WikiLeaks has recently exposed that the CIA possessed the capability to hack into nearly every device you own. With all that we have learned from these leaks, Digital Edge wants to take the time to focus on is the “zero days” concept – which can be simply put as a weakness/hole in a system that allows a hacker to breach it before anyone even knows about this vulnerability. The concept of “zero days” takes place once the vulnerability is reported.
Once a hole in a system is found, it should be reported immediately, so it can be patched up before it’s exploited. Now, there is a very significant difference between people that report this hole, white hats and people that don’t, black hats. When someone finds a way to exploit the system – a new, unknown vulnerability in a system, a software etc. – and that person reports it, it becomes known as “zero days”. Reputable software manufacturers are running special programs for these reporting’s which are treated similarly to campaigns that the police runs – bring a gun, no questions asked, we will pay you for the gun. The person that reported might receive a reward on his/her research but will definitely receive recognition in the security community and the IT industry overall.
US government runs National Vulnerability Database. The mission of National Institute of Standards and Technology (NIST) is, “NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance”
To recap, white hats or researchers would report these vulnerabilities to manufacturers and the National Vulnerability Database, to keep America safe. However, black hats don’t, they instead monetize on “zero days”. Recent news uncovers that the CIA doesn’t report these holes either but instead acts the same as hackers….
Digital Edge is a strong proponent of awareness, this is why we publish these security information articles. Our intention in not to criticize the intelligence community in any way. Our goal is to make sure that you're alert, responsive, and educated.
Let’s forget about WikiLeaks for a second, do you know what the most vulnerable thing is that you own? You may not think so, but it is not your phone or your computer. Those are mature products more or less and are well protected in most cases.
Your soft spot is other gadgets you have in your household. What do you think your door lock is running on? What do you think your blood pressure device that is reporting your blood pressure runs on? If you say LINUX or any other operating system, then you are right!!! Simple everyday products that you may have never even considered could be access points for hackers.
What is the problem?
- Device manufacturers are pushing product to the market thinking only about the features and usability. They don’t think about the fact that you can be buying and bringing home a security hole.
- Device manufacturers don’t even think about the ability to patch and protect such devices. Without criticizing manufacturers, we just want to warn you about possible dangers such devices can bring.
An example of an incident that happened a couple of months ago was the hacked DVRs and cameras by a Chinese firm. Due to lack of password protection, people’s cameras were hacked and controlled in America.
With that said, a hacker doesn’t need your iPhone today to be hacked. There are no antiviruses, patching, or reviewing on any of your basic everyday objects. On top of that, nobody can inspect or notify you that your device has a bug that reports anything to the CIA. This is very serious. If a hacker has control over one of your devices, the further proliferation is much easier.
There is not much news in hacking, but the angle and the points of attacks are changing.
Please email us or comment on this article if you want to have a deeper discussion.
Lastly, contact us if you want to stay secured. Digital Edge updated its security assessment offer. We don’t just assess the security of your organization and provide our humble opinion on the state of it; we can fully secure your business and get your security measures approved by the ISO accredited certification body (ISO – 27001) or SSAE 16 (SOC 2) auditing board. Digital Edge will facilitate the entire process.