This Is How They Tell Me the World Ends PDF Download
- Book Name: This Is How They Tell Me the World Ends
- Authors: Nicole Perlroth
- Pages: 528
- Publish Date: 9 February 2021
- Language: English
- Genre: fiction
Nicole Perlroth, This Is How They Tell Me the World Ends: The Cyber Weapons Arms Race. Narrated by Amanda Maher and Thomas Florio.

On December 23, 2015, just before Christmas celebrations were about to start, Russia shut off the electricity and heat across western Ukraine. Ever since Ukraine had won its independence in 2014, Russia had been retaliating by unleashing a digital assault on Ukraine's government and media agencies, and now they were proving just how effective those attacks had been. Russian hackers had embedded themselves in networks that controlled Ukraine's infrastructure, and to prove that they still had control over the nation, they turned the power off for six hours in the dead of winter. For good measure, they did it again a year later, blacking out the city of Kiev. Never before had a nation crossed this line and hijacked another country's grid.
But the reality of the situation is that this attack wasn't something that just happened out of the blue. For years, there'd been an escalating arms race going on around the world. Only this time, it wasn't rockets and ballistic weapons; it was lines of digital code that allow almost any device that uses a computer chip to be hacked. This is the story of how we got to this point, and how increasingly vulnerable we're making ourselves by connecting more and more things to an internet that's anything but secure.
Blink one of nine: Ground zero days

The author began covering the cyber security beat for The New York Times in 2010. By 2013, she was already feeling the side effects of the job. She'd uncovered stories of Chinese hackers getting inside everything from printers to thermostats and trying to steal intellectual property that ranged from military planes to the formula for Coca-Cola. Iranian hackers had already brought down the network for the Saudi oil company Aramco, wiped its data and destroyed 30,000 computers while leaving an image of a burning American flag on every screen. So after just a few years reporting on the topic, anything with a plug was beginning to look suspicious. As a much-needed escape from the internet, the author booked a week-long tour through Kenya. But her African vacation was cut short when Edward Snowden decided to give the world a peek into the dark recesses of America's National Security Agency, or NSA. In his position as an NSA contractor, Snowden leaked thousands of highly classified NSA documents. These documents revealed that America's premier spy agency was, surprise, pretty good at spying.
In fact, its tools and capabilities were better than most. The bigger surprise was that many people believed that digital encryption was still keeping networks and information safe. Snowden's leak blew that line of thinking wide open.
It was clear that the NSA had found a myriad of ways to hack around encryption. In some cases, the NSA was paying companies to give it back-door access to their data, but in other cases the back doors came from what are known as zero days. Now, a zero day is essentially a flaw in a piece of hardware or software that, when exploited, allows someone undetected access. This means the flaw hasn't been made public, so there have been zero days for the company to come up with a patch. For example, if you surf the web using Microsoft Explorer, a zero-day flaw for that web browser could allow someone to invisibly hack into your browser, steal your passwords, credit card information or emails, and even download your data or record your keystrokes. The Snowden leaks showed that the NSA had accumulated a good number of zero days that provided it with access to all of the most widely used apps, social media platforms, phones, computers and operating systems. When this news got out, some people assumed that companies like Apple and Microsoft were in cahoots with the NSA, but this wasn't the case. These companies were livid when they learned that the NSA knew about these zero days and didn't let them fix the flaws. Perhaps even more worrisome is the fact that the NSA didn't always find and develop these zero days itself. It bought them, with taxpayer money, from hackers around the world. As we'll see in the next blink, the marketplace for zero days is a morally dubious gray zone that has only gotten darker in recent years.

