WEBVTT - What Are Zero Day Attacks? 0:00:04.440 --> 0:00:12.840 Welcome to tech Stuff, a production from iHeartRadio. Heydarren, Welcome 0:00:12.880 --> 0:00:16.080 to tech Stuff. I'm your host, Jonathan Strickland. I'm an 0:00:16.079 --> 0:00:19.520 executive producer with iHeartRadio. And how the tech are you? 0:00:20.440 --> 0:00:23.760 So this morning I woke up to a text message 0:00:23.880 --> 0:00:28.480 from a radio station in Alabama. I have frequently been 0:00:28.520 --> 0:00:33.239 on that station talking about tech stuff in general, and 0:00:33.280 --> 0:00:35.160 they were asking if I would be willing to jump 0:00:35.200 --> 0:00:37.440 on the air this morning to talk about how some 0:00:38.040 --> 0:00:42.120 Google Chrome news was unfolding, specifically that Google discovered a 0:00:42.360 --> 0:00:48.599 zero day vulnerability within Chrome that could potentially compromise users, 0:00:50.080 --> 0:00:53.199 like upwards of three billion of them. So today I 0:00:53.200 --> 0:00:55.240 thought I would talk a little bit about what a 0:00:55.480 --> 0:00:59.160 zero day vulnerability is, touch on a little bit of 0:00:59.240 --> 0:01:03.040 terminology used in the information security sector to kind of 0:01:03.600 --> 0:01:06.399 demystify a bit of it and to help folks like 0:01:06.520 --> 0:01:09.800 me wrap our minds around the whole thing. Now, for 0:01:09.840 --> 0:01:13.040 those of y'all who are neck deep in computer security fields, 0:01:13.720 --> 0:01:16.200 you're going to know all of this already. This is 0:01:16.280 --> 0:01:19.280 sort of a one oh one of what zero day 0:01:19.360 --> 0:01:23.520 vulnerabilities are all about. So let's define that. Because zero 0:01:23.640 --> 0:01:28.240 day vulnerability, zero day exploit, zero day attack. These terms 0:01:29.240 --> 0:01:32.200 seem to mean something, but you don't necessarily understand it 0:01:32.240 --> 0:01:37.360 when you first see it. Essentially, it's describing a situation 0:01:37.480 --> 0:01:42.160 in which there is something exploitable within some sort of 0:01:42.200 --> 0:01:46.240 technical system. This system can be software, it can be hardware, 0:01:46.920 --> 0:01:50.960 and this vulnerability exists within the system, and the people 0:01:50.960 --> 0:01:52.920 who should be on the lookout for that kind of 0:01:52.960 --> 0:01:56.080 thing are unaware of it. So, in other words, the 0:01:56.160 --> 0:02:00.760 company behind the system doesn't know that the vulnerability the exists. 0:02:01.200 --> 0:02:06.400 The security community at large doesn't know that this vulnerability exists, 0:02:06.800 --> 0:02:09.320 but it's there. So if you think about it, think 0:02:09.360 --> 0:02:11.960 of it in physical terms. Let's think about like a 0:02:12.040 --> 0:02:16.840 giant security wall that goes around your home, and it 0:02:16.919 --> 0:02:19.560 turns out there's a gap in the wall, but it's 0:02:19.600 --> 0:02:22.840 behind some shrubs and stuff, and you just haven't gone 0:02:22.840 --> 0:02:25.119 back there, and you haven't noticed it. You don't even 0:02:25.120 --> 0:02:28.280 know there's a gap there. Well, that gap obviously shows 0:02:28.320 --> 0:02:31.400 that there's a hole in your security and you just 0:02:31.440 --> 0:02:33.400 aren't aware of it. But if someone else is aware 0:02:33.440 --> 0:02:36.720 of it, they could exploit that without your awareness and 0:02:36.800 --> 0:02:40.960 potentially cause a lot of damage. And if they're very clever, 0:02:41.360 --> 0:02:43.520 they can cause a lot of damage. Over an extended 0:02:43.520 --> 0:02:45.920 amount of time, as long as they don't make you 0:02:46.000 --> 0:02:49.400 aware that that hole is there. That's kind of the 0:02:49.520 --> 0:02:54.600 idea here. It's partly called a zero day vulnerability because 0:02:54.639 --> 0:02:58.680 the entity behind the product has had zero days to 0:02:58.720 --> 0:03:01.440 fix it before someone's figure out a way to exploit it. 0:03:02.720 --> 0:03:04.520 In other words, you can't really fix a problem if 0:03:04.520 --> 0:03:07.120 you don't know that there is a problem there. Right again, 0:03:07.200 --> 0:03:09.600 if you look out and you don't see the hole 0:03:09.639 --> 0:03:13.000 in the wall because it's being obscured by something else, 0:03:13.560 --> 0:03:15.440 then you don't know that there's a problem to fix. 0:03:15.480 --> 0:03:18.799 You just assume everything's fine, and it's not until some 0:03:19.000 --> 0:03:23.040 other signs pop up that suggests that it's not fine, 0:03:23.560 --> 0:03:25.960 that you start looking, and then maybe you uncover it. 0:03:26.280 --> 0:03:27.840 At that point you could argue, all right, well, now 0:03:27.880 --> 0:03:30.440 it's no longer zero day because we found it and 0:03:30.480 --> 0:03:33.600 we can do something about it. But the gap of 0:03:33.680 --> 0:03:37.920 time between when the problem first manifested and when you've 0:03:37.960 --> 0:03:42.520 found out about it that represents the target of opportunity 0:03:42.880 --> 0:03:47.360 for this in the case of computer security hackers. So 0:03:47.600 --> 0:03:52.400 let's give an example with Google Chrome. Google makes the 0:03:52.480 --> 0:03:55.680 Chrome web browser, engineers create an update for the browser, 0:03:55.760 --> 0:04:00.200 and in the process. There is a gap in the 0:04:00.200 --> 0:04:04.120 browser's security. It's unintentional. It was not put there on purpose. 0:04:04.680 --> 0:04:09.720 It just sort of happens because this is complicated stuff. 0:04:10.240 --> 0:04:13.960 So the engineers didn't detect the gap. They pushed it through, 0:04:14.360 --> 0:04:17.560 and the update goes through the entire development process, and 0:04:17.600 --> 0:04:20.800 then Google deploys the update. They roll it out, and 0:04:21.240 --> 0:04:24.360 people start to update their browsers or the browser gets 0:04:24.400 --> 0:04:28.200 updated upon a reboot or something, and thus the update 0:04:28.240 --> 0:04:32.600 gets installed, and now the security gap is affecting those 0:04:32.680 --> 0:04:36.960 machines because they actually have that version of Chrome in place. 0:04:37.600 --> 0:04:41.359 Now in the wild, hackers are also scouring Chrome, but 0:04:41.400 --> 0:04:46.280 they're looking for these vulnerabilities. They're probing the code, looking 0:04:46.360 --> 0:04:50.520 for weaknesses where they can exploit those weaknesses. It might 0:04:50.600 --> 0:04:55.120 mean creating some specific types of malware or some sort 0:04:55.160 --> 0:04:59.360 of process that will initiate a sequence that allows them 0:04:59.400 --> 0:05:02.680 to exploit the vulnerability. So it may you know, it 0:05:02.720 --> 0:05:05.039 takes more than just finding there's a vulnerability there. You 0:05:05.080 --> 0:05:07.080 have to figure out a way to exploit it. But 0:05:07.240 --> 0:05:09.720 these are all things that hackers do on the rag. 0:05:10.279 --> 0:05:13.520 So they find this gap, then they scramble to develop 0:05:13.560 --> 0:05:16.080 the tools that can take advantage of this gap. Then 0:05:16.080 --> 0:05:19.919 they deploy those tools, perhaps doing so very quietly in 0:05:19.960 --> 0:05:22.320 an effort to extend the amount of time that they 0:05:22.360 --> 0:05:28.440 have to exploit this vulnerability before Google or some computer 0:05:28.520 --> 0:05:33.360 security expert from somewhere else finds this gap and then 0:05:33.480 --> 0:05:36.919 alerts everybody to it. The hackers do their best to 0:05:37.040 --> 0:05:38.960 use the gap to do whatever it is they want 0:05:39.000 --> 0:05:41.680 to do, depending upon the nature of the gap, that 0:05:41.720 --> 0:05:45.800 could include anything from spying on computer activity on a 0:05:45.839 --> 0:05:50.560 compropised machine to forcing a computer to execute malicious code 0:05:50.760 --> 0:05:54.599 remote code execution in other words, And really it just 0:05:54.640 --> 0:05:57.480 depends upon the nature of the vulnerability and the nature 0:05:57.520 --> 0:06:01.600 of the malware being developed, so there are lots of 0:06:01.640 --> 0:06:05.520 different possibilities there. So when we the general public hear 0:06:05.560 --> 0:06:09.279 about a zero day vulnerability, it's kind of like hearing 0:06:09.279 --> 0:06:13.000 about something that was a zero day vulnerability but now 0:06:13.160 --> 0:06:17.080 kind of isn't because it's now not just the hackers 