Friday, 23 March 2012

0-day a criminal or media obsession?

[0-day (ō dā) n. 1. A generally undisclosed security hole in software.]

1. Do criminals, spies and cyber-warriors want to know about zero day (0-day) vulnerabilities?

- Undoubtedly.

2. Do they spend vast amount of time seeking them out and developing exploits?

- Doubtful.

Which of  the two statements above is more exciting for a journalist to follow up on?

I'd say the first. The concept of shady organisations knowing something that no one else does, and then using that knowledge to perform movie-style techno-magic is intriguing.

The truth, depending on who you talk to and believe, is altogether more mundane.

Earlier this year, at the Kaspersky Threatpost Security Analyst Summit, I was talking to Greg Hoglund about targeted attacks. You might imagine that this type of attack would be at the cutting edge of malware. However, Greg said that, "a lot of what we see is not 0-day. The victims aren't patching."

(left to right) Greg Hoglund, Simon Edwards,
Paul Judge, Karthik Raman and Terry McCorkle

This makes complete sense when you understand that criminals and others are having plenty of success using fairly well-known threats. Why run when you are not being chased?

Dancho Danchev has compiled a sound analysis of the situation in his article Seven myths about zero day vulnerabilities debunked.

[How many people have to know about an 0-day before it's not an 0-day any more?]