The world's most likely destruction may stem not from overt threats like nuclear war, but from accidental exploitation of software and hardware vulnerabilities, facilitated by a clandestine global market for "zero-day exploits."
So, how does the world end?
Nuclear war,
a deadly plague,
falling asteroids?
Probably not. Most experts agree that
the most likely way for the world to be
destroyed is by accident. A mistake. And
today, we're looking at the ultra secret
underground market that deals in
exploiting those mistakes. A market
where hackers in their basement make
millions of dollars from terrorists,
dictators, and even your own government.
But as we venture into this dark
underground world, we'll also be asking
how it affects you. Have you ever
wondered if you're being watched through
your webcam or phone camera, or if your
password-protected files and messages
are really as private as they seem? As
our lives become more and more connected
by technology, have you ever stopped to
think of the risks? [Music]
I will warn you now. Your life will
probably be better if you don't watch
this video. Sometimes ignorance is
bliss. And you'll be happier not knowing
because once we open this vault, there's
[Music]
I hardly ever updated my computer. I
used to hit the remind me later button
over and over until eventually whoever
was telling me I needed to update just
gave me no choice and ran the update
anyway. I'd always think, why do we need
so many updates? What's even changing?
If you can relate, then by the end of
this video, I guarantee you'll have
changed your mind about postponing
updates. But let's start at the
beginning. There are all kinds of secret
black markets. From drugs to organs to
weapons, there will always be illegal
trades happening in the shadows. But one
of the most disturbing and secretive
markets is the buying and selling of
zero-day exploits,
which raises our first question. What
the hell is that? A zero day, sometimes
pronounced "oh-day", is essentially a flaw
in either software or hardware for which
there is no existing patch or fix. It's
called a zero day because the original
developer has had zero days to come up
with a defense. They have no idea it's
even there. And until the vendor learns
about it and provides an update to fix
it, anyone using that software or
hardware is vulnerable. That's why zero
days are the most powerful tool to any
hacker. It can be a backdoor into any
system in the world. For example, a zero
day in Apple's iOS could allow someone
to remotely break into any iPhone in the
world and see every file, app, photo,
and message completely undetected.
And there is no protection against the
zero-day exploit. By definition, it's an
unknown vulnerability. So, no antivirus
will help you. Of course, eventually the
manufacturer finds the security hole and
releases a security update, but it could
be months or years before they detect
it, which means a catastrophic amount of
damage can be done before then. With the
right zero-day exploits, a hacker could
break into any company or system in the
world. And that doesn't just mean your
devices. They could break into a
military base or the safety controls at
a chemical plant or even shut down a
nation's electricity grid. Given how
powerful these zero-day exploits can be,
they are of course incredibly lucrative.
The right buyer will pay millions of
dollars. But as for who is buying these
zero-day exploits, well, that's an even
[Music]
It all started in the '80s and '90s when
hackers would find bugs in various
software. This was often just a hobby.
They were curious to see how the code
worked and if they could find any
vulnerabilities in it. If they found a
mistake in the code, they would often
approach these tech companies like
Microsoft or Oracle and let them know
they found a vulnerability.
But these tech companies were not
remotely grateful. It was the opposite.
They viewed these hackers as a nuisance,
as criminals. They certainly didn't want
people drawing attention to flaws in
their products. And so they would tell
hackers to stop poking around their
software or else they'd take legal action.
This reaction from tech companies caused
a lot of frustration amongst hackers who
were trying to do the right thing by
notifying the companies of flaws in
their code. So the threats from the tech
companies caused a lot of resentment
which would ultimately convert many
white hat hackers to black hat. And so
when the companies didn't listen to
them, some hackers just started sharing
the bugs they found publicly online,
like on a service called Bugtraq.
Microsoft then compared them to terrorists.
So in 2003, a security company called
iDefense sensed an opportunity. They
started offering to pay hackers directly
for vulnerabilities they found. It was
often quite small amounts, maybe $100.
But this gave hackers an incentive to
share the bugs they found in an ethical
way. Because iDefense would then share
these bugs with the vendors so they
could get fixed. But in the meantime,
they could offer their own clients a
workaround to protect themselves until
the vendor fixed the bug. So,
iDefense's business model actually worked
quite well for everyone. But this gave
birth to the zero-day market where these
zero-day vulnerabilities could be sold
for a profit. And it wasn't long before
iDefense started getting outbid.
