Phishers Pushing Zero-Day Attacks Further
eSecurityPlanet Columnist Ken van Wyk talks about the difference between zero-day attacks and neg-day attacks... and how phishers are making everything worse.
Let's start with my choice of nomenclature.
In my previous column, I described how phishing attackers are pushing the zero-day attacks further. This term seems to me to be at the heart of the confusion, although it is aside from the main point that I wanted to make. What I've always considered to be a zero-day vulnerability is one the product vendors learn about on the same day it's announced on various full-disclosure forums. In other words, the vulnerability is disclosed to the public and the vendor at the same time.
This is in sharp contrast to what I described as a 'neg-day' attack in which the attackers are actively exploiting a vulnerability well before the vendor learns of it. This is because, in my mind, a virtual stopwatch starts ticking at time zero the moment the vendor is notified of the vulnerability. Exploits prior to that zero event are thus in negative time by my view.
More to my point, whichever of these definitions you subscribe to, the main issue I raised in my column remains the same.
With the amount of money the phishing community is clearly stealing from people, the attackers have ample resources to be actively searching for new, undiscovered (and undisclosed) security defects in popular software. That is to say it is highly likely they are no longer just the consumers of vulnerability information that gets discovered and disclosed by others. They are the producers of new vulnerability data. (I'll again point out here that I have no first-hand knowledge of this, but I believe it to be reasonable conjecture.)
So why is this such a big deal?
Well, in the past, many so-called 'security researchers' have largely acted on a code of ethics. Even those who ardently believe in full disclosure by publishing their findings and, quite often, accompanying exploit code have done so in the belief that they are providing a valuable public service. Their aim, whether you agree with their actions or not, has largely been to improve the security of the Internet.
Now, enter the meteoric rise of phishing and its vast monetary harvests and you introduce pure, unadulterated evil into the equation.
It should be obvious to all that it is in the phishers' best interests to not disclose any information about the product security defects they exploit. Further, the phishers are clearly a profit-motivated group. The situation now has swung from one in which security researchers are trying to improve security to one in which the attackers are actively trying to erode security. Outside of the attackers, no one stands to gain from this scenario, even indirectly.
So, whether you call them zero-day attacks or something else, there's a new and much nastier attacker out there these days, and I sure don't think this falls into the category of being 'FUD'.
What can we do about it? How do we protect ourselves from this type of evil?
Well, the answer involves various aspects of security. At a local PC level, I'm a firm believer in reducing our vulnerability exposures to the world. Keeping software versions and patches up-to-date, for example, is a good starting point, as is making use of firewall technologies and such.
Next, since the attack vector provided to the phishers by most of the world consists of the ever popular Outlook/Internet Explorer combination, I like to do what I can to differentiate myself from the herd. This is the inverse of Dan Geer's (et al) monoculture research in which he claimed that we reduce the overall security of the community by all (or nearly all) running the same software with the same weaknesses. That is, one novel attack can do great harm to a community that are all vulnerable to the same thing.
To that end, on my workhorse laptop, I've completely abandoned the use of both Outlook and Internet Explorer. In their place, I like to see almost anything that's less popular: Eudora/Thunderbird and Firefox/Mozilla, for example. That's not to say these products are without vulnerabilities, but they're not the principal targets of the attackers... at least not yet.
Make no mistake about it, these are not solutions to the phishing problem. At best, they're just stopgap measures that make my PC a little less vulnerable than the ones other people are running. As I've said here before, I am convinced the only way of really addressing the problem is to improve how we produce software. That's a long battle that is only in its formative stages right now.
In the meantime, I'll keep doing what I can.