Blink two of nine: The first rule of the zero-day market

The Snowden leaks offered a glimpse of what zero days are capable of, but people familiar with cyber security and the hacking community were already well aware. The author knew that hackers earned a lot of money by selling zero days and exploits to brokers and bidders. What she didn't know was who those buyers were. Months before Edward Snowden became a household name, the author was attending one of the world's many hacker conventions. This one was in South Beach, Florida. After a while, she found herself sitting at a table with Ralph Langner, a German security specialist, and two Italian hackers.
The author wanted to learn more about how the zero-day market worked, so she asked the two Italians to elaborate on their business practices. For instance, who do they typically sell to? Are there countries, like Russia or Turkey, that they might think twice about selling to? But neither of the Italians would offer even a hint. It turns out there's often a legal component to such silence.
The author later learned that selling a zero day often involves the seller signing a non-disclosure agreement. Such NDAs usually stipulate that the hacker won't mention the details of the sale for a certain period of time. But this doesn't mean that nothing is known about the zero-day market. In the early 2000s, hackers often posted their zero-day exploits on message boards. Some would also attempt to bring flaws to the attention of companies like Microsoft, but for the most part they were treated like someone who's just told you they broke into your house last night. Instead of thanks, the hackers were handed lawsuits. One of the first companies to see a different way of doing things was iDefense, a fledgling security outfit. iDefense offered its clients information about potential dangers so that they could start working on a patch. For the most part, early security companies simply monitored places like BugTraq. But iDefense knew that not every hacker wanted to settle for the street cred that came with posting an exploit on a message board. So in 2002, iDefense started a new plan: it would offer hackers money for their zero days. Then the security company could inform its clients. Everyone would benefit. The only problem was companies like iDefense could only spend so much. The most it could afford was a couple of thousand dollars per verified exploit. By 2005, government intelligence agencies were entering the market, armed with much bigger budgets. The key difference here is that agencies like the NSA weren't spending big bucks to inform the companies affected. Instead, they did the exact opposite and kept the zero days under wraps. After all, a digital spy tool is only good if the vulnerabilities remain unpatched. This is how Americans ended up having their tax dollars spent on keeping the vulnerabilities in their computers and phones a secret, both from the companies that made the products and from themselves.

Blink three of nine: Money versus morals

Any market where details are hidden, where buyers and sellers can't discuss things, is bound to be trouble. The zero-day market is no exception. For starters, since zero-day sales are private, sellers can't estimate a fair price for their work. Sellers also don't know how their zero day will be used. And if sellers think they've been cheated or misled, there could be consequences. To further complicate things, buyers need to verify that a zero day works before money changes hands. What prevents them from testing it, declining to buy, and then using it anyway? On the other hand, buyers have to put a lot of trust in sellers as well. Who's to say that a hacker won't sell a zero day to multiple countries around the world, even if that hacker has agreed not to? It's not like these agencies are going to openly compare their inventory. As a result, the market relies on a ridiculous amount of trust. Sellers essentially promise not to talk about their activities, much as mobsters adhere to omerta, a code of silence. And everyone likes to think that buyers operate on a samurai code of bushido, which dictates a morally upstanding way of life. These are very dangerous things to rely upon when dealing with information that erodes liberties and puts the safety of the world at risk.

When the author was at the Florida hacker convention and the two Italians refused to answer her question, Ralph Langner, the German security specialist, grew irritated. He turned to the author and spoke loud and clearly: "These men are young. They have no idea what they are doing. All they care about is money. They have no interest in learning how their tools will be used or how badly this will end."

It wasn't until 2015 that a broker from the zero-day market finally agreed to speak, openly but anonymously, to the author. Starting in the late 1990s, the broker began working at one of the major contractors who bought zero days for the U.S. intelligence agencies. The agencies came with requests like finding a way into a Russian embassy or a Pakistani consulate. The broker's team would find out what kind of technology these places had and then find a way in. So while a Microsoft Windows bug in the early 2000s might have earned someone $50,000, a bug for some obscure program that was being used by a foreign target could go for double that amount. But as the 2000s rolled on, it wasn't just U.S. agencies that were looking to buy. Other governments began cold-calling hackers and brokers, asking, "What have you got?" The international market came in strong in the mid-2000s, offering unprecedented amounts of money for zero days. For some, the money was enough to trump any questions about morality. For others, there wasn't a question at all.
These people merely exposed flaws in programs and systems. They didn't weaponize them or use them to spy on people. They were happy to let somebody else worry about that.

