Vulnerable Software Means Big Trouble for Companies, Governments
It is incredible how versatile hackers can be. Some people think of the word “hacker” and picture someone surrounded by computers and cables in a large room working tirelessly. However, many hacks take place from the comfort of the hacker’s home, as is the case with Charlie Miller.
Miller has a PhD in math from the University of Notre Dame and a decorated résumé that includes five years working for the National Security Agency, hacking into the computer servers and networks of foreign enemies. However, once that was over, Miller decided to turn his attention to the Apple iPhone.
But why would a hacker of his talent spend his time on an Apple iPhone rather than hacking networks or servers? Maybe it is because some of the code that’s used to make the iPhone all that it is also poses a huge security risk for companies and governments alike. Afterwards, Miller realized that anything with a digital connection can be a target for hacking.
Miller was attempting to hack the iPhone to find that code. His plan was to cause the software of the iPhone to crash by randomly and constantly sending changes to the software, and to then figure out why the substitutions triggered a problem. A software flaw could open a door and let him inside.
“I know I can do it,” Miller, now a cyber-security consultant, told himself. “I can hack anything.”
After weeks of attempted hacks, Miller found what he had been searching for: a “zero day,” a vulnerability in the software that has never been made public and for which there is no known fix. The door was open, and Miller was about to walk through.
The words “zero day” strike fear in military, intelligence and corporate leaders. The term is used by hackers and security specialists to describe a flaw discovered for the first time by a hacker that can be exploited to break into a system.
In recent years, there has been one stunning revelation after another about how such unknown vulnerabilities were used to break into systems that were assumed to be secure.
One came in 2009, targeting Google, Northrop Grumman, Dow Chemical and hundreds of other firms. Hackers from China took advantage of a flaw in Microsoft’s Internet Explorer browser and used it to penetrate the targeted computer systems. Over several months, the hackers siphoned off oceans of data, including the source code that runs Google’s systems.
Another attack last year took aim at cybersecurity giant RSA, which protects most of the Fortune 500 companies. That vulnerability involved Microsoft Excel, a spreadsheet program. The outcome was the same: A zero-day exploit enabled hackers to secretly infiltrate RSA’s computers and crack the security it sold. The firm had to pay $66 million in the following months to remediate client problems.
The most sensational zero-day attack became public in the summer of 2010. It occurred at Iran’s nuclear processing facility in Natanz. Known as Stuxnet, the attack involved a computer “worm” — a kind of code designed to move throughout the Internet while replicating itself. Last week, the New York Times reported that President Barack Obama had approved the operation as part of a secret U.S.-Israeli cyber-war campaign against Iran begun under the Bush administration.