Our second book club episode features essential reading for threat intelligence. New York Times reporter, Nicole Perloth, gives a history of the zero-day market and how it has changed the cyber weapons arms race. Learn how this market was created and what it means for future cyber defense.
Nicole Perloth, a cybersecurity and digital espionage reporter for the New York Times, gives an overview of the formerly secret zero-day market. This underground trade of software vulnerabilities has enabled some of the most catastrophic cyber attacks the world has ever seen. Learn how it started and what the world’s stockpile of zero-days means for cyber defense.
AUBREY BYRON
And maybe the most catastrophic typo of all time. He wrote back what was supposed to be illegitimate and accidentally wrote legitimate.
SHANNON RAGAN
Oh, no.
AUBREY BYRON
And he clicked on it.
[music plays]
SHANNON RAGAN
Welcome to Needlestack, the podcast for professional online research. I'm Shannon Reagan, Needlestack producer and your host for Today.
AUBREY BYRON
And I'm Aubrey Byron, fellow needlestack producer. And it's my turn to attempt at armchair expertise today.
SHANNON RAGAN
So this is our second iteration of the Needlestack Book Club. Cheers. We will be back to our regular programming in January with our regular hosts, Matt Ashburn and Jeff Phillips. We miss you, Matt and Jeff. But in the meantime, we wanted to provide our audience with some book recommendations just in time for the holidays. So Aubrey's going to take it away today.
AUBREY BYRON
Yeah. So I read. This is how they tell me the world ends by Nicole Perla. This book, as the subhead suggests, is all about the cyber weapons, arms race, nicoleza cybersecurity and digital espionage reporter for The New York Times. Overall, this was a fascinating read. It's going to be a little less directly applicable to our OSINT crowd than The Belling Cat book was. If you missed it last week, check out Shannon talking about that one. But it's definitely a great one to pick up, especially for our threat intelligence listeners. But also, as just a citizen of the United States and or the world.
SHANNON RAGAN
I set that worth reading. I'm in. So. Nicole Perlawth, times reporter. Love a good journalist book. How did her background in journalism make for the read?
AUBREY BYRON
Yeah, I think the big advantage of reading a book by a journalist on a subject like this is that it can get pretty dry. And she's a great writer and has been on this beat for well over a decade. So she knows her stuff, but it's also very well written. It's also written for a lay audience, so there's not a ton of jargon. You can safely recommend this book to people outside of cybersecurity. She even mentions kind of being worried about getting flack for that for oversimplifying. But in a later portion, she talks about why she wrote it and layspeak and why she thinks it's important for people to know that this exists. And from a journalistic standpoint, the range of her sources are incredible. She talks to a lot of major players in the invention of this zero day market and decorated former CIA directors, just the whole gamut of everybody involved.
SHANNON RAGAN
It sounds like a good read. This has been recommended to us by a very important person. So what is the zero day market and what is the role that is playing and how the world will end?
AUBREY BYRON
Yeah, so the zero day market is really kind of what the entire book is structured around. She hops around in time, but the short history of this underground, formerly secret industry is the main thread throughout. So for background, a zero day is, if you don't know a software vulnerability that is unknown to the developers or vendors. And this market is based around hackers discovering these holes and vulnerabilities and then selling them to the highest bidder, every software developer's nightmare. And the CIA and NSA were really involved in creating this market because they wanted to be able to run offense on cyber weapons and it was kind of their offensive strategy. But the book reveals that many of the same strategies are now being utilized against us by adversaries at this point.
SHANNON RAGAN
I love moments like this. It's like the call is coming from inside the house, like the thing you created. That's the problem now.
AUBREY BYRON
Yeah. And the invention of the market actually kind of enables governments that probably wouldn't have had the resources to basically have their own hackers discover these vulnerabilities now that they can just buy them off the shelf as is. And she says that virtually every nation state has their own stockpile of these zero days now.
SHANNON RAGAN
Yeah. Leading us into the new arms race. So obviously we have them and I guess everybody else has them. How does that play out in adversarial instances or conflicts with these zero days?
AUBREY BYRON
Yeah, so probably the most famous, almost certainly, and there's an entire chapter on it, is Stuxnet, or Operation Olympic Games, which was a US worm that we developed with Israel to stop Iran's nuclear capacity from forming. And it exploited 40 day flaws in Microsoft and they infected the gas centrifuges. And it's pretty fascinating how it works if they just ever so slightly change the frequency, but not enough for the Iranians to notice. But it still ruined a fifth of their nuclear capacity at the time. So it was really successful. And it was all installed by USB drive.
SHANNON RAGAN
Wait. Tiers to USB?
AUBREY BYRON
Yeah. Well, years later, basically the exact same thing was done to us by Russians scattering USBs in the parking lot of an army base in the Middle East and someone picked it up and plugged it in.
SHANNON RAGAN
Of course, why wouldn't he?