Government agency contractors and their
intermediaries started reaching out to
hackers on these forums and offering to
pay way higher prices. It could be tens
or hundreds of thousands of dollars for
the right exploit. Of course, there was
one critical condition. Complete
silence. A zero day is only worth so
much if nobody else knows about it, as
obviously, as soon as the vendor fixes
the security hole, the hacker loses
access. So, if government spies and
brokers were going to shell out six
figures for a zero-day exploit, it was
crucial nobody else knew about it. The
first rule of the zero-day market is you
do not talk about the zero-day market.
iDefense started to notice bug
submissions began to drop and some
hackers started suggesting they had
better options.
However, since these transactions were
typically done through brokers, hackers
would usually have no idea who they were
selling to or how the zero day would be
used. You're just dealing with a
middleman. You may hope the exploit you
found is being sold to your own
government who will use it to spy on
terrorists and prevent harm. But in
reality, it could be sold to a rogue
nation state who may use it to trigger
an explosion at a chemical plant and
kill civilians. You have no way of
knowing. That's why the zero-day sellers
have been referred to as merchants of
death, selling the bullets for cyber
war. We know from Edward Snowden's leaks
that the United States was one of the
biggest players in the zero-day market.
The leaked documents suggested the NSA
had acquired a vast library of invisible
back doors into basically every app,
server, and system you could think of,
and they could break in even if a device
was turned off. But essentially, every
country in the world is now active in
the zero-day market. [Music]
Initially, the main reason for hoarding
these exploits was because they're the
best tool for espionage.
But now that we use the same software in
factories, nuclear plants, power grids,
and pipelines, these zero-day exploits
became a new tool for cyber war. Of
course, the exact same zero days that
could be used against your enemies can
be used against you, as most of the
world is all using the same technology
and tech companies have embraced the
mantra of move fast and break things.
But this means as more code is hastily
written, more bugs appear that can be
exploited. Interestingly, tech companies
have now changed their tune towards
hackers and instead of viewing them as
the enemy, they've realized they're a
cheap form of quality assurance. So many
companies now offer their own bug bounty
programs to pay hackers for finding
vulnerabilities in their code. The
problem is zero-day brokers pay
significantly more money. So companies
are basically trusting hackers who find
a bug will accept less money by giving
it directly to the vendor so they can
fix it rather than selling to a zero-day
broker. As an example, there is a
zero-day broker who actually shares their
price list publicly called Zerodium.
Most brokers are very secretive about
who they sell to and for how much. But
Zerodium is transparent that they pay
between two and $2.5 million for a zero
day for Android or iOS that can access a
user's device fully. This is the holy
grail of zero days as it can get you
into almost any device without the user
even needing to click anything. So, as
you can now see, there is a thriving
market for zero-day exploits, as they can
essentially be cyber weapons of mass
destruction. And you can imagine the
damage they could inflict.
Except we don't need to imagine. It's
already happened. [Music]
It's 2010 at the headquarters of Iran's
nuclear program where they're developing
nuclear weapons. Little do they know,
they've been infected with a malicious
computer worm, which is the most
sophisticated cyber weapon the world has
ever seen. It was called Stuxnet. And
the attack used four zero-day exploits strung
together. The attack began when an
infected USB flash drive was plugged
into a computer running Microsoft
Windows. By exploiting a Microsoft
zero-day vulnerability, Stuxnet was able
to spread from the infected USB drive
onto the computer without detection.
Then using a separate zero-day
vulnerability in printers, Stuxnet was
able to gain access to the facility's
local network and spread across the
entire plant. Even though the network
wasn't connected to the internet, by
exploiting these zero-day
vulnerabilities, Stuxnet could burrow
itself deep into their systems until it
found its target. And then Stuxnet
began overloading Iran's spinning
uranium centrifuges out of control,
causing them to overheat and self-destruct.
This computer worm was causing very real
physical damage.
And yet the code was so cleverly
constructed that it reported on the
monitors that the centrifuges were
rotating at their normal speed. And thus
to the Iranian scientists monitoring the
computer screens, everything appeared
normal. By the time they finally
realized a computer worm was responsible
for the destruction of their
centrifuges, around a fifth of them had
already been destroyed by Stuxnet.
