
SoylentNews is people

posted by Fnord666 on Tuesday March 21 2017, @05:53AM
from the keep-it-to-yourself dept.

The RAND Corporation recently received rare access to a private dataset of roughly 200 zero-day vulnerabilities and the exploits written for them.

It turns out that a zero-day vulnerability survives for about 6.9 years on average before it is publicly disclosed or otherwise dies, and that the stockpiles held by a pair of serious opponents (typically nation-state governments) overlap very little: the report estimates that only about 5.7 percent of a given stockpile is independently discovered by an outside party within a year. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.

The report ("Zero Days, Thousands of Nights", available as a summary and as a full-text PDF) includes quite a bit more about the exploit industry, including estimates of pricing and headcount.
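As an added illustration, not taken from the RAND report or the article, the Python below computes the two quantities the summary quotes, lifetime and overlap, over a small constructed set of zero-day records. A Kaplan-Meier survival curve handles bugs that are still alive at the end of the study window (right-censoring), and a one-year collision rate counts the fraction of bugs that were independently disclosed within a year of discovery. The vulnerability labels, the day offsets and the ten-year window are all made up; the estimator is the standard one for censored lifetimes, not necessarily the method the report used.

```python
"""Lifetime and collision-rate estimates over a constructed zero-day dataset.

Constructed example: the records below are invented, not data from the RAND study.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class Vuln:
    """One privately held zero-day. Days are offsets from the start of the study window."""
    vuln_id: str              # hypothetical label, not a real CVE or vendor identifier
    found: int                # day the private team discovered it
    disclosed: Optional[int]  # day an outside party published it; None if still private


def observations(vulns: List[Vuln], study_end: int) -> List[Tuple[int, bool]]:
    """Turn records into (time, event) pairs for survival analysis.

    time  = days the bug survived as a private zero-day inside the study window
    event = True if it died (was disclosed), False if right-censored at study_end
    """
    out = []
    for v in vulns:
        if v.found > study_end:
            continue  # discovered after the window closed: no observation
        if v.disclosed is not None and v.disclosed <= study_end:
            out.append((v.disclosed - v.found, True))
        else:
            out.append((study_end - v.found, False))
    return out


def kaplan_meier(obs: List[Tuple[int, bool]]) -> List[Tuple[int, float]]:
    """Kaplan-Meier survival curve: (time, S(time)) at each distinct death time.

    Censored bugs count as 'at risk' up to and including their censoring time,
    so a bug that is still private at the end of the study is not treated as dead.
    """
    death_times = sorted({t for t, event in obs if event})
    curve = []
    survival = 1.0
    for t in death_times:
        at_risk = sum(1 for time, _ in obs if time >= t)
        deaths = sum(1 for time, event in obs if event and time == t)
        survival *= 1.0 - deaths / at_risk
        curve.append((t, survival))
    return curve


def median_lifetime(curve: List[Tuple[int, float]]) -> Optional[int]:
    """Smallest time at which estimated survival drops to 50% or below; None if it never does."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def collision_rate(vulns: List[Vuln], study_end: int, window: int = DAYS_PER_YEAR) -> float:
    """Fraction of zero-days independently disclosed within `window` days of discovery.

    Only bugs observed for at least `window` days are counted, so a bug found
    shortly before the study ended does not drag the estimate down.
    """
    eligible = [v for v in vulns if study_end - v.found >= window]
    if not eligible:
        raise ValueError("no vulnerability was observed for a full window")
    hits = sum(1 for v in eligible
               if v.disclosed is not None and v.disclosed - v.found <= window)
    return hits / len(eligible)


# Constructed sample: ten invented zero-days over a ten-year study window.
STUDY_END = 10 * DAYS_PER_YEAR
SAMPLE = [
    Vuln("v01", 0, 200),
    Vuln("v02", 0, None),
    Vuln("v03", 100, 3000),
    Vuln("v04", 365, None),
    Vuln("v05", 500, 800),
    Vuln("v06", 700, None),
    Vuln("v07", 1000, 2500),
    Vuln("v08", 1200, None),
    Vuln("v09", 2000, 2100),
    Vuln("v10", 3500, None),  # found late: censored after only 150 days
]


if __name__ == "__main__":
    obs = observations(SAMPLE, STUDY_END)
    curve = kaplan_meier(obs)
    for t, s in curve:
        print(f"day {t:5d}: S = {s:.3f}")
    print("median lifetime (days):", median_lifetime(curve))
    print("one-year collision rate:", round(collision_rate(SAMPLE, STUDY_END), 3))
```

On this constructed data the survival estimate crosses 50% at day 2900 (about eight years), and three of the nine bugs observed for a full year were independently disclosed within that year. Real figures depend entirely on the private set, which is the assumption the comments below pick at.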



  • (Score: 5, Insightful) by vux984 on Tuesday March 21 2017, @06:02AM (7 children)

    by vux984 (5045) on Tuesday March 21 2017, @06:02AM (#481978)

    "and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap."

    Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

    But if it's true then we should logically be using ours to steal theirs and then notify the manufacturers/vendors etc. about them, so that they get closed. I mean, if there really isn't much overlap, then closing discovered foreign-owned 0-days down should be a priority for the NSA... that is half their mandate after all. Why aren't they releasing a steady stream of foreign-discovered 0-days to 'our team'?

    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @06:21AM

      by Anonymous Coward on Tuesday March 21 2017, @06:21AM (#481983)

      The PDF explains it well. There are a bunch of fancy statistics, particularly relating to lifetime. The weakest assumption is that the set of vulnerabilities found in the private set of about 200 is of a similar nature as the ones that are public. Still, it's not a bad assumption, especially given the known properties of that set of vulnerabilities. From there we may compute the chance that a pair of adversaries will discover the same bugs or different bugs.

      The NSA may well be releasing a steady stream of foreign-discovered 0-days to 'our team'. There is no way they'd take credit for it. Probably they'd use anonymous bug reports to the vendor.

    • (Score: 2) by fadrian on Tuesday March 21 2017, @01:14PM (2 children)

      by fadrian (3194) on Tuesday March 21 2017, @01:14PM (#482090) Homepage

      Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

      You could get lists of your allies' 0-days and compare them to see if there was much overlap, too. Well, you could if we had any allies anymore... Thanks, Trump!

      --
      That is all.
      • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:45PM

        by Anonymous Coward on Tuesday March 21 2017, @01:45PM (#482111)

        Obvious questions:

        Where did Rand get the data and why would they expect the source to be truthful?

        The analysis seems to be about an 'us' versus 'them' pair. This results in a small overlap, which leads to holding our zero-days.
        It seems like in the real world, there are many 'them's with varying degrees of visibility.
        How could the information source know that the 'them' they provided data for is representative of the whole situation?

        The elephant in the room is that there are so many bugs and so little time.
        Aside from finding and outing zero-days, what can be done to address this situation?
        This report seems to say that the best action is to continue the current situation.
        Unfortunately, that makes everybody's computer a war zone.
        There must be a better path.

      • (Score: 2) by tangomargarine on Tuesday March 21 2017, @02:29PM

        by tangomargarine (667) on Tuesday March 21 2017, @02:29PM (#482150)

        Assuming of course you trust said allies to give you the complete list, which would be doubtful, Trump or no.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @04:40PM (2 children)

      by Anonymous Coward on Tuesday March 21 2017, @04:40PM (#482232)

      "and that the ones found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap."

      Wait ... HOW did they find THAT out? Did Russia or China give them a stack of their stock-piled zero-days so they could compare to the CIA/NSA ones?? I mean seriously... what possible methodology are they using here? I don't get it.

      Because it's the NSA's (and others') job to know this, and they are much better at it than a random armchair spy on the internet.

      Truthfully I don't know how they know, but several ways I can think of are:
      1) Their 0-day exploits have clear signatures (e.g. recognizable internet traffic patterns), and they don't see them in domestic networks.
      2) They have out-of-channel sources of information (e.g. compromising some of the authors or discoverers of the 0-day exploits)
      3) They set up honey-pots, and look for how they are compromised
      4) They look at historically discovered 0-day holes and extrapolate from them
      5) Compare between "friendly" organizations (e.g. NSA can talk to CIA and others) to compare and contrast what exploits they have independently discovered, and extrapolate from that

      You know... the exact same thing that security firms do to locate security holes...

      • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @05:08PM

        by Anonymous Coward on Tuesday March 21 2017, @05:08PM (#482245)

        It's #4 and #5, with multiple ways of estimating and lots of statistics.

      • (Score: 3, Insightful) by vux984 on Tuesday March 21 2017, @09:41PM

        by vux984 (5045) on Tuesday March 21 2017, @09:41PM (#482416)

        1) Their 0-day exploits have clear signatures (e.g. recognizable internet traffic patterns), and they don't see them in domestic networks.

        Most exploits 'stockpiled' aren't going to be visible, and when deployed they're very narrowly targeted. There's not going to be much to see, nor when to see it.

        2) The have out-of-channel sources of information (e.g. compromising some of the authors or discoverers of the 0-day exploits)
        3) They set up honey-pots, and look for how they are compromised

        Safe to assume both sides are working those angles, and that's going to result in an *increase* in overlap, as one side's 0-days get added to the arsenal of the other side.

        4) They look at historically discovered 0-day holes and extrapolate from them
        5) Compare between "friendly" organizations (e.g. NSA can talk to CIA and others) to compare and contrast what exploits they have independently discovered, and extrapolate from that

        It gets tricky because you are polluting the well; seeing the other's exploits, even if they were independently developed, is going to guide what you look for in future for your own, making your future independently developed exploits... somewhat less independent. Would you have found X if you hadn't seen the other guy's Y... etc. Plus western hackers might have the same general approaches and even cross-contamination of staff over time, so there might be more overlap between CIA and NSA than you'd find elsewhere.

        And for a lot of bigger exploits like remote root through the browser, it's a chain of exploits. So even if only one element in the chain is common to both parties' exploit kits, fixing that element will shut down both chains.

        Then there is also that exploits aren't developed in isolation -- they'll be drawing from what is publicly released, and again that contaminates the independence if they are both approaching targets with starting points that contain many of the same 'script kiddie' and/or 'black market' exploits -- because how do you know the market isn't selling to the stockpiles on both sides? Again creating direct overlap, but also contaminating the independence of future exploits.

        It doesn't make extrapolation impossible, but it's definitely harder. And it's really hard to imagine RAND has good data to work from. So I'd think their estimates of overlap would be really loose.

        Plus are they counting all overlap the same? Maybe Microsoft Word is Swiss cheese so exploits for Word will have little overlap. But maybe OpenBSD and LibreSSL are much smaller attack surfaces and those exploits have higher overlap... if we both have 100 exploits, 99 for MS Word and 1 for BSD, and it's the same 1 for BSD but a different 99 for Word, you could just as easily argue that we have 50% overlap as 1% depending on how you write the results up.

  • (Score: 2, Interesting) by Soylentbob on Tuesday March 21 2017, @06:56AM

    by Soylentbob (6519) on Tuesday March 21 2017, @06:56AM (#481988)

    From tfa:

    No vulnerability characteristics indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type.

    Yes, please... As a long-term Linux user, I'm convinced that at least the prestigious projects (Linux, postgres, mariadb [formerly mysql], etc.) receive patches for known zero-days pretty fast. Regarding overall code quality, open source seems to have an edge (although I doubt this for some of the newer hipster projects), but it would be interesting to know if availability of source code makes it significantly easier for foreign governments to find zero-days.

    The best strategy to ensure superiority and safety would IMO be to employ developers to contribute to critical projects in order to gain competence, and maybe to invest in freely available static code-analysis tools. Maybe that would be a good option to sink some of the defence budget. Since Trump was demanding that Europe increase their defence spending, that might be a good first step :-)

  • (Score: 2) by RamiK on Tuesday March 21 2017, @11:51AM (1 child)

    by RamiK (1813) on Tuesday March 21 2017, @11:51AM (#482057)

    There are some good arguments for open source buried in the appendix: In "Additional Figures and Tables" the figures for "Frequencies of Exploit-Level Characteristics Among 127 Identified Exploits" (p.89) stand at 50 open source, 70 closed source, 1 mixed and 6 unknown. And in "More Information About the Data" under "Data Frequency Counts" (p.101) the ratio is repeated with 123 closed and 74 open.

    That's to say, open-source is more secure even at the nation state level.

    --
    compiling...
    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @02:10PM

      by Anonymous Coward on Tuesday March 21 2017, @02:10PM (#482133)

      There may be 50 open source and 70 closed source, but this doesn't tell you what they got it from. This is just an attribute of the sample set.

      For example, if they had 3 people finding bugs in open source and 37 equally-skilled people finding bugs in closed source, we could conclude that finding bugs in open source is easier.

      As they say, "future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and exploit class type".

      For now, they haven't done that. It may be that the data was insufficient to do so, or that RAND was less interested, or that RAND was in a rush to publish, or that RAND wants to milk this for as many reports as possible.

  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @12:50PM (2 children)

    by Anonymous Coward on Tuesday March 21 2017, @12:50PM (#482078)

    and i am sure the stock market will rebound after the secretly faulty A.I. has de-orbited all GPS satellites.
    seriously ... if all cars were made in two countries only and they would go about not telling the other about flaws, this will end in lots of customers dying in car crashes and the shareholders will stop smiling pretty soon?

    we thus have to assume that something went wrong when RAND COMPUTED this result, maybe a recommended-as-withheld zer0day was at work?

    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @01:12PM (1 child)

      by Anonymous Coward on Tuesday March 21 2017, @01:12PM (#482088)

      "hello fellow citizen! in the name of national security(*) your computing results maybe have to stay wrong and/or faulty! have a nice day!"
      (*)?

      • (Score: 1) by khallow on Tuesday March 21 2017, @02:20PM

        by khallow (3766) Subscriber Badge on Tuesday March 21 2017, @02:20PM (#482142) Journal
        HELLO CITIZEN. VIEWING FRIEND COMPUTER ANNOUNCEMENTS THAT ERRONEOUSLY SUGGESTS FRIEND COMPUTER IS EVER IN ERROR IS TREASON. HAVE A NICE DAY.

        *zappity zap zap zap zap*
  • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @02:16PM (5 children)

    by Anonymous Coward on Tuesday March 21 2017, @02:16PM (#482137)

    Even if that's true, it's still a lot. There are about 200 nations out there and most of them have significant resources at their disposal.

    And then there is the question which country has the most to lose. Hint, it's the more advanced countries generally.

    Breaking things is easy, making them is hard.

    Do the right thing and patch the vulnerabilities. Hell make it a "prisoner exchange" with foreign governments so everybody profits.

    • (Score: 0) by Anonymous Coward on Tuesday March 21 2017, @03:08PM (4 children)

      by Anonymous Coward on Tuesday March 21 2017, @03:08PM (#482171)

      This isn't something really done in Somalia, Guatemala, Haiti, Bangladesh, Nauru, and Lesotho.

      The main threats are: China, Russia, France, Israel, Iran, India, North Korea. Besides them, things aren't too serious.

      The loser countries buy from loser companies like Hacking Team. This stuff is weak. Hacking Team doesn't bother with having more than a handful of exploits at most.

      The right thing is to protect our country by doing things like Stuxnet, which set back Iran's nuclear weapons program by a couple years. Imagine if you could make Russian SLBMs obey a geofence to stay out of the USA. That could save our asses someday.

      • (Score: 2) by maxwell demon on Tuesday March 21 2017, @07:13PM

        by maxwell demon (1608) on Tuesday March 21 2017, @07:13PM (#482320) Journal

        Imagine if you could make Russian SLBMs obey a geofence to stay out of the USA.

        How do you know that is not already done?

        --
        The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by bob_super on Tuesday March 21 2017, @09:42PM (2 children)

        by bob_super (1357) on Tuesday March 21 2017, @09:42PM (#482419)

        > The main threats are: China, Russia, France, Israel, Iran, India, North Korea. Besides them, things aren't too serious.

        *recovers from laughing*
        I've got a bridge to sell you if you don't think that most Middle-Eastern/Gulf countries, South-and-East-Asian countries, and most of Europe (plus the UK) should be on your cute little list.
        "Sure, we spend billions on weapons, but who cares about them cybers?"

        Seriously deluded.

        • (Score: 0) by Anonymous Coward on Wednesday March 22 2017, @12:55AM (1 child)

          by Anonymous Coward on Wednesday March 22 2017, @12:55AM (#482483)

          The UK is part of 5EYES, cooperating with us. Sure, they may cheat, but they can't afford to piss us off.

          Most of Europe is being cheap. They habitually underfund their military.

          I covered "Middle-Eastern/Gulf countries, South-and-East-Asian countries" with Hacking Team. Yep, it's pitiful. They depend on shitty stuff from Hacking Team, and even Hacking Team laughs at the incompetence.
