Zero-Days Doubled In 2015, More Companies Hiding Breach Data, Says Symantec

Reader itwbennett writes: According to a new report by security firm Symantec, 54 zero-day vulnerabilities were discovered in 2015, more than twice as many as in 2014, and the number of breaches -- 10 million records -- also hit a record high. Driving this is a new professionalism in the market. "People figured out that they could make money by finding zero-day vulnerabilities and selling them to attackers," said Kevin Haley, director of security response at Symantec. "So there became a marketplace, and these things started to have value, and people started to hunt for them." At the same time, 2015 saw another disturbing trend: The number of companies choosing not to report the number of records they have lost rose by 85 percent (from 61 in 2014 to 113 in 2015). "More and more companies aren't actually revealing what was breached," said Haley. 'They will say attackers came and stole from us, but not saying how many records were lost."

Lost my breach data

[messymerry]

The dog ate it...

Re:Lost my breach data

... wait three days and I can get it to you.

Make it undesirable to exploit zero days

Pass laws and international treaties agreeing that people who exploit zero days will be punished severely enough to deter criminals from carrying out their attacks. I recommend they be executed for their crimes. The best approach might be a combination of crucifixion and being burned at the stake.

Re:Make it undesirable to exploit zero days

I vote for having them eaten to death by rats, starting with their genitals.

Re:Make it undesirable to exploit zero days

[phishybongwaters]

Deter criminals? You mean like how the death penalty has stopped anyone from ever murdering again? oh wait.......

Re: Make it undesirable to exploit zero days

Make them eat their own (and I dont mean rats).

Re:Make it undesirable to exploit zero days

True story, Bro: OJ sold the FBI a iOS v9.3.1 zero-day.

Re:Make it undesirable to exploit zero days

I can see why you post as AC...

Re:Make it undesirable to exploit zero days

[Archangel+Michael]

Death Penalty isn't to deter crimes, though that may actually e a side benefit. It is actually a form of punishment. However, as sparingly used as it is, you might as well do away with it. Since often takes 20 years (or more) to get though the process of the death penalty it actually doesn't serve as punishment either, so you might as well do away with it. Since there are quite a number of people who have been convicted of crimes they didn't actually commit, you OUGHT to do away with it.

I do believe in the death penalty in theory, however I am opposed to it in practice. There are people who don't deserve to live, even in prison, however because of the problems with the system itself, I oppose it on practical grounds.

Re: Make it undesirable to exploit zero days

Zero day is no different than a One day if the Zero Day doesn't get patched.

Re:Make it undesirable to exploit zero days

Pass laws and international treaties agreeing that people who exploit zero days will be punished severely enough to deter criminals from carrying out their attacks. I recommend they be executed for their crimes. The best approach might be a combination of crucifixion and being burned at the stake.

Severe punishment is not a deterrent.
Knowledge that one will almost certainly be caught is a deterrent.

It's the same psychological trick that makes speeding tickets profitable.
People speed and 99 times out of 100 they don't get caught.
The one time they do get caught, it's not "Whoops, I shouldn't have been speeding." it's "The cop got lucky that time. She won't catch me next time."

If anything, a severe punishment only increases the stakes and makes things worse.
It makes criminals more wary of being caught, and thus take more precautions against being caught.
And when almost caught, it makes criminals do even more desperate and extreme things to avoid being caught.
If you have a choice between death-by-cop OR being caught and tortured to death ... which do you choose?
If you have a choice between blowing up the whole building OR being caught and tortured to death ... which do you choose?
If you have a choice between blowing up the whole city block OR being caught and tortured to death ... which do you choose?

Re:Make it undesirable to exploit zero days

[JustAnotherOldGuy]

You mean like how the death penalty has stopped anyone from ever murdering again?

Yep, that's the thing...most people who commit crimes don't think they're going to be caught. Dire consequences like the death penalty don't seem to deter people, even from premeditated murder, which you would think would be the kind of murder that people would be prevented from committing.

(Or, maybe it does in some cases, but we don't hear about murders that weren't committed because of the law. How would we know?)

But yeah, in general it doesn't seem to be much of a deterrent.

Re:Make it undesirable to exploit zero days

[jellomizer]

As I see it, they should in general apply the same rules.

If you got in without permission, but you didn't break anything. Trespassing.
If you got in and broke the server/software. Breaking and Entering
If you stole data, theft (based on the value of the data)
If you sold the data corporate espionage.

In general it would be the same laws of old if you entered a building and started sifting threw the paper files, or changing data etc....

