# The Scariest Business In The World

## Metadata

- **Channel:** MagnatesMedia
- **YouTube:** https://www.youtube.com/watch?v=2bMYyzO8SnM
- **Source:** https://ekstraktznaniy.ru/video/24299

## Transcript

### Segment 1 (00:00 - 05:00)

So, how does the world end? Nuclear war, a deadly plague, falling asteroids? Probably not. Most experts agree that the most likely way for the world to be destroyed is by accident. A mistake. And today, we're looking at the ultra-secret underground market that deals in exploiting those mistakes. A market where hackers in their basement make millions of dollars from terrorists, dictators, and even your own government. But as we venture into this dark underground world, we'll also be asking how it affects you. Have you ever wondered if you're being watched through your webcam or phone camera, or if your password-protected files and messages are really as private as they seem? As our lives become more and more connected by technology, have you ever stopped to think of the risks? I will warn you now. Your life will probably be better if you don't watch this video. Sometimes ignorance is bliss. And you'll be happier not knowing because once we open this vault, there's no going back. I hardly ever updated my computer. I used to hit the remind me later button over and over until eventually whoever was telling me I needed to update just gave me no choice and ran the update anyway. I'd always think, why do we need so many updates? What's even changing? If you can relate, then by the end of this video, I guarantee you'll have changed your mind about postponing updates. But let's start at the beginning. There are all kinds of secret black markets. From drugs to organs to weapons, there will always be illegal trades happening in the shadows. But one of the most disturbing and secretive markets is the buying and selling of zero-day exploits, which raises our first question. What the hell is that? A zero day, sometimes pronounced oh-day, is essentially a flaw in either software or hardware for which there is no existing patch or fix. It's called a zero day because the original developer has had zero days to come up with a defense. They have no idea it's even there.
And until the vendor learns about it and provides an update to fix it, anyone using that software or hardware is vulnerable. That's why zero days are the most powerful tool to any hacker. It can be a backdoor into any system in the world. For example, a zero day in Apple's iOS could allow someone to remotely break into any iPhone in the world and see every file, app, photo, and message completely undetected. And there is no protection against a zero-day exploit. By definition, it's an unknown vulnerability. So, no antivirus will help you. Of course, eventually the manufacturer finds the security hole and releases a security update, but it could be months or years before they detect it, which means a catastrophic amount of damage can be done before then. With the right zero-day exploits, a hacker could break into any company or system in the world. And that doesn't just mean your devices. They could break into a military base or the safety controls at a chemical plant or even shut down a nation's electricity grid. Given how powerful these zero-day exploits can be, they are of course incredibly lucrative. The right buyer will pay millions of dollars. But as for who is buying these zero-day exploits, well, that's an even more disturbing question. It all started in the '80s and '90s when hackers would find bugs in various software. This was often just a hobby. They were curious to see how the code worked and if they could find any vulnerabilities in it. If they found a mistake in the code, they would often approach these tech companies like Microsoft or Oracle and let them know they found a vulnerability. But these tech companies were not remotely grateful. It was the opposite. They viewed these hackers as a nuisance, as criminals. They certainly didn't want

