What’s a zero-day attack?

Chris Buggelli
5 min read · May 10, 2017

When news breaks of the latest cyber attack, one of the buzzwords you may hear is “zero-day attack.” Sounds like some kind of computer sorcery, but what is it really?

zero-day attack in progress

Let’s look at one of the most serious instances of this kind of attack. In 2015, a cyber attack targeted the U.S. Office of Personnel Management (OPM). Attackers obtained credentials belonging to a government contractor and used them to gain access to OPM’s network. Once inside, they exploited a vulnerability in the network’s security to plant a piece of malware that went undetected while it quietly siphoned off all manner of government employee information for almost a year. Once the malware was discovered, government security experts had to sift through the massive, outdated network to purge any remaining instances of it. Ultimately, millions of personal records of government employees were stolen. The amount of data breached is directly attributable to the time the malware lived inside the OPM network, exporting data unnoticed.

This kind of coordinated effort exploits a weakness in software that its developers are either not yet aware of or haven’t yet released a patch for. It’s called “zero-day” because once an attack is noticed, the developers have to work immediately to figure out where the weakness is and how to fix it. You might even say they have zero days to solve the problem.

Attackers usually steal information so they can turn around and sell it to the highest bidder. Shady folks online might be interested in fraudulently using credit card and bank passwords. Other shady folks may want a list of email addresses so they can send phishing scams to as many people as possible. Interestingly, neither of these things happened in the wake of the OPM attack, leading experts to believe a foreign government stole the data for intelligence purposes. A similar attack happened to the Democratic National Convention in 2016, where attackers found and exploited a weakness in the DNC’s security, injected malware to gather data, and mined a large amount of it before being discovered. The stolen information was used against the Clinton campaign with the intent to sway the outcome of the presidential election. Sad!

I hate this hacker crap

Two steps in the right direction

There is no be-all/end-all defense against a zero-day attack, since by its very nature it relies on exploiting vulnerabilities that are unknown to the developer. The key is to detect the breach as quickly as possible to cut off the extraction of data.

A common thread in many zero-day attacks is that they start with stealing the credentials of a legitimate user. One way to significantly lower the chance of this kind of attack is to require two-step verification. Had that been part of OPM’s security, the bad actors who got in by stealing a contractor’s credentials might have been thwarted. Imagine if the contractor’s login had to be confirmed with a random code sent to his cell phone via text. The likelihood of an attacker having both his credentials and his cell phone is far lower. Of course, it’s not impossible for someone to steal both your work credentials and your phone, but now they need to work twice as hard. If an attacker does get past initial network security, the best bet is to identify the exploit as early as possible so it can be patched. The longer the exploit goes undetected, the more data will be stolen.
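To make the “random code sent to his cell phone” step concrete, here is an added example (not code from the original post) of the server-side half of that check: issue a short-lived code, store only a salted hash of it, and accept it exactly once. The five-minute lifetime, the five-guess limit, the in-memory store and the username are assumptions for illustration; delivering the text message is simulated by returning the code to the caller.

```python
# Added example, not code from the original post: a server-side model of the
# "random code sent to the contractor's phone" second step described above.
# Lifetime, guess limit, store and usernames are assumptions for illustration;
# sending the SMS is simulated by returning the code to the caller.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is accepted for five minutes
MAX_ATTEMPTS = 5         # assumed: the challenge is voided after five wrong guesses

# Pending challenges: username -> challenge record. Only a salted hash of the
# code is kept, so a copy of this store does not reveal any live codes.
_challenges = {}


def _hash_code(code, salt):
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def issue_code(username, now=None):
    """Create a fresh six-digit code for the user and return it for delivery."""
    now = time.time() if now is None else now
    code = "%06d" % secrets.randbelow(1_000_000)   # CSPRNG, never random.random()
    salt = secrets.token_bytes(16)
    _challenges[username] = {
        "salt": salt,
        "digest": _hash_code(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return code


def verify_code(username, submitted, now=None):
    """Second step of login: True only for the correct, unexpired, unused code."""
    now = time.time() if now is None else now
    challenge = _challenges.get(username)
    if challenge is None:
        return False                       # nothing pending for this user
    if now > challenge["expires"] or challenge["attempts_left"] <= 0:
        _challenges.pop(username, None)    # stale or exhausted: user must start over
        return False
    challenge["attempts_left"] -= 1        # every guess, right or wrong, costs one attempt
    candidate = _hash_code(str(submitted), challenge["salt"])
    if not hmac.compare_digest(candidate, challenge["digest"]):
        return False                       # constant-time compare, no early exit
    _challenges.pop(username, None)        # single use: a replayed code is rejected
    return True


if __name__ == "__main__":
    delivered = issue_code("contractor")
    wrong = "000000" if delivered != "000000" else "111111"
    print("stolen password, guessed code:", verify_code("contractor", wrong))
    print("stolen password + real code  :", verify_code("contractor", delivered))
    print("same code replayed           :", verify_code("contractor", delivered))
```

The two details worth copying are that the stored value is a hash rather than the code itself, and that a code dies on first successful use, so an attacker who intercepts one text after the user has already logged in gains nothing.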

But my password is encrypted…I’m good right?

Nope. Though it is true that a password hashed using something like bcrypt is tough to crack, not all companies or governments use up-to-date hashing. Sometimes the passwords stolen in these attacks were protected with obsolete methods and are easy to crack via rainbow table or brute force techniques. In the case of the infamous Ashley Madison hack, passwords hashed with bcrypt were stored in the same database as passwords hashed with the much weaker MD5. The MD5 passwords were easily cracked, and since they corresponded to the same accounts as the bcrypt passwords, it made those easy to crack as well.
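The three claims in that paragraph (an unsalted MD5 hash falls to a precomputed table, a salted slow hash does not, and storing both for the same account throws the slow one’s protection away) can be shown in a few dozen lines. The block below is an added example and not code from the original post or from any of the breached sites; it uses the standard library’s pbkdf2_hmac as a stand-in for bcrypt, and the password list and every hash in it are constructed for the demo.

```python
# Added example, not code from the original post: why an unsalted MD5 hash is
# trivial to recover from a precomputed table, why a salted slow hash is not,
# and why keeping both for the same account (the Ashley Madison situation
# described above) defeats the slow one. pbkdf2_hmac stands in for bcrypt so the
# example needs only the standard library; the password list and all hashes are
# constructed for the demo.
import hashlib
import hmac
import secrets

# Constructed "common password" list; real wordlists run to billions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]
SLOW_ITERATIONS = 100_000    # assumed work factor for the stand-in slow hash


def md5_unsalted(password):
    """The obsolete scheme: same password -> same hash, for every user and every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precomputed hash -> password map; a rainbow table is a compressed form of this."""
    return {md5_unsalted(w): w for w in words}


def crack_with_table(hash_hex, table):
    """Recovering an unsalted MD5 password is a dictionary lookup, not a computation."""
    return table.get(hash_hex)


def slow_salted_hash(password, salt):
    """Stand-in for bcrypt: per-user random salt plus a deliberately expensive derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, SLOW_ITERATIONS)


def new_slow_record(password):
    """What a password store should keep: a fresh random salt and the salted slow hash."""
    salt = secrets.token_bytes(16)
    return salt, slow_salted_hash(password, salt)


def verify_slow(password, salt, digest):
    return hmac.compare_digest(slow_salted_hash(password, salt), digest)


def crack_via_correlation(md5_hex, salt, slow_digest, table):
    """The mixed-database failure: crack the cheap hash, confirm against the slow one.
    One slow computation instead of a whole wordlist; None if the table misses."""
    candidate = crack_with_table(md5_hex, table)
    if candidate is not None and verify_slow(candidate, salt, slow_digest):
        return candidate
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two users who happened to choose the same weak password.
    alice_md5, bob_md5 = md5_unsalted("letmein"), md5_unsalted("letmein")
    print("identical unsalted hashes:", alice_md5 == bob_md5)       # one lookup cracks both
    print("cracked from table       :", crack_with_table(alice_md5, table))
    alice_salt, alice_slow = new_slow_record("letmein")
    bob_salt, bob_slow = new_slow_record("letmein")
    print("identical salted hashes  :", alice_slow == bob_slow)     # False: no shared table possible
    print("table hit on slow hash   :", crack_with_table(alice_slow.hex(), table))  # None
    print("mixed-db correlation     :", crack_via_correlation(alice_md5, alice_salt, alice_slow, table))
```

The salt is what breaks the table: with a different random salt per user, an attacker would have to rebuild the whole table for every account, and the work factor makes each entry of that rebuild expensive. That advantage disappears the moment the same password is also stored under a fast, unsalted hash somewhere in the same database.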

Take the recent Yahoo hacks as another example. Most of the data stolen from Yahoo was old, weakly encrypted passwords and unencrypted password hints. Why should that matter if, say, your bank account’s password has state-of-the-art encryption? Answer: people tend to use the same password for everything. If a hacker gains access to a bunch of old, defunct Yahoo email accounts, there is a good chance that some of those account holders used the same password for a credit card or bank account.

Zero-day attacks will happen. No matter how secure an organization’s systems are, there will always be attackers probing for vulnerabilities that the developers aren’t yet aware of. However, through encryption and two-step verification, you have a higher chance of deterring an attacker from being able to use your info. Moral of the story: don’t use the same password for Ashley Madison as you do for your bank account.
