This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Kindle Notes & Highlights
[35%] Google offices across the globe,
[35%] it was clear that this was no insider.
[35%] An attacker had infiltrated their machines from the outside.
[35%] security was only as good as the weakest link. And usually the weakest link was a human who clicked on a simple phishing email or message containing something nasty.
[35%] The attacker might mimic a FedEx tracking notice or an HR manager. Somebody, somewhere in the organization, almost inevitably fell for it ...
[36%] But the most sophisticated attackers want the source code, the hieroglyphics created and admired by the engineering class.
[36%] Source code is the raw matter for software and hardware. It is what tells your devices and apps how to behave, when to turn on, when to sleep, who to let in, who to keep out.
[36%] Google’s services—from Google Search to Gmail to Google Maps—run to an estimated two billion lines of code.
[36%] stealing Google’s source code, China’s hackers could potentially implant backdoors into Gmail software, guaranteeing long-term access to any Gmail account of their choosing.
[37%] “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”
[38%] by 2010, stolen passwords were everywhere. Hackers religiously scanned the internet for weaknesses, broke into password databases, and dumped them on the dark web.
[38%] Dear reader, use long passwords.
[39%] offered to pay $80,000 for exploits that could defeat Google’s Chrome browser, $100,000 for Android exploits. The top prize, $500,000, was reserved for the iPhone. As the number of Zerodium customers went up, so did Bekrar’s payouts. In 2015 Zerodium tweeted out a $1 million offer for the gold mine: a remote jailbreak of the iPhone,
[39%] By 2020 Bekrar was offering $1.5 million for exploits that could remotely access someone’s WhatsApp messages and Apple’s iMessages without so much as a click. He was paying out $2 million for remote iPhone jailbreaks and—in a notable shift—$2.5 million for an Android jailbreak.
[41%] She knew from tracking the data that the biggest drop-off in direct bug reports was for Internet Explorer bugs. Clearly, there was an offensive market for IE bugs, given that it was still one of
[41%] A single IE exploit could produce a wealth of intelligence about a target: usernames, passwords, online banking transactions, keystrokes, search histories, travel plans—essentially a spy’s wish list.
[41%] At the Nuclear Regulatory Commission, which regulates nuclear facilities, information about crucial nuclear components was left on unsecured network drives,
[42%] That wasn’t the worst of it. The slides appeared to show that the NSA and GCHQ were directly hacking Google and Yahoo’s internal data centers to intercept customer data before it was encrypted and passed over the open web—essentially a man-in-the-middle
[42%] Once Google had checked everything off its list, it rolled out a new user-friendly email encryption tool to customers. Buried in the code was a winking smiley face ;-)
[42%] Project Zero’s researchers found critical zero-days in Apple’s Safari browser, design flaws in some of the most reputable security products, and a Microsoft zero-day that would have given spies full control over Windows machines.
[42%] Over the next few years, Project Zero identified more than sixteen hundred critical bugs, major flaws not just in the world’s most targeted software and security tools but also in the Intel chips inside nearly every computer in the world.
[43%] he shared what he’d heard from Apple’s customers abroad. There was now a deep suspicion of America’s technology companies, he told the president. America had lost its halo on civil liberties, and it might be decades before it ever earned it back. Leaving anything open to surveillance was, in his mind, a civil liberties nightmare,
[43%] not to mention bad business. People had a basic right to privacy, and if American companies couldn’t protect them, they would take their business overseas. Cook was putting the government on notice: Apple was going to encrypt every...
[43%] From now on, Apple automatically encrypted everything on the phone—messages, call logs, photos, contacts—using a complex mathematical algorithm that used the user’s own unique passcode to unwrap a larger key on the device. Apple no longer held the spare keys to customer data. They’d given the only pair to the users.
[44%] How could the U.S. government ever guarantee it could keep Apple’s backdoor safe, when it could not even manage to protect its own data?
[44%] breach at the Office of Personnel Management was still fresh in Cook’s memory. The breach had exposed the very data you would think the government had the most personal incentive to protect: Social Security numbers, fingerprints, medical records, financial histories, home addresses, and sensitive details for every American given a background check for the last fift...
[44%] Apple is definitely within their rights to protect the privacy of all Americans,” she told reporters.
[44%] Without warning, the Justice Department dropped its case, informing the judge it had found another way to access Farook’s data. It no longer needed Apple’s help. Unnamed hackers had approached the FBI with an alternative way in,
[44%] had just publicly copped to paying hackers $1.3 million for a way to bypass Apple’s security.
[44%] And the FBI claimed it did not know what the underlying flaw was and had no plans to he...
[44%] the rumors that Cellebrite was the FBI’s accomplice had started with Cellebrite itself,
[45%] The agenda listed hacks of encrypted medical devices to e-voting systems, cars, app stores, Androids, PCs, and the Cisco and SAP business apps that could enable attackers to take remote control of computers at the world’s biggest multinationals and government agencies.
[46%] came up with an automated attack tool,
[46%] Impact, that penetrated customers’ networks with exploits—some known, but many more that they discovered themselves. Analysts initially slammed the tool as unethical and dangerous. But one of Impact’s first takers, NASA, helped change the industry’s minds.
[46%] Two weeks ahead of Argentina’s upcoming presidential elections, the Gaucho and the Ekoparty guys had gotten their hands on Argentina’s new voting
[46%] The Gaucho gave me a little tour of his studio. As we passed the telescope, he told me he’d once hacked a satellite.
[46%] Chip manufacturers hired the Gaucho to make sure that their chips were secure.
[46%] He’d discovered all sorts of ways one could hack chips to get into the global supply chain.
[46%] What Iran, North Korea, and others could not develop on their own, they could now just buy off the market. The Gaucho might not sell them a way in, but there were many others here that would.
[47%] “The main target in this attack was to stop the flow of oil and gas to local and international markets and—thank God—they were not able to achieve their goals,”
[47%] the malware—called Shamoon after a word left in the code—did exactly what it needed to do: it sent Iran’s chief regional rival, the Saudis, into a tailspin, and signaled to Washington that Iran now posed a formidable cyber threat of its own, that one day soon it would come for us.
[47%] that meant using regulation to force private utilities, pipeline operators, and water treatment plants to beef up their security, so be it, Chertoff said. He’d overseen the government’s response to Hurricane Katrina and could see that the United States now faced a cyber threat on U.S. infrastructure that would be just as dire—if not worse.
[48%] tower in Shanghai where members of the PLA’s Unit 61398 were staging thousands of attacks on American businesses, including Coca-Cola, the security company RSA, and Lockheed Martin. We could track individual hackers at specific IP locations and, in some cases, even watch what was
[48%] little more than a month after the Aramco attacks, Iranian hackers put U.S. banks in their crosshairs. Executives at Bank of America, J.P. Morgan, Citigroup, Fifth Third Bank, Capital One, and the New York Stock Exchange could only watch helplessly as, one by one, their banking sites crumbled or were forced offline by a deluge of Iranian internet traffic.
[48%] “If we are going to be aggressive about using our cyberweapons against these adversaries,” Panetta told me, “we have to be damn well prepared when these attacks come our way.”
[48%] Iranian hackers were inside the Bowman Dam—in the PLC controllers—and it looked as if they might open the sluice gates.