Slashdot Mirror


Why All The Hype About 0day?

nuthinbutspam writes "Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten. He illustrates his point by walking through an example where he uses Google and Yahoo! to identify 50 web servers that are wide open to attack. The list includes an ivy league school, various colleges and a company traded on the NYSE. Sobering stuff."

28 of 85 comments

  1. Re:slashdotted after 0 comments by daeg · · Score: 5, Funny

    I wonder if his webserver was one of the 50.

  2. All security is important by Tyger · · Score: 4, Insightful

    I think that qualifies as a well duh. If you haven't secured yourself against old vulnerabilities, worrying about zero-day vulnerabilities won't do you much good. On the other hand, if you're on top of security, staying in touch with the latest vulnerabilities has some real value. It's common sense. To use a bad analogy, if someone is suffering from a heart attack, you don't stop treating them because you notice they have a scratch that needs a bandage.

    1. Re:All security is important by regular_gonzalez · · Score: 2, Insightful

      An even better analogy would be that it's like fixing newly discovered vulnerabilities on your website but neglecting to check for older exploits.

      Why the omnipresent need to analogize the most straightforward things? The world may never know.

      --
      Due to circumstances beyond my control, I am master of my fate and captain of my soul.
    2. Re:All security is important by LurkerXXX · · Score: 4, Insightful

      No kidding. Shocker. He found some machines at Universities, etc, that hadn't been patched in a long time.

      How is that surprising? Does he think that never does some department set up a small server for itself, then in a couple years, the person admining it leaves, and since the machine is still 'working', people continue to let it run/use-it. After a while, running with no admin, it gets way out of date on patches and is vulnerable to anybody. Happens all the time. And it's got absolutely nothing to do with an active and competent admin worrying about 0-day exploits on the boxes that they ARE taking care of.

    3. Re:All security is important by Iron+Condor · · Score: 5, Funny

      Why the omnipresent need to analogize the most straightforward things? The world may never know.

      Because a good analogy is like a diagonal frog.

      --
      We're all born with nothing.
      If you die in debt, you're ahead.
    4. Re:All security is important by FooAtWFU · · Score: 2, Funny

      Because a good analogy is like a diagonal frog.

      That analogy is almost, but not quite, entirely unlike a diagonal frog.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    5. Re:All security is important by LurkerXXX · · Score: 2, Insightful

      Wow, insulting me because I said it was no surprise. Who pissed in your corn flakes?

      I didn't say every machine was a 'junk' machine, but if you have any experience at Universities, you often will see departments 'doing their own thing' when it comes to departmental servers, where the IT department of the University is not involved in their administration at all other than supplying an IP-address/DNS. The IT department's 'security model' is usually for machines directly under their control. Not the computers in every department. That's reality. It happens.

      In any competently run University IT dept, the IT folks running the machines with sensitive information would keep those machines firewalled off from the rest of the University. Besides unpatched departmental 'junk' servers, the network is also full of undergrad laptops, etc, with who knows what spyware/malware on them. And some of the undergrads may be hackers themselves. Any competent folks would treat the main University LAN as just as hostile of an environment as the Internet. I would never want you to administer *my* network if you don't understand that. Bub.

      In case you aren't familiar with what often happen

  3. Phrased slightly differently ... by khasim · · Score: 5, Insightful

    If you, as the admin, haven't secured your systems for KNOWN vulnerabilities, then you probably aren't one of the people concerned about 0 day exploits.

    On the other hand, those of us who DO secure their systems ARE concerned. And rightfully so.

  4. Wrong Perspective by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten.

    The old ones may be the most worrying to people tracking security in general. They are not, however, the most worrying to those of us looking to secure our own networks, since we know how to stop them. It is a matter of control. I can patch and Firewall, and ACL away any old worms and detect them if they get through. I might be helpless, however, if a new, zero day worm hits.

    1. Re:Wrong Perspective by Aadain2001 · · Score: 5, Insightful

      Don't forget, no matter how much you firewall or patch or try to secure your systems and network, you can never truly protect yourself from an uniformed user. All it takes is one user getting their personal laptop infected and putting it back on the corporate network for it to attempt to spread. And all it takes for it to take hold in the network is a couple of development boxes that some group has forgotten about for a few years and forgotten to patch. And while your most important systems remain protected, worms and viruses can still cause havoc by flooding the network, sending out bogus emails, etc. And then you have to take time off your projects and track down those old boxes and deal with their owners. So yes, while old problems are not hard for you to protect against, never forget the other person who doesn't know how to protect themselves and how they can still affect you.

