Why All The Hype About 0day?

nuthinbutspam writes "Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten. He illustrates his point by walking through an example where he uses Google and Yahoo! to identify 50 web servers that are wide open to attack. The list includes an ivy league school, various colleges and a company traded on the NYSE. Sobering stuff."
  • by Tyger ( 126248 ) on Friday September 01, 2006 @06:26PM (#16027344)
    I think that qualifies as a well duh. If you haven't secured yourself against old vulnerabilities, worrying about zero-day vulnerabilities won't do you much good. On the other hand, if you're on top of security, staying in touch with the latest vulnerabilities has some real value. It's common sense. To use a bad analogy, if someone is suffering from a heart attack, you don't stop treating them because you notice they have a scratch that needs a bandage.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday September 01, 2006 @06:32PM (#16027376)
    If you, as the admin, haven't secured your systems for KNOWN vulnerabilities, then you probably aren't one of the people concerned about 0 day exploits.

    On the other hand, those of us who DO secure their systems ARE concerned. And rightfully so.
  • Wrong Perspective (Score:5, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Friday September 01, 2006 @06:33PM (#16027379)

    Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten.

    The old ones may be the most worrying to people tracking security in general. They are not, however, the most worrying to those of us looking to secure our own networks, since we know how to stop them. It is a matter of control. I can patch, firewall, and ACL away any old worms and detect them if they get through. I might be helpless, however, if a new, zero day worm hits.

  • Security is simple (Score:4, Insightful)

    by ZorbaTHut ( 126196 ) on Friday September 01, 2006 @06:44PM (#16027444) Homepage
    The most dangerous vulnerabilities are the ones people don't know about. Whether that's because they haven't learned yet or because they've forgotten is immaterial.

    That's why Step 2 of making a truly secure network is to assume "everything I have done so far is wrong and my server is slightly less airtight than a block of swiss cheese infested by cheese-eating termites".
  • by regular_gonzalez ( 926606 ) on Friday September 01, 2006 @06:57PM (#16027501)
    An even better analogy would be that it's like fixing newly discovered vulnerabilities on your website but neglecting to check for older exploits.

    Why the omnipresent need to analogize the most straightforward things? The world may never know.
  • by LurkerXXX ( 667952 ) on Friday September 01, 2006 @06:59PM (#16027507)
    No kidding. Shocker. He found some machines at Universities, etc, that hadn't been patched in a long time.

    How is that surprising? Does he think that never does some department set up a small server for itself, then in a couple years, the person admining it leaves, and since the machine is still 'working', people continue to let it run/use-it. After a while, running with no admin, it gets way out of date on patches and is vulnerable to anybody. Happens all the time. And it's got absolutely nothing to do with an active and competent admin worrying about 0-day exploits on the boxes that they ARE taking care of.
  • by Aadain2001 ( 684036 ) on Friday September 01, 2006 @07:09PM (#16027554) Journal
    Don't forget, no matter how much you firewall or patch or try to secure your systems and network, you can never truly protect yourself from an uninformed user. All it takes is one user getting their personal laptop infected and putting it back on the corporate network for it to attempt to spread. And all it takes for it to take hold in the network is a couple of development boxes that some group has forgotten about for a few years and forgotten to patch. And while your most important systems remain protected, worms and viruses can still cause havoc by flooding the network, sending out bogus emails, etc. And then you have to take time off your projects and track down those old boxes and deal with their owners. So yes, while old problems are not hard for you to protect against, never forget the other person who doesn't know how to protect themselves and how they can still affect you.
  • by Anonymous Coward on Friday September 01, 2006 @07:24PM (#16027615)
    The term "zero day" refers to the amount of time between a patch being available and an exploit being in the wild. That's all fine and dandy except it propagates the idea that exploits are never in the wild before a patch is available. It's not the "zero day" exploits that have me worried--it's the "negative three months" exploits.

    I have been in a meeting with a Microsoft security "expert" who seriously claimed that exploits are only produced by reverse-engineering Microsoft's patches, and that the primary risk is that the time it takes to reverse-engineer a patch is decreasing. If that was really true, Microsoft could stop all exploits immediately by never releasing any more patches. The primary risk is that there's a flaw in the software, obviously, and the clock starts ticking the moment people start using the buggy software, not the moment Microsoft tells us to patch it.

    However, admitting that Microsoft is REACTING to hackers rather than the other way around makes them look kinda dumb. Thus the "zero day" myth.
  • Our little secret (Score:2, Insightful)

    by Plutonite ( 999141 ) on Friday September 01, 2006 @07:31PM (#16027636)
    If you are in charge of an important network, you are always afraid.

