Why All The Hype About 0day?
nuthinbutspam writes "Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten. He illustrates his point by walking through an example where he uses Google and Yahoo! to identify 50 web servers that are wide open to attack. The list includes an ivy league school, various colleges and a company traded on the NYSE. Sobering stuff."
I think this webserver crashed by the time 3 ppl visited it.
I think that qualifies as a well duh. If you haven't secured yourself against old vulnerabilities, worrying about zero-day vulnerabilities won't do you much good. On the other hand, if you're on top of security, staying in touch with the latest vulnerabilities has some real value. It's common sense. To use a bad analogy, if someone is suffering from a heart attack, you don't stop treating them because you notice they have a scratch that needs a bandage.
http://72.15.199.203/blogs/avoco_secure/archive/2006/02/02/222.aspx
If you, as the admin, haven't secured your systems for KNOWN vulnerabilities, then you probably aren't one of the people concerned about 0 day exploits.
On the other hand, those of us who DO secure their systems ARE concerned. And rightfully so.
Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten.
The old ones may be the most worrying to people tracking security in general. They are not, however, the most worrying to those of us looking to secure our own networks, since we know how to stop them. It is a matter of control. I can patch and Firewall, and ACL away any old worms and detect them if they get through. I might be helpless, however, if a new, zero day worm hits.
Release the exploit in a form so easy even the most assbackwards 13 year-old skiddie can use it on his Dell.
Just wait and see how long it takes before it gets patched.
perpetually dwelling in the -1 pits
*looking at watch waiting for compulsory relation to terrorism analogy and the ubiquitous overlord welcoming*
Please troll me up, I am aching for some negative karma.
Either you care or you don't and get abused and will take your responsibility when your machine is being abused to abuse other machines.
Take your pick.
It is well known that people do not patch their servers, even if they are vulnerable to a well-known vulnerability. Simply because they do not take the time to look it up or fix it or whatever...
BUT even the ones who DO patch their servers can do nothing about 0day exploits circulating in the wild.
And that goes for the vulnerabilities only known to the bad guys, as well as those announced publicly for which there is no patch.
That is a risk many people take (well, everyone who is vulnerable, which *may* be every windows box for example), versus "lazy" guys who do not patch their servers regularly.
Also, viruses are much more destructive when they originate from 0day exploits, which can result in an important number of machines being pwned in no time (which has happened quite a few times now, right?)
I do know there are hundreds of vulnerable systems out there.. the script kiddies know best, but to me it is clear why there is certain "hype" about 0days.
The most dangerous vulnerabilities are the ones people don't know about. Whether that's because they haven't learned yet or because they've forgotten is immaterial.
That's why Step 2 of making a truly secure network is to assume "everything I have done so far is wrong and my server is slightly less airtight than a block of swiss cheese infested by cheese-eating termites".
Breaking Into the Industry - A development log about starting a game studio.
Following direction on the site, it was a wiki at Harvard with the remote vulnerability :p /Special:Version
http://hcs.harvard.edu/~freeculture/wiki/index.ph
that is vulnerable is Harvard: hcs.harvard.edu/~freeculture/wiki/index.php/Special:Version (good link this time!)
When I read this headline I thought it was talking about 0-day warez.
The term "zero day" refers to the amount of time between a patch being available and an exploit being in the wild. That's all fine and dandy except it propagates the idea that exploits are never in the wild before a patch is available. It's not the "zero day" exploits that have me worried--it's the "negative three months" exploits.
I have been in a meeting with a Microsoft security "expert" who seriously claimed that exploits are only produced by reverse-engineering Microsoft's patches, and that the primary risk is that the time it takes to reverse-engineer a patch is decreasing. If that was really true, Microsoft could stop all exploits immediately by never releasing any more patches. The primary risk is that there's a flaw in the software, obviously, and the clock starts ticking the moment people start using the buggy software, not the moment Microsoft tells us to patch it.
However, admitting that Microsoft is REACTING to hackers rather than the other way around makes them look kinda dumb. Thus the "zero day" myth.
I thought this was about 0 day warez.
If you are in charge of an important network, you are always afraid.
There are many things that can keep you comfy, like daily updates and 24/7 monitoring of advisories, but the professionals do not always submit their findings. Security gurus submit holes as part of their work or to get their name known or to make a point... but many will stay in the dark. The really serious ones will always have their own unreported set of vulns in various platforms; 99% of the time these are buffer overflows at the kernel level (e.g. your TCP/IP stack), leading to immediate root access to boxes/routers/firewalls.
Money is the root of all evil.
So the article isn't about warez? Damn.. I was looking for teh l337 DDL linkz!1. Guess I should stop going by the titles...
That's one of the most hilarious replies I've seen; dry, witty and straight to the point of showing off exactly what was wrong with the grandparent's comment.
If I had the points I'd do it myself. But I don't.
How to use coral cache: http://slashdot.org.nyud.net:8090/~oscartheduck
I have to agree, I've been having numerous problems with boot viruses recently.
He should know wtf he is doing because he reads slashdot???
I install security updates as I see the initial advisories posted. If you don't install them right away, they won't get installed and you will end up with situations where old vulnerabilities don't get patched. An old vulnerability got me once and I will do my best not to let that happen again.
Think about it, how do you get famous in security? You break something. Further, a lot of pen-testing is done with loaded contracts: if you actually break in, you might get paid a lot more, so you create this culture whereby nobody who does that is really that interested in actually increasing security, and it's in their best interest to actually have a collection of exploits that they don't disclose. There is a whole mystique around it; do you want Kevin Mitnick to test your social engineering defenses or do you want some faceless large company to do it?
You can spend a couple grand to go to blackhat and "learn hacking" and you can spend tens of thousands of dollars buying exploits from companies like immunitysec; it's potentially a great business if you don't mind being a security "expert" that doesn't actually encourage security and you don't mind hanging around and dealing with criminals and some of the dirtier folks out there. Just trade and accumulate "0days" and then sell them. Then they all have this nice little excuse built in: they are practicing responsible disclosure and so they can't tell you; then they backhand the vendors and claim that they reported certain issues "months ago" and the vendors never fixed it. I'm not sure what the percentage is, but a lot of it is bullshit. Just look at those Apple Wireless frauds from a couple weeks ago: they didn't report shit to anybody, they lied about it, they lied about being threatened with law suits and claimed that's why they couldn't disclose anything; the entire thing could be a fraud. They lied to their audience at blackhat, they very clearly made it sound like they were threatened by apple and other vendors, and the truth is they never spoke to anyone about it; that's par for the course. I'd bet that somewhere near 80% or even more of it is that way; that's the reason behind full-disclosure.
It's all about layered protection and policy. That's sort of where the whole thing falls apart, organizations don't have policy and you can't build protection on top of nothing. No policy, what do you expect? Sure, large schools and organizations are going to have tons of unpatched systems, who'd want to screw up a working server if they don't have to and security isn't their concern? Honestly, unless you're a high profile target, 0days aren't your problem. Your problem is insiders doing stupid or malicious things, botnets and unpatched systems that are exposed to the world and that you potentially don't even know about.
"Looking backwards"? This story is a journal from nuthinbutspam (999551). Not only are Slashdot editors apparently publishing journals, but we're almost up to a million registered Slashdotters (and an infinitude of infinitesimal ACs). And the warning signal for the E6 milestone is "nuthin but spam".
The future's so bright, I gotta wear shades of Max Headroom.
--
make install -not war
I am n3td3v!!! i warn u aboot zero-day xploit found on slushdut. all your data is cmpromized. we r n3td3v...
JohnnyIHackStuff is almost nonresponsive.
The government can't save you.
....would work to keep a tool kit of their own "zero-day" exploits handy for that day when they need or want to gain access to something in particular where the admin is doing the work of applying patches.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Hey zonk, if you have a quota and need to fill it just by posting random journal entries, try posting one that doesn't use a bastardized form of a word like "0day". That was made for warez, not exploits.
Btw the NYSE company isn't even named; it could be any entertainment company from Universal studios to a small IPO that is making a casual game for people that costs 2 dollars, as well as a single computer on a lan. With no mention of whether these are "honey pots", which will get people's attention but will actually have no access to the real network since it's segregated.
I think Slashdot needs to stop posting "news that's not news" and start posting "news that matters" again.
lp lol
... for some reason I was thinking about something else.
It surprises me that we are still having these kinds of security problems.
A lot of it is due to poor configuration conventions that continue to this day. This involves running servers as root, and system setuid root programs, such as X. I am quite perplexed that simple steps have not been taken to remedy these problems, such as by running X under its own user and only giving that user access to the video hardware that X needs to run.
Setuid root is a problem since if there is a vulnerability in a server, for instance, that is not running as root, it could look for setuid binaries on the system that have their own vulnerabilities to compromise the system.
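The defender's side of the point above, as an added example that is not from the thread or from any of its posters: a small POSIX sh audit that lists the setuid executables under a tree and flags any that are not on an allowlist, so the set of root-escalation stepping stones on a box stays small and known. The directory layout and file names in the demo are constructed for illustration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a directory tree for setuid
# executables and flag any that are not on an allowlist. Each setuid binary is
# a possible step from "compromised, non-root service" to root, so the set
# should be small, known and reviewed; this makes drift from that set visible.

# Print every setuid regular file under $1, sorted, one path per line.
# -xdev keeps the walk on one filesystem; -perm -4000 matches the setuid bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Print setuid files under $1 that do not appear (as exact full paths, one per
# line) in the allowlist file $2. Returns 1 if anything unexpected was found.
audit_setuid() {
    _unexpected=$(list_setuid "$1" | grep -vxF -f "$2" || true)
    [ -z "$_unexpected" ] && return 0
    printf '%s\n' "$_unexpected"
    return 1
}

# Stand-alone demo on a constructed tree (hypothetical paths, not a real host):
# one approved setuid binary, one forgotten one, and one ordinary executable.
demo() {
    t=$(mktemp -d)
    mkdir "$t/bin"
    : > "$t/bin/approved";  chmod 4755 "$t/bin/approved"
    : > "$t/bin/forgotten"; chmod 4755 "$t/bin/forgotten"
    : > "$t/bin/ordinary";  chmod 755  "$t/bin/ordinary"
    printf '%s\n' "$t/bin/approved" > "$t/allowlist"
    if audit_setuid "$t/bin" "$t/allowlist"; then
        echo "no unexpected setuid binaries"
    else
        echo "review the setuid binaries listed above"
    fi
    rm -rf "$t"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `--demo` to see the constructed tree audited; on a real host, point `audit_setuid` at `/` with an allowlist generated from a known-good build and diff the result on a schedule.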