Slashdot Mirror


Why All The Hype About 0day?

nuthinbutspam writes "Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten. He illustrates his point by walking through an example where he uses Google and Yahoo! to identify 50 web servers that are wide open to attack. The list includes an Ivy League school, various colleges and a company traded on the NYSE. Sobering stuff."

12 of 85 comments

  1. Re:slashdotted after 0 comments by daeg · · Score: 5, Funny

    I wonder if his webserver was one of the 50.

  2. All security is important by Tyger · · Score: 4, Insightful

    I think that qualifies as a well duh. If you haven't secured yourself against old vulnerabilities, worrying about zero-day vulnerabilities won't do you much good. On the other hand, if you're on top of security, staying in touch with the latest vulnerabilities has some real value. It's common sense. To use a bad analogy, if someone is suffering from a heart attack, you don't stop treating them because you notice they have a scratch that needs a bandage.

    1. Re:All security is important by LurkerXXX · · Score: 4, Insightful

      No kidding. Shocker. He found some machines at Universities, etc, that hadn't been patched in a long time.

      How is that surprising? Does he think that never does some department set up a small server for itself, then in a couple years, the person admining it leaves, and since the machine is still 'working', people continue to let it run/use-it. After a while, running with no admin, it gets way out of date on patches and is vulnerable to anybody. Happens all the time. And it's got absolutely nothing to do with an active and competent admin worrying about 0-day exploits on the boxes that they ARE taking care of.

    2. Re:All security is important by Iron+Condor · · Score: 5, Funny

      Why the omnipresent need to analogize the most straightforward things? The world may never know.

      Because a good analogy is like a diagonal frog.

      --
      We're all born with nothing.
      If you die in debt, you're ahead.
  3. Phrased slightly differently ... by khasim · · Score: 5, Insightful

    If you, as the admin, haven't secured your systems for KNOWN vulnerabilities, then you probably aren't one of the people concerned about 0 day exploits.

    On the other hand, those of us who DO secure their systems ARE concerned. And rightfully so.

  4. Wrong Perspective by 99BottlesOfBeerInMyF · · Score: 4, Insightful

    Michael Sutton has up an interesting post on the security vulnerabilities that we really need to be concerned about. According to Sutton, it's not the new ones that are scary, it's the old ones that have long since been forgotten.

    The old ones may be the most worrying to people tracking security in general. They are not, however, the most worrying to those of us looking to secure our own networks, since we know how to stop them. It is a matter of control. I can patch and firewall, and ACL away any old worms and detect them if they get through. I might be helpless, however, if a new, zero day worm hits.

    1. Re:Wrong Perspective by Aadain2001 · · Score: 5, Insightful

      Don't forget, no matter how much you firewall or patch or try to secure your systems and network, you can never truly protect yourself from an uniformed user. All it takes is one user getting their personal laptop infected and putting it back on the corporate network for it to attempt to spread. And all it takes for it to take hold in the network is a couple of development boxes that some group has forgotten about for a few years and forgotten to patch. And while your most important systems remain protected, worms and viruses can still cause havoc by flooding the network, sending out bogus emails, etc. And then you have to take time off your projects and track down those old boxes and deal with their owners. So yes, while old problems are not hard for you to protect against, never forget the other person who doesn't know how to protect themselves and how they can still affect you.

      --
      Space for rent, inquire within
    2. Re:Wrong Perspective by djmurdoch · · Score: 4, Funny

      Don't forget, no matter how much you firewall or patch or try to secure your systems and network, you can never truly protect yourself from an uniformed user.

      You're right. These days those uniformed users don't even need warrants.

    3. Re:Wrong Perspective by EvanED · · Score: 5, Funny

      Eye halve a spelling chequer,
      It came with my pea sea,
      It plainly marques four my revue
      Miss steaks eye kin knot sea.

      Eye strike a key and type a word
      And weight four it two say
      Weather eye am wrong oar write
      It shows me strait a weigh.

      As soon as a mist ache is maid
      It nose bee fore two long
      And eye can put the error rite
      Its rarely ever wrong.

      Eye have run this poem threw it
      I'm shore your pleased two no
      Its letter perfect in it's weigh,
      My chequer tolled me sew.
  5. Re:Security is simple by Kesch · · Score: 4, Funny

    ... assume "everything" I have done so far is wrong and my server is slightly less airtight than a block of swiss cheese infested by cheese-eating termites.

    You just HAD to drag the French into this.
    --
    If this signature is witty enough, maybe somebody will like me.
  6. "Zero day" is a marketing gimmick by Anonymous Coward · · Score: 4, Insightful

    The term "zero day" refers to the amount of time between a patch being available and an exploit being in the wild. That's all fine and dandy except it propagates the idea that exploits are never in the wild before a patch is available. It's not the "zero day" exploits that have me worried--it's the "negative three months" exploits.

    I have been in a meeting with a Microsoft security "expert" who seriously claimed that exploits are only produced by reverse-engineering Microsoft's patches, and that the primary risk is that the time it takes to reverse-engineer a patch is decreasing. If that was really true, Microsoft could stop all exploits immediately by never releasing any more patches. The primary risk is that there's a flaw in the software, obviously, and the clock starts ticking the moment people start using the buggy software, not the moment Microsoft tells us to patch it.

    However, admitting that Microsoft is REACTING to hackers rather than the other way around makes them look kinda dumb. Thus the "zero day" myth.

  7. Re:simple by ultramkancool · · Score: 4, Funny

    Why not just attach a spreading mechanism and call it a worm.