By Dr. Samir Kelekar, Senior Consultant, Indusface
Google announced a new project for funding vulnerability research, Project Zero. The main aim of the project is to make the web a safer place for users, by focusing more on “zero-day” vulnerabilities and “zero-day” attacks. Chris Evans, Researcher Herder at Google said that the objective of Project Zero is to significantly reduce the number of people harmed by targeted attacks.
Zero-Day Vulnerability refers to a vulnerability which is not known to the security vendors and therefore does not have a patch ready. This means that the vulnerability can be exploited by hackers to access the affected application’s data. The term zero-day is used since the security vendor has known about the vulnerability for zero days, therefore, has no fix for it.
When a zero-day vulnerability is exploited by the attacker, the attacks are referred to as a Zero-Day attack or threat.
To make things clearer, we will take you in more detail about Zero-Day Vulnerability and how it comes into existence. Weakness or a flaw in a system, which leaves it open to attacks by hackers, is referred to as a vulnerability. Software companies devote a lot of time and money to fix these vulnerabilities timely and before they fall in the eyes of cybercriminals…but coding is very complex, and sometimes a vulnerability can lie in the code without being detected for years. The most recent and common example of this is Heartbleed, a critical vulnerability which allows a malicious user using a client to get 64K of memory, containing sensitive data, from the server. While Heartbleed existed in the OpenSSL software for about two years back, it was discovered only in April 2014.
Once a vulnerability is found by the security vendor, they release a patch to fix it, as software updates. It’s as simple as that!
But complications arise when the vulnerability is not discovered by the good guys first. Normally, when someone finds a flaw in software which can potentially be exploited, they inform the respective software company so that it can be fixed. Many companies, including Google, offer financial and recognition related incentives in the form of “bug bounty” to such informers.
If the same flaw is discovered by a miscreant, s/he tries to use it for their personal gain and tries to keep the vulnerability hidden for as long as possible, thereby gaining the opportunity to exploit it to the maximum. Let us share an example of this scenario with you. In 2012, a hacker announced that he had discovered an XSS flaw in Yahoo which could be exploited to hijack Yahoo webmail user’s accounts. He announced that he was ready to sell the information about this flaw to a “serious contender” for $700. The reason for this specific request was that Yahoo at that time had been unable to find the vulnerability, and the hacker wanted to keep it this way as long as he could!
An attack which occurs due to the exploitation of a zero-day vulnerability is known as a Zero-day attack. Here the exploit happens on the “zeroth” day of a developer’s knowledge of the vulnerability.
Since you do not know about the vulnerability, you cannot protect yourself against it. However, there are certain steps one can follow for early detection or minimize the possibility of a zero-day attack:
Given that zero days may not be preventable even after all the standard precautions taken, one needs to check for the after effects and possibly catch them. For instance, what would a hacker do after he has breached the security after a zero-day exploit? He would possibly try to download the whole database of users or financial info in case of a website. A Data Loss Prevention product could possibly catch and prevent such downloads. One could also look for anomalies in logs. Some SIEM (security information event management) products have sophisticated log correlation capabilities that look for anomalies in traffic. With computing power and storage being available in plenty, there are companies which use machine learning techniques to look for unusual activities.
Find your website vulnerabilities with AppTrana Free Website Scan
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.