Zero-days? Sexy, sure, but crap passwords and phishing are probably more pressing

Security experts poke holes in RAND vulnerability study

A new study from RAND Corporation concluded that zero-day vulnerabilities – security flaws that developers haven't got around to patching or aren't aware of – have an average life expectancy of 6.9 years.

The research, based on rare access to a dataset of more than 200 such vulnerabilities, also looked at how frequently the same holes are found by different groups. The rarity of independent discovery and the long half-life of defects mean it can make sense for some organisations with a dual offensive and defensive role (intel agencies) to stockpile vulnerabilities, the researchers argue.

The long timeline plus low collision rates – the likelihood of two people finding the same vulnerability (approximately 5.7 per cent per year) – means the level of protection afforded by disclosing a vulnerability may be modest, and that keeping quiet about – or "stockpiling" – vulnerabilities may be a reasonable option for those entities looking both to defend their own systems and potentially to exploit vulnerabilities in others.

"Typical 'white hat' researchers have more incentive to notify software vendors of a zero-day vulnerability as soon as they discover it," said Lillian Ablon, lead author of the study and an information scientist with RAND, a nonprofit research organisation. "Others, like system-security-penetration testing firms and 'grey hat' entities, have incentive to stockpile them. But deciding whether to stockpile or publicly disclose a zero-day vulnerability – or its corresponding exploit – is a game of tradeoffs, particularly for governments."

Of the more than 200 real-world zero-day vulnerabilities and the exploits that take advantage of them analysed by RAND, almost 40 per cent are still publicly unknown.

The study is one of the most comprehensive of its type and its release, just two days after revelations about the CIA's cyber arsenal of hacking tools, is timely. Security pundits were quick to point out that issues such as weak password security, phishing and failure to apply available patches are all far more important risk factors than the "sexy" but somewhat hyped field of zero-day vulnerabilities.

Javvad Malik, security advocate at security dashboard firm AlienVault, commented: "Zero-days aren't so much a concern for average users. Cybercriminals tend to go for tried and tested methods to attack users and have built pretty efficient processes around it, e.g. phishing or ransomware. Larger enterprises such as financial services, critical national infrastructure, and governments are usually the ones that need to factor in zero-days and targeted attacks in their threat model."

Craig Young, security researcher at security tools firm Tripwire, questioned the study's methodology. "This study from RAND is very unscientific for several reasons," he said. "First, they are looking at only 200 vulnerabilities which is a small percentage of the number of vulnerabilities being discovered each year."

The CVE project, which documents just a portion of publicly disclosed vulnerabilities, had 6,435 identifiers released in 2016 plus as many as 3,500 additional identifiers that were assigned but have not yet been revealed publicly. This is in addition to an unknown number of vulnerabilities discovered by hackers with no intention of disclosing them.

"Another big problem with the study is that statistics such as the median time of 22 days to develop an exploit are incredibly misleading because vulnerabilities can be drastically different in terms of exploitation complexity," Young added. ®
