What is zero day?

Most software has had a bug at some point. But what if that bug has the potential to open backdoors for hackers to exploit? Worse still, what if the developers of the software have no idea it exists? Criminals can abuse these so-called zero day vulnerabilities for months or even years before anyone patches them. So what are these vulnerabilities? And how much damage can they cause?

Sybil Andrea

Apr 02, 2021 · 7 min read

What is zero day?

The phrase “zero day” can refer to two different concepts — zero day vulnerabilities and zero day exploits. So, let's start with the first one.

A zero day vulnerability is a flaw in software or hardware which is yet to be discovered by its developers. This means that there's currently no way to plug the hole in security. It can be any vulnerability — a bug, lack of encryption, missing authorizations, to name a few examples.

The term zero day alludes to the amount of time (zero days) that the software vendor has been aware of the problem. The name goes back to online bulletin boards, where zero day meant the number of days since a new piece of software had been publicly released.

In the best-case scenario, when someone discovers a zero day vulnerability, they report it to the software developers, who can patch it before it is exploited. There are actually databases where the cybersecurity community pools its knowledge to help combat these threats together. But unfortunately, sometimes the hackers get there first.

Zero day exploits and attacks

This brings us to a zero day exploit. A zero day exploit is the code criminals use to abuse the zero day vulnerability for their own ends. Vulnerabilities allow them to carry out a zero day attack: installing backdoors, injecting malware, or stealing sensitive information.

Since zero day attacks can potentially be carried out undetected, these vulnerabilities are incredibly valuable. It's not only hackers looking to profit from the weak cybersecurity of a large organization. Intelligence agencies around the world can also initiate zero day exploits.

The global exploit market

Discovering, buying, and selling zero day vulnerabilities is emerging as a whole industry.

  • Black markets sell information on zero day vulnerabilities, enabling criminals to trade information about how they can abuse software bugs.
  • Grey markets cater to cybersecurity businesses, and allow researchers to sell information to militaries, intelligence agencies, and other authorities.
  • White markets are more like the CVE or bug bounty programs, where researchers disclose information to the developers of the buggy software.

So, what happens when hackers find the vulnerabilities before the vendors do?

Famous zero day attacks

There are many infamous zero day attack examples throughout modern history. Let's take a look at some of the most notorious incidents.

Stuxnet

Stuxnet was a computer worm that used different Windows zero day vulnerabilities to target supervisory control and data acquisition (SCADA) systems.

The worm caused enormous damage to the nuclear program of Iran. It destroyed nearly a fifth of Iran's nuclear centrifuges and infected a staggering 200,000 computers. It's often described as one of the first cyber weapons since the perpetrators behind the worm are thought to be the United States and Israel.

Sony hack

The Sony hack in 2014 also tops the list as one of the most famous zero day exploits. During the Sony Pictures hack, criminals utilized a zero day vulnerability to break into the company's network and steal data.

Hackers later released the incredibly sensitive information, including copies of upcoming movies, the company's plans for the future, business deals, and emails from Sony's top management. What specific exploit the hackers used remains a mystery to this day.

Dridex

Back in 2017, hackers found a vulnerability in Microsoft Word and developed Dridex malware which they then hid in MS Word attachments. Those who downloaded the file would activate the Dridex Trojan. The dangerous bank fraud malware spread to millions of users worldwide.

Browsers are vulnerable too

It's not just the apps you're using that can get targeted. The browser you're reading this blog post on could also be exploited.

Firefox zero day

In 2020 Firefox had a vulnerability that allowed hackers to place and execute code inside Firefox's memory. This enabled criminals to run malicious code on any of their victims' devices. The developers released an emergency patch, but not before some hackers managed to exploit it.

Google Chrome zero day

2021 hasn't been great for Chrome zero day exploits. The browser had to issue three emergency patches for zero day vulnerabilities this year. The latest flaw could enable remote code execution and DDoS attacks on the systems affected.

Zero days and the workplace environment

Since any software you're using can fall victim to a zero day threat, what does that mean for businesses? A faulty line of code can create a backdoor in your organization’s systems, so the first thing to do is reorient your thinking about cybersecurity.

Most organizations' responses to cybersecurity incidents tend to be reactionary — responding to previously known threats. However, the problem with zero days is that, by the time you know what happened, it's already too late.

The key to zero day protection is a proactive approach. Detection, data, and activity monitoring are some of the first steps in avoiding zero day attacks.

