Wednesday, October 25, 2006

And How Do YOU Know?

"There are very few true zero day attacks."

Come on, Rich? How do YOU know? Given that we know (and you yourself state) that there are very few ways to prevent, block or even detect a zero-day attack ... What might be more true is that an average security-sloppy enterprise has more to fear and more to lose from "stale" attacks; however, that is NOT the same as saying that there are few 0days out there.

I am stunned when folks make those claims. BTW, check out this list that Pete Lindstrom maintains on public exposures of 0day attacks. But how many were used and are not on his (or anybody's) list? Ominous silence is the answer :-)

1 comment:

Anonymous said...

Perhaps he would've been more accurate to say "...Relatively Few...Zero Day Exploits" instead of "Very Few," but I think Rich has a point.

If we all really sucked at finding exploits being used in the wild, then there would be tell-tale signs, especially now that there's real money to be made in hacking and bot-herding.

So, my $0.02 worth, if I may: How do I know that there are "relatively few" zero days? Because while vulnerability research and exploit writing have become something of an art form, remote-control back channels are still fairly primitive. This is true of both types of software, in both above-board professional practice and in 'the scene'. And since these half-assed back-channel techniques are still largely effective, there's no reason to change them. And so, while there could be hundreds or even thousands of 0day sploits discovered every month, the number in use is apparently still very small. Because it can be.

Dr Anton Chuvakin