RE: how often do 0-days REALLY happen?

From: Ofir Arkin (ofir@sys-security.com)
Date: Tue Jan 08 2002 - 22:02:08 PST


    Leon,
    
    Sometimes you "get lucky" and get hit by a 0-day. We had a similar
    case with the Honeynet project where a "fresh" worm hit one of our
    honeypots (http://project.honeynet.org).
    
    Usually a 0-day will be shared among a small group of people (1-some)
    that will wish to save the ability to make harm with it as long as they
    can. Not mentioning other powers they might have possessing it.
    
    The usage of the 0-day will be dependent on the harm it might cause and
    the targets it might be launched against. 
    
    
    BTW - the one you forgot to mention is Mike Schiffman the author of the
    book
    (http://www.amazon.com/exec/obidos/ASIN/0072193840/qid=1010555933/sr=8-1
    /ref=sr_8_3_1/107-6413282-0312523).
    
    
    Ofir Arkin [ofir@sys-security.com]
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA 
    
    -----Original Message-----
    From: leon [mailto:leonat_private] 
    Sent: Tue 08 January 2002 23:54
    To: incidentsat_private
    Subject: how often do 0-days REALLY happen?
    
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi everyone,
    
    I have been reading this list for a couple of years now and I just
    got done reading hacker's challenge.  Great book (hi to everyone who
    contributed and reads this list, I know David D is one of them).  The
    book is quite unique in how it goes about presenting itself. 
    Basically it is 20 challenges (here is what happened, here are the
    logs, and here are some questions).  At the end of the book are the
    solutions (how a security professional figured out xy and most
    importantly z).  The reason I wrote the subject heading as I did is
    because throughout the book they show case after case of remote
    exploit all for vulns that are months old.  On this list and the sec
    basics I constantly (relative I know) hear people talking about being
    compromised by vulns that patches have been available for, for
    months.  So I ask upon you incidents list (ye who have SO MUCH more
    experience than I) do systems being compromised by zero day exploits
    really happen (I am sure they happen but I am really curious as to
    the frequency and how a professional goes about dealing with a never
    seen before exploit.)  Just figured I would throw that out there and
    see how everyone responds because I was thinking about it on the walk
    home (hey, shoot me, it is cold in nyc, gotta do something to keep
    from freezing). 
    
    Cheers & TIA,
    
    Leon
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPDuGj9qAgf0xoaEuEQI/WgCfQQNfGWqTRDZefFmT80WhIOTdYPYAoKV8
    wpaiOoiq6Q55TXu/NctJOWYN
    =x7uY
    -----END PGP SIGNATURE-----
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 08:27:03 PST