Now if a shop locked their door, but they broke in due to a known but unreported fault in the lock, then the company should be able to sue the lock maker. Just as if someone breaks into your company because the software vendor said it was safe, but it wasn't and they knew about it.

Re:Make it undesirable to exploit zero days

The death penalty doesn't deter anything. As far as I am concerned there are 4 types of murders and none of them can be deterred. First is heat of passion, which cannot be deterred by the consequences by their very nature. Second is premeditated, which cannot be deterred because people evaluate their chances of getting caught at all, rather than using a true expected value calculation, especially when you are talking about something as repugnant by default as murder. Third is those done while in an altered state of mind, which by definition isn't rationally made. Fourth is accidents, which are also not able to be deterred by their very nature of being accidents.

Re:Make it undesirable to exploit zero days

[pla]

People speed and 99 times out of 100 they don't get caught. The one time they do get caught, it's not "Whoops, I shouldn't have been speeding." it's "The cop got lucky that time. She won't catch me next time."

No, I don't think I won't get caught next time - I just consider it "totally worth it". I effectively pay the state $150-250 once every few years, in exchange for saving myself ten days off my daily commute (over the same threeish years between tickets). Realistically, I would need to get nailed for over a thousand bucks a year before the tickets even break even with my time savings.

I don't even bother defending my speed to the cop. I just politely hand him my well-organized paperwork to minimize the amount of time the stop wastes, he comes back with my ticket, and I go about my day.

Re:Make it undesirable to exploit zero days

Copying data isn't theft.

Re:Make it undesirable to exploit zero days

[blindseer]

Severe punishment is not a deterrent.
Knowledge that one will almost certainly be caught is a deterrent.

Getting caught is only half of it. They must face punishment and quickly. Word spreads among the criminal community and that is a deterrent. Dead people tell no tales, and they don't serve as a warning.

Every so often I see on one of those news programs where they go into a prison and talk to people on death row and/or serving life in prison. I wondered why they did this. It was only fairly recently I realized this. People don't see prisons, they don't see prisoners. I'm a rare person that has worked inside a prison with convicted felons and not have committed a felony myself. (I am a contracted state employee, I work on the computers the prisoners use.)

People need to know that people do get punished for breaking the law. We also need to know what those conditions are. We need to know both that they are treated well enough and that it's still not a pleasant place to be.

All too often criminals will get caught but there is not enough prison space for them. What happens then is that petty criminals keep up with their petty crimes because they never see the inside of a prison. They get probation after probation. It's only when they cross a certain line that they get confinement. We can thank the "war on some drugs" and mandatory minimums for much of this.

In my mind no prison sentence should exceed five years for a single crime. Getting 15 years in prison for having a couple doobies in a pocket is insane, first because marijuana possession should not be a crime, and second because people convicted of aggravated assault might get only 10 years.

One argument against a five year maximum is that some people just need to go away for a long time. Okay, then charge them with multiple crimes. It's not like we don't have enough crimes on the books to find something. I remember a guy that broke into a house, tied up the family, raped the women, and then set the house on fire. Only the father survived by tearing through his restraints enough to crawl out of the burning house. So let's add that up, five counts unlawful imprisonment, four counts murder in the first, one count attempted murder, two counts rape, one count arson. If convicted on all crimes that thug is effectively getting a life sentence.

Prison also needs to be an unpleasant experience. They should not get to see sports on TV. They can read it in the newspaper. If they behave themselves then they can listen to it on the radio. They need to learn a trade and have a job by the time they get out. I think that by giving the incentive of getting out early they'd at least try to learn and find a job.

People speed and 99 times out of 100 they don't get caught.

That brings to mind another thing. Don't punish released criminals for trying to protect themselves and their families. By that I mean this prohibition on convicted felons from possessing firearms is cruel and unusual in my mind. It is also why I believe that that there are so many criminals returning to prison. Certainly some criminals possess firearms to return to crime but if one is truly reformed in prison then we should allow them to own a shotgun to go hunt with their children. If they are no longer a threat to the point that we can release them from confinement then we can allow them to keep a pistol on the nightstand while they sleep in their crappy apartment.

Tell me which is worse, getting caught armed by the police and doing another ten years in prison or getting caught unarmed by a home invader and ending up dead? This is precisely the dilemma the Second Amendment was created to avoid.

Re:Make it undesirable to exploit zero days

[swb]

It won't work because criminal activity is either part of the shadow economy or part of the security services or both in most places.