Whilst nobody ever officially confirmed
responsibility for the attack, it would
later be concluded by experts that
Stuxnet was a joint operation between
the United States and Israel. And it's
estimated it set Iran's nuclear program
back several years.
However, the other consequences of
Stuxnet cannot be overstated.
This was the world's first cyber weapon
of mass destruction. A former NSA
director compared it to the moment the
first atomic bomb was used. A new weapon
was now out there and there was no going
back. It showed other countries what
could be achieved with a few zero days
used together. It was almost an advert
for the damage and destruction that
could be caused with these cyber
weapons. And so after Stuxnet's
discovery in 2010, the zero-day market
became flooded with more buyers,
including countries with terrible human
rights records. The cyber arms race was on.
[Music]
It's May 12th, 2017, and panic has
erupted in London. Patients are being
turned away from hospitals, being told
their surgeries can't go ahead. They're
told that the British health system has
been hacked. More specifically, many
hospitals in the UK had been infected
with ransomware called WannaCry.
When staff opened their computers, they
saw a message telling them all of their
files had been encrypted. The ransom
note said, "Maybe you were busy looking
for a way to recover your files, but do
not waste your time. Nobody can recover
your files without our decryption
service." And of course, for that, you
had to pay. A Bitcoin address was
provided. There was also a timer of how
long until the price increased, and if
they didn't pay within a week, their
important files would be lost forever.
It quickly became clear this ransomware
had spread all over the world at a
shockingly fast speed. From Indian
airlines, Chinese universities, Japanese
police, to Spain's largest telecom
service, hundreds of thousands of
computers were encrypted with WannaCry.
But here's the crucial part. Experts
soon discovered why the attacks had
spread so quickly. The attackers had
used a stolen NSA exploit called
EternalBlue. This just demonstrated the risk of
governments hoarding these zero-day
vulnerabilities and how these exploits
can fall into the wrong hands and cause
untold damage. In this case, the attack
was traced back to the Lazarus Group, a
hacker group connected to the government
of North Korea.
What's fascinating about ransomware is
that it is a business. There are
countless reports of people haggling
over the price with these attackers. And
some ransomware teams even offer
customer service. Ultimately, their
objective is to make money. And
fortunately, in this case, the attackers
had been sloppy. They had unwittingly
included a kill switch in their code.
And a 22-year-old college dropout called
Marcus Hutchins quickly discovered it.
He realized that the WannaCry malware
only executed if it couldn't connect to
the kill switch domain name, which was a
long string of characters. So, he simply
registered that domain name for $11. And
because the malware could now connect to
the domain, it stopped executing on new devices.
Whilst it's estimated WannaCry caused up to
$4 billion in damages, things could have
been so much worse.
On June 27th, 2017, Russia used this new
leaked NSA cyber weapon in Ukraine in
what became the most destructive cyber
attack in history. Ukrainians woke up to
see black screens everywhere. They
couldn't buy groceries, couldn't get
money out at ATMs, couldn't get paid,
and they couldn't even monitor radiation
levels at Chernobyl. So they had no idea
if they were safe. This single attack
from Russia is estimated to have cost
over $10 billion.
But Russia was so deeply inside all of
Ukraine's systems that they could have
easily used that power for something
very deadly. But instead, they were
trying to send a message to Ukrainians
that their government was weak and
Russia was stronger and in control. They
had actually done something similar 2
years earlier using a different exploit,
when the Russians briefly shut off the
power grid in Ukraine, plunging the
What's fascinating about these cyber
attacks is that one of the reasons
things weren't much worse for Ukraine is
that at the time, not everything was as
interconnected and automated in the
country. Whereas, if you contrast that
with a country like the United States,
virtually everything is connected to the
internet. And thus, experts have warned
that as we continue to connect more
devices, from our hospitals to chemical
plants to pipelines to cars to light
bulbs and fridges, we are essentially
creating the world's largest attack
surface. You may think these incidents
would be more of a wake-up call. We've
had one country remotely destroying
another country's nuclear program. We've
had hackers encrypt files around the
world, costing billions of dollars.
We've even had a country shut off the
power in another country. But the news
cycle moves on, exploits continue to be
hoarded, and the secretive zero-day
market continues to thrive. But if you
thought the zero-day market was worrying,
wait until you hear about Silk Road.
It's time we take a journey to the dark
web and learn about the most illegal
business in the world. Just click the
thumbnail on screen and I'll see you there.