I miss the interaction that I used to have on Twitter.
Now that the only way I can get it during the day is via my phone, it is much harder to follow and participate in the conversations. Recently I’ve been trying to do a little more but with limited success.
Then, last night I posted a query looking for stats regarding malware infections on fully patched systems with up-to-date AV signatures. Man, did I land a big one.
Josh Corman (@joshcorman) of the 451 Group apparently was hovering about 10 feet deep next to the ole oak tree that fell in the lake last year. As soon as the lure hit the water, he had it and was off and running.
We ended up having a pretty decent conversation about this, and he gave me some good stuff for a report I’m working on.
Then today I posted the following question on Twitter:
- What is your definition of a zero day?
It had barely hit the Twitterverse before Josh was off and running with it again. We ended up trading a few DMs and it went so well that I posted the question again, and this time it landed in a school of largemouth bass.
They were all over it like white on rice. I’ve included them below for you to see. Most of them were keepers, but a couple were too puny to keep so I threw them back.
Why did I do this, and why do I think it’s important? I did it because of a conversation I was in at work. There was a little disagreement on exactly what a zero day was, and I wanted to get the input of those who follow me on Twitter.
They are men and women who know security from many different angles, and I wanted to see what kind of similarities and differences I would run into from different perspectives. I also was hoping to spur conversation.
Conversation is key to making security work in the big picture. That’s why I find so much value in participating in Twitter. I love how Security Professionals have latched on to Twitter and use it as a venue to have good solid conversations.
I’ve added a few thoughts of my own under some of the tweets. So feel free to read along and if you want to join in please do. Tweet me @andywillingham, email me andy dot itguy at yahoo dot com, leave a comment on this post, or blog it on your blog.
lonervamp
@andywillingham I also don’t really use the term outside other sec geeks. It’s otherwise always "unpatched vuln. exploit in wild."
The term has a good FUD factor for Senior Management
»
lonervamp
@andywillingham I *do* get how some define 0day with the key phrase "previously unknown," however. Either by vendor or public/defender.
»
Wim Remes
@andywillingham release of working exploit code for an unpatched vuln, optionally with a side of narcissistic wanking.
»
lonervamp
@andywillingham my POV is of defense or even attacker. I don’t much care if the vendor knows. I’m still at risk as if they didn’t.
»
lonervamp
@andywillingham 0day: a vuln without a patch or official fix. So even if known, it’s 0day to me until official response.
It’s hard to patch what doesn’t have a patch.
»
bug_bear Tim
@andywillingham Media hype for an unpatched vulnerability being exploited.
If it wasn’t for the media the term “Zero Day” probably wouldn’t have caught on.
»
WeldPond Chris Wysopal
@joshcorman @andywillingham AV industry calls 0 day malware "custom".
Sounds like “The Spin Zone” to me
»
joshcorman Joshua Corman
.@andywillingham I "love" how we think Vuln 0day is sexier. Since AV is so reactive isn’t most malware ~technically~ 0day?
At least most new malware. And even if a patch is out, it’s not doing much good if it’s not deployed.
»
timdafoe Tim Dafoe
@joshcorman @andywillingham Must it truly be "actively exploited"? What about an unused working exploit being held in reserve?
»
wikidsystems Nick Owen
RT @andywillingham: No one else has an opinion on what a zero day is? < the conference day when the press release goes out?
There is a lot of truth in Nick’s statement.
»
armorguy Martin Fisher
@andywillingham Zero Day??? Hmm… Wasn’t that Elvis Costello’s second album? Or was that CCRs? I forget…
This is one of those that I mentioned being puny.
»
negativeindex Donald Rudder
@andywillingham sorry. Vulnerability being exploited but not disclosed to the wider security / user / vendor community.
»
pjvela PJ Velasco
@andywillingham I would say a zero day is the announcement of a formally unpublished exploit that makes use of an unpublished vulnerability
This is where some start to split hairs. We have an exploit and a vuln, but the exploit may not be in the wild.
»
JoelEsler Joel Esler
@andywillingham a vulnerability previously undisclosed and in use. Without it being in use, it’s just a disclosure.
I like Joel’s thoughts about the difference between in use and disclosure.
»
pauldotcom Paul Asadoorian
@andywillingham The day before 1
»
joshcorman Joshua Corman
RT @andywillingham: What is your definition of a zero day? <- Active exploitation of a previously unknown/unpublished Vulnerability
Cross Posted from http://www.andyitguy.com/blog/?p=961