The U.S. government is developing new computer weapons and driving a black market in “zero-day” bugs. The result could be a more dangerous Web for everyone.
Every summer, computer security experts get together in Las Vegas for Black Hat and DEFCON, conferences that have earned notoriety for presentations demonstrating critical security holes discovered in widely used software. But while the conferences continue to draw big crowds, regular attendees say the bugs unveiled haven’t been quite so dramatic in recent years.
One reason is that a freshly discovered weakness in a popular piece of software, known in the trade as a “zero-day” vulnerability because the software makers have had no time to develop a fix, can be cashed in for much more than a reputation boost and some free drinks at the bar. Information about such flaws can command prices in the hundreds of thousands of dollars from defense contractors, security agencies and governments.
This trade in zero-day exploits is poorly documented, but it is perhaps the most visible part of a new industry that in the years to come is likely to swallow growing portions of the U.S. national defense budget, reshape international relations, and perhaps make the Web less safe for everyone.
Zero-day exploits are valuable because they can be used to sneak software onto a computer system without detection by conventional computer security measures, such as antivirus packages or firewalls. Criminals might do that to intercept credit card numbers. An intelligence agency or military force might steal diplomatic communications or even shut down a power plant.
All but one supported edition of IE are affected: 2001’s IE6, 2006’s IE7, 2009’s IE8 and last year’s IE9. Together, those browsers accounted for 53% of all browsers used worldwide in August. The only exception was IE10, the browser bundled with the new Windows 8, which does not contain the bug.
Monday’s advisory was expected, said Andrew Storms, director of security operations at nCircle Security. “I think they had to get it out today,” said Storms late Monday in an interview over instant messaging. “Too many people watching and waiting for something official.”
Earlier Monday, Microsoft acknowledged that it was investigating reports of a vulnerability but did not promise a patch.
The bug, when Microsoft gets around to patching it, will be rated “critical,” the company’s highest threat ranking. Exploiting the flaw allows hackers to execute code — in other words, plant malware on a machine — and opens Windows XP, Vista and Windows 7 to drive-by attacks that only require getting victims to visit a malicious or compromised website.
Writing in the Wall Street Journal this week on the occasion of Israeli Independence Day, Israeli Ambassador Michael Oren penned a powerful op-ed on the erosion of Israel’s image.
His conclusion: Israel’s image has deteriorated in large part because of a “systematic delegitimization of the Jewish state.”
“Having failed to destroy Israel by conventional arms and terrorism,” he writes, “Israel’s enemies alit on a subtler and more sinister tactic that hampers Israel’s ability to defend itself, even to justify its existence.”
First, some full disclosure. I like and respect Michael Oren. He’s a remarkably talented historian, astute analyst, and able diplomat.
I also have no doubt that there are efforts to delegitimize Israel, that anti-Semitism pervades some of the anti-Israel rhetoric, that Israel is one of the few countries in the world that’s judged by impossibly high standards, and that the perception and reality of its power causes many to ignore the realities of its vulnerability.
But I just don’t buy the argument that Israel’s image has eroded principally because of a dedicated campaign to delegitimize it.
Three other factors drive Israel’s very bad PR: the realities of nation-building, the image of the asymmetry of power, and Israel’s own actions, which, like those of so many other countries, value short-term tactics over long-term strategy.
If you ever need to search for a particular vulnerability, or see how critical (or not) it is, this is the spot to search.
A presentation due to be shown at the Black Hat security conference at the end of the month will show that many of the routers used for residential internet connections are vulnerable to attack by hackers. The attacks would allow traffic to be redirected and intercepted, in addition to giving hackers access to victims’ local networks.
The title of the presentation, “How to Hack Millions of Routers,” gives a clear indication of the scale of the potential issues. Popular router models from Netgear, Linksys, and Belkin were found to be vulnerable, including models used for Verizon’s FIOS and DSL services, as were widely-used third-party firmwares such as DD-WRT and OpenWrt. About half the routers tested did not appear to be vulnerable.