I'd guess Western Europe, North America and parts of Asia-Pacific already have laws like this and will generally play ball with each other's law enforcement systems. In "important" cases, some non-aligned states may vulnerable to diplomatic pressure.

But by and large, China and its client states and Russia and its client states will never agree to this, as will the US in most cases involving the other two. Some non-aligned states will just be too incompetent to cooperate (whether they are or aren't, it'll be impossible to tell).

And that's just the baseline politics of it all, it says nothing about actually catching anybody. We can't contain drug smuggling at the Mexican border, and that involves a physical product moving over a closely watched international border. Data on the Internet? I don't have any hopes there.

Re:Make it undesirable to exploit zero days

[mlw4428]

I'd say the death penalty has been 100% successful at stopping a murderer (of whom the death penalty was applied) from murdering other people.

Re:Make it undesirable to exploit zero days

You forgot to factor in the probability of you getting into a high-speed crash, the time and money you lose to recovery due to the crash, and the costs incurred by others affected by your crash. If you actually went through the thought process of computing the expected time and money lost due, based on the probability of a crash at your given speed, you'd probably find that you're actually LOSING time and money compared to driving with traffic (or at around the speed limit without traffic.)

Re:Make it undesirable to exploit zero days

Not necessarily. The *individual* odds of getting in an accident are pretty low, despite there being hundreds of thousands of cars involved in accidents every year. And the reduction in time on the road has to be factored into the calculation as well.

Re:Make it undesirable to exploit zero days

Or maybe make it more profitable to turn in zero-days to the manufacturer than it is to auction them off. Like meaningful bounties and rewards that very few companies provide. I guess that would cost Apple and MS some money so it is unlikely to happen.

Re:Make it undesirable to exploit zero days

The car analogy is a bit off. Data theft should be compared to thefts like a home break in. Home security is interesting because we don't fortify our homes to the best of our means nor technology. We put a reasonable amount of security up to stop an "average" criminal with typical means from stealing things from our property or even attacking our personal bodies. I find it curious that our physical lives don't have the utmost in security, yet we seem to believe this is something that is reasonable in technology. No company can withstand a state-sponsored attack any more than your house or apartment could withstand an attack by an organized gang. I think we need a tech equivalent of the NTSB. An agency that won't judge, and will simply analyze an attack and come up with security standards the industry can adopt. Over time, these standards can become a stick to measure security by in cases of liability. We won't encourage transparency by preaching perfection in security.. if anything, the harsher you are the more you'll see breaches bottled up.

Re:Make it undesirable to exploit zero days

[Archangel+Michael]

1) is bullshit. Heat of "passion" is a crap of excuse. I once saw a dude beating up his girlfriend. I stopped my car, got out and got in between them. He said she made him mad and that is why he was beating her up. I pushed him really hard and asked him if that made him mad. He said yes. I sad why aren't you hitting me? It was because I was 9 inches taller and about 70 lbs of muscle more than him. People CAN control their passions, they just choose not to when there is no danger to them. It is also why I am a big defender of 2nd Amendment. Passions change when you're staring down the barrel of a Glock

2) Premeditated murder comes at a cost. If that cost actually was "death", there would be some incentive to not ever go through with it. And quite frankly, even if we don't have that exact number, it is greater than 0, and that is a deterrent.

3) Altered states is like driving drunk IMHO You didn't mean to, but you didn't mean not to as well. I have no sympathy for people here. (excluding Mental Illness)

4) Accidents, by definition aren't murder.

And you conveniently forget the murderers who commit additional murders once released. Death Penalty would definitely prevent (not deter) those.

Finally, you totally ignore self preservation as a motivation for anything. Which is why you're viewpoint is completely wrong. At least my view is principled, I oppose the death penalty on practical grounds, there are way too many ways our systems fail. My view is pragmatic and you are unable to sway my opinion with unprovable claims of deterrence and prevention (either which way) .

Driving this is also more data colleciton

[Opportunist]

More and more ill equipped and security unconscious duds collecting any and all kinds of data while having not the foggiest clue about securing it adequately.

And this will not change. Mostly because the only one who could, the government, by issuing laws that break the idiots' backs if they are too stupid to secure what they collect, have no interest in breaking their OWN back.

Re:Driving this is also more data colleciton

[Archangel+Michael]

This will change when people who have their data exposed can sue both those that exposed the data, and those that buy/use it. We should quit trying to stop these assholes, and just try to take the profit out of their side of the equation.

