This document discusses zero-day vulnerabilities and the zero-day market. It describes what a zero-day is, how they are obtained and traded, various players in the zero-day industry, and programs that pay for the discovery and disclosure of zero-days. The document also notes that many security companies acquire startups to expand their solutions, and while companies invest in security, common issues still exist like weak passwords and misconfigurations.

1. hacking/cracking
the other side of the story
jim geovedi
guide to ict megatrend
31 January 2008 — Hotel Shangri-La, Jakarta

2. ‣ information security
‣ 0-day vulnerabilities

3. infosec ≠ satpam
‣ current trends: identity thefts, botnet,
mobile communication hacking, 0-day
vulnerabilities, corporate espionage,
wiretapping

4. industry status
‣ big security companies acquire small
start-up or spin-off companies to offer
more solutions
‣ "palugada" propaganda

9. software
development
‣ cheap software development?
outsource to india or china!

10. security investment
‣ companies bought a lot of security
devices or applications
‣ firewall, anti virus, spam and content
filtering, ids, ips, patch management,
etc.

11. common issues
‣ companies do not have enough
resources.
‣ vendors re-introducing:
‣ weak and easy guessed passwords
‣ clear-text protocols
‣ misconfigurations

12. ‣ information security
‣ 0-day vulnerabilities

13. ‣ 0-day, pronounce zero-day, sometimes
oh day, means new.
‣ the term has it's origin in the warez scene,
but has become firmly entrenched in the
exploit trading scene.

14. ‣ 0-day is used to refer to exploits,
software, media or vulnerability
information released today and those
that have not yet released.

15. vendor noticed patch released
intrusion
time
value life cycle of 0-day
(quick response from vendor)

16. vendor noticed patch released
intrusion
time
value life cycle of 0-day
(very late response from vendor)

19. ‣ 0-day users: intelligence agents,
professional penetration testers, product
vendors, random hackers/crackers

20. obtaining 0-day
‣ conducting research (source code/
binary audit)
‣ share/trade between friends
‣ install honeypot
‣ buy from 0-day brokers

21. market
‣ current 0-day business model is
considered weak
‣ the auction model

22. the players
‣ corporate: ISS, eEye, iDEFENSE,
TippingPoint (3Com/ZDI), Immunity,
Gleg, Argeniss, wabisabilabi, etc
‣ group or personal: cirt.dk, piotr bania,
inge henriksen, mario ballano, neil kettle,
etc.

23. programs
‣ https://labs.idefense.com/vcp/
‣ http://www.wslabi.com/wabisabilabi/
rrp.do?
‣ http://www.zerodayinitiative.com/
details.html

24. prizes
‣ remote arbitrary code execution vulnerabilities
in specified e-mail clients and servers (outlook,
outlook express, thunderbird, sendmail,
exchange)
$8,000 - $12,000
‣ remote arbitrary code execution vulnerabilities
in specified critical internet infrastructure
applications (apache httpd, bind, sendmail,
openssh, iis, exchange):
$16.00 - $24.000

25. how many?
‣ every complex software have bugs
‣ we should assume every popular
application exist has at least one 0-day
exploit in wild
‣ professionals keep their own 0-day!

26. fin.
jim@geovedi.com