Zero day protection

So, how do you protect yourself from a threat you don't know about? Sometimes, hackers use zero day vulnerabilities together with other attack methods. Here's how to lower your risk of falling victim to an attack:

  • Update your software ASAP. Software updates often contain patches for critical vulnerabilities.
  • Stay informed. Vulnerability databases and bug bounty programs are vital in detecting flaws in your software.
  • Be wary of phishing scams. Some zero day attacks only work when combined with other attacks. Don't click on unknown links or email attachments — you may end up providing sensitive data to criminals.
  • Use cybersecurity tools. Make sure you're using a VPN and antivirus software to protect you from potential cyber threats.

Amazon is expanding its employee tracking capacity with advanced AI cameras. These devices will monitor delivery drivers, who are being asked to sign biometric consent forms. The move, which would allow Amazon to institute new levels of bio-surveillance, raises some serious questions about employee privacy.

What is Amazon doing?

Amazon is installing AI-powered cameras in the vehicles of their delivery drivers. The camera system (sourced from Netradyne, an Indian company) can run continuously, tracking a driver's location, movements, and even facial expressions. This last point is particularly worrying, as it necessitates the collection of biometric data.

Amazon’s drivers are being offered a simple choice: consent to have their biometric data collected, or lose their jobs.

What is biometric data?

Biometric data, or biometrics, are unique and measurable physical attributes that identify a person. There are over 20 biometric identifiers including fingerprints, facial recognition, DNA, and hand geometry.

Unlike passwords and usernames, biometric data is permanent — if it leaks, it can't just be changed at source. That’s why many believe the collection and storage of biometric data is a risk, even if the company claims to use it ethically. One data breach could permanently compromise a person's biometric identifiers.

Why is Amazon extending their surveillance?

Amazon says the new cameras will help its drivers stay safe on the road. An AI system like Netradyne's can analyze the driver’s face and identify their level of fatigue, preventing accidents. Alternatively, it could track eye movement and notice if drivers were looking at their phones.

It's worth remembering, however, that many Amazon delivery drivers claim to have been pressured into speeding or driving while fatigued by their superiors within the company. Some drivers claim that they are expected to keep up with the delivery rates regardless of weather conditions or any other variables. Failing to do so can result in drivers being ‘written up’ or even fired.

If that's true, the justification for installing a bio-surveillance system is much more tenuous.

Employee surveillance and the right to privacy

Employee monitoring certainly didn’t start with Amazon. From pre-digital punch-cards to key-logging software for modern remote workers, there's a long history of companies trying to track employee activity. These practices are intensifying, however, now that many people are working from home instead of the office.

In most countries, monitoring employees is legal — to an extent. In the European Union, for example, employers have to maintain some basic standards:

  • There must be a legal basis for employee surveillance (to maintain data security, for example).
  • Employees must be made aware of any surveillance measures that have been implemented.
  • Employees must still be able to protect their right to personal privacy.

For Amazon, operating around the world, these rules often don't apply. Combined with a track record of disregarding employee health and safety, this move to increase driver surveillance doesn't bode well.

5 common types of employee surveillance

While AI cameras are a particularly drastic example of monitoring, companies have been tracking employees for years, using a variety of methods.

  • Keycards: Keycards that allow employees to access a building can be used for security, while also logging an individual's time-keeping.
  • CCTV cameras: While most people take it for granted that their place of work may use CCTV cameras, these devices can be a serious privacy risk if they're not kept secure. Hackers have been able to break into security camera systems on many occasions.
  • Email monitoring: Email monitoring can protect a company’s network and help to prevent malware attacks. If you have a work email, you should never use it for non-work related issues.
  • Monitoring computer activity: In our current home-working era, there's no shortage of employee monitoring software on the market. While some may be legitimately safe and useful, others can be highly invasive (Office 365's app tracking feature was an excellent example of this, though it was discontinued after a backlash).
  • Key-logging software: Key-logging software can record the person’s keyboard strokes and even mouse movements. While it can be used legally, it will capture personal data and passwords, which many consider to be an invasion of privacy.

The future of employee monitoring

There are many good reasons to monitor employee activity, from data security to productivity. However, collecting too much data can directly impact on the individual freedoms and privacy of employees. Furthermore, gathering employee data creates a tempting treasure-trove for hackers and cybercriminals.

Amazon will claim that they're trying to improve road safety with their new cameras, but it's essential that these developments are scrutinized and criticized appropriately. No one should be pressured into signing away their biometric data.