Zero-Days Doubled In 2015, More Companies Hiding Breach Data, Says Symantec (csoonline.com)
Reader itwbennett writes: According to a new report by security firm Symantec, 54 zero-day vulnerabilities were discovered in 2015, more than twice as many as in 2014, and the number of breaches -- 10 million records -- also hit a record high. Driving this is a new professionalism in the market. "People figured out that they could make money by finding zero-day vulnerabilities and selling them to attackers," said Kevin Haley, director of security response at Symantec. "So there became a marketplace, and these things started to have value, and people started to hunt for them." At the same time, 2015 saw another disturbing trend: The number of companies choosing not to report the number of records they have lost rose by 85 percent (from 61 in 2014 to 113 in 2015). "More and more companies aren't actually revealing what was breached," said Haley. "They will say attackers came and stole from us, but not saying how many records were lost."
Lost my breach data (Score:5, Funny)
Make it undesirable to exploit zero days (Score:1)
Pass laws and international treaties agreeing that people who exploit zero days will be punished severely enough to deter criminals from carrying out their attacks. I recommend they be executed for their crimes. The best approach might be a combination of crucifixion and being burned at the stake.
Re: (Score:3)
Re: (Score:2)
Death Penalty isn't to deter crimes, though that may actually be a side benefit. It is actually a form of punishment. However, as sparingly used as it is, you might as well do away with it. Since it often takes 20 years (or more) to get through the process of the death penalty it actually doesn't serve as punishment either, so you might as well do away with it. Since there are quite a number of people who have been convicted of crimes they didn't actually commit, you OUGHT to do away with it.
I do believe in the
Re: (Score:3)
1) is bullshit. Heat of "passion" is a crap of an excuse. I once saw a dude beating up his girlfriend. I stopped my car, got out and got in between them. He said she made him mad and that is why he was beating her up. I pushed him really hard and asked him if that made him mad. He said yes. I said why aren't you hitting me? It was because I was 9 inches taller and about 70 lbs of muscle more than him. People CAN control their passions, they just choose not to when there is no danger to them. It is also why I am
Re: (Score:3)
You mean like how the death penalty has stopped anyone from ever murdering again?
Yep, that's the thing...most people who commit crimes don't think they're going to be caught. Dire consequences like the death penalty don't seem to deter people, even from premeditated murder, which you would think would be the kind of murder that people would be prevented from committing.
(Or, maybe it does in some cases, but we don't hear about murders that weren't committed because of the law. How would we know?)
But yeah, in general it doesn't seem to be much of a deterrent.
Re: (Score:2)
Re: (Score:2)
No, I don't think I won't get caught next time - I just consider it "totally worth it". I effectively pay the state $150-250 once every few years, in exchange for saving myself ten days off my daily commute (over the same threeish years between tickets). Realistically, I would need to get nailed f
Re: (Score:3)
Severe punishment is not a deterrent.
Knowledge that one will almost certainly be caught is a deterrent.
Getting caught is only half of it. They must face punishment and quickly. Word spreads among the criminal community and that is a deterrent. Dead people tell no tales, and they don't serve as a warning.
Every so often I see on one of those news programs where they go into a prison and talk to people on death row and/or serving life in prison. I wondered why they did this. It was only fairly recently I realized this. People don't see prisons, they don't see prisoners. I'm a rare person that has worked
Re: (Score:2)
As I see it, they should in general apply the same rules.
If you got in without permission, but you didn't break anything. Trespassing.
If you got in and broke the server/software. Breaking and Entering
If you stole data, theft (based on the value of the data)
If you sold the data corporate espionage.
In general it would be the same laws of old as if you entered a building and started sifting through the paper files, or changing data etc....
Now if a shop locked their door, but they broke in due to a known but unrepor
Re: (Score:2)
It won't work because criminal activity is either part of the shadow economy or part of the security services or both in most places.
I'd guess Western Europe, North America and parts of Asia-Pacific already have laws like this and will generally play ball with each other's law enforcement systems. In "important" cases, some non-aligned states may be vulnerable to diplomatic pressure.