### Segment 2 (05:00 - 10:00) [5:00]

people drawing attention to flaws in their products. And so they would tell hackers to stop poking around their software or else they'd take legal action. This reaction from tech companies caused a lot of frustration amongst hackers who were trying to do the right thing by notifying the companies of flaws in their code. So the threats from the tech companies caused a lot of resentment which would ultimately convert many white hat hackers to black hat. And so when the companies didn't listen to them, some hackers just started sharing the bugs they found publicly online, like on a service called Bugtraq. Microsoft then compared them to terrorists. So in 2003, a security company called iDefense sensed an opportunity. They started offering to pay hackers directly for vulnerabilities they found. It was often quite small amounts, maybe $100. But this gave hackers an incentive to share the bugs they found in an ethical way. Because iDefense would then share these bugs with the vendors so they could get fixed. But in the meantime, they could offer their own clients a workaround to protect themselves until the vendor fixed the bug. So, iDefense's business model actually worked quite well for everyone. But this gave birth to the zero-day market where these zero-day vulnerabilities could be sold for a profit. And it wasn't long before iDefense started getting outbid. Government agency contractors and their intermediaries started reaching out to hackers on these forums and offering to pay way higher prices. It could be tens or hundreds of thousands of dollars for the right exploit. Of course, there was one critical condition. Complete silence. A zero day is only worth so much if nobody else knows about it, as obviously, as soon as the vendor fixes the security hole, the hacker loses access. So, if government spies and brokers were going to shell out six figures for a zero-day exploit, it was crucial nobody else knew about it.
The first rule of the zero-day market is you do not talk about the zero-day market. iDefense started to notice bug submissions began to drop and some hackers started suggesting they had better options. However, since these transactions were typically done through brokers, hackers would usually have no idea who they were selling to or how the zero day would be used. You're just dealing with a middleman. You may hope the exploit you found is being sold to your own government who will use it to spy on terrorists and prevent harm. But in reality, it could be sold to a rogue nation state who may use it to trigger an explosion at a chemical plant and kill civilians. You have no way of knowing. That's why the zero-day sellers have been referred to as merchants of death, selling the bullets for cyber war. We know from Edward Snowden's leaks that the United States was one of the biggest players in the zero-day market. The leaked documents suggested the NSA had acquired a vast library of invisible backdoors into basically every app, server, and system you could think of, and they could break in even if a device was turned off. But essentially, every country in the world is now active in the zero-day market. Initially, the main reason for hoarding these exploits was because they're the best tool for espionage. But now that we use the same software in factories, nuclear plants, power grids, and pipelines, these zero-day exploits became a new tool for cyber war. Of course, the exact same zero days that could be used against your enemies can be used against you, as most of the world is all using the same technology and tech companies have embraced the mantra of move fast and break things. But this means as more code is hastily written, more bugs appear that can be exploited. Interestingly, tech companies have now changed their tune towards hackers and instead of viewing them as the enemy, they've realized they're a cheap form of quality assurance.
So many companies now offer their own bug bounty programs to pay hackers for finding vulnerabilities in their code. The problem is zero-day brokers pay significantly more money. So companies are basically trusting hackers who find a bug will accept less money by giving it directly to the vendor so they can fix it rather than selling to a zero-day broker. As an example, there is a zero-day broker who actually shares their price list publicly called Zerodium. Most brokers are very secretive about who they sell to and for how much. But Zerodium is transparent that they pay between two and $2.5 million for a zero day for Android or iOS that can access a user's device fully. This is the holy grail of zero days as it can get you into almost any device without the user even needing to click anything. So, as you can now see, there is a thriving

