The computer virus that attacked the nuclear centrifuges was so aggressive that it spread all over the world. That the Iranian computers where it first took hold were not connected to the Internet gives a measure of its virulence. The virus targeted very specific industrial computers, but to get there it had broken through Microsoft Windows. Using the same trick, it got into the FedEx computer network and similar international systems in different countries.
This was just one of the many times the tools of spy craft got out into the wild, as chronicled by Nicole Perlroth in her excellent book, “This is how they tell me the world ends.” For decades, spy agencies have been secretly collecting data on limitations in everyday technology to get into rivals’ systems. The technology manufacturers themselves sometimes don’t know about these limitations, making it impossible to protect their users from attacks. In information security parlance, these are “zero day” exploits. A gifted writer, Perlroth instead calls them the “blood diamonds” of the security trade.
Whenever a blood diamond becomes public the technology makers rush to provide a fix, usually via a system update. It’s a good idea to install those updates, since chances are spy agencies paid top dollar to exploit the flaws they fix. An undisclosed way into your iPhone, for example, might net the first hacker to find it $2 million or more. Anyone too slow to install the update, including large organizations like cities and hospitals, will pay the price in the form of ransomware or worse.
The depressing conclusion to draw from all the as-yet-undisclosed limitations is that no system is safe from intrusion. Technology companies have started to talk about “zero trust” security, where organizations will restrict the number of people who have access to the entire system. The analogous solution for your own information is to think twice before you commit any data to digital form.
Instead of millions for an original way in, criminal gangs might just pay a few hundred to send fake emails that people will click, and that will get them in through an older backdoor. You can save yourself the hassle and never click on unsolicited links or open documents that you were not expecting.
Some of your colleagues will likely click or open those. That’s why we like the approach of one of our customers, BitTrap, which offers incentives for hackers to reveal their presence inside the network, so that companies will at least know when they were breached.
Spy agencies can still probably access your every communication even if you don’t click on any suspicious link. At the cutting edge of information security, enterprising hackers are trying to find a way into the most valuable systems.
Not a lot you can do about that, except petition your government to protect you. Perlroth went as far as reading printed copies of the Snowden documents while locked into an office closet. The New York Times had gotten hold of the documents and they wanted her to be one of the reporters to read the trove. The newsroom’s ample windows would let anyone snoop in on them while at work, so editor Dean Baquet volunteered his closet as the only available room confined by walls. They left their phones outside and got to work.
Some personal news: This week marks my 10 year anniversary at the @nytimes. I never thought I’d make it two years(!) let alone ten. It has been the wildest of rides and I could not be prouder of the work we’ve done together. — Nicole Perlroth (@nicoleperlroth) November 16, 2021
After ten years of these antics, you can excuse Perlroth for leaving the New York Times at the start of December to spend more time with her toddler. She sure did her share so that we can all understand what’s next in computer security beyond the industry jargon.