SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 97: Privacy Nightmare at 30,000 Feet

Posted on July 12, 2018

In the past, we’ve spent a substantial amount of time talking about the business of security flaws. Usually, it centers around things such as selling personal data on the Dark Web after stealing it using exploits and attacks. Credit card details, names, and addresses, and more — it all makes for a booming black market of data. That’s not the only kind of information sold on the Dark Web, though: sometimes, it’s the exploits that lead to gathering user data in the first place.

On this week’s episode, we’re looking at a few recent interesting instances involving the buying and selling of exploit data. That, plus another look at the potential “creep factor” of apps that seek to learn more about you. On our list for today’s discussion:

  • An internal thief steals a cracking company’s tools
  • Zero-day exploit rewards reach new highs
  • United wants to know more about its passengers

In between the news, we’ve got some thoughts of our own to add — but first, let’s look at what happens when your employee decides he could make more money selling your products on his own, instead of through your business.

NSO Group briefly loses proprietary phone hacking tools

If you haven’t noticed from some of our recent discussions, breaking into other people’s phones is a big business. In Checklist 88, Graykey’s Anatomy, we took a deep dive into the subject of the big iPhone cracking device du jour, created by a US-based company known as Grayshift. Of concern is the Graykey’s ability to break into any iPhone by cracking its passcode through unknown methods, which led Apple to recently institute the “USB Restricted Mode” setting in iOS, preventing USB accessories from accessing your device once an hour has passed since your last unlock.

Companies like Grayshift make noise about how they strictly sell their tools only to law enforcement agencies and governments — as opposed to just anyone, who might use such a device to crack stolen iPhones to make them ready for resale. Not every company is so cautious. As it turns out, neither is every employee of these companies — even the ones that purport to only deal with legitimate governments.

That was the hard lesson recently learned by Israeli mobile phone security company NSO Group. We’ve discussed an NSO Group product once in the past, in our Checklist episode titled All About Spyware. Back then, we talked about something called Pegasus – a nefarious piece of spy software designed to hide on iPhones and intercept data such as text messages and more. NSO Group stays pretty secretive about what it develops and how it does it. Naturally, they would want to guard the exploits they know and the techniques they use very closely. Unfortunately for them, they seem not to have anticipated one of the most common attack vectors: an insider.

According to a report from Forbes, an employee at NSO decided he could perhaps make more money on his own than by working for the company. After disabling the security software on his computer, he copied a wealth of source code from NSO’s internal servers and took it home with him on an external hard drive. After doing some cursory Google research to figure out what to do with his haul, the would-be “hacker” went on to the Dark Web, spinning a story about how he had broken into the company’s files and stolen the code. He then went on to offer the tools for as much as $50 million in cryptocurrency — about 50 times what NSO would charge for a deployment of Pegasus!

Unfortunately for the man, NSO was hot on his heels and rapidly identified the breach within their systems. Once they figured out who was responsible, they informed the Israeli authorities, who subsequently arrested the employee and returned the stolen source code to NSO. According to the company, no actual data was disclosed to third parties. While the staffer advertised what he had available on the Dark Web, he seems to have never provided proof or shared snippets of the code to prove its authenticity. Their secrets remain safe for now – at least, that’s what NSO says.

The Dark Web isn’t the only place where people are interested in learning how to exploit our digital devices, though. Sometimes the money is coming from a more established, “legitimate” organization, and no one is making the process a secret.

Zerodium expands exploit bounties

Zero-day exploits are the bane of every security team in major tech companies, from Google and Microsoft to Apple. A zero-day attack is one that uses a bug or security hole that has never been publicly reported or acknowledged, and typically is not even known to the team that developed the software in the first place. Because no one knows about them, they’re available to use for exploiting all kinds of systems and gathering data. That makes them valuable — and it means that more than a few companies have found ways to make money from zero days, instead of resorting to the black market of the Dark Web.

One of those companies is Zerodium, a broker that periodically offers public rewards for hackers who disclose zero-day exploits to them. Afterward, the company turns around and repackages these exploits for sale, typically to governments who want to be able to maintain access to information in a world where device makers increasingly shut out everyone who isn’t the device’s rightful owner. Most often the exploits sought after by Zerodium involve Linux-based systems such as CentOS and Ubuntu, and UNIX-based systems, like FreeBSD, which often power the servers running the web. A typical bounty for sharing info on these exploits ranges from $10,000 to $30,000.

Now, though, Zerodium is bringing out the big guns. The company announced that it was seeking certain classes of bugs and exploits in Linux and was willing to pay up to $500,000 for the “right” kind of zero day. Other bugs, such as an exploit that might allow a hacker to gain elevated admin privileges, could go for $100,000 if they affected enough Linux distributions. It’s obvious this is a big business — and it’s more than a little unsettling to think about our security being up on the auction block like this. So how is Zerodium determining how much an exploit is worth?

The answer to that question is surprisingly in-depth; they are not arbitrary numbers by any means. Instead, there are many factors at play in determining the quality of an exploit. Chief among them is how easy it is to trigger. For example, one of the most valuable zero-day classes would be a “no click” exploit — something that requires absolutely no user interaction to start tapping into a machine’s weaknesses. This might be the case when a user visits a malformed website, or when an infected ad triggers a no-click exploit in a web browser. Other exploits might take one or two clicks, and this influences the price.

