Zero Day Attacks: Paper Identification Number 5
Abstract: The aim of this paper is to explore zero day security leaks, their market, and the role of the government in such markets and its responsibility to the public. Unknown to many people, some of the best hackers use various techniques to search for leaks in systems. Such leaks make the systems vulnerable. They take advantage of the vulnerabilities, converting them into digital weapons which they sell to willing buyers, a significant portion of whom are criminals. Such leaks are popularly known as zero days, and they have a lucrative market. There are three kinds of markets for zero days: the black, white, and gray markets. No solid defense exists for zero days, given that code is written by human beings who are susceptible to making mistakes. While black markets operate on the basis of trust, gray markets operate legally and are largely unregulated. White markets are more liberalized and as such attract many young hackers. Gray markets, on the other hand, have government agencies as the biggest buyers of zero days. The danger posed by zero days is growing. Given the continued advancement in technology, zero days are bound to cause severe damage in the future if not well regulated. Proper policy formulation that would enable regulation of the activities in the market for zero days without infringing so much on the public’s privacy is necessary.
While one quietly browses the internet, some of the best-talented hackers are scanning it consistently, hoping to find undetected security leaks. When they find such leaks, they tend to convert them into building blocks for cyber weapons, and the markets that source them sell them at astronomical prices, not only to criminal organizations but also to governments and security services, enabling the buyers to infiltrate undetected into computer banks and, in some extreme cases, nuclear plants. A gold rush exists among hackers for these lucrative security leaks, for which they use the term “zero days”. The following study will cover zero day security leaks, markets for selling such leaks, and the government’s role in such markets as well as its responsibility to the people.
A zero day vulnerability is nothing more than a flaw. It is an unknown mistake in coding or programming that exposes a weakness in software or hardware and can open the door to complex issues before anyone can detect what is happening. Hackers can exploit zero day vulnerabilities through several different attack vectors. An attack vector refers to the path through which a hacker may gain unauthorized access to a computer or network when intending to deliver a payload or achieve some other malicious outcome. Attack vectors enable hackers to take advantage of system vulnerabilities. A zero day vulnerability alone is harmless; only once it is taken advantage of will the effects be realized. The Lockheed Martin Cyber Kill Chain explains how this happens.
The kill chain begins with reconnaissance: the attacker accumulates data on the objective before the assault begins, and this is the step at which the zero day is discovered. Weaponization follows: the attacker uses the vulnerability to create a payload of code to send to a target. Once the vulnerability is packaged, it is delivered, either by email or another form of media. Upon receipt of the payload, the victim will unknowingly execute the exploit. The exploit will then install malware if needed so that the attacker can assume command and control of the infected system. Once command and control have been obtained, the attacker has the access he needs to take action on the target.
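The kill chain is also a defender's model: every phase an intrusion must pass through is a point at which it can be detected and broken. The following Python script is an added example, not from the paper; it maps constructed sample host telemetry onto the seven phases and reports how far each host has progressed, so that a host already past installation is treated as an incident rather than a blocked delivery attempt. The event names and the `EVENT_TO_PHASE` mapping are hypothetical.

```python
# Added example (not from the paper): a defender's view of the Cyber Kill Chain.
# The seven phases in attack order; stopping the intrusion at any phase before
# the last one denies the attacker the outcome.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
RANK = {phase: i for i, phase in enumerate(PHASES)}

# Hypothetical detector event names -> phases (weaponization is attacker-side,
# so defenders rarely observe it directly).
EVENT_TO_PHASE = {
    "portscan": "reconnaissance",
    "mail_attachment": "delivery",
    "office_spawned_shell": "exploitation",
    "new_persistence_key": "installation",
    "beacon_to_rare_domain": "command_and_control",
    "bulk_file_read": "actions_on_objectives",
}

# Constructed sample log, one "<time> <host> <event>" record per line.
SAMPLE_LOG = """\
10:01 ws-12 portscan
10:05 ws-12 mail_attachment
10:06 ws-12 office_spawned_shell
10:07 ws-12 new_persistence_key
10:09 ws-12 beacon_to_rare_domain
10:02 ws-07 mail_attachment
10:03 ws-07 office_spawned_shell
10:30 ws-40 portscan
10:31 ws-40 unknown_event
"""

def parse_log(text):
    """Yield (time, host, phase) for every record with a known event name."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in EVENT_TO_PHASE:
            yield parts[0], parts[1], EVENT_TO_PHASE[parts[2]]

def furthest_phase(text):
    """Return {host: deepest kill-chain phase observed for that host}."""
    deepest = {}
    for _, host, phase in parse_log(text):
        if host not in deepest or RANK[phase] > RANK[deepest[host]]:
            deepest[host] = phase
    return deepest

def triage(text, threshold="installation"):
    """Hosts at or beyond `threshold` need containment, not just a block rule."""
    return sorted(host for host, phase in furthest_phase(text).items()
                  if RANK[phase] >= RANK[threshold])
```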
There is no defense to stop a zero day attack. If humans write code, there will be flaws in it, and given the nature of humans, some will take advantage of the flaws. However, most hackers are not the ones using the vulnerabilities; the money is in the sale of these packages. Hackers will sell their creations, ranging from raw exploits to fully-developed malicious packages equipped with harmful payloads. There are three main markets: the white, the gray, and the black market. Buyers can be anyone from a lone actor to foreign entities and even the government. Selling exploits is currently legal regardless of the intended use, so the markets are full of buyers competing for the opportunity to secure their systems or attack their adversaries.
Traditionally, underground markets require an extensive system of trusted parties to perform the transactions of deal making, report falsification, money-related exchanges and illegal transport, among others. These extra pieces add to the cost of the sale, which in turn decreases the original reward for the seller. Zero days, on the other hand, are virtual products and can be easily sold. This explains why the payouts in the black market are far more lucrative than in the gray markets. Gray markets involve sales with governments and other institutions; they usually require the use of a third party to keep the transaction secret. Gray markets are smaller compared to the other markets and rely heavily on personal relationships. As for the black markets, the identification of legitimate buyers and sellers may prove to be a huge challenge. In addition, in both black and gray markets, purchasers and sellers rarely disclose vulnerability prices to the public, which makes it difficult to determine the size and value of the markets. There are reports that the prices often range from a few thousand dollars in some instances to hundreds of thousands of dollars in others. In a few cases, the price may reach one million dollars. Although criminal groups are responsible for a significant portion of the demand for criminal use, there are valid claims that nation-states comprise the primary drivers. The white market does not face any of these problems, as its participants actively promote the use of their bounty systems and patches. In the white markets, the widespread bug bounty programs make it easier for both buyers and those looking to sell to meet. As such, it is easier for money to change hands, attracting many young hackers.
Black markets for zero days are very mysterious. There are very few people capable of hacking large platform systems worth the magnificent prices reached on the black market. These elite hackers will not speak out about selling exploits. Although selling exploits is not illegal, it is a very dangerous business. Most of these hackers team up with their local governments to produce exploits to either protect their government or attack its enemies.
In 2016, after the San Bernardino terrorist attacks, the Federal Bureau of Investigation paid more than $1.3 million for a zero day that would allow it to unlock an iPhone without the manufacturer’s assistance. This gray market transaction is one of the largest known zero day transactions in recent history. Governments around the world purchase zero days for both offensive and defensive use. Many would argue that the world is currently in a cyber cold war.
Despite the secrecy with which zero day exploit companies operate, not all businesses are hiding their activities. Some have shown an effort to help stop what they consider risky behavior. There are those who unearth and bring to light dangerous conduct on the part of some of the entities. To ensure that what they sell lands in safe hands, they take their time to vet potential buyers of their exploits. With the advancement of technology, the effects of zero day exploits may turn out to be worse than they are at the moment. There is bound to be chaos and problems, as they will operate in a way similar to physical weapons.
The magnitude of transactions governments conduct in the gray markets for zero days has reignited calls for regulation. With the escalation of cyber war around the world, fears are rife that the growing trade in seeking and selling exploits is getting out of control. There are increased calls from various stakeholders for the enactment of new laws that will rein in a trade that has become murky. Some registered firms conduct their operations in an authorized gray zone in the zero day market. They have permits to sell their exploits to authorities in different countries. In some cases, authorities use them in covert surveillance operations, as part of espionage undertakings, or in cybersecurity missions. However, due to the unregulated sales, concerns abound over the possibility of some of the companies working with rogue foreign regimes that may use the exploits in attacks on their opponents.
Governments, and the US in particular, provide the biggest market for zero day vulnerabilities. The American government has for many years expressed its interest in zero day exploits. In furthering many of its security-related causes, it has found zero days instrumental in giving it an edge over its competitors or the entities it hopes to decimate. It has been seen to embrace the activities of hackers who have the ability to help it achieve its interests in a world where cyber warfare capability increasingly plays a major role in one’s success when pursuing the power to have control over others.
Young hackers are also being attracted into zero day exploits by the prospect of working with the government. They find it cool, especially working under the Federal Bureau of Investigation, one of the world’s most powerful investigative agencies. Working with the FBI gives them access to an unfettered pile of resources that a hacker may wish to use. They also have to worry less about being on the wrong side of the law. Some just enjoy the opportunity to serve their country while doing what they enjoy most. When the government gets to solve a mystery, as was the case with the iPhone used by one of the attackers in the San Bernardino terrorist attack, it becomes big news that rests well with the public. Those involved in solving the mystery take great pleasure in being part of a team that helped solve the problem.
Breaking the law to the government’s advantage appears to be a factor that has contributed to the lucrativeness of some of the zero day ventures. There is evidence that points to tendencies by the government to circumvent set policies when pursuing its zero day interests. Where the officials feel their actions may land them in trouble, there is usually a rush to pass certain policies that would protect them from facing prosecution and a possible conviction. The US, for instance, made its first use of zero day attacks before enacting policies that allowed for such. When the US, in conjunction with Israel, was developing and releasing Stuxnet onto Iranian computers, using zero day exploits to help get the malicious program onto the machines in Iran, it saw the need for a policy that would deal with the vulnerabilities of zero day attacks.
The ordinary person who is not a pro in cybercrime issues has little defense against zero day attacks directed at them. When a hacker decides to take advantage of the vulnerability in their system, they stand to lose much, especially when they have crucial data online or if they are ardent users of online services. Salvaging their situation may also be a challenge, as they may not have the resources to initiate mechanisms for correcting the damage done. Their computer may also be digitally weaponized to help the attackers gain access to anyone on the victim’s network or others with whom they may share files. Such persons need the intervention of the government in helping them stay safe from potential zero days.
In response to calls from the public for increased protection by the government against potential zero days, the government has offered possible solutions through the enactment of certain policies designed to meet the needs of the ordinary person. However, the issue of privacy has been a thorny one. Congress has for many years pushed for the enactment of laws that would grant the federal government immense cybersecurity powers. Its resolve to grant the government greater powers has over the years been bolstered by cyberattacks on government institutions. Some of the attacks have made the government appear an easy target.
At the center of the debate on whether the government should be granted greater powers to exercise its mandate of protecting the public against zero day attacks has been the issue of the state’s ability to protect personal data. Some people doubt the government’s ability to guard against the activities of some of the smartest hackers. Fear emanates from the fact that in case of a data breach, such hackers will have access to personal data on almost anyone whose information is stored in a centralized system. The situation may be worse if it involves zero day exploits of one government against another, given the level of resources that each may be willing to invest in its hope to win such a war.
Clearly, zero day attacks are a common and growing phenomenon that presents a security nightmare for computer systems. While one is surfing the internet, another group of elite hackers is busy looking for leaks to convert into weapons and make money out of the exploit. Given that it is humans who write code, no one is completely safe from zero days. The market for zero days is lucrative, as it is largely unregulated. The ordinary person who is not tech savvy is the most vulnerable. The government has a role to play in ensuring that it comes up with measures that will ensure some significant level of control over the market for zero days. The public also needs protection from the risk of zero days.
B. Leyla and T. Dumitras, "Before we knew it: an empirical study of zero day attacks in the real world," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 833-844. ACM, 2012.
G. Andy, "Shopping for zero days: A price list for hackers’ secret software exploits," Forbes, 23 Mar. 2012.
F. Mailyn, G. Jennifer, and C. Martha, "Anarchy or Regulation: Controlling The Global Trade in Zero day Vulnerabilities," Master’s thesis, Stanford University, 2014. [Online]. Available: https://d1x4j6omi7lpzs. [Accessed: 26-Mar-2017]
C. Richard, "The September 11th Attack on America: Ground Zero in Tort and Insurance Law," Conn. Ins. LJ, vol. 9, p. 51, 2002.
T. Colin, "Advanced persistent threats and how to monitor and deter them," Network Security, vol. 2011, no. 8, pp. 16-19, 2011.
W. Peter, "What is a zero day cyber attack?," Control Engineering, vol. 59, p. 56, Aug. 2012.