/news/opinion/editorial/panama-papers-show-need-for-transparency/article_6f706f49-7da6-5a28-b9ac-c25fe10db9d0.html">These revelations</a> – 2.6 terabytes of stolen data – are a Rosetta Stone of the tax haven world. They focus on more than 3,500 people who owned shares in shell corporations that were created by Mossack Fonseca, including people with ties to 12 current or former world leaders, 143 politicians, as well as sports stars and drug lords.</p>
<p>While the leaker or leakers are still not identified, they may eventually be unmasked by electronic forensic work. Their points of entry, <a href="http://www.wired.co.uk/news/archive/2016-04/06/panama-papers-mossack-fonseca-website-security-problems">from what we know</a>, were remarkably basic: unencrypted emails on a version of Microsoft Outlook not updated since 2009, server vulnerabilities including a WordPress plugin known to be buggy and a customer portal running on a <a href="http://fortune.com/2016/04/09/bad-security-panama-papers/">long-outdated version of Drupal</a>. </p>
<p>Simple security protocols, such as ensuring that software updates were installed regularly, would have closed these doors. While a determined attacker could have found other ways in, the treasure trove of documents now known as the Panama Papers was apparently left virtually unprotected.</p>
<p>Organizations should take advantage of the fact that the entire process of data extraction takes time: a hacker first creates an intrusion (or an insider first gets motivated to undertake malicious activity), then conducts reconnaissance for data access and security, and finally copies data. There is sufficient time in this process to take action that could limit damage. </p>
<h2>Guarding from the inside</h2>
<p>By understanding and accepting that it is impossible to create a perfectly secure computing and data environment, companies can take significant steps to increase the likelihood of timely detection, and to prevent (or at least limit) the compromise of data. They must:</p>
<ol>
<li>Restrict information access based on immediate need. The push to increase productivity by integrating databases and improving data accessibility to employees has come with a security cost. Smartly controlling access to data should improve both productivity and security.</li>
<li>Log and monitor access to data and downloads, not only to enforce basic protections, but also to understand who is accessing data and why – and to record patterns of normal behavior for each user. Departures from those norms could trigger security alerts. Companies are starting to do this, but without protections that are strong enough to be really effective.</li>
<li>Divide information intelligently into separate blocks based on what data sets are really related to each other. This can prevent a single intrusion from compromising the entirety of an organization’s data. For instance, people’s contact information should be stored separately from records of their financial transactions.</li>
<li>Manage data archiving to regularly delete obsolete records.</li>
<li>Begin a program of active insider probes, in which security staff surreptitiously offer employees opportunities to violate access protocols, and record and analyze the responses. This can reveal malicious intentions or behavior ahead of time, and help assess the risk that particular staff members could become data thieves.</li>
</ol>
<p>As individuals, we also need to conduct a personal risk analysis of the likelihood that our personal information could be leaked from companies that manage our data. </p>
<p>It is likely that most of the information exposed in the Panama Papers is not from criminals attempting to launder money, but rather from rich people attempting to shelter their wealth from taxes. Whether these shell corporations were designed for legitimate purposes or not, the breach has shown more than their holders’ identities. It has revealed how the rich and famous hide their wealth and evade taxes. And it has redoubled suspicions about business transactions that need this cloak of secrecy.</p>
<p>This incident also confirms the antiquated basis of security – the overarching approach and specific programs and tools – being used in corporations today. The Panama Papers will have ongoing political, tax and business implications on an international level. With luck, they might also lead to greater scrutiny and fundamental redesigns of corporate security structures.</p>
<p class="fine-print"><em><span>Sanjay Goel does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Sanjay Goel, Associate Professor of Information Technology Management, University at Albany, State University of New York. Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/45637 2015-08-05T03:56:21Z
‘Zero-day’ stockpiling puts us all at risk