Blink four of nine: Going public

Of course, some hackers do have a strong sense of right and wrong. Take Charlie Miller, for example. Miller worked at the NSA before stepping down for family reasons, but he never stopped dismantling code and finding new vulnerabilities.
In fact, he once created a fake stock market app for the iPhone that gave him access to every other app a person had installed. This proved to Apple that its screening process wasn't so flawless after all, and earned Miller the nickname Zero Day Charlie. But that wasn't his biggest discovery. He later uncovered a zero day for the Linux operating system worth a lot of money. But when he went to try and sell it, he immediately discovered just how inefficient and unfair the market was. He couldn't tell how much he should be asking, and he couldn't be sure that a potential buyer wouldn't just rip it off and not pay him. Ultimately, Miller sold a zero day to an unnamed government agency for fifty thousand dollars and a two-year period of silence.
But he wanted to expose the problems in the market so that sellers weren't at such a disadvantage. After the two-year waiting period, Miller planned on publishing an academic paper entitled "The Legitimate Vulnerability Market: Inside the Secretive World of Zero-Day Exploit Sales." Unsurprisingly, the NSA wasn't too happy about this. Agents even flew out to St. Louis to meet with Miller at the airport. Miller was expecting a buyout, a nice bag of cash in order to keep him quiet. Instead, the agents simply urged him to keep his mouth shut. But Miller didn't shut up. In 2007, he presented his paper at a conference at Carnegie Mellon. This was the day the world at large was made aware of the zero-day market. To the general public, it barely made a ripple. But to hackers and the companies whose hardware and software were being exploited, it was a momentous occasion. Some hackers thought Miller was committing a grave offense, breaking the omerta. But others cheered him on. By exposing the government-funded market, he was showing that hackers weren't just the criminals the computer companies were making them out to be. Their work was worth something. For a while, Miller thought this would change everything. He soon uncovered a zero day that could remotely control someone's iPhone.
But this time he handed it over to Apple. And when he found another zero day for the new Android operating system, he brought it to Google. At first, Google seemed interested in working with Miller to patch the vulnerability. But he soon discovered that Google was communicating with Miller's boss, trying to get him fired. This was the last straw. In 2009, Miller started a "No More Free Bugs" campaign that caught on like wildfire. If, after all this, they still wanted to treat hackers like the enemy, then it would only mean that those hackers would go back to selling their zero days elsewhere.

Blink 5 of 9: An impossible mission

For a long time, each country used different equipment. Russia had its hardware and software, the U.S. had its, and never the twain shall meet. If something infected a Russian computer, the U.S. didn't have to worry about that infection crossing the globe and plaguing U.S. computers. Of course, those days are long gone.
Now everyone's using the same type of hardware and software, and we're all connected by the same internet. So anything that gets used on an adversary can easily turn around and bite the hand that released it. In the U.S., the ever-growing stockpile of weaponized zero days grew incredibly in the wake of 9/11. After 9/11, new cyber security laws meant that electronic surveillance no longer required a court order, and the intelligence budget ballooned from a few billion to 75 billion. Suddenly, agencies had a lot more money to buy and develop zero days, just as more and more people around the world were getting online and digitizing their information. American advancement in using and weaponizing zero days can best be understood by looking at what happened in Tehran. In 2007, as Iran was ramping up its nuclear weapons program, Israel was getting ready to strike. Things weren't looking good. In the U.S., George W. Bush was being briefed on possible outcomes of this conflict, and many were pointing to a possible World War III situation. Bush called for a new option. Naturally, the NSA had already analyzed every detail of Iran's nuclear facilities. It already had zero days lined up for every kind of machine being used at the time. This was all standard espionage stuff used for information gathering. But now it was going to weaponize these tools in the hopes of preventing war from breaking out. It was called Operation Olympic Games, and in some ways it was a marvel of ingenuity. A string of seven zero days found its way into a compound that wasn't connected to the internet. It then spread throughout the computers undetected, found its way to the program that controlled the centrifuges, and attacked those centrifuges without anyone noticing what was happening.
It took a long time before Iran figured out what was wrong. And then, in June 2010, the worm escaped the facility. An outside laptop was probably brought in to conduct a test, but whatever the case may be, once the worm got onto a connected computer, it was pandemonium. Russia, California, India, Europe, Indonesia: the bug was everywhere, and it quickly picked up an official name, Stuxnet. Over a hundred countries and tens of thousands of machines were infected, and one German, Ralph Langner, put the pieces together. He took apart the code and noticed one important target number, 164, which happened to be the number of centrifuges in Iran's nuclear facility. But Langner wasn't the only one pulling Stuxnet's code apart and figuring out how this unprecedented cyber weapon worked. Now the weapon was ready to be turned against its maker.

