The Secretive 0-Day Market @greybrimstone @netragard adriel@netragard.com “We protect you from people like us”

Page 1:

The Secretive 0-Day Market

@greybrimstone @netragard adriel@netragard.com

“We protect you from people like us”

Page 2:

First, what is 0-day?

0-day = Undisclosed or unknown to the public.

Page 3:

Second, what is vulnerability?

Vulnerability = susceptibility to risk or harm

Page 4:

0-day + vulnerability

As it relates to computer security, a 0-day vulnerability is an undisclosed software flaw that can be used to control the flow of execution in a computer’s memory.

Page 5:

Who is really responsible?

Does anyone know who is responsible for the creation of 0-day vulnerabilities? Where does the risk really come from?

Page 6:

Software & Hardware Vendors

Hackers do not create 0-day vulnerabilities, technology vendors do.

Any time you deploy a new technology you are introducing 0-day vulnerabilities into your environment, even if it’s a “security” product.

Page 7:

Question

Do 0-days pose a higher risk than published vulnerabilities?

Page 8:

Fear of the unknown

The risks associated with 0-days are hugely distorted and amplified by the media and even by the security industry.

Page 9:

What is the real risk of 0-day?

According to the Verizon Data Breach Investigations Report (DBIR), the risk associated with 0-days is negligible when compared to the risks associated with known vulnerabilities.

DBIR reports that 99.9% of exploited vulnerabilities had been compromised more than one year after the associated CVE was published.

Page 10:

and…

97% of compromises observed in 2014 were attributable to just 10 CVEs, most of which dated back to the early 2000s.

Page 11:

and…

Half of the CVEs published in 2014 went from publish to pwn in less than one month.

Page 12:

Here’s a pretty graph

Page 13:

So what is the real risk of 0-day?

0-day equates to about 0.01% of all known compromises. Most of the 0.01% aren’t memory corruption.

Page 14:

Common Sense

The likelihood of vulnerability exploitation increases as more people learn about the vulnerability and/or its methods of exploitation.

Page 15:

0-day lifespan

The biggest secret in the 0-day marketplace is the 0-day. Keeping that secret is challenging.

Every time a 0-day is used to compromise a target, its chances of discovery increase exponentially. Keeping a 0-day secret means limited and highly controlled use, or non-external, research-based use.

Page 16:

0-day lifespan

0-days are expensive. Anyone who purchases a 0-day exploit wants maximum value, which is directly tied to lifespan. It is for this reason that it is rare for 0-days to be used for mass compromise.

Page 17:

Privacy

The federal government doesn’t need to use 0-days for mass surveillance. The government collects data directly from service providers.

Page 18:

Privacy

If anyone decides to use a zero-day exploit to infringe on your privacy then chances are that you’ve done something to warrant that level of attention. You’ve made yourself a high-value target.

Page 19:

Ethics

The ethics of a 0-day are determined by the humans that use them, not by the actual 0-day.

In 2013 the FBI allegedly used a Firefox 0-day to take down a child pornography ring. Ethical or not?

Page 20:

Ethics

Stuxnet, a computer worm first reported by the security company VirusBlokAda in mid-June 2010, was built to sabotage Iran’s nuclear program with a series of what would appear to be accidents. Stuxnet used multiple 0-days. Ethical or not?

Page 21:

Buyers

Who buys 0-day exploits?

Page 22:

Buyers

Security Companies

Page 23:

Buyers

Security Companies

Governments

Page 24:

Buyers

Security Companies

Governments

Organized Crime

Page 25:

Buyers

Security Companies

Governments

Organized Crime

But, not most software vendors

Page 26:

Vetting buyers

Determining who should or should not be able to purchase 0-day exploits is becoming increasingly difficult. A framework needs to be created to support a legitimate 0-day market. The Wassenaar Arrangement is not the correct framework.

Page 27:

Necessary Technology

Banning 0-days == Increased Risk

All countries use 0-day vulnerabilities for offensive research (including North Korea).

Page 28:

Questions

Contact Information: Adriel T. Desautels

@greybrimstone / @netragard

adriel@netragard.com

617-934-0269

We protect you from people like us

https://www.netragard.com