0:06:17.080 --> 0:06:19.240 who know about it. Now, there might not be much 0:06:19.279 --> 0:06:22.520 we can do about it at the time. But often 0:06:22.560 --> 0:06:25.160 when we hear about zero day vulnerabilities for the first time, 0:06:25.200 --> 0:06:28.560 it comes along with a solution that's being rolled out 0:06:28.560 --> 0:06:31.360 at the same time. Because companies that are hit by 0:06:31.360 --> 0:06:33.720 this sort of stuff. If they can hold on to 0:06:33.839 --> 0:06:36.800 that information until they have a solution, they typically will 0:06:36.839 --> 0:06:40.320 because otherwise you're panicking people and you have no way 0:06:40.360 --> 0:06:43.680 to fix things. Right. So it may be that when 0:06:43.680 --> 0:06:46.480 you hear about this vulnerability, it's the same time when 0:06:46.520 --> 0:06:48.920 you hear about a patch, a security patch that's been 0:06:49.400 --> 0:06:54.760 rolled out that you can update your device to. Typically 0:06:54.839 --> 0:06:57.800 we see a very fast response to the discovery. Sometimes 0:06:58.560 --> 0:07:02.640 the response we see is in other areas of cybersecurity, 0:07:02.720 --> 0:07:07.080 for example, antivirus software creators. They might come up with 0:07:07.160 --> 0:07:13.320 tools to help detect and prevent applications that have been 0:07:13.400 --> 0:07:17.640 hit by zero day vulnerabilities to do malicious activity on 0:07:17.680 --> 0:07:21.600 your machine, and in the meantime, you're still waiting for 0:07:22.000 --> 0:07:26.160 the creator of the root problem to roll out a patch. 0:07:26.560 --> 0:07:29.480 That often can be the case too companies will patch 0:07:29.520 --> 0:07:32.480 their products. So Google, for example, pushed out a patch 0:07:32.520 --> 0:07:36.280 for this most recent vulnerability already, which, by the way, 0:07:36.320 --> 0:07:38.440 is where I need to point out to all of 0:07:38.480 --> 0:07:41.280 you that if you use Google Chrome, you should check 0:07:41.280 --> 0:07:43.840 to see if it's up to date, just to protect yourself. 0:07:43.840 --> 0:07:46.640 If you're wondering how to do that. In the upper 0:07:46.680 --> 0:07:49.240 right corner of Google Chrome, they're the little three dots. 0:07:49.240 --> 0:07:51.480 If you click on that, it brings up settings, like 0:07:51.560 --> 0:07:55.160 you can choose settings from a drop down menu, and 0:07:55.200 --> 0:07:57.720 then from the next menu that pops up, you look 0:07:57.760 --> 0:08:01.600 at about Chrome and it will have a little button 0:08:01.640 --> 0:08:05.080 there that lets you update your browser at that point, 0:08:05.120 --> 0:08:07.320 and you should click on that make sure your browser 0:08:07.400 --> 0:08:10.440 is up to date and patched so that you are 0:08:10.480 --> 0:08:17.800 not going to be victimized by this type of vulnerability. Now, 0:08:17.840 --> 0:08:21.920 sometimes hackers will even know about vulnerabilities and code before 0:08:21.960 --> 0:08:25.720 the code gets released. So imagine for a moment that 0:08:25.840 --> 0:08:30.880 you are a black hat hacker. Your job is to 0:08:30.960 --> 0:08:35.199 try and find vulnerabilities in various systems and platforms and 0:08:35.240 --> 0:08:38.040 then figure out ways to exploit them. So you are 0:08:38.080 --> 0:08:43.040 an expert in penetrating systems, and maybe you're on the 0:08:43.080 --> 0:08:46.120 payroll of a nation state. Maybe you know Russia or 0:08:46.200 --> 0:08:49.480 China is paying you to do this, or maybe you 0:08:49.559 --> 0:08:51.839 work in the United States for one of those organizations 0:08:51.880 --> 0:08:54.679 that goes by initials all the time, like the NSSA, 0:08:55.240 --> 0:08:58.200 because they do this too. So information is a precious 0:08:58.200 --> 0:09:02.400 resource and access to information is your specialty as this 0:09:02.520 --> 0:09:06.280 kind of hacker, So you dedicate your time to gaining 0:09:06.320 --> 0:09:10.240 access to developer platforms on the QT so that you 0:09:10.280 --> 0:09:14.200 can look at code while it's still in development. Maybe 0:09:14.920 --> 0:09:18.160 you start probing this code for vulnerabilities well before it 0:09:18.200 --> 0:09:21.440 gets rolled