Re: how often do 0-days REALLY happen?

From: Randy Taylor (rtaylor@enterasys.com)
Date: 01/09/02


Date: Wed, 09 Jan 2002 12:56:39 -0500
To: "leon" <leon@inyc.com>, <incidents@securityfocus.com>
From: Randy Taylor <rtaylor@enterasys.com>


The short answer is that 0-day exploits do happen, they
can be devastating, and it hurts - a lot. The good news
is they don't happen nearly as much as they used to -
thank the security community, which is more numerous and more
collectively vigilant than they used to be, and technology like IDS
and firewalls which will give you warning signs of general badness
heading your way even if they don't get the specifics of the attack.

FWIW, the last time I got 0-day'ed was in 1995 - a combination
of nfsshell (file handle guessing pre-fsirand), waterworks (does
anyone remember waterworks? It was a session hijacker), and
other evilness ripped the living daylights out of some of my
systems - the only tipoff I had was some TCP wrapper events, and I
wouldn't have had even that if the attackers had maintained their discipline.
So I set up a Network General sniffer and waited. I still have the
trace somewhere - I dig it up and re-run it every once in a while just
to remind myself how bad things can get, and how quickly it can
happen. Thanks to the trace, I was able to develop enough evidence
to positively identify the two perps. We were able to get one busted - the
other slipped away. I still keep track of the guy that got away to this
day - last I heard he was working for a managed security provider.
*chuckle* I'm real glad that particular company has nothing to do with
watching _my_ stuff. ;)

Hope this helps. 8)

Best regards,

Randy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
