Re: how often do 0-days REALLY happen?

From: Randy Taylor (rtaylorat_private)
Date: Wed Jan 09 2002 - 09:56:39 PST


    The short answer is that 0-day exploits do happen, they
    can be devastating, and it hurts - a lot. The good news
    is they don't happen nearly as much as they used to -
    thank the security community, which is more numerous and more
    collectively vigilant than they used to be, and technology like IDS
    and firewalls which will give you warning signs of general badness
    heading your way even if they don't get the specifics of the attack.
    
    FWIW, the last time I got 0-day'ed was in 1995 - a combination
    of nfsshell (file handle guessing pre-fsirand), waterworks (does
    anyone remember waterworks? It was a session hijacker), and
    other evilness ripped the living daylights out of some of my
    systems - the only tipoff I had were some TCP wrapper events, and I
    wouldn't have had even that if the attackers had maintained their discipline.
    So I set up a Network General sniffer and waited. I still have the
    trace somewhere - I dig it up and re-run it every once in a while just
    to remind myself how bad things can get, and how quickly it can
    happen. Thanks to the trace, I was able to develop enough evidence
    to positively identify the two perps. We were able to get one busted - the
    other slipped away. I still keep track of the guy that got away to this
    day - last I heard he was working for a managed security provider.
    *chuckle* I'm real glad that particular company has nothing to do with
    watching _my_ stuff. ;)
    
    Hope this helps. 8)
    
    Best regards,
    
    Randy
    