      --
      Space for rent, inquire within
    2. Re:Wrong Perspective by djmurdoch · · Score: 4, Funny

      Don't forget, no matter how much you firewall or patch or try to secure your systems and network, you can never truly protect yourself from an uniformed user.

      You're right. These days those uniformed users don't even need warrants.

    3. Re:Wrong Perspective by ezratrumpet · · Score: 2, Insightful

      Sometimes all the protection is on the ethernet connection, leaving one or more drives unprotected. A malicious user with a floppy or a thumb drive can make short work of a network through those holes.

    4. Re:Wrong Perspective by sgbett · · Score: 3, Funny

      Why so? Was uniformed spelled wrong? ;)

      --
      Invaders must die
    5. Re:Wrong Perspective by EvanED · · Score: 5, Funny

      Eye halve a spelling chequer,
      It came with my pea sea,
      It plainly marques four my revue
      Miss steaks eye kin knot sea.

      Eye strike a key and type a word
      And weight four it two say
      Weather eye am wrong oar write
      It shows me strait a weigh.

      As soon as a mist ache is maid
      It nose bee fore two long
      And eye can put the error rite
      Its rarely ever wrong.

      Eye have run this poem threw it
      I'm shore your pleased two no
      Its letter perfect in it's weigh,
      My chequer tolled me sew.
  5. simple by scenestar · · Score: 3, Funny

    Release the exploit in a form so easy even the most assbackwards 13 year-old skiddie can use it on his Dell.

    Just wait and see how long it takes before it gets patched.

    --
    perpetually dwelling in the -1 pits
    1. Re:simple by ultramkancool · · Score: 4, Funny

      Why not just attach a spreading mechanism and call it a worm.

  6. *sigh* by hnile_jablko · · Score: 3, Funny

    *looking at watch waiting for compulsory relation to terrorism analogy and the ubiquitous overlord welcoming*
    Please troll me up, I am aching for some negative karma.

  7. Security is simple by ZorbaTHut · · Score: 3, Insightful

    The most dangerous vulnerabilities are the ones people don't know about. Whether that's because they haven't learned yet or because they've forgotten is immaterial.

    That's why Step 2 of making a truly secure network is to assume "everything I have done so far is wrong and my server is slightly less airtight than a block of swiss cheese infested by cheese-eating termites".

    --
    Breaking Into the Industry - A development log about starting a game studio.
    1. Re:Security is simple by Kesch · · Score: 4, Funny

      ... assume "everything" I have done so far is wrong and my server is slightly less airtight than a block of swiss cheese infested by cheese-eating termites.


      You just HAD to drag the French into this.

      --
      If this signature is witty enough, maybe somebody will like me.
  8. Ivy League school was Harvard by TornSheetMetal · · Score: 3, Informative

    Following direction on the site, it was a wiki at Harvard with the remote vulnerability:
    http://hcs.harvard.edu/~freeculture/wiki/index.php/Special:Version

    1. Re:Ivy League school was Harvard by Fnkmaster · · Score: 2, Interesting

      Which is on a random guy's personal site on the Harvard Computer Society web server, run by a volunteer student group. Nothing really to see here.

      Any school that has an area where any student can put up arbitrary PHP code is going to have tons of sites with vulnerabilities.

      It's not on an official school server, and presumably the hosting on such sites is set up with sufficiently tight permissions to prevent any serious damage from being done if people run arbitrary, crappy PHP code.

      Nuff said on that vulnerability. It sounds much worse when it's presented as "the website of a major Ivy League university".

  9. "Zero day" is a marketing gimmick by Anonymous Coward · · Score: 4, Insightful

    The term "zero day" refers to the amount of time between a patch being available and an exploit being in the wild. That's all fine and dandy except it propagates the idea that exploits are never in the wild before a patch is available. It's not the "zero day" exploits that have me worried--it's the "negative three months" exploits.

    I have been in a meeting with a Microsoft security "expert" who seriously claimed that exploits are only produced by reverse-engineering Microsoft's patches, and that the primary risk is that the time it takes to reverse-engineer a patch is decreasing. If that was really true, Microsoft could stop all exploits immediately by never releasing any more patches. The primary risk is that there's a flaw in the software, obviously, and the clock starts ticking the moment people start using the buggy software, not the moment Microsoft tells us to patch it.