<figure><img src="https://images.theconversation.com/files/90849/original/image-20150805-22471-1ld6d8w.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Once a software maker learns about a "zero-day" vulnerability, there's usually no time left to fix it.</span> <span class="attribution"><span class="source">Midnight via www.shutterstock.com</span></span></figcaption></figure>
<p>“Zero-days” are serious vulnerabilities in software that are unknown to the software maker or user. They are so named because developers find out about the security vulnerability the day that it is exploited, therefore giving them <a href="http://www.eset.co.uk/Press-Centre/Blog/Article/flash-zero-day">“zero days” to fix it</a>.</p>
<p>These vulnerabilities can be found in some of the most widely used software and platforms on the commercial market: Adobe Flash, Internet Explorer, social networks (Facebook and LinkedIn, to name two) and countless others. </p>
<p>The <a href="http://www.bloomberg.com/news/2014-05-02/us-contractors-scale-up-search-for-heartbleed-like-flaws.html">recent dump of emails from Hacking Team</a> sheds new light on the extent of government involvement in the international market for zero-days. Rather than disclosing these vulnerabilities to software makers, so that they can be fixed, government agencies buy and then stockpile zero-days. </p>
<p>This practice and the policy that permits it expose billions of internet and software users to serious and unnecessary cybersecurity risks. A number of solutions to this problem are available, but first let’s take a look at the zero-day market.</p>
<h2>The growing market for zero-days</h2>
<p>Knowledge of the existence of zero-days is valuable to criminals and intelligence agencies alike. They pay lots of money to learn about these vulnerabilities and then develop exploits (or simply purchase the exploits) to circumvent the information security of their targets. </p>
<p>Among other techniques, the hackers that breached <a href="http://recode.net/2015/01/20/heres-what-helped-sonys-hackers-break-in-zero-day-vulnerability/">Sony Pictures Entertainment</a> and the <a href="https://www.washingtonpost.com/world/national-security/chinese-hackers-breach-federal-governments-personnel-office/2015/06/04/889c0e52-0af7-11e5-95fd-d580f1c5d44e_story.html">Office of Personnel Management (OPM)</a> exploited zero-day vulnerabilities to pull off these high-scale hacks.</p>
<p><a href="https://tsyrklevich.net/2015/07/22/hacking-team-0day-market/">This has become serious business</a>. The international market for the buying and selling of zero-day vulnerabilities comprises <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">three overlapping markets</a>: “black,” “gray” and “white.”</p>
<p>Sellers in the black market include freelance hackers and organizations. Buyers include <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">criminals and criminal organizations</a>. Given the underground nature of the market, there’s no telling how many vulnerabilities are bought and sold on the black market. Roy Lindelauf, a researcher at the Netherlands Defence Academy, believes that <a href="http://www.economist.com/news/business/21574478-market-software-helps-hackers-penetrate-computer-systems-digital-arms-trade/">more than half of exploits sold are now bought from bona fide firms rather than from freelance hackers</a>, suggesting that the black market is not the biggest of the three interlinked markets.</p>
<p>The second market is “gray” in the sense that it is legal though unofficial and unregulated. <a href="http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?_r=0">Nation-states historically have had a monopoly over buying in the gray market</a>. They include Brazil, India, Israel, Malaysia, North Korea, Russia, Singapore, the United Kingdom, the United States and many more. Defense contractors such as <a href="http://www.techweekeurope.co.uk/news/zero-day-exploit-vulnerabilties-cyber-war-91964">Northrop Grumman</a> and Raytheon are also thought to be buyers and/or sellers.</p>
<p>Firm estimates of the size of the gray market are difficult to make. The National Security Agency (NSA) in the United States is considered to be “<a href="https://wikileaks.org/hackingteam/emails/emailid/169933">the best, surest zero-day acquirer … in truth, a really insatiable one</a>,” according to a Hacking Team email indexed by WikiLeaks. It spent <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/">US$25 million in 2013</a> to procure “software vulnerabilities” from private malware vendors. <a href="http://www.researchgate.net/publication/259150675_The_Known_Unknowns_In_Cyber_Security">One source</a> suggests that the average price for a zero-day ranges from $40,000 to $160,000. </p>