Blink 6 of 9: A booming stockpile

In 2011, Langner gave a presentation at an annual TED conference.
He provided a thorough and understandable description of Stuxnet and explained the ramifications of what happened when this advanced cyber weapon found its way into the wild. His point was clear: there was nothing stopping a person from making a few adjustments and pointing Stuxnet at a chemical plant, a factory or a power grid.
This was serious. The irony wasn't lost on Langner: the U.S. had used a dangerous cyber weapon to avert a conventional war. In the process, that weapon had become available to enemies of the U.S., and this had happened right at the dawn of a new cyber-based era in warfare. Meanwhile, Iran was upset and looking for revenge. With the ingenuity of Stuxnet making headlines around the world, the marketplace for zero days only got bigger. Every country with a security agency was eager to start its own stockpile of cyber weapons.
Some NSA employees were getting poached to start working overseas, in places like the Emirates, where a company called CyberPoint paid a lot more than a government agency like the NSA ever could. One such employee was David Evenden. He abruptly left when it became apparent that, more often than not, his efforts were being used to spy on activists and political dissidents, not terrorists. In the U.S. alone, from 2013 to 2016, there was a two-fold increase in the number of brokers selling surveillance technology. Vupen, a French company run by Chaouki Bekrar, saw its sales to government agencies double year over year. Israel, Russia, India: they were all willing to spend just as much as the U.S. on cyber weapons. By 2013, Antarctica seemed to be the only part of the world that wasn't buying. Bekrar flaunted the fact that Vupen's clients didn't heed the moral principles of bushido. His Twitter avatar was Darth Vader.
He took no responsibility for what governments did with his zero days. In 2015, Hacking Team, an Italian brokerage, had its internal emails and contracts leaked to the public. The leak revealed the brokerage's callous disregard for vetting clients. Any government was acceptable, regardless of its human rights record, as long as the money was good. So they sold zero days to Russia, Egypt, Saudi Arabia, Kazakhstan and even Sudan, a place described by U.S. aid workers as one of the most horrendous human rights situations in the world. Hacking Team, as well as other sellers, was helping to supply all these governments with the tools to monitor and suppress dissidents, journalists and innocent people. Like the nuclear weapons of the Cold War, some countries weren't stockpiling cyber weapons for everyday use.
There was simply an increasing sense that it was better to have them than not. The sheer number of zero days was also increasing rapidly, with books like The Shellcoder's Handbook: Discovering and Exploiting Security Holes giving new hackers a leg up in the business.
But it would all pale in comparison to what would be released in the years to come.

