Secret War of Zero-Days

How To Protect Yourself From Becoming A Victim


Shawn Stewart

Mr. Stewart has 30 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Masters in Cybersecurity, a Bachelors in IT, a Minor in Professional Writing, and is a published author.

A secret war is raging across the globe. Intelligence communities and threat actors are racing against one another to find every vulnerability they can in every single bit of today’s technology. It could be the latest Windows bug or a promiscuous network protocol in a wireless weather station. Once found, the finder does what every soldier in this conflict does: hide it from the world, even from your own allies!

This secret war is about finding bugs and vulnerabilities that have not yet been disclosed to the public or the manufacturer, or discovered by legitimate security researchers. These are called zero-day vulnerabilities, and they can give attackers direct access to any system. Zero-day vulnerabilities mean that even systems with the latest updates and strong endpoint protection can be accessed silently. And every country’s intelligence community, as well as individual threat actors, keeps a stockpile available.

Why Keep It Secret?

Intelligence agencies around the globe can use zero-days to infiltrate hostile networks or criminal suspects’ computers and phones. Because they are unknown, they are typically untraceable. We know someone used a similar tactic to infiltrate and disrupt Iran’s nuclear facilities in 2010. This was known as the Stuxnet worm, and while no one actually took credit for the hack, the list of countries with the means and desire to carry out the attack is very small.

How Stuxnet Changed Cybersecurity

Stuxnet is a program that snuck its way into an air-gapped Iranian nuclear enrichment facility to infect, at the firmware level, the Siemens centrifuges used to separate uranium. It did so using multiple zero-day vulnerabilities chained together. At irregular intervals, it would accelerate the centrifuges to the point of hardware failure. It was smart enough to do this randomly, and it reported false health statuses for the devices it had infected. Read a technical deep-dive on Stuxnet here.

When details of the Stuxnet worm became public, most cybersecurity researchers called it a ghost story. They could not believe that software existed in 2010 smart enough to bypass checks, scan for and move to target systems, and remain stealthy. Others scoffed at the ability of the code to push the hardware to the point of physical damage. Many believed the story was circulated to frighten enemies with impossible technology and that an insider had actually damaged the systems.

Secret Advantages

Several points of concern arise from this, if the Stuxnet worm is real. First, that was 16 years ago! The worm, for lack of a better term, was so sophisticated that it gave off false health readings to hide itself. If a state-sponsored attack could cause systems to physically destroy themselves through software, what could it do to a power grid, a hydroelectric dam, or a pacemaker? Who is to say a Stuxnet clone isn’t already lurking in IoT and SCADA devices, just waiting for the command to shut down an entire country at once?

Speculation aside, we have seen government agencies side-step manufacturers. Companies such as Apple, Cisco, and Microsoft sometimes stonewall law enforcement when asked to bypass security and privacy features. However, over 90% of the time, they simply do as they are asked and bypass security, many times without a warrant. In 2015, the FBI demanded that Apple create a weakened version of its OS to allow them access to an iPhone belonging to a shooter in San Bernardino, California. Apple openly refused. The FBI hired a security firm to hack it. It cost taxpayers $900,000, but the firm found a flaw, not in the Apple code, but in an open-source bit of Mozilla code, and hacked the phone.

Immoral and Illegal Use of Secrets

Now imagine the FBI, CIA, NSA, and Homeland Security have a library of zero-days at their disposal. If a criminal suspect won’t cooperate, or a legal wiretap cannot be obtained, what will stop them from using a zero-day to gain access? Don’t say “morals” and “ethics” because both were sidelined in favor of “national security” by the Patriot Act.

Now imagine the KGB, North Korea, a terrorist group, or just a ransomware gang each has a similar library. No need to imagine. It’s real, and there is nothing you can do to stop one of these sophisticated groups from accessing your systems. Are our digital assets forfeit? What can we do to prevent our homes and businesses from becoming fodder in this digital world war?

Secrets Revealed

The only answer is more cybersecurity researchers finding and publishing exploits and vulnerabilities in the public domain. Bringing bugs and issues to light is the only way to force manufacturers and developers to address, document, and patch them.

It’s not sexy, but cybersecurity professionals need to donate time to bug hunting. I know, I don’t like it either. It’s not as exciting as hacking into a customer network or rising through the ranks of a Capture the Flag competition. But it is required before we find ourselves sitting in the dark with a failed power grid, wishing we had spent more time looking for bugs instead of flags.

Get started at HackerOne, BugCrowd, or any other bug bounty program. If you want to break into the cybersecurity field, what better way than bug hunting?

Protecting Yourself

But what can the average user do to protect themselves? Do what your training has been constantly telling you.

  1. Stay away from websites you shouldn’t visit. Yes, those, but also clickbait.
  2. Don’t click on anything in email, text, or online that you aren’t sure is legit.
  3. Trust but verify when an unusual login pops up or someone asks for personal or private business information.
  4. Don’t be afraid to ask questions. You are your only line of defense.

See what happens when you click those links in Spam emails here.

Another key protection is a firewall with Intrusion Prevention. But you need to go a step further. The firewall must include a cloud-based component that is constantly updated with the latest threats to block both inbound and outbound connectivity to known threats. For extra protection, ensure the firewall uses Geofencing. This refuses to make connections, inbound or outbound, to countries with heavy hacker traffic, including China, Russia, North Korea, India, etc. See how Geofencing works here.
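As an added illustration of the combined threat-feed and geofencing policy described above (example code written for this page, not code from the article, its author, or any firewall product), the following Python sketch evaluates connections in both directions against a constructed country table and a constructed threat list. Real firewalls rely on vendor GeoIP databases and cloud feeds, and attackers can rent infrastructure in non-fenced countries, so the feed check runs before the country check and unknown geolocation is denied by default.

```python
"""Toy geofence + threat-feed connection filter (added illustration).
All CIDR blocks, country codes and feed entries are constructed sample
data (documentation ranges), not real allocations or real indicators."""
import ipaddress
from typing import Optional, Tuple

# Constructed country -> network-block table (hypothetical GeoIP data).
COUNTRY_BLOCKS = {
    "US": [ipaddress.ip_network("203.0.113.0/24")],
    "DE": [ipaddress.ip_network("198.51.100.0/25")],
    "XA": [ipaddress.ip_network("198.51.100.128/25")],  # placeholder fenced country
}
# Countries the geofence refuses in both directions (placeholder code).
GEOFENCED = {"XA"}
# Constructed stand-in for the cloud-updated feed of known-bad addresses.
THREAT_FEED = {ipaddress.ip_address("203.0.113.66")}


def country_of(ip: str) -> Optional[str]:
    """Return the country code whose block contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for code, nets in COUNTRY_BLOCKS.items():
        if any(addr in net for net in nets):
            return code
    return None


def decide(direction: str, remote_ip: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a connection; direction is 'in' or 'out'.
    Order matters: a feed hit in an allowed country is still denied, and an
    address with no known country is denied rather than silently allowed."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    addr = ipaddress.ip_address(remote_ip)
    if addr in THREAT_FEED:
        return ("deny", f"{direction}: {remote_ip} is on the threat feed")
    country = country_of(remote_ip)
    if country is None:
        return ("deny", f"{direction}: {remote_ip} has no known country")
    if country in GEOFENCED:
        return ("deny", f"{direction}: {remote_ip} geolocates to fenced {country}")
    return ("allow", f"{direction}: {remote_ip} geolocates to {country}")


if __name__ == "__main__":
    samples = [("in", "203.0.113.66"), ("out", "198.51.100.200"),
               ("out", "198.51.100.5"), ("in", "192.0.2.1")]
    for d, ip in samples:
        print(decide(d, ip))  # log every verdict; denials are detection signal
```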

Finally, ask a cybersecurity professional for tips. You cannot solve all your security issues with hardware, software, and policy, but you can cover yourself 99.9%. If you are unsure of whom to ask, call or email me! It is up to each of us to be one another’s lifelines in this age of constant digital bombardment.

Need Help?

Reach out to us! We’re all in this together. Visit our contact page to submit an inquiry. Also, please follow us on social media for the latest updates.

Check Out Our Podcast and YouTube!

The Hillbilly Hacker Podcast is the hottest new show on the Internet to learn about today’s latest technology in simple words. You can find the Hillbilly Hacker on Spotify, Apple, Amazon, or wherever you find your podcasts. (Link)

Check out Hillbilly Hacker’s Hot Spam on YouTube. We’ll show you what happens if you click on that Spam link. (Link)
