With what intention was Zero Day Initiative (ZDI) created, have you asked yourself? It isn’t hard to guess that it is made to make the whole Internet security better. Of course, also for making technology community safer for computer users. By giving the affected vendors the opportunity to issue solutions to end users, it ensures responsible disclosure of vulnerabilities. ZDI is giving advance notice to the other security vendors, in which way their customers may receive quicker and more effective protection responses from those vendors. It also gives participating security and TippingPoint (providing customers with Zero Day Protection).
At some point people got the whole idea of ZDI wrong, thinking it’s encouraging them to violate the license applicable to vendors’ product. This is a huge misunderstanding. They are actually encouraging security researchers and individuals who became aware of zero-day and software vulnerabilities to participate in a program. That will be for their own financial benefit and of course, vendor, security, and end-user communities.
In the beginning of Bug Hunting, there was a backup. The first advisory by ZDI in 2005 Symantec’s VERITAS NetBackup program. Not created for Windows, Apple, or something everyone would expect. The first ZDI advisory detailed a remote code execution vulnerability providing information to where people go to the patch and correct it. As I mentioned Windows and Apple (for example), everyone expected that only big vendors are popular, but it’s important to remember that they are not alone. Just to name a few others-Motorola, BitTorrent, Lexmark…
As most people tend to use a web browser while online, it’s obvious that the browsers are in the bullseye. In that case, it’s the browsers that are the popular target for researchers and attacks alike. 16% of all submission of the ZDI is related to a browser. But, not all the submissions they receive actually become patches. 42% end up being rejected. Sometimes the bug is not valid, or it doesn’t lead to code execution. But once when the researchers determine the submission is legit, they fully document the bug before reporting it to the vendor.
As it all started in 2005, they’re not done yet. In 2016, ZDI paid out $2 million for vulnerabilities, publishing 674 advisories last year. There are now 379 advisories pending disclosure, so it’s supposed and expected that 2017 will be the same, and efficient year.
They are actually looking to put a pressure on software vendors who procrastinate on fixing security flaws. By a program which purchases the right to the vulnerability information (TippingPoint), exchanging for exclusivity to broker fixes with affected vendors.
Well, I might say that first of all, it’s for the best to meet the enemy. Who are hackers and how many types of attacks do exist?
There are many of sneak attacks malicious hackers’ use, so it’s better to get to know the facts for your cyber and social security.
Hackers have been using filename tricks with which they execute malicious code since the beginning of malware. Naming the file somehow that will attract people to click on it (for an example-porn is used often), If you click on that item, you know you’re trapped! Never click on the suspicious item and always follow the instructions of internet security tips, also for mobile phones and Android. Another stealth trick of hackers is using an operating system against itself, a file location trick (”relative versus absolute”). So, if you want to run a built-in, harmless Windows paint.exe, when you click and try to open it, hackers can make the same icon with the same name, but won’t be your paint.exe. It will be something much worse-the bogus copy. They also do host-file redirecting, waterhole attack (poisoning the location of people who meet there every time to achieve malicious objectives), browsers cookie theft and list goes on. If you are familiar with these topics you won’t miss a danger when you see it.
So, after all, yes-the bug bounties are security’s best friends making the world a safer place, especially Zero Day vulnerabilities. At first, it may sound like a gift to cyber criminals. Rewarding people to reveal new software flaws really sounds like that. But they are, of course, great for business to encourage security researchers to find online vulnerabilities and disclose them in a secure and responsible way, before the criminals do it. In that case, they are also preventing the breaches and making sure their customers and products are safe. Using the technologies that have the best security intelligence in them is the big part of defending their company. They need it to defend against attacks while they’re patching their infrastructure.
Why should you patch and why don’t users patch? It is important to update the system with the latest security patches to be protected against attacks that exploit the vulnerability. If you don’t, you are risking of malware attacks that use software exploit. So, why aren’t all users doing it? They say that the updates take too long, that they don’t see any benefit from it (you will see the benefit when it comes too late-don’t do that to yourself!)… Don’t let yourself to get the ”best lesson” from life-”Looking at the past and learning from it, to know what to expect in the future”. Well, this surely is a great lesson but for serious users and companies which track hackers and watch their actions. Also great for those who care about the internet security and social security, for those who want to end massive cyber-attacks and malicious hackers. Learning something is great, but practice makes perfect. Practicing fast, and always being one step in front of every threat. Go on, Zero Day Initiative!
The most vulnerable software in 2015 were: Mac Os X, Iphone Os, Flash Player, Ubuntu Linux, Air Sdk, AIR, Air Sdk & Compiler, Opensuse, Debian Linux and Internet Explorer. The list of top 10 with most security flaws in 2016 were: Android, Debian Lux, Ubuntu Linux, Flash Player, Leap, Opensuse, Acrobat Reader Dc, Acrobat Dc, Acrobat and Linux Kernel.
And don’t forget to uninstall what you don’t need from your computer and automate your software updates!