Blink 7 of 9: Install now

In mid-December 2009, Google's information security team noticed something was amiss. Alarms were being triggered throughout its network. Something was inside, ping-ponging wildly around the system. Usually, some malware might show up when a careless intern visited an online gambling site, but this was different. This intruder was looking for something. It took weeks of round-the-clock work by a team of around 250 workers, but the intruder was eventually rooted out and shown to be of Chinese origin. Remarkably, China had hacked Google's network and stolen its source code. More specifically, it was an operation pulled off by Legion Yankee, one of the most elite hacking groups that works under contract for the Chinese government. Information about satellite technology, missiles, aerospace, nuclear propulsion: elite Chinese hackers have broken in and stolen all of this and more. And now they'd gotten their hands on the backbone technology behind Google's operations, likely in an effort to set up back doors that would allow China to indefinitely monitor the Gmail accounts of political dissidents. This break-in changed the way Google dealt with zero days. From then on, the general consensus was: this can't happen again. Part of the new plan? Paying hackers for zero days. Starting in 2010, hackers who could report verified flaws in Google products could earn a bounty of up to $31,337. That's "elite" spelled out in hacker code. That was nowhere near as much as the amount the international market was paying out, but it did come with some bonuses. Hackers were free to brag about their newly discovered exploit, and they didn't have to worry about playing a role in helping some nation state stomp on people's liberties. Companies like Microsoft and Facebook also began to pay bounties, rather than hand out lawsuits, to hackers who turned over zero days. But some sellers balked at the low rewards. In 2012, Vupen's Chaouki Bekrar broke into the newest Chrome browser in three hours and laughed off the idea of reporting it to Google. He told a reporter, "We wouldn't share this with Google for even one million dollars. We want to keep this for our customers." Naturally, this drove the tech companies crazy, but it did finally strengthen their resolve to start getting serious about security rather than only concerning themselves with getting products out faster than the competition. Soon, Microsoft was getting 200,000 vulnerabilities turned over to them every year. 200,000 different ways for its products to be abused. That translates to 200,000 patches that Microsoft, one of the best tech companies in the world, has to come up with every year.
Now just think about all the unreported vulnerabilities across all platforms and all devices. For people like Bekrar, each one is a potential payday. Needless to say, when your operating system offers a verified update, don't wait. Install it now.

Blink 8 of 9: Cyber weapon diplomacy

During the Obama administration, everything was being digitized. Smartphones became ubiquitous. With social media and cloud servers, people were dumping their entire lives onto the internet. And during this time, there were three main threats to U.S. cyber security: Iran, China and Russia. In 2015, Obama tried to neutralize two of these threats. First, he struck a nuclear deal with Iran, and it seemed to work. Attacks from Iran largely stopped. The focus then shifted to Beijing. For years, Chinese hackers had been relentless, stealing intellectual property with abandon.
They stole everything from the formulas for Benjamin Moore paints to the plans for the F-35 fighter jets. By 2015, they'd even been found sitting inside the network at the Office of Personnel Management, the U.S. agency that stores the personal information, including fingerprints, of all government employees. They'd likely been hiding there for years before anyone noticed. In September 2015, Obama invited Xi Jinping to the White House. The red carpet was rolled out.
There was cannon fire, a military band playing the Chinese anthem, and kids waving Chinese flags. But it was still a tense couple of days as Obama pressed the issue. This wasn't about espionage. Both parties knew that the U.S. was eavesdropping as well. But the stealing had to stop, or else there'd be sanctions. The two sides agreed: no more intellectual property theft and no targeting of critical infrastructure during peacetime. For two years, the Chinese cyber attacks dropped by 90 percent. But neither of these digital truces was going to last, not with Trump in the White House. Meanwhile, the Russians had embedded themselves in the system. By early 2013, there had been at least 198 attacks on U.S. infrastructure systems, and security outfits trying to pick apart the code kept finding traces of Russian language and Moscow timestamps. Russia's weapon of choice for these attacks was dubbed Sandworm. It specifically targeted General Electric software, the kind used around the world to control water treatment facilities, electric grids, and oil and gas pipelines. In 2014 and 2015, the world got a taste of what this weapon was capable of when, on two separate occasions, Russia turned off the power in Ukraine. As far as U.S. intelligence could determine, Russia was sitting in the systems and networks of U.S. infrastructure as a warning. The message was: beware how you respond to our actions in Ukraine. We can turn off your electricity too. It was a new age of mutually assured destruction.
So despite the unprecedented nature of these attacks, the world's response has only been to continue hooking up more devices and critical infrastructure to the internet, thus increasing our vulnerability.