out to the public. Now, if you're lucky 0:09:21.880 --> 0:09:25.800 and you're very good, you find something that can be 0:09:25.960 --> 0:09:30.040 used immediately as soon as this gets rolled out. And 0:09:30.120 --> 0:09:32.160 this is the best case scenario for you, because you 0:09:32.160 --> 0:09:35.280 already know the vulnerability, you can already work on an exploit, 0:09:35.760 --> 0:09:39.000 and the tool hasn't even been pushed out yet, So 0:09:39.760 --> 0:09:44.520 at the moment that it goes public, you'll chances are 0:09:44.600 --> 0:09:47.720 you'll be able to exploit it right away. It really 0:09:47.760 --> 0:09:51.400 does become a zero day vulnerability. In that case, this 0:09:51.480 --> 0:09:54.120 gives you the maximum amount of time to work with 0:09:54.200 --> 0:09:58.360 that vulnerability and to compromise target devices before someone gets wise. 0:09:59.120 --> 0:10:01.920 And again there's no telling how long that might take. 0:10:02.320 --> 0:10:06.319 Sometimes it can be years before someone realizes, Hey, something 0:10:06.360 --> 0:10:09.520 hanky's going on. Let's look into this now. Of course, 0:10:09.600 --> 0:10:13.320 chances are you're not necessarily the person who's making use 0:10:13.480 --> 0:10:17.520 of these vulnerabilities. You're finding them, but you aren't necessarily 0:10:17.559 --> 0:10:22.000 the same person who's exploiting them. Instead, you find these 0:10:22.040 --> 0:10:26.680 vulnerabilities and then you pedal your knowledge on the black market, 0:10:27.200 --> 0:10:30.640 where you're selling information to criminals and the like, and 0:10:30.720 --> 0:10:35.120 they in turn will actually use the exploits to leverage 0:10:35.120 --> 0:10:40.040 that vulnerability. You might instead go to the gray market. 0:10:40.080 --> 0:10:42.360 This is where you could be selling the information to say, 0:10:42.440 --> 0:10:47.040 researchers in the cybersecurity field, or maybe to a defense 0:10:47.120 --> 0:10:51.600 contractor who in turn is working alongside military organizations. I mean, 0:10:51.640 --> 0:10:54.719 we've seen this too, right. We've seen companies that are 0:10:54.800 --> 0:11:01.680 essentially defense contractors develop malware that are it's zero day vulnerabilities. 0:11:01.679 --> 0:11:05.560 A great example that's the NSO Group, the Israeli company 0:11:05.880 --> 0:11:11.880 that created the Pegasus malware that targeted iOS devices. So 0:11:12.160 --> 0:11:15.120 you might be working with intelligence agencies to do this 0:11:15.200 --> 0:11:18.160 sort of thing, or maybe you are one of the 0:11:18.240 --> 0:11:21.280 good guys out there. You're a white hat, so what 0:11:21.320 --> 0:11:25.520 you're doing is not trying to sell off this information 0:11:25.720 --> 0:11:29.280 to criminal bidders on the black market. Instead, what you 0:11:29.360 --> 0:11:32.960 are doing is you're taking part in bug bounties where 0:11:32.960 --> 0:11:37.160 a company will offer a reward if you find security 0:11:37.240 --> 0:11:41.640 vulnerabilities in their products. And so you discover the vulnerability, 0:11:41.720 --> 0:11:46.480 you send it a bug report to a company, they 0:11:46.600 --> 0:11:49.840 verify that it is in fact a vulnerability, and then 0:11:49.840 --> 0:11:52.319 they pay you while they get to work patching that 0:11:52.400 --> 0:11:55.800 vulnerability out before any bad guy out there figures out 0:11:55.880 --> 0:11:57.800 that this thing's there, or if they have figured it 0:11:57.840 --> 0:12:00.360 out before, they can do too much damage with it. 0:12:00.880 --> 0:12:05.040 So hopefully the white hats get the information to the 0:12:05.120 --> 0:12:08.000 right people in time, and the right people take the 0:12:08.080 --> 0:12:13.080 right actions to prevent any exploitation of that vulnerability, though 0:12:13.240 --> 0:12:17.079 that you know, is never a guarantee, so these zero 0:12:17.160 --> 0:12:23.360 day attacks typically they are devastating because there's no defense 0:12:23.600 --> 0:12:28.280 right like, there's no way as a user, there's nothing 0:12:28.320 --> 0:12:31.680 you can do because you don't you're not doing anything 0:12:31.679 --> 0:12:34.160 with the code on