But by and large, China and its client states and Russia and its client states will never agree to this, as will the US in most
Driving this is also more data collection (Score:2)
More and more ill equipped and security unconscious duds collecting any and all kinds of data while having not the foggiest clue about securing it adequately.
And this will not change. Mostly because the only one who could, the government, by issuing laws that break the idiots' backs if they are too stupid to secure what they collect, have no interest in breaking their OWN back.
Re: (Score:2)
This will change when people who have their data exposed can sue both those that exposed the data, and those that buy/use it. We should quit trying to stop these assholes, and just try to take the profit out of their side of the equation.
Re: (Score:2)
This will not happen. The governments are among the biggest data collectors and they have just recently shown just how good they are at protecting it.
You think they will make a law that essentially cuts them the most? Really?
Re: (Score:2)
The governments are among the biggest data collectors and they have just recently shown just how good they are at protecting it.
And this is tyranny. Nothing less. And yet, many people continue to support it. Something about the devil you know vs the devil you don't.
It was here, then it was gone. (Score:1)
What's going on with Slashdot stories that get posted and then deleted?
Should be trending down, not up (Score:3)
The number of zero-day exploits should be trending down, not up.
Supposedly software and development tools are becoming more mature and programmers are gaining more experience (ostensibly reducing the amount of code that's susceptible to zero-day exploits), but this is obviously not the case.
As for prevention via the law, I doubt any penalty could or would be severe enough to dissuade anyone from using a zero-day exploit they found or bought, so I don't think a legal solution (i.e. prosecution, jail time, etc) is ever going to work.
I doubt even the threat of the death penalty would do it, because most people who commit crimes don't think they're going to be caught.
Re: (Score:2)
Well customers are demanding more Cloud/Remote hosted systems than systems that they can install on their internal network or their own PC's. A lot of these Mature Programmers are used to making applications based on Local systems access, where backdoors are just part of the design. They will rarely plan out the entire process. Sure the New tools may prevent buffer overflows, and SQL injections... However that feature that needs to solve a problem, just may open a door to an attack. An improperly c
Programmers with desktop mentality, little trainin (Score:3)
> A lot of these Mature Programmers are used to making applications based on Local systems access ...
> Also most of these apps are based on Older Code sets, Taking a PC App and just changing the UI to be Web Based.
Yep, many programmers are reasonably competent for desktop programming, where the user is trying to make the program work correctly. They are trained in and don't think with the mindset that "users" are attacking the software daily, trying to find ways to make it fail. Because Windows is th
are NOT trained in "users are attackers " (Score:2)
I left out the word "not". People with desktop programming experience think of the input as coming from a friendly user, NOT from an attacker who is trying to break things.
Re: (Score:2)
Rule #1: NEVER trust the network. NEVER.
Rule #2: See Rule #1.
Re: (Score:2)
The number of zero-day exploits should be trending down, not up.
Let me rephrase the article headline for you: "You need X! Says seller of X"
Re: (Score:2)
Let me rephrase the article headline for you: "You need X! Says seller of X"
Where can I buy this wonderful "X", it sounds like I need it ASAP!!
Re: (Score:1)
Re: (Score:2)
and programmers are gaining more experience
But there's a constant influx of new programmers with no experience.
Re: (Score:2)
But there's a constant influx of new programmers with no experience.
Damn...what can we do to stop all these goddamn &#$@! newbies from polluting our pristine pool of programmers??
Re: (Score:2)
At best it might show that more people are looking for vulnerabilities.
Ironic (Score:3)
Re: (Score:2)
It's just you, Symantec (Score:1)
They're just hiding it from you.
Time for compulsory disclosure (Score:5, Interesting)
It seems to be in the interest of the general good that companies be legally compelled to disclose when they have been breached as well as the extent of the breach. If nothing else, this will enhance the "Free Market" by driving people away from companies that are irresponsible.
Therefore, I predict a number of marionettes-err-congress critters-err-politicians will be against this idea.
Re: (Score:3)
Maybe if you included a clause that they can't get sued for repercussions of revealing that information...
Re: (Score:2)