Hackers are exploiting 0-days more than ever:
Previously unknown "zero-day" software vulnerabilities are mysterious and intriguing as a concept. But they're even more noteworthy when hackers are spotted actively exploiting the novel software flaws in the wild before anyone else knows about them. As researchers have expanded their focus to detect and study more of this exploitation, they're seeing it more often. Two reports this week from the threat intelligence firm Mandiant and Google's bug hunting team, Project Zero, aim to give insight into the question of exactly how much zero-day exploitation has grown in recent years.
[...] "We started seeing a spike early in 2021, and a lot of the questions I was getting all through the year were, 'What the heck is going on?!'" says Maddie Stone, a security researcher at Project Zero. "My first reaction was, 'Oh my goodness, there's so much.' But when I took a step back and looked at it in the context of previous years, to see such a big jump, that growth actually more likely is due to increased detection, transparency, and public knowledge about zero-days."
[...] While awareness and detection efforts have increased, James Sadowski, a researcher at Mandiant, emphasizes that he does see evidence of a shift in the landscape.
"There are definitely more zero-days being used than ever before," he says. "The overall count last year for 2021 shot up, and there are probably a couple of factors that contributed, including the industry's ability to detect this. But there's also been a proliferation of these capabilities since 2012," the year that Mandiant's report looks back to. "There's been a significant expansion in volume as well as the variety of groups exploiting zero-days," he says.
If zero-days were once the domain of elite government-backed hacking groups, they have been democratized, Sadowski says. Financially motivated digital-crime groups, some of which employ highly skilled hackers, have now been spotted using zero-days as well, at times for both traditional finance scams and other attacks like ransomware. And the rise of so-called "exploit brokers," an industry that sells information about zero-days and, typically, a corresponding exploit, has enabled anyone with enough money to wield zero-days for their own purposes.
[...] Zero-day vulnerabilities and exploits are typically thought of as uncommon and rarefied hacking tools, but governments have been repeatedly shown to stockpile zero-days, and increased detection has revealed just how often attackers deploy them. Over the past three years, tech giants like Microsoft, Google, and Apple have started to normalize the practice of noting when they're disclosing and fixing a vulnerability that was exploited before the patch release.
(Score: 5, Insightful) by Spamalope on Monday April 25 2022, @02:39PM (3 children)
As long as bad quality is a 'you' problem, and risky designs for glitz or feature creep are accepted this will escalate. For example, without viable alternatives what incentive is there for Google to invest in security, beyond what they need to protect their spyware exclusivity?
(Score: 2) by looorg on Monday April 25 2022, @02:47PM
The question sort of remains why. Is it just cause there is more software, more bad software too. Or is it just cause more people are looking than looked before and way back most software didn't have to bother with networking etc. Some combination of them. While I would like to think that more programmers previously were better than today's batch I just don't know. It seems to be the case but I just don't know for certain. There obviously seems to be a lot more bad ones.
(Score: 5, Informative) by canopic jug on Monday April 25 2022, @02:52PM (1 child)
In this case, Google is carrying water for M$. Follow the links and you will see that the Project Zero [blogspot.com] efforts spend a lot of time on Windows and Windows-based M$ products. To make matters worse, Google never recommends migration off of the dead end malware which is posing as an operating system. Dropping Windows from the desktop won't in and of itself make businesses, agencies, and schools secure, but it is a necessary prerequisite. Again, this is a staffing problem not a technical problem. Using a FreeBSD distro or a GNU/Linux distro is perfectly within reach of most businesses, if they fire the microsofters, the ones who sit on the payroll and use company money to sell M$ products from inside the perimeter, and hire one or more IT people in their place. This is especially important on the desktop.
Money is not free speech. Elections should not be auctions.
(Score: 2) by Gaaark on Monday April 25 2022, @10:06PM
I gave you a +1 Informative.
I also give you +1 Internets for your sig:
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Monday April 25 2022, @04:06PM
maybe it's because today the computer also controls money. for example "home" banking or that energy intensive, distributed alternative.
if it's just personal risqué beach holiday pics of the trophy ... spouse, pshaw, today we have xxx-hub or whatnot.
zero day used to be fun, for fun's sake and many a benign hack was introduced to sledgehammer justice. today, it's money and even ... blood and possible environmental disaster.
also the hammer now seems to swing both ways ... for sanctioned freedom and stuxtice.
(Score: 5, Informative) by hopdevil on Monday April 25 2022, @04:56PM
Once upon a time, it was accepted that vulnerabilities found by developers or security researchers were publicly disclosed, starting the 0-day clock. The community good will and kudos you got from improving open source software was payment enough. Of course there were always people that intended to exploit software.
Nowadays, people expect that bugs are worth something. Either bug bounties or third parties will buy them. The third parties are often reselling, but the bugs are still 0-day.
A side issue here is also the loss of community control of open source software. Since Google, etc. are the main developers of widely used software, the benefits of open, public disclosure are gone.
The idiotic CSO/CISOs which developed and run modern security programs at companies drove this shift
(Score: 5, Insightful) by lcall on Monday April 25 2022, @07:18PM (7 children)
This seems like a good reason for IT people to understand OpenBSD better, its motivations and usage patterns, given that it has had only 2 of the worst kind of security holes since ~1996, and therefore seems vastly safer against zero-days, including privilege escalation exploits, etc. An ounce of prevention is worth a pound of cure, no? https://www.openbsd.org [openbsd.org] .
(And corporations & others donating ( https://www.openbsd.org/donations.html [openbsd.org] ) to the project could also be wise, since they probably all benefit from things that come from the OpenBSD project, like openssh.)
https://www.openbsd.org/innovations.html [openbsd.org]
Just a fan.
(Score: 0, Disagree) by Anonymous Coward on Monday April 25 2022, @11:04PM (6 children)
The default install of MS-DOS has had 0 remote holes in the default install for an even longer period of time. I doubt anyone would claim MS-DOS is secure because of that. It is easy to be secure when you don't do very much. And by that measure, almost any OS you pick is going to be equivalent nowadays.
(Score: 1) by lcall on Tuesday April 26 2022, @05:53PM (5 children)
True, the default install is not as big as some, but it is also much more audited to avoid known problems. Then one can install binary packages from the ~11k available. The above (base and many packages) also benefit from pledge/unveil (where the kernel limits what apps can do, to what they say they will do, without user configuration required), privilege separation (again no extra config), lack of privilege escalation exploits, clean design, clear documentation, and the many other mitigations listed under the innovations link I included earlier.
It is not rare for issues to arise in all the other operating systems, and for OpenBSD users to realize: "not a problem, that was already fixed or mitigated or prevented in my obsd installation."
Yes there are limitations, as with anything. Only 1 user can run X at a time as far as I know (but that can be worked around with xauth or ssh); no bluetooth support; USB support isn't as broad (but can work if the device is supported in the drivers); and one is expected to read and understand the excellent instructions. But nobody else does what they do nearly as well, as far as I can see. Installation and upgrades are easy and have gone smoothly for me.
(Score: 2, Interesting) by lcall on Tuesday April 26 2022, @05:57PM (4 children)
(ps: the default install is also surprisingly capable, one might find.)
(Score: 0) by Anonymous Coward on Tuesday April 26 2022, @08:59PM (3 children)
How many remotely accessible processes does it install and set to autostart?
(Score: 1) by lcall on Tuesday April 26 2022, @09:59PM (2 children)
I could be wrong, as I don't do a lot of that now, but:
I think only sshd. There are many installed and available in base, but the intent is that a new installation is secure by default (so, limited), and as one enables services (or installs additional software), one can consider the security implications of each. I strongly consider that a good approach (as does the project). There is no need for tutorials, tips, and tricks on "how to lock down a new installation of OpenBSD". And each new service has a very low probability of security issues, uses privilege separation (so no root access after first few operations at startup), and most or all use pledge & unveil to limit their possible runtime operations to what they should be, even if they were compromised.
There are a number of them installed and available, but they would have to be enabled by changing a config file entry from NO to something else. There is more in the FAQs and manual pages. The services have reputations (at least on the mailing list I follow) for stability and reliability.
https://www.openbsd.org/faq/ [openbsd.org]
Like, do a Ctrl-F here for the letter "d" and see the many daemons available in base, in manual pages from section 8:
https://man.openbsd.org/?query=%3D&apropos=1&sec=8&arch=default&manpath=OpenBSD-current [openbsd.org]
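The pledge/unveil mechanism mentioned in the two lcall comments above (the kernel limits an app to what it says it will do, and a compromised service can only perform the operations it promised) follows a fixed pattern: read configuration while unrestricted, shrink the visible filesystem with unveil(2), lock that view, then drop to a small set of system-call groups with pledge(2). The skeleton below is an added example written for this page; it is not code from the thread or from the OpenBSD project. The paths "/etc/hosts" and "/tmp" are constructed sample values, and the no-op stubs are an assumption so the file also compiles on systems without pledge/unveil, where they enforce nothing.

```c
/*
 * Added example (not from the thread or the OpenBSD project): the order in
 * which a small OpenBSD service typically applies unveil(2) and pledge(2).
 * Both calls exist only on OpenBSD; on other systems the stubs below keep the
 * file compiling but enforce nothing.
 */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Portability stubs (assumption for non-OpenBSD builds): always succeed. */
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
#endif

/*
 * Restrict the process once initialisation is done.
 *   1. unveil(): the filesystem shrinks to the config file (read-only) and the
 *      spool directory (read/write/create). Every other path behaves as if it
 *      does not exist.
 *   2. unveil(NULL, NULL): lock the view so the process cannot widen it later.
 *   3. pledge(): only the promised system-call groups remain. A call outside
 *      them (execve, fork, ...) kills the process with SIGABRT rather than
 *      returning an error, so a hijacked service cannot quietly escalate.
 * Returns 0 on success, -1 with errno set on failure.
 */
int lock_down(const char *config_path, const char *spool_dir)
{
    if (unveil(config_path, "r") == -1)
        return -1;
    if (unveil(spool_dir, "rwc") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)
        return -1;
    /* stdio: basic I/O; rpath/wpath/cpath: open for read, write, create;
     * inet: IPv4/IPv6 sockets. The second argument governs execve and is
     * NULL here, so no child program can ever be started. */
    return pledge("stdio rpath wpath cpath inet", NULL);
}

/*
 * Try to open a path read-only. Returns 0 if it opened, otherwise the errno
 * value. On OpenBSD, after lock_down(), a path outside the unveiled set yields
 * ENOENT even when it exists and is world-readable.
 */
int probe_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Constructed sample paths: a config file and a spool directory. */
    if (lock_down("/etc/hosts", "/tmp") == -1) {
        perror("lock_down");
        return 1;
    }
    printf("inside unveil set,  /tmp -> %d\n", probe_open("/tmp"));
    printf("outside unveil set, /usr -> %d (ENOENT is %d on OpenBSD)\n",
           probe_open("/usr"), ENOENT);
    return 0;
}
```

The order matters: anything the service must read before it is restricted (its configuration, key material) is opened first, and unveil(NULL, NULL) must come before pledge() because the "unveil" promise is not included in the final promise string. Running the program on OpenBSD shows the second probe returning ENOENT for a directory that plainly exists; elsewhere both probes succeed because the stubs enforce nothing.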
(Score: 1) by lcall on Tuesday April 26 2022, @10:10PM
(ps: and maybe one has to update the firewall, pf. Also covered in the FAQs.)
(Score: 0) by Anonymous Coward on Wednesday April 27 2022, @04:23AM
Only sshd you say? Why, you almost got the point.