Not every zero-day works every time, either. Reliability is a big factor in value. Some zero-days rely on exploiting a combination of known and unknown bugs, a process known as chaining; this is typically seen in the industry as a negative detail due to the increased chance that one or more of the bugs will not actually remain exploitable on the target system.

Market share matters, too. Linux exploits command such a high price these days because it’s typically used to power servers. However, Windows zero-days have historically also been very valuable due to the huge number of desktop users who continue to use one of the many versions of Microsoft’s operating system still in the wild. iOS and Android zero days are even more valuable.

While the high bounties Zerodium currently has available are notable, overall this is a space in the tech industry that grows more every year. It’s not always a “good” thing, though, considering whose hands the exploits end up in after a sale. There have been cases where companies face accusations of selling exploits to oppressive governments who turn around and use them to curtail human rights activities within their borders.

How should we feel about all this?

It’s hard to draw any clear distinction between a black-hat hacker going on to the Dark Web to sell a zero day to the highest bidder and the same hacker going to a company like Zerodium to claim one of their bounties. How much trust can we really place in these companies when they say they’re only sharing the info with governments? Furthermore, does that even really matter? In the end, these companies are only helping to make us more insecure.

As we saw with the Shadow Brokers leak of NSA-linked hacking tools last year, when these powerful zero-days make it out into the wild, they can wreak havoc in short order. Ransomware attacks such as the WannaCry incident are extremely hard to mitigate while they’re in progress, and there is always an element of “closing the barn door after the horse has bolted” to instituting fixes for these zero-days after the fact. In an ideal world, we would only need to worry about the Dark Web purveyor of zero-days. Other legitimate outfits would instead inform developers, so they could institute fixes before a problem ever occurred.

Unfortunately, how strongly we may feel on this issue ultimately doesn’t matter in the end. Law enforcement agencies want a way to break into phones owned by suspects or the accused, the government wants to ensure it’s not shut out of information it deems pertinent to an investigation, and hackers are all too happy to continue profiting at the expense of better security. Ultimately, companies like Zerodium and Cellebrite are only as good as their word — and that raises another question: How much can we really trust that word? For now, the best thing to do is to remain aware of these goings-on. We may not be able to effect change now, but we can always hope for a shift in the future.

United tries its hand at the app business

Everyone wants to know everything about you — or at least, that’s how it feels these days, especially given some of the Facebook patents that we discussed on last week’s episode. It’s not just social media companies that want to know more about you, though; it’s also companies like the airline that you might fly on to see your family for the holidays.

At a recent technology conference, one of United Airlines’ vice presidents spoke about how the company hopes to deploy a new app soon that will help it to provide a more “personal” experience on your flights, based on what the app learns from you. In other words, the company says, they want to make it so that before a flight attendant ever makes it to your seat to ask what you’d like to drink, they already know a little bit about who you are.

United seems to be at least a little self-aware as to how this might sound, as Fortune reports the company is gathering data and undertaking tests to determine precisely where the line is between “helpful” and “creepy.” We’ve come a long way since the early days of targeted ads when the idea of choosing what a user sees based on their preferences was a new concept. Today, just about everything digital we use gathers some form of information about us — and it’s not necessarily something everyone likes.

According to Fortune, three-quarters of respondents in one survey admitted to feeling at least somewhat “creeped out” by experiences with big brands defined by personalization efforts. Yet at least 50% of those people said they also do nothing to stop the personalization or to change it. Is this because they believe it isn’t possible or is it something else? Are we inevitably headed towards a world where you walk into a store, and the clerk asks you strangely personal questions?

The unfortunate reality is that to a certain degree, personalization like this is a Pandora’s box — once it’s been opened, it’s impossible to put everything back inside ever again. Even our phones can pick up on our habits if you leave the right settings turned on. Google might automatically tell you how long it will take you to commute to work in the morning, or your phone might remind you that a friend has a birthday on the horizon. It’s hard to deny that in some ways, these features are useful. It’s why they were developed, after all.

However, it is also worth thinking critically about situations like this app United has begun developing. If so many of us find personalized brand experiences creepy, perhaps the answer is actually to voice displeasure with companies for these things — or to avoid using them altogether. Sometimes, that’s easier said than done. Given how connected our lives are today, it’s almost impossible to avoid ending up in the data dragnet. Minimizing your exposure is certainly something of which we’re all capable, though. It just takes time and effort to familiarize yourself with all the settings!

It would be nice if more companies simply offered a toggle for personalization, but as we’ve seen time and again, data is as good as money in today’s world. Whether it’s a zero-day exploit, a cache of personal information, or statistics about where you travel to, how frequently you fly, and what type of in-flight snack you like, this is a big business. It’s to all our benefit to pay closer attention to what that truly entails.

That will wrap up this week’s discussion. While there’s not much the average person can do about the buying and selling of high-tech exploits on the Dark Web, we do have the ability to exercise better control over our privacy. Remember, the tools to help you are out there, and sometimes they’re built right into your phone and your web browser. We could all do better regarding picking and choosing what information about ourselves we’re truly comfortable with sharing — especially when it comes to massive corporations.
