The Secretive 0-Day Market @greybrimstone @netragard adriel@netragard.com “We protect you from...

Post on 18-Jan-2016


The Secretive 0-Day Market

@greybrimstone / @netragard / adriel@netragard.com

“We protect you from people like us”

First, what is 0-day?

0-day = Undisclosed or unknown to the public.

Second, what is vulnerability?

Vulnerability = susceptibility to risk or harm

0-day + vulnerability

As it relates to computer security, a 0-day vulnerability is an undisclosed software flaw that can be used to control the flow of execution in a computer’s memory.

Who is really responsible?

Does anyone know who is responsible for the creation of 0-day vulnerabilities? Where does the risk really come from?

Software & Hardware Vendors

Hackers do not create 0-day vulnerabilities, technology vendors do.

Any time you deploy a new technology you are introducing 0-day vulnerabilities into your environment, even if it’s a “security” product.

Question

Do 0-days pose a higher risk than published vulnerabilities?

Fear of the unknown

The risks associated with 0-days are hugely distorted and amplified by the media and even the security industry.

What is the real risk of 0-day?

According to the Verizon Data Breach Investigations Report (DBIR), the risk associated with 0-days is negligible when compared to the risks associated with known vulnerabilities.

DBIR reports that 99.9% of exploited vulnerabilities had been compromised more than one year after the associated CVE was published.

and…

97% of compromises observed in 2014 were attributable to just 10 CVEs, most of which dated back to the early 2000s.

and…

Half of the CVEs published in 2014 went from publish to pwn in less than one month.

Here’s a pretty graph

So what is the real risk of 0-day?

0-day equates to about 0.01% of all known compromises. Most of the 0.01% aren’t memory corruption.

Common Sense

The likelihood of vulnerability exploitation increases as more people learn about the vulnerability and/or its methods of exploitation.

0-day lifespan

The biggest secret in the 0-day marketplace is the 0-day. Keeping that secret is challenging.

Every time a 0-day is used to compromise a target, its chances of discovery increase exponentially. Keeping a 0-day secret means limited and highly controlled use, or non-external, research-based use.

0-day lifespan

0-days are expensive. Anyone who purchases a 0-day exploit wants maximum value, which is directly tied to lifespan. It is for this reason that it is rare for 0-days to be used for mass compromise.

Privacy

The federal government doesn’t need to use 0-days for mass surveillance. The government collects data directly from service providers.

Privacy

If anyone decides to use a zero-day exploit to infringe on your privacy then chances are that you’ve done something to warrant that level of attention. You’ve made yourself a high-value target.

Ethics

The ethics of a 0-day are determined by the humans that use them, not by the actual 0-day.

In 2013 the FBI allegedly used a Firefox 0-day to take down a child pornography ring. Ethical or not?

Ethics

Stuxnet, a computer worm first reported by security company VirusBlokAda in mid June 2010, was built to sabotage Iran’s nuclear program with a series of what would appear to be accidents. Stuxnet used multiple 0-days. Ethical or not?

Buyers

Who buys 0-day exploits?

Security Companies

Governments

Organized Crime

But, not most software vendors

Vetting buyers

Determining who should or should not be able to purchase 0-day exploits is becoming increasingly difficult. A framework needs to be created to support a legitimate 0-day market. The Wassenaar Arrangement is not the correct framework.

Necessary Technology

Banning 0-days == Increased Risk

All countries use 0-day vulnerabilities for offensive research (including North Korea).

Questions

Contact Information: Adriel T. Desautels

@greybrimstone / @netragard

adriel@netragard.com

617-934-0269

We protect you from people like us

https://www.netragard.com