Why All The Hype About 0day?
nuthinbutspam writes "Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten. He illustrates his point by walking through an example where he uses Google and Yahoo! to identify 50 web servers that are wide open to attack. The list includes an ivy league school, various colleges and a company traded on the NYSE. Sobering stuff."
Which is on a random guy's personal site on the Harvard Computer Society web server, run by a volunteer student group. Nothing really to see here.
Any school that has an area where any student can put up arbitrary PHP code is going to have tons of sites with vulnerabilities.
It's not on an official school server, and presumably the hosting on such sites is set up with sufficiently tight permissions to prevent any serious damage from being done if people run arbitrary, crappy PHP code.
Nuff said on that vulnerability. It sounds much worse when it's presented as "the website of a major Ivy League university".
Think about it: how do you get famous in security? You break something. Further, a lot of pen-testing is done with loaded contracts: if you actually break in, you might get paid a lot more, so you create this culture whereby nobody who does that is really that interested in actually increasing security, and it's in their best interest to actually have a collection of exploits that they don't disclose. There is a whole mystique around it: do you want Kevin Mitnick to test your social engineering defenses or do you want some faceless large company to do it?
You can spend a couple grand to go to blackhat and "learn hacking" and you can spend tens of thousands of dollars buying exploits from companies like immunitysec; it's potentially a great business if you don't mind being a security "expert" that doesn't actually encourage security and you don't mind hanging around and dealing with criminals and some of the dirtier folks out there. Just trade and accumulate "0days" and then sell them. Then they all have this nice little excuse built in: they are practicing responsible disclosure and so they can't tell you; then they backhand the vendors and claim that they reported certain issues "months ago" and the vendors never fixed it. I'm not sure what the percentage is, but a lot of it is bullshit. Just look at those Apple Wireless frauds from a couple weeks ago: they didn't report shit to anybody, they lied about it, they lied about being threatened with lawsuits and claimed that's why they couldn't disclose anything; the entire thing could be a fraud. They lied to their audience at blackhat, they very clearly made it sound like they were threatened by Apple and other vendors, and the truth is they never spoke to anyone about it; that's par for the course. I'd bet that somewhere near 80% or even more of it is that way; that's the reason behind full-disclosure.
It's all about layered protection and policy. That's sort of where the whole thing falls apart, organizations don't have policy and you can't build protection on top of nothing. No policy, what do you expect? Sure, large schools and organizations are going to have tons of unpatched systems, who'd want to screw up a working server if they don't have to and security isn't their concern? Honestly, unless you're a high profile target, 0days aren't your problem. Your problem is insiders doing stupid or malicious things, botnets and unpatched systems that are exposed to the world and that you potentially don't even know about.
....would work to keep a tool kit of their own "zero-day" exploits handy for that day when they need or want to gain access to something in particular where the admin is doing the work of applying patches.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
I'm surprised that nobody has caught the fact that this could very well be flawed research; after all, it's a blog post and not a whitepaper.
:)
If I went around the day that Microsoft released the August patches, I'd probably find that most if not all of the computers I was able to check were in fact *not* patched. Now, checking a few days later, or to cover those that wait a week or even a month, I'd probably find a much larger number that are patched. I'd also probably find those pesky Ivy League computer nerds had patched within a month.
He's actually got a very good idea, but it's not extrapolated enough.
Something that I've seen before is _very_ old ideas, such as TCP attacks (think: LAND), that are being missed by TCP/IP stack implementers _today_. Those things are damn scary.
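The LAND check referred to in that comment, as an added example that is not from the post or any commenter: a minimal IPv4/TCP header parse that a stack or packet filter can run on every inbound segment to reject the self-addressed (source == destination address and port) signature before it reaches the TCP state machine. The packets are constructed inline with checksums left zero and RFC 5737 documentation addresses; the helper names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Build a constructed 40-byte IPv4 + TCP SYN packet (checksums left zero; the
 * check below does not need them). Returns the packet length. */
size_t build_tcp_syn(uint8_t *buf, const uint8_t src[4], const uint8_t dst[4],
                     uint16_t sport, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                      /* version 4, IHL 5 (20-byte header) */
    buf[3] = 40;                        /* total length */
    buf[9] = 6;                         /* protocol = TCP */
    memcpy(buf + 12, src, 4);           /* source address */
    memcpy(buf + 16, dst, 4);           /* destination address */
    uint8_t *tcp = buf + 20;
    tcp[0] = sport >> 8; tcp[1] = sport & 0xff;
    tcp[2] = dport >> 8; tcp[3] = dport & 0xff;
    tcp[12] = 0x50;                     /* data offset 5 (20-byte TCP header) */
    tcp[13] = 0x02;                     /* SYN */
    return 40;
}
/* Sanity check for every inbound segment: a TCP packet whose source and
 * destination address AND port are identical is the LAND signature and is
 * dropped. Returns 1 = LAND, 0 = ordinary, -1 = too short/malformed to tell. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;  /* no full IPv4 header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return -1;      /* bad IHL or truncated TCP */
    if (pkt[9] != 6) return 0;                      /* not TCP */
    const uint8_t *tcp = pkt + ihl;
    uint16_t sport = (uint16_t)((tcp[0] << 8) | tcp[1]);
    uint16_t dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    return (memcmp(pkt + 12, pkt + 16, 4) == 0 && sport == dport) ? 1 : 0;
}
/* Convenience wrapper: build a constructed SYN and classify it. */
int classify_syn(const uint8_t src[4], const uint8_t dst[4], uint16_t sport, uint16_t dport)
{
    uint8_t pkt[40];
    return is_land_packet(pkt, build_tcp_syn(pkt, src, dst, sport, dport));
}

int main(void)
{
    const uint8_t host[4] = {192, 0, 2, 10};    /* constructed, RFC 5737 range */
    const uint8_t peer[4] = {192, 0, 2, 20};
    printf("self-addressed SYN: %d\n", classify_syn(host, host, 139, 139)); /* 1 */
    printf("ordinary SYN: %d\n", classify_syn(peer, host, 40000, 139));      /* 0 */
    return 0;
}
```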