the back end of the various 0:12:34.640 --> 0:12:39.840 devices and programs you're using. But beyond that, if no 0:12:39.880 --> 0:12:42.880 one is aware of them, apart from the attackers, then 0:12:43.280 --> 0:12:45.800 there's going to be a lot of damage done up 0:12:45.880 --> 0:12:48.920 until that discovery has been made. They can also happen 0:12:48.960 --> 0:12:52.000 at a very high level. These can be attacks that 0:12:52.040 --> 0:12:56.240 are not going after the general citizen. They might cast 0:12:56.280 --> 0:12:58.960 a very wide net in order to get as many 0:12:59.360 --> 0:13:02.800 people lump as possible, but the hope typically is to 0:13:02.920 --> 0:13:06.000 land a few important targets, like you're aiming to get 0:13:06.000 --> 0:13:11.760 some high profile or important people, whether those are politicians 0:13:12.000 --> 0:13:16.640 or activists or journalists. You know, it depends on case 0:13:16.640 --> 0:13:22.000 to case, but that's often the goal. Now. Granted, even 0:13:22.040 --> 0:13:24.680 if that's the goal, people might still make use of 0:13:24.720 --> 0:13:27.079 all that other information by selling it off on the 0:13:27.200 --> 0:13:31.240 black market or whatever, so you know, maximize your gains. 0:13:31.679 --> 0:13:36.240 But typically these kinds of attacks are not necessarily meant 0:13:36.280 --> 0:13:41.960 to grab John Smith's information or whatever. They're going after 0:13:42.440 --> 0:13:46.400 bigger fish, So the vast majority of machines affected by 0:13:46.400 --> 0:13:49.520 a vulnerability exploit might not be of much interest to 0:13:49.559 --> 0:13:52.680 the hacker, at least not directly. That's very small comfort 0:13:52.679 --> 0:13:54.360 when you figure out that your machine has been hit, 0:13:54.480 --> 0:13:56.280 But at the very least you might luck out in 0:13:56.960 --> 0:13:59.679 that you're not the type of person the hackers we're targeting, 0:14:00.520 --> 0:14:04.600 and they aren't exploiting the information right away, unless, of course, 0:14:04.600 --> 0:14:06.400 you are an important person, in which case, Hey, thanks 0:14:06.440 --> 0:14:08.679 for listening to tech stuff. Thanks everybody for listening to 0:14:08.760 --> 0:14:11.800 tack stuff. You're all important to me, And honestly, the 0:14:11.880 --> 0:14:14.720 list of important people can get pretty big depending upon 0:14:14.760 --> 0:14:17.440 the aim of the attack. Okay, we're going to take 0:14:17.440 --> 0:14:19.280 a quick break. When we come back, we'll talk more 0:14:19.360 --> 0:14:31.920 about zero Day vulnerabilities and attacks. Okay, we're back, and 0:14:32.120 --> 0:14:34.600 up to this point, I've kind of been using Google 0:14:34.680 --> 0:14:38.040 Chrome as an example because, well, we just had that 0:14:38.200 --> 0:14:41.400 news break that up to around three billion users could 0:14:41.400 --> 0:14:46.160 have been affected by this particular exploit or this vulnerability, 0:14:47.040 --> 0:14:49.760 and web browsers have frequently been the focus of zero 0:14:49.880 --> 0:14:53.400 day attacks, so even without this most recent example, we 0:14:53.400 --> 0:14:55.640 could still talk about Google Chrome. This is not the 0:14:55.680 --> 0:14:59.240 first time there's been a zero day attack or zero 0:14:59.280 --> 0:15:02.960 day vulnerability with Google Chrome. It's happened multiple times in 0:15:03.000 --> 0:15:06.840 the past. The evolving nature of the web means that 0:15:06.960 --> 0:15:11.040 companies that make web browsers are constantly updating their products, 0:15:11.360 --> 0:15:15.000 whether to make them run more efficiently or add new features, 0:15:15.440 --> 0:15:19.840 or to accommodate new types of web technology. They need 0:15:19.880 --> 0:15:23.760 to update the browser to make it work. This, however, 0:15:23.840 --> 0:15:26.920 can introduce the chance for vulnerabilities to emerge. As software 0:15:26.920 --> 0:15:31.920 gets more complicated, changes to that software can have unexpected consequences. 