Hacking and the value of a Zero Day
The San Francisco tech geek arrested last week in an Internet drug bust may have been caught because of National Security Agency operations. Or, experts say, the feds could have broken into the Silk Road, his alleged illicit goods network, using a Zero Day exploit.
A Zero Day is not the name of a Hollywood blockbuster movie. It’s the hottest single commodity for hackers who want to break into networks.
Take bank robberies. In the old days, bad guys with guns may have gathered intelligence. But to rob, they broke in through the front doors and headed to the vault. The clock ticked as police had only so much time to apprehend the thieves.
In today’s information economy, some hackers pilfer money and secrets from corporations without guns, by finding and using a piece of computer code called a Zero Day. A Zero Day is the electronic equivalent of the informant who tells the bank robber where to drill a hole in the back of the bank vault. It’s called a Zero Day because the good guys have no clue until after it’s used, say on Day One or, sometimes, Day 31.
Zulfikar Ramzan with Sourcefire is one of the few hackers good enough to find Zero Days. He found a vulnerability in a class of home broadband routers like Linksys.
Ramzan explains, “Your home router is the conduit between you and the Internet.” He figured out a way to fool the router into stealing your username and password when you log in to bank websites.
Hackers can use Zero Days, and try to rob the bank themselves, or they can sell the hack to someone else, and just pocket a finder’s fee.
Good citizen that he is, Ramzan did not sell his Zero Day.
If you were in the market for one, it’s not hard to find. As with so much in hacking, Zero Days are going mainstream.
High-quality Zero Days can cost hundreds of thousands of dollars and typically are exchanged through brokers who vet the buyer and seller.
But for lower-end Zero Days, you can go online shopping at sites like 1337day.com.
The site accepts Bitcoin and other anonymous ways to pay for goods online. It also uses the ever-popular online business model of a freemium. Most of the exploits cost nothing. The more expensive ones cost $600.
The site is littered with grammar mistakes. Click on the link for “Facebook send messages from anyone 0day.” It says, “This vulnerability is unknown developers Facebook. Hurry exploiting ;-)” Another site, Vupen.com, has perfect grammar and a whimsical picture of people holding hands on the beach at sunset. Not what you’d associate with a hacker website.
But the site uses a subscription model. Site owners reserve the right to decide what corporations and governments can join. To browse the goods, you have to complete a form that requires a professional e-mail address.
Hacking into another person’s network is illegal. Yet cyber-lawyer James DeNaro says the U.S. government is not going to crack down anytime soon.
"Some of the biggest buyers are the United States government itself, law enforcement agencies," DeNaro says. "And this is largely due to the fact that exploits can be useful for so many different law enforcement purposes."