### Segment 3 (10:00 - 15:00) [10:00]

market for zero-day exploits, as they can essentially be cyber weapons of mass destruction. And you can imagine the damage they could inflict. Except we don't need to imagine. It's already happened. It's 2010 at the headquarters of Iran's nuclear program where they're developing nuclear weapons. Little do they know, they've been infected with a malicious computer worm, which is the most sophisticated cyber weapon the world has ever seen. It was called Stuxnet. And the attack used four zero-day exploits strung together. The attack began when an infected USB flash drive was plugged into a computer running Microsoft Windows. By exploiting a Microsoft zero-day vulnerability, Stuxnet was able to spread from the infected USB drive onto the computer without detection. Then using a separate zero-day vulnerability in printers, Stuxnet was able to gain access to the facility's local network and spread across the entire plant. Even though the network wasn't connected to the internet, by exploiting these zero-day vulnerabilities, Stuxnet could burrow itself deep into their systems until it found its target. And then Stuxnet began overloading Iran's spinning uranium centrifuges out of control, causing them to overheat and self-destruct. This computer worm was causing very real physical damage. And yet the code was so cleverly constructed that it reported on the monitors that the centrifuges were rotating at their normal speed. And thus to the Iranian scientists monitoring the computer screens, everything appeared normal. By the time they finally realized a computer worm was responsible for the destruction of their centrifuges, around a fifth of them had already been destroyed by Stuxnet. Whilst nobody ever officially confirmed responsibility for the attack, it would later be concluded by experts that Stuxnet was a joint operation between the United States and Israel. And it's estimated it set Iran's nuclear program back several years.
However, the other consequences of Stuxnet cannot be overstated. This was the world's first cyber weapon of mass destruction. A former NSA director compared it to the moment the first atomic bomb was used. A new weapon was now out there and there was no going back. It showed other countries what could be achieved with a few zero days used together. It was almost an advert for the damage and destruction that could be caused with these cyber weapons. And so after Stuxnet's discovery in 2010, the zero-day market became flooded with more buyers, including countries with terrible human rights records. The cyber arms race was on. It's May 12th, 2017, and panic has erupted in London. Patients are being turned away from hospitals, being told their surgeries can't go ahead. They're told that the British health system has been hacked. More specifically, many hospitals in the UK had been infected with ransomware called WannaCry. When staff opened their computers, they saw a message telling them all of their files had been encrypted. The ransom note said, "Maybe you were busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service." And of course, for that, you had to pay. A Bitcoin address was provided. There was also a timer of how long until the price increased, and if they didn't pay within a week, their important files would be lost forever. It quickly became clear this ransomware had spread all over the world at a shockingly fast speed. From Indian airlines, Chinese universities, Japanese police, to Spain's largest telecom service, hundreds of thousands of computers were encrypted with WannaCry. But here's the crucial part. Experts soon discovered why the attacks had spread so quickly. The attackers had used a stolen NSA exploit called EternalBlue.
This just demonstrated the risk of governments hoarding these zero-day vulnerabilities and how these exploits can fall into the wrong hands and cause untold damage. In this case, the attack was traced back to the Lazarus Group, a hacker group connected to the government of North Korea. What's fascinating about ransomware is

### Segment 4 (15:00 - 19:00) [15:00]

that it is a business. There are countless reports of people haggling over the price with these attackers. And some ransomware teams even offer customer service. Ultimately, their objective is to make money. And fortunately, in this case, the attackers had been sloppy. They had unwittingly included a kill switch in their code. And a 22-year-old college dropout called Marcus Hutchins quickly discovered it. He realized that the WannaCry malware only executed if it couldn't connect to the kill switch domain name, which was a long string of characters. So, he simply registered that domain name for $11. And because the malware could now connect to the domain, it stopped executing on new devices. Whilst it's estimated WannaCry caused up to $4 billion in damages, things could have been so much worse. And just a month later, they would be.
On June 27th, 2017, Russia used this new leaked NSA cyber weapon in Ukraine in what became the most destructive cyber attack in history. Ukrainians woke up to see black screens everywhere. They couldn't buy groceries, couldn't get money out at ATMs, couldn't get paid, and they couldn't even monitor radiation levels at Chernobyl. So they had no idea if they were safe. This single attack from Russia is estimated to have cost over $10 billion. But Russia was so deeply inside all of Ukraine's systems that they could have easily used that power for something very deadly. But instead, they were trying to send a message to Ukrainians that their government was weak and Russia was stronger and in control. They had actually done something similar 2 years earlier using a different exploit, when the Russians briefly shut off the power grid in Ukraine, plunging the country into darkness and panic. What's fascinating about these cyber attacks is that one of the reasons things weren't much worse for Ukraine is that at the time, not everything was as interconnected and automated in the country. Whereas, if you contrast that with a country like the United States, virtually everything is connected to the internet. And thus, experts have warned that as we continue to connect more devices, from our hospitals to chemical plants to pipelines to cars to light bulbs and fridges, we are essentially creating the world's largest attack surface. You may think these incidents would be more of a wake-up call. We've had one country remotely destroying another country's nuclear program. We've had hackers encrypt files around the world, costing billions of dollars. We've even had a country shut off the power in another country. But the news cycle moves on, exploits continue to be hoarded, and the secretive zero-day market continues to thrive. But if you thought the zero-day market was worrying, wait until you hear about Silk Road.