AUBREY BYRON
If you've ever rolled your eyes at some sort of security training before and you're like, who would do that? And you're like, oh well, a lot of these, turns out. And there's even one of the exploits that the NSA wrote that is later obtained by Russia and used against the US. But not only that, but Stuxnet kind of became a rallying cry for recruitment of hackers in Iran and they also began really heavily investing in cyber defense. It kind of showed the world what these zero days could do and sort of when it became public that this had happened in 2010 and everybody started taking note.
SHANNON RAGAN
So this is such like an origin story now of what cyber weapons can do as ducksnet. I think the cybersecurity community is obviously really familiar with it. It even obviously made national headlines because of the geopolitical conflict around it. But I think the importance of what it sounds like this book and other getting these stories out there is that if you're not really paying attention, you don't really understand the lengths to which these cyber weapons go into the impact that they can have on the real world because everything is so connected digitally now. So we're going to be fine. We're going to be fine. So I know in the beginning you mentioned that this focus would be more of interest to cybersecurity audiences and threat intelligence crowd, but as a lot of our audience might be more in the OSINT and online research sphere. Are there examples where open source has led to the discovery of these weapons, the defense against them, who works on them, any of that type of thing?
AUBREY BYRON
She goes a lot into the NSA and Snowden leaks since that's a big part of who is stockpiling these exploits. But there's a whole section actually about how both the NSA and CIA started using personal online data to find the roles of and recruit well placed people within the tech companies they wanted to infiltrate. And so they just used social media to both vet and to rule out potential recruits due to their habits, such as addiction, gambling, or even just personal risk factors like having an affair because they'd be more vulnerable to either being exploited or becoming a double agent. And there's a bit about this whole Snowden leak actually where she's interviewing a former NSA analyst and he kind of chuckles and is like, yes, snowden didn't even have that high of a clearance rating. He actually didn't know the full capabilities of the NSA because he was lower level.
SHANNON RAGAN
What a mean girl's response from an NSA analyst. He wore a ponytail twice a week.
AUBREY BYRON
Oh my gosh, he didn't sit with us.
SHANNON RAGAN
So speaking of mean girls, social media plays a huge role. He talked about the NSA's use of it in terms of recruitment. Are there other instances where in operations that social media or other online sites, forums, dating sites, whatever would be used in this type of work?
AUBREY BYRON
Yeah, because of when we're talking about which is a little bit like early days of social media, there's a whole section about when Facebook came online and how it was just like a Christmas gift to the CIA. Their official program is called Snacks social Network Analysis collaboration, knowledge services. And I'm going to assume that that was named before the popularized Slaying term, but who knows. But suddenly there's Russian oligarchs uploading where they're vacationing. There's jihad fundamentalists like posting their manifestos online. Things that would take a lot of traditional sources time and investment to find are just being willfully posted online.
SHANNON RAGAN
Yeah, I think that's the Bellingcat book, I think gets into this bias as well, that it's like because it's open source, there's some sort of, I would say distrust, but it's also just distaste. Like, oh, I didn't have some cool spy story to go along with getting this information, like somebody just Googled it or got on their Facebook page. It doesn't have the cool factor, but it kind of does, I think, especially because it's been so ignored in favor of these other old school or traditional intelligence collection methods.
AUBREY BYRON
Yeah. And taking your resources and spending years uncovering something that they're just going to give you, why not, right?
SHANNON RAGAN
Thanks, Oligarchs.
AUBREY BYRON
But yeah, it gets into some pretty dark stuff as well. There's analysts that get caught using some of those techniques to spy on their exes. It even jokingly is named Lovent after, like, BigAnt, which obviously is happening frequently enough to earn a name to get a nickname.
SHANNON RAGAN
Yeah, that's dark. That is dark.
AUBREY BYRON
Yeah. But that kind of example underscores sort of one of the issues that a lot of people take with the zero day market is you can't control how this is going to be used. It follows a lot of analysts throughout the book and some end up going to start their own firms just because you can make more money as a contractor. They realized some work for foreign governments eventually, and others become advocates who oppose zero days. There's a chapter about an analyst who goes to work for the United Arab Emirates and he immediately becomes concerned with how the work is being used. And this is the same time that the NSO rolled out Pegasus, which can be used remotely. And Nicole Parlor sits down for several interviews with an Emirati's activist who was released from jail because of international pressure. But he's released from jail and then immediately starts getting like, hacked. Followed. His passport is taken, money taken. Not only he's being hacked, but his wife's phone. And a particularly chilling note, even his baby monitor is bugged, which is odd. Yeah. Send chills down your spine. So, yeah, they're just like over time, these exploits, as they become used by other nations and in ways that even the way the CIA is using them makes some of their own analysts uncomfortable.
AUBREY BYRON
It just grows a lot of distrust for the market.
SHANNON RAGAN
So with that distrust and perception of zero days, like, where does the market go now? Is it still as popular as it once was? Is it finding new customers?
AUBREY BYRON
So it's definitely still being used, especially worldwide. It became public and so there was a lot of pressure to respond from the federal government. And so they kind of developed they're sort of forced to develop or they announced that they're developing a new policy that a lot of them are supposedly being turned over to be patched, but they're only going to keep the most important for national security. There's no real transparency about who's making those decisions, but supposedly there's a checklist to only keep the most crucial, and the rest are supposed to be given to the vendors to alert them. Project Zero started to try to mitigate some of these exploits and that's because many of them even stuxnet back in the day, but especially modern ones, they actually rely on a string of vulnerabilities and holes. And so if you can take down one, it actually has a domino effect and then the attack won't work.