    There are many things that can keep you comfy, like daily updates and 24/7 monitoring of advisories, but the professionals do not always submit their findings. Security gurus submit holes as part of their work or to get their name known or to make a point... but many will stay in the dark. The really serious ones will always have their own unreported set of vulns in various platforms; 99% of the time these are buffer overflows at the kernel level (e.g. your TCP/IP stack), leading to immediate root access to boxes/routers/firewalls.

    Money is the root of all evil.
  • by ezratrumpet ( 937206 ) on Friday September 01, 2006 @07:39PM (#16027665) Journal
    Sometimes all the protection is on the ethernet connection, leaving one or more drives unprotected. A malicious user with a floppy or a thumb drive can make short work of a network through those holes.
  • by Anonymous Coward on Friday September 01, 2006 @09:41PM (#16028164)
    I always thought "zero day" referred to the time between a theoretical exploit becoming known to the security community, and when a viable attack is created.

    Normally you have some lag in there... People hear there's a weakness in some piece of software, and it takes the black hats a few days to come up with a way to attack that weakness. In the meantime folks are scrambling to harden their systems against the coming attack... security companies and software vendors are (supposedly) working on a patch... Folks generally see the attack coming and can prepare for it.

    "Zero day" is when you have the people find out about a weakness because there is already an attack in progress (or so I thought?). The black hats discovered the weakness first, devised an attack, and launched it before anyone knew what was coming. There's no way to prepare for it, no time for folks to develop a patch or harden their systems. You simply have to rely on the security policies you already have in place, and hope they're enough to stop any and all possible attacks.
  • by kinglink ( 195330 ) on Saturday September 02, 2006 @02:28AM (#16028771)
    Hey zonk if you have a quota and need to fill it just by posting random journal entries, try posting one that doesn't use a bastardized form of a word like "0day". That was made for warez, not exploits.

    Btw the NYSE company isn't even named; it could be any entertainment company from Universal Studios to a small IPO that is making a casual game for people that costs 2 dollars, as well as a single computer on a LAN. With no mention of whether these are "honey pots", which will get people's attention but will actually have no access to the real network since it's segregated.

    I think Slashdot needs to stop posting "news that's not news" and start posting "news that matters" again.
  • by vmfedor ( 586158 ) on Saturday September 02, 2006 @10:09AM (#16029471)
    So you just assume all those exploitable machines are "junk" machines that are left running in a closet somewhere? I would never want you to administer *my* network, bub. What if one of those junk machines could be exploited to give access to the more useful machines in the network? Or what if they weren't junk machines at all? If the admins of that network can leave easily exposed machines running what kind of security model do they have anyway? And if those machines are vulnerable to those old exploits then it's a sure thing that they are very very vulnerable to 0-day stuff, too.

    How would you like to be a student at one of those universities, or a user of a commerce web site which has your credit card information, knowing that there is a *potential* and *very easy to exploit* vulnerability just waiting to happen? The article's point, methinks, is that if it's this easy to find an easily-compromised machine then there are probably a ridiculous amount of them on the internet and that people need to be more proactive about their security. Just assuming that these machines are internal department production servers is a risky way of administering a network. Why are they so exposed to the web if they don't matter? You would think a competent security admin would be proactive about finding and removing old, out-of-date machines that could potentially be compromised.

    Of course, no amount of awesome admins will close all security holes. Physical and software security only can go so far. Hopefully these organizations that he pegged are smart enough to keep their really sensitive information locked up tight and not spread out all over their network.
  • by LurkerXXX ( 667952 ) on Saturday September 02, 2006 @11:25AM (#16029689)
    Wow, insulting me because I said it was no surprise. Who pissed in your corn flakes?

    I didn't say every machine was a 'junk' machine, but if you have any experience at Universities, you often will see departments 'doing their own thing' when it comes to departmental servers, where the IT department of the University is not involved in their administration at all other than supplying an IP-address/DNS. The IT department's 'security model' is usually for machines directly under their control. Not the computers in every department. That's reality. It happens.

    In any competently run University IT dept, the IT folks running the machines with sensitive information would keep those machines firewalled off from the rest of the University. Besides unpatched departmental 'junk' servers, the network is also full of undergrad laptops, etc, with who knows what spyware/malware on them. And some of the undergrads may be hackers themselves. Any competent folks would treat the main University LAN as just as hostile of an environment as the Internet. I would never want you to administer *my* network if you don't understand that. Bub.

    In case you aren't familiar with what often happen