    However, admitting that Microsoft is REACTING to hackers rather than the other way around makes them look kinda dumb. Thus the "zero day" myth.

  10. Our little secret by Plutonite · · Score: 2, Insightful

    If you are in charge of an important network, you are always afraid.

    There are many things that can keep you comfy, like daily updates and 24/7 monitoring of advisories, but the professionals do not always submit their findings. Security gurus submit holes as part of their work or to get their name known or to make a point... but many will stay in the dark. The really serious ones will always have their own unreported set of vulns in various platforms; 99% of the time these are buffer overflows at the kernel level (e.g. your TCP/IP stack), leading to immediate root access to boxes/routers/firewalls.

    Money is the root of all evil.

  11. It's a fundamental problem of the "security biz" by Anonymous Coward · · Score: 2, Interesting

    A big portion of "0days" is the marketing hype and power. You can trade them, you give yourself street cred if you have some. It's a geek thing. Back in the day, there were virus exchange BBSes (yeah, you had to use a phone and dial up) and they'd let you download viruses until your heart was content but you had to upload one first. Some wanted a new one that couldn't be detected before they'd give you respect.


    Think about it, how do you get famous in security? You break something. Further, a lot of pen-testing is done with loaded contracts; if you actually break in, you might get paid a lot more, so you create this culture whereby nobody who does that is really that interested in actually increasing security and it's in their best interest to actually have a collection of exploits that they don't disclose. There is a whole mystique around it: do you want Kevin Mitnick to test your social engineering defenses or do you want some faceless large company to do it?


    You can spend a couple grand to go to blackhat and "learn hacking" and you can spend tens of thousands of dollars buying exploits from companies like immunitysec; it's potentially a great business if you don't mind being a security "expert" that doesn't actually encourage security and you don't mind hanging around and dealing with criminals and some of the dirtier folks out there. Just trade and accumulate "0days" and then sell them. Then they all have this nice little excuse built in: they are practicing responsible disclosure and so they can't tell you; then they backhand the vendors and claim that they reported certain issues "months ago" and the vendors never fixed it. I'm not sure what the percentage is, but a lot of it is bullshit. Just look at those Apple Wireless frauds from a couple weeks ago: they didn't report shit to anybody, they lied about it, they lied about being threatened with lawsuits and claimed that's why they couldn't disclose anything; the entire thing could be a fraud. They lied to their audience at blackhat, they very clearly made it sound like they were threatened by Apple and other vendors, and the truth is they never spoke to anyone about it; that's par for the course. I'd bet that somewhere near 80% or even more of it is that way; that's the reason behind full-disclosure.


    It's all about layered protection and policy. That's sort of where the whole thing falls apart: organizations don't have policy and you can't build protection on top of nothing. No policy, what do you expect? Sure, large schools and organizations are going to have tons of unpatched systems; who'd want to screw up a working server if they don't have to and security isn't their concern? Honestly, unless you're a high profile target, 0days aren't your problem. Your problem is insiders doing stupid or malicious things, botnets, and unpatched systems that are exposed to the world and that you potentially don't even know about.

  12. Re:slashdotted after 0 comments by Anonymous Coward · · Score: 2, Funny

    No I meanth 51th. Why do you athk?

  13. Re:You don't have to by dhasenan · · Score: 2, Funny

    Or you don't care and you deny responsibility when your machine is being abused. That's the most popular way.

  14. Agreed. I've always assumed that "Pro" crackers by CFD339 · · Score: 2, Interesting

    ....would work to keep a tool kit of their own "zero-day" exploits handy for that day when they need or want to gain access to something in particular where the admin is doing the work of applying patches.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
  15. Now let's see a well written journal entry. by kinglink · · Score: 2, Insightful

    Hey zonk, if you have a quota and need to fill it just by posting random journal entries, try posting one that doesn't use a bastardized form of a word like "0day". That was made for warez, not exploits.

    Btw the NYSE company isn't even named; it could be any entertainment company from Universal Studios to a small IPO that is making a casual game for people that costs 2 dollars, as well as a single computer on a LAN. With no mention of if these are "honey pots" which will get people's attention but will actually have no access to the real network since it's segregated.

    I think Slashdot needs to stop posting "news that's not news" and start posting "news that matters" again.