Re:Driving this is also more data colleciton

[Opportunist]

This will not happen. The governments are among the biggest data collectors and they have just recently shown just how good they are at protecting it.

You think they will make a law that essentially cuts them the most? Really?

Re:Driving this is also more data colleciton

[Archangel+Michael]

The governments are among the biggest data collectors and they have just recently shown just how good they are at protecting it.

And this is tyranny. Nothing less. And yet, many people continue to support it. Something about the devil you know vs the devil you don't.

It was here, then it was gone.

[Frosty+Piss]

What's going on with Slashdot stories that get posted and then deleted?

Should be trending down, not up

[JustAnotherOldGuy]

The number of zero-day exploits should be trending down, not up.

Supposedly software and development tools are becoming more mature and programmers are gaining more experience (ostensibly reducing the amount of code that's susceptible to zero-day exploits), but this is obviously not the case.

As for prevention via the law, I doubt any penalty could or would be severe enough to dissuade anyone from using a zero-day exploit they found or bought, so I don't think a legal solution (i.e. prosecution, jail time, etc) is ever going to work.

I doubt even the threat of the death penalty would do it, because most people who commit crimes don't think they're going to be caught.

Re:Should be trending down, not up

[jellomizer]

Well customers are demanding more Cloud/Remote hosted systems than systems that they can install on their internal network or their own PC's. A lot of these Mature Programmers are use to making applications based on Local systems access, where backdoors are just part of the design. They will rarely plan out the entire process. Sure the New tools may prevent buffer overflows, and SQL injections... However that feature that needs to solve a problem, just may open a door open to an attack. An improperly checked eval statement, including extra libraries that you don't need. Using a third party app who just didn't use such methods.

Also most of these apps are based on Older Code sets, Taking a PC App and just changing the UI to be Web Based.

Now I am not blaming the programmers. Almost every time this type of stuff happens the programmers make a fuss then get given an option to do it the quick way or find another job.

Re:Should be trending down, not up

[Carewolf]

The number of zero-day exploits should be trending down, not up.

Let me rephrase the article headline for you: "You need X! Says seller of X"

Re:Should be trending down, not up

[ole_timer]

If the number of users, the number of devices and the amount of software were kept constant I'd be closer to agreeing with you. But there's growth in all three. Combine that with all three are designed and built by humans and thus have bugs means growth. Plus read the story about education (or lack of) and you are beginning to get the picture,

Re:Should be trending down, not up

[jader3rd]

and programmers are gaining more experience

But there's a constant influx of new programmers with no experience.

Re:Should be trending down, not up

[phantomfive]

54 serious vulnerabilities is such a small subset of the total number of vulnerabilities that as a sample it is useless for anything.

At best it might show that more people are looking for vulnerabilities.

Re:Should be trending down, not up

[JustAnotherOldGuy]

Let me rephrase the article headline for you: "You need X! Says seller of X"

Where can I buy this wonderful "X", it sounds like I need it ASAP!!

Re:Should be trending down, not up

[JustAnotherOldGuy]

But there's a constant influx of new programmers with no experience.

Damn...what can we do to stop all these goddamn &#$@! newbies from polluting our pristine pool of programmers??

As long as companies keep using garbage...

from Microsoft, this will keep happening.

Re: As long as companies keep using garbage...

The republicans on my state made it mandatory to use that Microsoft's horrific attempt at a word processor in order do business with the state. We had to buy a Windows laptop that is only used in dealing with those Republican crooks.

Re: As long as companies keep using garbage...

And Trump said he wanted to make Excel required to file your taxes.

Re: As long as companies keep using garbage...

And as long as those Republicans create legal requirement to use Microsoft, we will never be secure.

Re:As long as companies keep using garbage...

from Microsoft, this will keep happening.

Change the law so I'm not legally required to use those crappy Microsoft products that are closed source and have nearly no support so you can't fix problems. Microsoft is so ashamed of the garbage they shove down our throats, that they hide the source code from the public. That is how embarrassed they are by their own products.

Re: As long as companies keep using garbage...

Trump will destroy this country. Destroy this country.

Re: As long as companies keep using garbage...

This. Microsoft and the Republicans are in bed together.

Ironic

[idbeholda]

Coming from a company known for, and having a long, colorful, illustrious history of rolling out notoriously insecure products. The number one spot belongs to all versions of Windows and Outbreak Express. Just saying.

Re:Ironic

[phantomfive]

Yeah. It might be more accurate to say that Symantec has 54 zero days in its products, but it might be higher than that. At least they didn't leave their debugging server turned on.