<p>Buyers in the also legal “white” market include software makers such as <a href="http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html?_r=0">Facebook, Google, Microsoft</a> and <a href="https://threatpost.com/linkedin-goes-public-with-its-private-bug-bounty/113362">LinkedIn</a>. Software makers offer a sum of money, sometimes called “bug bounties,” to anyone who finds and discloses the existence of a vulnerability to them. </p>
<p>There are also platforms that connect dozens of software makers with security researchers and experts. They promise a commission to those who disclose vulnerabilities to software makers through the platform. iDefense and TippingPoint were two early companies in this space. New companies have joined the scene, such as HackerOne, which <a href="http://venturebeat.com/2015/06/24/hackerone-raises-25m-to-make-the-internet-safer-via-bug-bounty-programs/">recently raised $25 million in venture capital</a>. </p>
<p>Bug bounties are a novel solution to the problem of zero-days: pay people not to hack a system. Instead, pay those people to use their skills to find and disclose vulnerabilities so that software makers can fix them, thereby improving overall cybersecurity.</p>
<p>The amounts paid through bug bounty programs can be significant. In all markets, <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">prices tend to be determined by the type of bug and the potential for hacking use</a>. However, the prices on the <a href="http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5633685&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5633685">white market are not typically as high as prices on the black market</a>, nor do the prices come close to the losses incurred by the victims of zero-day exploits. </p>
<h2>Risks of government stockpiling</h2>
<p>While many government agencies are buyers in the global gray market for zero-days, almost no countries have an explicit policy stance toward what they do with the bugs that they buy. </p>
<p>In the US, some details of the official policy toward disclosure of zero-days have been made public. Former NSA Director General Keith Alexander has stated that the agency uses zero-days “<a href="http://www.wired.com/2014/05/alexander-defends-use-of-zero-days/">for defense, rather than … for offensive purposes</a>.” President Barack Obama’s <a href="http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html">view</a>, according to his advisers, is that “when the National Security Agency discovers major flaws in internet security” it “should – in most circumstances – reveal them … rather than keep them mum so that the flaws can be used.” A broad exception, however, is made for a clear national security or law enforcement need.</p>
<p>The use of the phrase “<em>national security</em>” is curious considering that a policy of withholding any zero-days at all effectively puts the security of all users of the software in question – which in today’s world includes companies, government agencies and individuals – at additional risk of being hacked. </p>
<p>To its credit, the US has gone further than all other governments in explaining its policy toward zero-day disclosure. Australia, China, Russia and the United Kingdom have not made their stance on zero-days public at all. </p>
<p>The consequences of this practice – and the often-murky policies that permit it – are severe. When knowledge of a zero-day is bought and then stockpiled by a government agency, there’s no guarantee that some other malicious person or organization will not independently discover (or purchase) and exploit that same vulnerability.</p>
<p>By withholding knowledge of zero-days, government agencies keep all software users in a state of suspended risk. The scope of this risk is global, as the software and platforms in question are used by billions of people.</p>
<h2>What alternatives are there?</h2>
<p>Instead of a policy of stockpiling zero-days, and the risks that this policy entails, what alternative policies might exist? </p>
<p>Mandatory disclosure, or <a href="https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf">greater oversight</a>, over the discovery or purchase of zero-days are obvious domestic alternatives to the status quo. At an international level, “voluntary collective action to harmonize export controls on zero-days through the <a href="http://moritzlaw.osu.edu/students/groups/is/files/2015/06/Fidler-Second-Review-Changes-Made.pdf">Wassenaar Arrangement</a>” is seen as another possible direction, particularly given that it is currently under review. This agreement was designed to control the export and import of weapons and technologies that have potential military applications.</p>
<p>Computer security analyst and risk management specialist <a href="http://geer.tinho.net/geer.suitsandspooks.19vi15.txt">Dan Geer</a> has proposed that the US government outbid (by 10 times) every other buyer in the international market for zero-days so long as bugs are “<a href="http://studentbounty.com/essays/cybersecurity-as-realpolitik-dan-geer/6/">sparse not dense</a>” (that is, the software in question has few, not many, bugs). </p>
