HOUSE_OVERSIGHT_018333.jpg

Software and hardware manufacturers usually struggle to keep such exploits secret until they can deliver a fix, but this doesn’t always work. Secrets get out. And, anyhow, even once a patch is developed, it can take weeks or months before it’s widely installed. It’s not uncommon, therefore, that within hours of the announcement of a newly found zero day, attacks using that method explode around the net. Thousands of hackers try to take advantage of the vulnerability, to kick at the defensive corners of systems while they are down for repair or restart - or simply left vulnerable by slower-witted system administrators who don’t yet know that it is now open hunting season on a particular bit of code. Heartbleed, a “zero day” that permitted hackers to slip into your computer via holes in website and browser security, was disclosed to the world on April 7, 2014 - more than two years after it had apparently been put in place because of a programming error. Accidentally? By an overworked engineer? Deliberately? By some state security agency? In any event, two days after it was announced and long before it had been fully patched, attacks using the method grew from a few dozen per hour to millions as hackers tried to suck data from unsecured networks.14° The exponential power of a connected system is as apparent in sickness as in health. 4, In recent years, hacking has moved deeper still, beyond the level of software and USB drives and into the very atomic level of computers, the places where the electrons that make up bits and bytes float. The technical elegance of these micro- level hacks has been, often, breathtaking - exploits that look like Wagnerian operas compared to the Cap’n Crunch’s thin, reedy weird-machine whistle. As companies like Intel and AMD began packing more memory cells on silicon wafers, for example, they noticed magnetic interference flowing across the surface of their chips like waves. Electrical signals, recall, have a magnetic element, so more tiny digital cells, closer together, is like a bow] of interacting magnets. Physics would have predicted such a result. In 2014 security researchers Mark Seaborn and Thomas Dullien, who worked at Google, discovered that they could use the magnetic vibrations on two parallel rows of memory chips to flip the electrical state of a third row - sort of like using a magnet under a table to move a paperclip around - in a way that the system might never notice!*!. This permitted them to reach “off limits”, super secure areas of the machine’s memory where they could do what they wanted. They called the break, “Rowhammer’” and it represented an ideal and essentially unfixable hole that affected nearly every small chipset made for a half a decade. They published the technical consideration about modern computing systems. See also Rebecca Shapiro, Sergey Bratus and Sean W. Smith, ““Weird Machines” in ELF: A Spotlight on the Underappreciated Metadata”, paper published online by Bratus. 140 In any event: Leyla Bilge, Tudor Dumitras, “Before We Knew It: An Empirical Study of Zero-Day Attacks In the Real World,“ Paper presented at ACM CCS ’12, Oct 16-18, 2012, p 10 M41 In 2014: Mark Seaborn and Thomas Dullien, “Exploiting the DRAM rowhammer bug to gain kernel privileges”, March 18. 2015, Google Project Zero blog 101 HOUSE_OVERSIGHT_018333