The Secretive “We protect you from people like us”

First, what is 0-day? 0-day = Undisclosed or unknown to the public.

Second, what is vulnerability? Vulnerability = susceptibility to risk or harm

0-day + vulnerability As it relates to computer security, a 0-day vulnerability is an undisclosed software flaw that can be used to control the flow of execution in a computer’s memory.

Who is really responsible? Does anyone know who is responsible for the creation of 0-day vulnerabilities? Where does the risk really come from?

Software & Hardware Vendors Hackers do not create 0-day vulnerabilities, technology vendors do. Any time you deploy a new technology you are introducing 0-day vulnerabilities into your environment, even if it’s a “security” product.

Question Do 0-days pose a higher risk than published vulnerabilities?

Fear of the unknown The risks associated with 0-day’s are hugely distorted and amplified by the media and even the security industry.

What is the real risk of 0-day? According to the Verizon Data Breach Investigations Report (DBIR) the risk associated with 0-days is negligible when compared to the risks associated with known vulnerabilities. DBIR reports that 99.9% of exploited vulnerabilities had been compromised more than one year after the associated CVE was published.

and… 97% of compromises observed in 2014 were attributable to just 10 CVEs most of which dated back to the early 2000’s.

and… Half of the CVEs published in 2014 went from publish to pwn in less than one month.

Here’s a pretty graph

So what is the real risk of 0-day? 0-day equates to about 0.01% of all known compromises. Most of the 0.01% aren’t memory corruption.

Common Sense The likelihood of vulnerability exploitation increases as more people learn about the vulnerability and/or its methods of exploitation.

0-day lifespan The biggest secret in the 0-day marketplace is the 0-day. Keeping that secret is challenging. Every time a 0-day is used to compromise a target its chances of discovery increase exponentially. Keeping a 0-day secret means limited & highly-controlled use or non-external research based use.

0-day lifespan 0-day’s are expensive. Anyone who purchases a 0-day exploit wants maximum value which is directly tied to lifespan. It is for this reason that it is rare for 0-day’s to be used for mass- compromise.

Privacy The federal government doesn’t need to use 0- days for mass surveillance. The government collects data directly from service providers.

Privacy If anyone decides to use a zero-day exploit to infringe on your privacy then chances are that you’ve done something to warrant that level of attention. You’ve made yourself a high-value target.

Ethics The ethics of a 0-day are determined by the humans that use them, not by the actual 0-day. In 2013 the FBI allegedly used a FireFox 0-day to to take down a child pornography ring. Ethical or not?

Ethics Stuxnet, a computer worm first reported by security company VirusBlokAda in mid June 2010, was built to sabotage Iran’s nuclear program with a series of what would appear to be accidents. Stuxnet used multiple 0-days. Ethical or not?

Buyers Who buys 0-day exploits?

Buyers Security Companies

Buyers Security Companies Governments

Buyers Security Companies Governments Organized Crime

Buyers Security Companies Governments Organized Crime But, not most software vendors

Vetting buyers Determining who should or should not be able to purchase 0-day exploits is becoming increasingly difficult. A framework needs to be created to support a legitimate 0-day market. The wassenaar arrangement is not the correct framework.

Nessisary Technology Banning 0-day’s == Increased Risk All countries use 0-day vulnerabilities for offensive research (including North Korea).

Questions Contact Information: Adriel T We protect you from people like us