<p>If the NSA spends $25 million a year on zero-days, under Geer’s plan this would increase to at least $250 million. The NSA budget is at least $10 billion annually, with <a href="https://www.washingtonpost.com/blogs/the-switch/wp/2013/08/29/the-nsa-has-its-own-team-of-elite-hackers/">$1.2 billion spent in 2013</a> on offensive cyber-capabilities (in other words, state-sponsored hacking). </p>
<p>Given the size of these budgets, Geer’s proposal is financially possible, though it would require a serious change of official policy, starting with mandating the immediate disclosure of all bugs to software makers so that they can be patched. </p>
<h2>Going for the root</h2>
<p>If governments were really serious about addressing the problem of zero-day vulnerabilities, they might consider going to the root of the problem: placing liability on software makers for buggy code. </p>
<p>The common practice for software makers, since the 1980s, is known as “<a href="http://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/?hpid=z1">patch and pray</a>.” In short, software makers rush a product out the door, opting to release patches for vulnerabilities later, instead of investing time and resources for additional testing and patching of bugs (including zero-days) before release.</p>
<p>The economic logic is simple. Shipping equals sales and revenue. Delaying release to test and correct bugs adds to costs. Given that the losses from faulty software fall on the user, not the software maker, <a href="https://medium.com/message/why-the-great-glitch-of-july-8th-should-scare-you-b791002fff03">there’s little incentive for the software maker to fix the bugs before shipping</a>. It’s easier to “<a href="http://mashable.com/2014/03/13/facebook-move-fast-break-things/">move fast and break things</a>” when you don’t have to pay for the things that end up broken. </p>
<p>To make matters worse, users do not always promptly update their software, which is really the only defense they have. Vulnerabilities can thus persist for years after they have been discovered and patches made available. </p>
<p>Placing liability on the software maker for the losses due to their buggy software would completely alter these incentives. A number of approaches could be investigated in an attempt to find one that balances the need to minimize bugs, and protect users, while not smothering innovation. </p>
<p>Placing any kind of liability on software makers for their faulty products would take a great deal of political will, <a href="http://homeland.house.gov/hearing/subcommittee-hearing-promoting-and-incentivizing-cybersecurity-best-practices">particularly in a climate where current proposals are pushing for the opposite</a>. However, if done correctly, it would create a strong incentive for software makers to adopt more rigorous measures to reduce the number of bugs in their software. This would give a meaningful boost to the cybersecurity of billions of software users.</p>
<h2>Paradox of cybersecurity policy continues</h2>
<p>Government officials claim to be doing everything possible to enhance cybersecurity. Zero-days are a serious threat to the cybersecurity of individuals, government agencies and corporations. </p>
<p>Yet government agencies are the biggest buyers of zero-days. If they’re serious about cybersecurity, why then do these government agencies withhold knowledge of some of the zero-days that they discover or purchase? </p>
<p>This is yet another example of the <a href="http://www.mantlethought.org/other/paradox-cyber-security-policy">paradox of current cybersecurity policy</a>: government agencies tasked with enhancing cybersecurity conduct activities that result in the opposite outcome. </p>
<p>A clear policy of disclosure of all discovered or purchased zero-days would be a major step forward in bolstering cybersecurity internationally. Even better would be a policy that goes to the root of the problem, by allocating some liability on software makers for the losses linked to their buggy software. </p>
<p>Until the political will is mustered to address the problem of buggy software, including zero-days, the best that software users can do to protect themselves, unfortunately, is to follow the software makers’ lead: patch and pray.</p>
<p><em>This article has been updated to remove an estimate, derived from a ResearchGate report, of the number of vulnerabilities bought by the NSA in 2013. This estimate likely overstates the number of vulnerabilities purchased.</em></p>
Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs, Columbia University. Licensed as Creative Commons – attribution, no derivatives.