0:15:32.880 --> 0:15:34.880 I'm sure anyone out there who has worked on a 0:15:34.880 --> 0:15:38.440 complicated system, whether it's software or otherwise, they know that 0:15:38.520 --> 0:15:41.800 when you fix one problem, sometimes the fix can end 0:15:41.880 --> 0:15:46.680 up causing three more problems somewhere else because the interconnections 0:15:46.680 --> 0:15:50.600 between all these different components gets really really complex. By 0:15:50.640 --> 0:15:53.920 the way, this is where all of us should take 0:15:53.960 --> 0:15:57.680 time to thank people who work in QA, because it's 0:15:57.720 --> 0:16:01.440 their job to test products and look for problems so 0:16:01.480 --> 0:16:05.880 that hopefully issues can be fixed before the product has 0:16:05.960 --> 0:16:09.320 headed out to the real world. And even when you 0:16:09.360 --> 0:16:11.240 sit there and think, wow, I have this thing and 0:16:11.280 --> 0:16:13.160 it doesn't work nearly as well as I hoped it, 0:16:13.200 --> 0:16:16.880 would just know that there's a really good chance there 0:16:16.880 --> 0:16:19.840 were QA people working on that where if they had 0:16:19.880 --> 0:16:22.400 not been there, you wouldn't even get the level of 0:16:22.440 --> 0:16:25.840 performance that you got out of that thing. So, yeah, 0:16:25.920 --> 0:16:28.520 QA people are really super important. I don't just say 0:16:28.520 --> 0:16:31.120 that because I happen to be married to one. Now, 0:16:31.560 --> 0:16:35.960 beyond web browsers, there are other types of products that 0:16:36.640 --> 0:16:41.160 are rich targets for zero day attacks. Now, again, for 0:16:41.200 --> 0:16:43.280 a zero day attack to even work, there has to 0:16:43.280 --> 0:16:47.080 be a vulnerability, right, there's not a guarantee of vulnerability 0:16:47.120 --> 0:16:51.240 will be there. But there are certain types of technologies 0:16:51.600 --> 0:16:56.840 that hackers focus on more because the potential of finding 0:16:56.840 --> 0:16:59.960 a vulnerability and then exploiting it also means the potential 0:17:00.120 --> 0:17:04.840 we're hitting a huge number of targets so browsers are 0:17:04.840 --> 0:17:07.840 way up there because that's how a lot of people 0:17:08.000 --> 0:17:12.360 access the Internet right they're using the web based Internet. 0:17:12.560 --> 0:17:16.200 Operating systems are also way up there, so our email systems. 0:17:16.720 --> 0:17:21.240 The Internet of Things era introduced tons of new components 0:17:21.280 --> 0:17:24.840 that connect to information networks, and in the rush to 0:17:25.040 --> 0:17:29.680 build new and sometimes useful tools, not always, the Internet 0:17:29.680 --> 0:17:31.159 of Things has got a lot of stuff that you 0:17:31.200 --> 0:17:34.600 could argue has limited, if any use. There's a ton 0:17:34.600 --> 0:17:37.639 of stuff that is really useful. Well, whenever you're tapping 0:17:37.680 --> 0:17:44.000 into a networked communication infrastructure, you're potentially introducing a vulnerability 0:17:44.080 --> 0:17:47.200 to the overall system, especially if you have not taken 0:17:47.240 --> 0:17:51.720 the time to build real security into your product. And 0:17:52.080 --> 0:17:54.399 time and again there have been stories about Internet of 0:17:54.400 --> 0:17:59.879 things devices that limited or no security to them, which 0:18:00.320 --> 0:18:04.560 created a great intrusion point for hackers. So really, any 0:18:04.680 --> 0:18:09.440 networked component can potentially be ground zero for a zero 0:18:09.600 --> 0:18:15.119 day attack, whether it's hardware, firmware, or software. It's just 0:18:15.160 --> 0:18:19.359 that stuff like browsers and operating systems are so widely deployed, 0:18:19.560 --> 0:18:23.359 they're so prominent that these targets are often the most 0:18:23.359 --> 0:18:29.520 desirable because everybody's got an operating system just about everybody's 0:18:29.520 --> 0:18:32.800 got a browser, but not everyone has I don't know, 0:18:33.160 --> 0:18:37.399 like a smart seismometer attached to their network. And so 0:18:38.240 --> 0:18:41.520 you focus on these big, big targets hoping to find 0:18:41.600 --> 0:18:46.920 vulnerabilities as a hacker because of the potential of how 0:18:47.000 --> 0:18:49.879 many hits you're going to get on an attack. It 0:18:49.920 --> 0:18:53.439 may be that you find an incredible attack for some 