SHANNON RAGAN
With all the nations involved in the trade right now, how is the US assessing the risk of these sorts of cyber weapons? Is there any barometer of what this is? And maybe compared to physical risk?
AUBREY BYRON
The takeaway of the book is kind of that she understands why we need offensive measures, but if we're going to play with fire, we need to be a lot better about our defense. There's a whole section near the end that just focuses on the vulnerabilities of our power grid and how dire it is. And that's something that kind of a lot of people have been screaming from the rooftops about for quite a few years. Ted Koppel has an entire book called Lights Out that is just about the fact that our power grid could be so easily attacked. People at the DHS that she ends up interviewing actually say they came to her, to a journalist because their higher ups just keep ignoring the problem. And so it was specifically to try to light a fire under them. And it's not just that our grid is vulnerable, but like every industry depends on power. So it's also how difficult it would be to repair depending on the scale of an attack. It could take months, even years to get power back if we were attacked in a major way. And this is what happens to my.
SHANNON RAGAN
Voice when I think about the vulnerability.
AUBREY BYRON
Sitting in my cold office with the heat on the game, don't like it. And there have been attacks specifically on smaller cities in the US. And Ransomware, where they've cut off or taken over the water supply and said, you have to pay us to get it back.
SHANNON RAGAN
Yeah, I think this has obviously been proven in Ukraine and other places, and there's been the hint of it like happening here and the testing of it. I think that's what's so creepy, that it's just adversaries are toying with. Can we do this? Yes, we can. We'll save it until we really need to use it. Which is kind of the nature of zero days too.
AUBREY BYRON
Yeah, there's actually a section where she talks about the Russians got inside one of our nuclear power plants and they didn't do anything. They were just there, and we knew they were there. And there's something just very eerie about that. Almost not doing it is just creepy.
SHANNON RAGAN
Yeah, the how of how they do this is very interesting. Does she get into the tools and tactics of this trade?
AUBREY BYRON
Yeah, a lot of it's software specific and so a little more technical. Not really particularly applicable for online research. But at one point she does talk about the DNC Wikileak leaks, hack, and one of the first things that analysts did was inspect the metadata to discover that the emails had been routed through Russia. So pretty quickly they could pinpoint who is behind it. And we have an entire blog right now on image metadata, and just even the most simple tools can actually be pretty powerful.
SHANNON RAGAN
Yeah, follow the metadata.
AUBREY BYRON
Also, for our SOC crowd, I knew that the hack came from a phishing link. What I didn't know is that it actually had been flagged by the user and only to have it sent through their network security and maybe the most catastrophic typo of all time. He wrote back what was supposed to be illegitimate and accidentally wrote legitimate know, and he clicked on it. So maybe be very clear. It's just completely avoidable.
SHANNON RAGAN
Well, we've covered a lot here, including the importance of proofreading. Are there any thoughts you have on the book that you want to use to wrap up?
AUBREY BYRON
Yeah, she just has some really great anecdotes about being a woman, walking into these very technical, male dominated spaces that are kind of fun to read. There's a lot of characters within this that she interviews. She has descriptions of one of our sources, and it's cowboy boots. There's a point where this hacking conference at this point knows that she's writing a book, and they keep trying to revoke her invitation, and she keeps using to let them. It just shows up anyway, to which they're very annoyed, and make her wear a bright green glow stick, basically to symbolize that no one should talk to her.
SHANNON RAGAN
Don't touch her, she's radioactive.
AUBREY BYRON
Yes, exactly. But she does end up talking to a hacker there, and she always asks, like, do you sell to adversarial nations or other brokers? And he says, no, but it's not out of morality, but because he doesn't want to be killed.
SHANNON RAGAN
Okay.
AUBREY BYRON
Yeah. And he goes on to compare being a hacker, at least of his caliber right now, to being a nuclear physicist in the 1930s, which I thought just really struck me kind of for where we're at, that basically the next great weapons will be cyber. That is the forefront of destruction. That's something unsettling to leave you with to think about.
SHANNON RAGAN
Yeah, no, listen, on a light note, the forefront of destruction. Oh, good. All right. Well, thanks, I guess, for telling me.
AUBREY BYRON
I'm not sure this is a cozy read, unless your anxiety keeps you warm.
SHANNON RAGAN
But it might raise your blood pressure. Well, thank you, Aubrey, for telling me about this is how they tell me the World Ends by Nicole Perla. Sounds like a great read to our listeners. If you liked what you heard today, you can find more info about the episode, including transcripts, video recordings and podcast streams on our website@authenticate.com, needlestack. That's authentic with the number eight Needlestack. You can find us and follow us on Twitter at needlestackpod. And we will be back in January with your regularly scheduled programming and regular host, Matt and Jeff. We look forward to seeing you. Then. Happy holidays and goodbye.