
Zero-day attack

Original author: Joshua Kopstein


The US government is waging electronic warfare on a vast scale — so large that it's causing a seismic shift in the unregulated grey markets where hackers and criminals buy and sell security exploits, Reuters reports.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke say this move to "offensive" cybersecurity has left US companies and average citizens vulnerable, because it relies on the government collecting and exploiting critical vulnerabilities that have not been revealed to software vendors or the public.

"If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users," Clarke told Reuters. "There is supposed to be some mechanism...


He's unassuming, even a little dweebish, but nonetheless Adriel Desautels represents a new breed of Internet mercenary that wields terrifying power across the world.

Desautels is a hacker, and he trades in Zero Day exploits. Zero Days are bits of code that can penetrate, manipulate and/or incapacitate normal functions on a computer, and, most importantly, they have not yet been seen by the internet community.

Their lack of history makes them incredibly difficult to defend against, and so they're incredibly lucrative—both to state and non-state actors.

A post by Ryan Gallagher on Slate today outlines how companies or individuals peddling Zero Days in black and gray markets make a killing at the cost of societal stability.

From the post:

“As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” [Desautels] says. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.”

Desautels' company, Netragard, Inc., could be considered one of the good guys: They've pledged to only sell their exploits within the U.S., to the government and properly-vetted private entities.

Others, though, are not so well-meaning: the primary motivator in most unregulated markets is money. As Gallagher notes, one post by the hacker group Anonymous outlined how the company Endgame sold 25 exploits for $2.5 million, a package Bloomberg called "cyber warfare in a box."

Another concern is that the market has little to no oversight, allowing groups to decide exactly to whom they direct their wares:

Desautels says he knows of “greedy and irresponsible” people who “will sell to anybody,” to the extent that some exploits might be sold by the same hacker or broker to two separate governments not on friendly terms.

In a time when American defense secretaries await the first "cyber Pearl Harbor," the fact that organizations can sell exploits to shady individuals with nefarious agendas makes that scenario all the more realizable.

It also puts a spotlight on the burgeoning cyber arms race taking place across the globe, really since the U.S. announced with pride that it was responsible for Stuxnet, thus inviting attacks on itself (and promptly realizing its defenses were insufficient).

What often goes without mentioning, though, especially when infrastructure is so often the target, is what the moral implications are for the "manufacturers" of these weapons of war: An exploit that takes out water treatment plants or exposes the names of covert operatives could be the digital equivalent of a cluster bomb.

Equally the moral equivalent.

We've covered mercenary Zero Day exploits at Business Insider, most recently that of "Red October," but the lengthy, in-depth post on Slate today is also definitely worth a read.
