Category Archives: Security

Stuxnet Analysis (0-day edition)

This is becoming a point of curiosity for me. A 0-day attack is one that no one is ready for because no one has seen it before: no countermeasures are prepared and no detection is known. That raises the question: what do you really know about your environment?

I know it’s uber sexy to talk 0-day, but is that really what makes Stuxnet dangerous? It looks like a symptom to me, but not the problem.

First, the Windows Print Spooler exploit was from 2009. Stuxnet spread using this known flaw, which had not been patched. That makes it three 0-days at best, not the reported four. Microsoft claimed it only heard about the flaw in late 2010 and fixed it 13 days later. I’ll spare you the rant, but guess who really argues the case to call things a 0-day?

See “Print Your Shell” in the September 2009 edition of hakin9 magazine.

Second, not all the Stuxnet vulnerabilities were 0-day. It made use of more than just the four infamous vulnerabilities; the RPC vulnerability, for example, was from 2008.

Third, even on a perfect day we expect malware detection to catch less than 80% of what it sees. So what does a 0-day really represent (assuming you still believe the three are truly 0-day)? We have dealt with 0-day attacks for ages (depending on your definition, of course), and yet known vulnerabilities (non-0-day) also have a very high probability of working. A 0-day may not be as serious as other vulnerabilities. I believe they play a secondary, or even a supporting, role.

What I mean is that the Stuxnet authors knew an awful lot about their target environment. We can talk all day about the probability of a 0-day relative to known vulnerabilities, but what really defines this Stuxnet attack vector as dangerous is knowledge specific to operations. The danger is that the attack is able to get insider knowledge…trusted access and detailed information. The ability of an attacker to conceal themselves after the breach is thus also a symptom, rather than a primary characteristic of the threat.

A good defensive posture will treat this as a development of insider-based risk, which requires security information at least as good as the attacker’s, as I tried to explain in my presentation at RSA 2010 in London. Know your environment.

Here is a classic targeted attack example from this past weekend in Australia:

The University of Sydney (USyd)…website was last defaced Friday night with a message claiming that Jie Gao, the university’s UNIX systems administrator, is incapable of securing the web server.

That message obviously is not meant to say it is theoretically impossible to secure a web server, given the inevitability of 0-day flaws. It is to accuse an administrator of not knowing their environment. Major differences from Stuxnet can be found in this attacker’s means, motive and opportunity, but probably not in methods.

It might seem like a tangent, but the TED presentations by Hans Rosling make an insightful and powerful observation on this topic. He went to fix the equivalent of 0-day health risks in Africa using modern medicine, but realized that the greatest threat was not an unknown virus or a lack of sophisticated technology. Once he began to study the environment, he found that preventing common malnutrition is a more effective way to improve child survival rates.

What risks are you running in your environment?

Cyberwar is Cyberhyped

The BBC says the terms “Cyberwar” and “Cyberattack” are used without reasonable definition. More importantly, in the big scheme of disasters, they say a high-impact, high-severity event is not something to worry about.

The Organisation for Economic Cooperation and Development [OECD] study is part of a series considering incidents that could cause global disruption.

While pandemics and financial instability could cause problems, cyber attacks are unlikely to, it says.

Instead, trouble caused by cyber attacks is likely to be localised and short-lived.

Unlike many of those who warn of Cyberwar, the authors of this study (Peter Sommer, LSE and Ian Brown, Oxford) do not seem to have a related book for sale.

You may be wondering whether the OECD has made predictions before, and whether they have been accurate. Twice a year, they publish projections for the world economy. A study in 2007 by the Economics Department, which they call a post-mortem for growth predictions, vaguely suggests an answer:

Regression analysis suggests that both OECD projections and Consensus Economics forecasts add value to naive forecasts

To sum it all up, cyberwar (properly defined) is unlikely but countries will still get value from the careful study of cyberattacks. A cynic might say: The authors are not selling a book to the public; they are selling research to state leaders.

Risk Research on Bat Survival

Research on beavers reintroduced into Poland’s forests suggests that their logging and dams help bats find insects:

We aimed to test the hypothesis that beaver activity promotes new foraging sites for insectivorous bats. The beaver’s influence can be especially significant on aerial hawkers that prefer moderate structural clutter, like the Pipistrellus species (by creating new canopy gaps), and on water-surface foragers, like Myotis daubentonii (by creating ponds with smooth water surface). The study was conducted on small streams in forest areas of northern Poland, which were colonized by the European beaver (Castor fiber). Bat activity was recorded with a Pettersson D-980 ultrasound detector on line transects. The number of bat passes was significantly higher in the stream sections modified by beavers (flooded and subjected to intensive tree cutting) than in the unmodified sections (for Pipistrellus nathusii, Pipistrellus pipistrellus, Pipistrellus pygmaeus, Nyctalus noctula, and all species lumped together).

On the other hand, research on wind turbines and wind farms shows that they disturb insect patterns and kill bats:

We suggest that mortality of bats at wind turbines may be linked to high-altitude feeding on migrating insects that accumulate at the turbine towers. Modern wind turbines seem to reach high enough into the airspace to interfere with the migratory movements of insects. The hypothesis is consistent with recent observations of bats at wind turbines. It is supported by the observation that mortality of bats at wind turbines is highly seasonal (August–September) and typically peaks during nights with weather conditions known to trigger large-scale migratory movements of insects (and songbirds).

US Military Counters Dr. Strangelove

A short film titled “SAC Command Post” from 1963 has been posted by the National Archives. It tries to play down any possibility of unauthorized U.S. nuclear strikes:

U.S. Air Force Special Film Project 1236, “SAC Command Post,” n.d, Produced by Air Force Audio Visual Service (Military Airlift Command), 1365th Photo Squadron

The National Security Archive refers to it as “The Air Force versus Hollywood”:

To refute early 1960s novels and Hollywood films like Fail-Safe and Dr. Strangelove which raised questions about U.S. control over nuclear weapons, the Air Force produced a documentary film–“SAC [Strategic Air Command] Command Post”–to demonstrate its responsiveness to presidential command and its tight control over nuclear weapons.

Watch and learn how power to preserve order is the “only way to world peace”:

Reel 1 of 3


Reel 2 of 3


Reel 3 of 3