The Secretive “We protect you from people like us”


Presentation on theme: "The Secretive “We protect you from people like us”"— Presentation transcript:

1 The Secretive 0-Day Market @greybrimstone @netragard adriel@netragard.com “We protect you from people like us”

2 First, what is 0-day? 0-day = Undisclosed or unknown to the public.

3 Second, what is vulnerability? Vulnerability = susceptibility to risk or harm

4 0-day + vulnerability As it relates to computer security, a 0-day vulnerability is an undisclosed software flaw that can be used to control the flow of execution in a computer’s memory.

5 Who is really responsible? Does anyone know who is responsible for the creation of 0-day vulnerabilities? Where does the risk really come from?

6 Software & Hardware Vendors Hackers do not create 0-day vulnerabilities, technology vendors do. Any time you deploy a new technology you are introducing 0-day vulnerabilities into your environment, even if it’s a “security” product.

7 Question Do 0-days pose a higher risk than published vulnerabilities?

8 Fear of the unknown The risks associated with 0-days are hugely distorted and amplified by the media and even the security industry.

9 What is the real risk of 0-day? According to the Verizon Data Breach Investigations Report (DBIR), the risk associated with 0-days is negligible when compared to the risks associated with known vulnerabilities. DBIR reports that 99.9% of exploited vulnerabilities had been compromised more than one year after the associated CVE was published.

10 and… 97% of compromises observed in 2014 were attributable to just 10 CVEs, most of which dated back to the early 2000s.

11 and… Half of the CVEs published in 2014 went from publish to pwn in less than one month.

12 Here’s a pretty graph

13 So what is the real risk of 0-day? 0-day equates to about 0.01% of all known compromises. Most of the 0.01% aren’t memory corruption.

14 Common Sense The likelihood of vulnerability exploitation increases as more people learn about the vulnerability and/or its methods of exploitation.

15 0-day lifespan The biggest secret in the 0-day marketplace is the 0-day. Keeping that secret is challenging. Every time a 0-day is used to compromise a target, its chances of discovery increase exponentially. Keeping a 0-day secret means limited and highly controlled use, or non-external, research-based use.

16 0-day lifespan 0-days are expensive. Anyone who purchases a 0-day exploit wants maximum value, which is directly tied to lifespan. It is for this reason that it is rare for 0-days to be used for mass compromise.

17 Privacy The federal government doesn’t need to use 0-days for mass surveillance. The government collects data directly from service providers.

18 Privacy If anyone decides to use a zero-day exploit to infringe on your privacy then chances are that you’ve done something to warrant that level of attention. You’ve made yourself a high-value target.

19 Ethics The ethics of a 0-day are determined by the humans that use them, not by the actual 0-day. In 2013 the FBI allegedly used a Firefox 0-day to take down a child pornography ring. Ethical or not?

20 Ethics Stuxnet, a computer worm first reported by security company VirusBlokAda in mid June 2010, was built to sabotage Iran’s nuclear program with a series of what would appear to be accidents. Stuxnet used multiple 0-days. Ethical or not?

21 Buyers Who buys 0-day exploits?

22 Buyers Security Companies

23 Buyers Security Companies Governments

24 Buyers Security Companies Governments Organized Crime

25 Buyers Security Companies Governments Organized Crime But, not most software vendors

26 Vetting buyers Determining who should or should not be able to purchase 0-day exploits is becoming increasingly difficult. A framework needs to be created to support a legitimate 0-day market. The Wassenaar Arrangement is not the correct framework.

27 Necessary Technology Banning 0-days == Increased Risk All countries use 0-day vulnerabilities for offensive research (including North Korea).

28 Questions Contact Information: Adriel T. Desautels @greybrimstone / @netragard adriel@netragard.com 617-934-0269 We protect you from people like us https://www.netragard.com

