The book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race is both fabulously entertaining and scary to read. The author, The New York Times journalist Nicole Perlroth, spent seven years researching and talking to hackers, security business leaders, and national intelligence officers. She wanted to understand how the world of hacking, cyber spying and attacking computer systems works. Well, it works. And it reaches everywhere.
No computer expertise is required to read the book; all technical concepts are explained. The key lead the author follows in the book is zero-day flaws in computer software. A zero-day is a flaw in software that lets experts exploit it freely because no patch for the flaw exists yet. Usually, the software or hardware vendor is not yet aware of the flaw.
In the early days of hacking, people who were the first to discover a flaw in commercial software tried to inform the vendor or posted the information on an online forum. This changed when hackers realized how valuable the information was. A market for trading zero-day information gradually emerged. Today, sellers, middlemen, and buyers operate behind the scenes, but as described in the book, a single zero-day can be valued at a million dollars.
A hacker who discovers a flaw in software, and realizes it is a zero-day, can sell the information to the highest bidder. Even more money can be made from the same zero-day flaw if the hacker (or, today, often a company) develops a software package that lets the buyer exploit the zero-day for breaking into computer systems.
Who are the buyers who can pay thousands or even a million dollars for cyber weapon information and tools? Sure, buyers can be criminals who have their own motives for using the information, for instance, breaking into a hotel booking system, locking it down, and demanding a ransom. Yet the big money and the most likely buyers for attack tools are national intelligence agencies. That is the market the book primarily examines.
The biggest breaches in the history of computer security have been executed by national military forces or intelligence agencies. They have the resources – money, educated workforce, computers, code of conduct – to run operations that can take years to complete.
The entertaining aspect of the book is the stories of hackers who let the author glimpse into their secret world. The author has been able to compose a narrative of some of the world’s greatest hacks. My favorite stories were:
- Electronic typewriters in the US embassy in Moscow were hacked. It was discovered in 1984. The IBM Selectric machines sent everything that was typed to a nearby recording post outside the embassy. The typewriters had an additional wire and radio transmitter to suck information right from the source. A similar idea was later used by the NSA when the agency tapped directly into intercontinental data cables.
- The incredible story of the Stuxnet worm that made its way into an Iranian nuclear plant and managed to break machines required for the plant to run. The president of the US blessed the years-long project to create the software for the attack. The first pieces of information about Stuxnet were published in 2011. We know about it because the program was so resilient that after the successful attack in Iran it managed to break out of the plant and spread across the world.
- Russia’s grip over Ukraine’s critical infrastructure is strong. Russian hackers have been able to sneak so deep into Ukraine’s power plants that they can turn off the power in a city of their choosing whenever they see fit (Christmas seems to be a popular time to do it).
A nasty consequence of selling zero-day exploits to intelligence agencies is that patching serious flaws is often significantly delayed. Agencies want exclusive rights to the zero-days they buy. Meanwhile, other parties can use the same flaws to break into computer systems. The worst scenario is that an intelligence agency loses its hacking tools to a criminal group or another agency that quickly deploys them for its own projects. Such a leak happened at the NSA.
The epilogue of the book summarizes the reality of the modern world. The author talks with David Retz, one of the pioneers of the internet who famously sent the first email message from one computer to another in 1976:
I asked Retz what, if anything, he would take back. His reply was immediate and unequivocal. “Everything can be intercepted,” he told me. “Everything can be captured. People have no way of verifying the integrity of these systems. We weren’t thinking about this back then. But the fact is,” he added ruefully, “everything is vulnerable.”
What can we do to avoid being accidental targets?
The key points of the book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race are gloomy. The world doesn’t run without computers and the software that makes networks and applications work. Unfortunately, there is no such thing as software without errors. It is only a question of when, and what kind of, exploitable holes someone discovers in every piece of software.
What do the discoveries presented in Nicole Perlroth’s book mean to the rest of us who are not in the business of hacking, trading zero-days, or exploiting computer vulnerabilities? What can we do? Can we protect ourselves from nasty surprises?
Our computers, tablets, and phones
All computers and mobile devices can be hacked. The book tells the story of Israeli hackers who found a way to do whatever they wanted on Apple iPhones. The sale price of the method was a million dollars. No matter which operating system your device runs, it is vulnerable one way or another.
Of course, national intelligence agencies may not be after your computers, but criminals have access to (some of) the same tools. For instance, the NSA has leaked them. Criminals who scan the internet for vulnerable devices can try to use your computer or mobile device for their own purposes, or lock it down and demand a ransom.
The computer system in a modern vehicle is a closed system that we are supposed to access only via the dashboard. Since cars are connected to the vendor’s network (and in China to government offices as well), there is an avenue for attacks that require no physical access to the vehicle.
Our home network and IoT devices
Hacking Ring door cameras, Wi-Fi routers, security cameras and other connected devices in homes has been relatively easy so far. The security of IoT (Internet of Things) devices will improve, but there will always be manufacturers who don’t care about security.
We don’t have to be doomed
Securing your network traffic, updating software regularly, downloading apps from trusted sources only, not clicking links in messages received from unknown people, not revealing anything to unknown callers who request personal information, using long passwords, and all the other often-repeated advice are crucial. Together they significantly decrease the risk of becoming the target of a successful attack.
When thinking about this, a fresh perspective can be helpful. Envision the moment you realize you or your business has been hacked. Step by step, backtrack from that desperate moment to today. Surprising security holes are easily found. I had to screen-lock my tablets and phones, remove all personal data from them, and make a number of other, bigger improvements to my computer security after carefully examining all my computing devices, usage routines and habits.
After I had completed my “I have been hacked, now what?” planning process, two things stood out:
- Back up everything to multiple locations. Every device that holds valuable data should be backed up to both online and offline storage. A backup that is not continuously connected to a computer can’t be tampered with, stolen, or locked by criminals.
- Store all passwords in a password manager application. This is because every service and device you use should have a different password. I only remember one password: the key to the password manager app.
Even if everything goes wrong, and your computing devices are breached, the most valuable thing – your data – can be recovered.
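An offline backup only helps if you can tell, at restore time, that it is still the data you saved. As an added example (not from the book or from this post), here is a small Python script that records a manifest of SHA-256 hashes when a backup is taken and later compares the backup against that manifest, reporting files that were modified, deleted, or added. The directory layout, file names and the simulated tampering in `demo()` are constructed for the example; keep the manifest itself in a second location (or with the offline copy) so that anyone who can alter the backup cannot silently alter the manifest too.

```python
"""Backup integrity manifest: record SHA-256 hashes at backup time, verify at restore time.

Added example; paths and sample files below are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX style) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    """Write the manifest as JSON; store this file away from the backup medium."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path: Path) -> dict:
    return json.loads(manifest_path.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the current contents of root with a previously saved manifest.

    Returns a report with three sorted lists:
      modified   - present in both, but the hash changed (e.g. encrypted by ransomware)
      missing    - listed in the manifest but no longer present
      unexpected - present now but absent from the manifest (e.g. a dropped ransom note)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, save the manifest, tamper with the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        root.mkdir()
        (root / "notes.txt").write_text("tax records 2023\n")
        (root / "photos").mkdir()
        (root / "photos" / "cat.jpg").write_bytes(b"\xff\xd8constructed-image-bytes")

        manifest_path = Path(tmp) / "manifest.json"  # in real use: a separate location
        save_manifest(build_manifest(root), manifest_path)
        manifest = load_manifest(manifest_path)

        clean = verify_backup(root, manifest)  # untouched copy: all lists empty

        # Simulate what a compromised backup looks like: one file overwritten,
        # one file deleted, one unknown file added.
        (root / "notes.txt").write_bytes(b"ENCRYPTED")
        (root / "photos" / "cat.jpg").unlink()
        (root / "README.ransom.txt").write_text("constructed ransom note")

        tampered = verify_backup(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the script directly to see both reports. The same `build_manifest` / `verify_backup` pair works on a real backup folder; the only operational rule is that the manifest must not live solely on the medium it describes, otherwise the verification proves nothing.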