Monday, 24 October 2011


It is a different world. Forget the 30,000 people in “computer security” that the PLA has in China wearing uniforms. Think of the 150-160k external “consultants”. These are people with Microsoft, Adobe etc. source code. They know zero-days before we do. This is the thing: it is a different world. When we find zero-days, expect that others have been using them for months.

Basically, there is a team larger than Microsoft's entire workforce whose goal is finding and exploiting vulnerabilities in computer systems. These are generally Microsoft systems, as there are simply more of them: you attack the system with the largest user base to get the best return on investment.

Basically, China has many times as many people looking through the source code as Microsoft does. That source code was supplied to the Chinese as part of the conditions of doing trade in China. The result? Well, there have not been many formal vulnerability releases by the Chinese government.

So we have around 10 Chinese software testers for each person coding in Microsoft, and yet Microsoft finds bugs, external parties find bugs, but the Chinese groups do not?

Well they do not release them at least.

Generally speaking, and from the perspective of criminal groups, zero-days are the last issue we need to concern ourselves with.

This is a little different when we look at state-players.

These Chinese groups have yet to issue a single CVE for all the effort they expend on analysing the source code that Microsoft and others have provided.

Knowing of a vulnerability and defending yourself against its exploitation is one thing, but there are many skilled groups in China. It is not too difficult to create vulnerabilities given source code and time.

We keep wondering how

I find it remarkably surprising that we wonder, time and again, how systems are exploited and data exfiltrated from locations in China, while ignoring the fact that China is expending MORE effort than Microsoft and the rest of the information security world combined on looking for vulnerabilities in the Microsoft software platform, and yet is not actually releasing any vulnerabilities.

Food for thought.