Blink nine of nine: The keys to the kingdom

In August 2016, chaos reigned in the U.S. It was an election year, and by then Russian hackers had already broken into the servers of the Democratic National Committee, as well as the email account of Hillary Clinton's campaign manager.
They were releasing their stolen goods through WikiLeaks. Then more bad news arrived on Twitter. A group calling themselves the Shadow Brokers claimed to have found a collection of NSA cyber weapons, which it was now dumping onto the internet as a free-for-all. As one former NSA employee said, "These are the keys to the kingdom." Things were getting bad, and they were going to get worse. While Snowden's earlier leaks were an eye-opener, the tools he was aware of were just the tip of the iceberg.
He was only a low-level contractor. He didn't know what was at the disposal of the elite NSA group formerly known as TAO, or Tailored Access Operations. These tools included a string of zero days that targeted a Microsoft software protocol. It was called EternalBlue, and it could jump from server to server, barely leaving a trace. Though used for gathering intel, EternalBlue could, if it fell into the wrong hands, be turned into a deadly weapon. So imagine the NSA's dismay when, in April 2017, the Shadow Brokers decided to release EternalBlue as part of a collection of 20 of the NSA's best zero-day exploits. Of course, now that it was in the open, Microsoft could theoretically patch the vulnerabilities. But that would mean that every computer running on an old or bootlegged version of a Windows operating system would have to install the right upgrades.
It was essentially an impossibility. Within weeks, the number of computers infected by versions of EternalBlue was quadrupling. But it soon became apparent that one variation of the weapon was proving most popular: ransomware.
This is the practice of taking over a system, such as a hospital's patient files or a city's power grid, and holding it ransom for a cash payout. In particular, North Korea was discovering that ransomware was an effective way of generating much-needed revenue.
One of the most effective ransomware attacks was an exploit known as WannaCry, released in 2017 and eventually traced back to North Korea. Within 24 hours, it had spread to 150 countries. Why was it so effective? Its code can be traced back to EternalBlue. Likewise, new Russian cyber attacks, like the malware known as NotPetya, also have roots in EternalBlue. Ultimately, ransom attacks have generated billions of dollars, and they're only becoming more common. Between 2019 and 2020, over 600 American towns and cities have been held hostage by ransomware. All evidence seems to point to things getting worse before they get better.
The author keeps flashing back to a photo she came across of a hacker from New Zealand. In it, he's wearing a T-shirt with an important message plastered across the chest: "Someone should do something."

You've just listened to our blinks to This Is How They Tell Me the World Ends, by Nicole Perlroth.
The key message in these blinks is that most experts admit that it's an impossibility for a computer network to be made completely impervious and secure. However, that doesn't mean improvements can't be made. For the past few decades, the emphasis has always been on offense, not defense. The U.S. has been busy finding and weaponizing exploits while leaving its critical infrastructures and products vulnerable to attacks. U.S. hardware and software companies have been operating under the philosophy of getting their products out as fast as possible while worrying about the details later and fixing problems with updates and newer models. Instead, they should be focusing on testing and retesting security before any products are released or any systems and networks are put online. In Norway and Japan, government regulations strictly control and test the security for systems being used for communications, finance, transportation and electricity. After Japan implemented these measures in 2005, cyber attacks dropped by 50 percent. Rather than following suit, Trump eliminated the role of national cyber security coordinator in 2018. This role must be re-established and strengthened.
It would also help if new rules were put in place regarding vulnerabilities. The NSA held on to EternalBlue's Microsoft vulnerabilities for three years. This is far too long, especially for such widely used software. At the very least, the U.S. should put a time limit on how long an intelligence agency can keep a zero day under wraps. And when those zero days are turned over, advisory notices should be made available to the public so that users are made aware.