0:18:53.800 --> 0:18:56.080 Internet of Things connected device, but if there aren't a 0:18:56.119 --> 0:18:59.440 ton of those out in the world, then it still 0:18:59.480 --> 0:19:02.720 limits the effectiveness of your attack. Right, So you're balancing 0:19:02.760 --> 0:19:05.840 this out how bad is the vulnerability, how well can 0:19:05.880 --> 0:19:10.840 I exploit it, how widely is it distributed, and how 0:19:10.880 --> 0:19:13.040 long do I think it can get away with it? Well, 0:19:13.040 --> 0:19:14.840 that being said, if we look back on the history 0:19:14.880 --> 0:19:18.160 of zero day attacks, one of the standouts that comes 0:19:18.240 --> 0:19:21.800 up an early example of zero day attacks, although the 0:19:22.000 --> 0:19:26.800 term zero day predates the discovery of this particular attack, 0:19:26.840 --> 0:19:30.000 because I say that because a lot of the resources 0:19:30.000 --> 0:19:32.719 I looked at called this the first zero day attack, 0:19:33.000 --> 0:19:35.280 which is kind of funny because we had the term 0:19:35.359 --> 0:19:38.520 before we even knew it existed. But it's Stuck's net, 0:19:39.080 --> 0:19:42.159 stuxn et. You may have heard of that. This was 0:19:42.800 --> 0:19:45.760 in the news more than a decade ago at this point, 0:19:46.800 --> 0:19:52.080 but it was intended to infect a specific kind of system. 0:19:52.440 --> 0:19:55.120 I've actually done an episode about Stuck's Net, so I'm 0:19:55.119 --> 0:19:58.080 not going to go into a full history of it, 0:19:58.800 --> 0:20:01.080 but i will talk a bit about what it was 0:20:01.240 --> 0:20:05.840 and what was going on. Okay, So around two thousand 0:20:05.840 --> 0:20:09.479 and five or two thousand and six, some programmers or 0:20:09.800 --> 0:20:14.360 hackers if you prefer, were hard at work developing a 0:20:14.440 --> 0:20:19.159 sneaky kind of malware. And based upon the scope of 0:20:19.200 --> 0:20:24.840 this malware, the target of the malware, and the sophistication 0:20:25.040 --> 0:20:29.119 of the attack, it's pretty clear that this had to 0:20:29.160 --> 0:20:33.960 be a state sponsored effort, that this was a group 0:20:34.000 --> 0:20:37.680 of hackers who had access to a lot of resources, 0:20:38.040 --> 0:20:41.640 like in the form of money and stuff, and subsequently 0:20:41.720 --> 0:20:45.320 people have sussed out that was probably the United States 0:20:45.320 --> 0:20:49.640 and Israel working together to do this. So the malware 0:20:50.240 --> 0:20:53.320 it had to do several things. First, it needed to 0:20:53.359 --> 0:20:59.600 be able to infect a target machine and spread very easily. Second, 0:21:00.080 --> 0:21:03.439 it needed to remain undetectable, so it needed to not 0:21:03.720 --> 0:21:07.480 cause too much trouble or else someone might catch on 0:21:07.600 --> 0:21:10.840 that something he ky's happening. Third, it needed to be 0:21:10.840 --> 0:21:15.600 able to transfer itself onto a device like a flash drive. 0:21:16.040 --> 0:21:18.120 So if you were to plug a flash drive into 0:21:18.160 --> 0:21:20.959 an infected computer, it needed to be able to copy 0:21:21.080 --> 0:21:24.479 itself onto that flash drive, along with whatever else it 0:21:24.600 --> 0:21:28.560 was you were planning to put on that flash drive. Fourth, 0:21:28.880 --> 0:21:31.040 it had to carry programming that would allow it to 0:21:31.080 --> 0:21:37.560 manipulate systems with programmable logic controllers. So these components also 0:21:37.680 --> 0:21:44.919 known as plc's connect to industrial machinery. So essentially, PLCs 0:21:45.000 --> 0:21:49.680 let a computer system send commands to industrial equipment that 0:21:49.760 --> 0:21:54.199 does something whatever industrial process it needs to do, but 0:21:54.240 --> 0:21:56.840 the computer can control it, and the PLC is kind 0:21:56.880 --> 0:22:01.359 of the interface that allows it to communicate with this 0:22:01.480 --> 0:22:05.080 industrial equipment. And in the case of stucks net, it 0:22:05.160 --> 0:22:09.280 was a specific kind of industrial equipment. It was a 0:22:09.280 --> 0:22:15.960 centrifuge that was used to process uranium, specifically to refine uranium. 