It's just you, Symantec

[inode_buddha]

They're just hiding it from you.

How is this not expected?

When someone discovers a zero-day, they try to do the right thing and report it. The thanks you get is being threatened with lawsuits if you go public. Time passes and no fix is made yet you are pressured to keep quite. Is it any wonder people sell exploits rather then report them?

Time for compulsory disclosure

[Gravis+Zero]

It seems to be in the interest of the general good that companies be legally compelled to disclose when they have been breached as well as the extent of the breach. If nothing else, this will enhance the "Free Market" by driving people away from companies that are irresponsible.

Therefore, I predict a number of marionettes-err-congress critters-err-politicians will be against this idea.

Re:Time for compulsory disclosure

[meerling]

They'll fight that tooth and nail due to the tendency of stock holders to sue them whenever this happens.
Maybe if you included a clause that they can't get sued for repercussions of revealing that information...

Cock Gobblers

I submit to Symantec all the time. Shit stays undetected for weeks.

Their "zero-day" might be weeks old.

Re:Cock Gobblers

[meerling]

It takes weeks for the solution to be created and TESTED so that it doesn't eat your computer. Of course, if you want a version of QuickProtect on your computer, I'm sure Dilbert would be happy to send you one.

What do I suspect is the source (said it before)?

I suspect kids coming out of academia w/ BIG debt finding good jobs to pay the loan debt down are offshored - so it's "go to jail" either way for them if they DON'T pay down that debt once the clock starts ticking FOR SURE or creating malware instead to pay it down.

Regarding the latter - They're taking a chance of NOT getting caught, & use those skills in CS to start making BIG MONEY ripping others off.

Why?

LESS CHANCE OF IMMEDIATE JAILTIME FOR UNPAID DEBT & yes, a chance to pay it down, + perhaps even PROFIT by it...

I.E.-> Desperation creates necessity creates invention (in this case, bad ones).

* Imo, our "fearless leader politicians", puppets of BIG MONEY, have caused it along with the 1% legalized craptable called the stock market SCREAMING "make me 'MoAr'" to publicly traded companies! Mgt., in fear of their jobs, responds the easiest way controlling the easiest overhead to control - payrolls.

WHAT BACKS WHAT I SUSPECT EVEN MORE?

This (almost 30% of all known malware EVER appeared in 2015) http://www.pandasecurity.com/m... & THAT takes even more malware makers to appear to create THAT large of a 'malware explosion' - the answer to 99/100 question = money & what it will drive you to (not just when it becomes 'the HOLY dollar' for the greedy, but also the desperate).

APK

P.S.=> So, anyone wondering WHY I built my free hosts file program to protect others against threats online? Don't! THIS is why... apk

Programmers with desktop mentality, little trainin

[raymorris]

> A lot of these Mature Programmers are use to making applications based on Local systems access ...
> Also most of these apps are based on Older Code sets, Taking a PC App and just changing the UI to be Web Based.

Yep, many programmers are reasonably competent for desktop programming, where the user is trying to make the program work correctly. They are trained in and don't think with the mindset that "users" are attacking the software daily, trying to find ways to make it fail. Because Windows is the most popular desktop of all time, there are an especially high number of experienced Windows programmers who habitually think with a desktop-like mindset, not an adversarial mindset where the user is an attacker.

This goes along with the problems of teaching everyone to code just a little bit. They know enough that they can make it mostly work, most of the time. Thinking about how it be forced to not work correctly, how it responds to invalid and malicious input, is an entirely different level.

We're also lacking in tools and libraries which have been formerly proven safe, but the mindset of programmers and their managers is the biggest thing. If every line of code is looked at with an eye toward "how could this go wrong" we'd have MUCH more reliable software . If it works reliably even when being attacked, think about how well it will work when you're not attacking it!

are NOT trained in "users are attackers "

[raymorris]

I left out the word "not". People with desktop programming experience think of the input as coming from a friendly user, NOT from an attacker who is trying to break things.

... but not saying how many records were lost.

A) ALL of them.

B) We don't know.

C) We were breached?

D) Yes. They're still here.

----

CAPTCHA: faulty.

Re:Programmers with desktop mentality, little trai

[JustAnotherOldGuy]

Rule #1: NEVER trust the network. NEVER.

Rule #2: See Rule #1.

Re:What do I suspect is the source (said it before

da fuq did i just read?

Outsourcing IT contributed to this problem

That's what happens when you outsource your IT team!