0:22:16.280 --> 0:22:21.640 Because the target for stuckx net was Iran's nuclear program, 0:22:22.240 --> 0:22:28.000 So the computer systems responsible for controlling centrifuges was the 0:22:28.040 --> 0:22:32.840 goal here. And the centrifuges spin at very very high speed, 0:22:33.600 --> 0:22:37.440 and in the process when they're spinning, they're spinning samples 0:22:37.520 --> 0:22:42.240 of uranium, and this is what helps separate the uranium 0:22:42.320 --> 0:22:45.240 so that you can refine it, and it's an important 0:22:45.280 --> 0:22:49.280 step in that process. So the malware would interrupt this 0:22:49.440 --> 0:22:53.600 chain of command between the computer system responsible for governing 0:22:53.640 --> 0:22:56.800 the centrifuge and the centrifuge itself, and then the malware 0:22:56.880 --> 0:23:01.400 could send instructions for the centrifuges to spin faster than 0:23:01.440 --> 0:23:04.119 they were supposed to. This had a dual effect. For 0:23:04.200 --> 0:23:07.240 one thing, it would cause the centrifuges to wear out 0:23:07.320 --> 0:23:10.560 faster and to fail more frequently. Essentially, it could break 0:23:10.600 --> 0:23:14.879 the centrifuges. For another, it could ruin uranium samples and 0:23:14.920 --> 0:23:18.920 slow down Iran's nuclear program in the process. But there 0:23:19.040 --> 0:23:22.000 was a major obstacle in the way of carrying through 0:23:22.080 --> 0:23:27.280 with this attack because the target systems, those computers that 0:23:27.359 --> 0:23:31.960 actually sent the messages to centrifuges, they were an air 0:23:32.080 --> 0:23:35.680 gap system. So an air gap system is one that 0:23:35.760 --> 0:23:40.160 does not connect to an external network, so it doesn't 0:23:40.200 --> 0:23:43.000 connect to the Internet. It's air gaped. There is a 0:23:43.040 --> 0:23:47.000 gap between the system and the outside world. This is 0:23:47.040 --> 0:23:50.920 a strategy that a lot of companies and militaries use 0:23:51.040 --> 0:23:58.240 for systems that hold critically important and sensitive information. You 0:23:58.320 --> 0:24:00.640 cannot trust for it to be connected to the Internet, 0:24:00.680 --> 0:24:03.440 because then that information might leak out to the world. 0:24:03.440 --> 0:24:06.359 We've seen it happen lots of times. So you create 0:24:06.400 --> 0:24:09.600 an air gap system and ideally there's no way for 0:24:09.640 --> 0:24:12.879 the outside world to get into the computer system. So 0:24:12.920 --> 0:24:17.800 how do you compromise an air gapped computer system. You 0:24:17.840 --> 0:24:20.639 couldn't just create a neatly wrapped package in code and 0:24:20.680 --> 0:24:24.640 send it via email or something, because again, those targeted 0:24:24.640 --> 0:24:28.119 computers didn't have that external connection. So what they did 0:24:29.240 --> 0:24:32.080 was the hackers targeted companies that were known to be 0:24:32.160 --> 0:24:36.520 working with Iran on its nuclear program. So the goal 0:24:36.800 --> 0:24:41.720 was to infect the machines on the collaborators, to target 0:24:41.760 --> 0:24:45.720 these collaborators and try and get those machines infected, and 0:24:45.800 --> 0:24:48.480 the hope that as part of their work with Iran, 0:24:49.280 --> 0:24:53.919 they would unknowingly transfer malware from their own machines to 0:24:54.000 --> 0:24:56.959 something like a flash drive, and then they would use 0:24:56.960 --> 0:25:02.159 that flash drive to update Iran's computers that were in 0:25:02.200 --> 0:25:05.760 control of the centrifuges, and thus the malware could be 0:25:05.840 --> 0:25:10.399 transferred from the flash drive to the target machines. So 0:25:10.560 --> 0:25:13.439 you had this extra step you had to take. But 0:25:13.480 --> 0:25:16.800 here's the thing. It totally worked for at least a year, 0:25:16.880 --> 0:25:20.719 the attackers were able to disrupt operations in Iran's nuclear program, 0:25:20.760 --> 0:25:24.720 even updating the malware so that subsequent visits from these 0:25:24.760 --> 0:25:30.040 partner companies would help keep things going. Now, eventually, like 0:25:30.119 --> 0:25:32.679 in twenty ten, which was at least two years after 0:25:33.520 --> 0:25:39.680