Security Incidents mailing list archives

Re: how often do 0-days REALLY happen?


From: Randy Taylor <rtaylor () enterasys com>
Date: Wed, 09 Jan 2002 12:56:39 -0500


The short answer is that 0-day exploits do happen, they
can be devastating, and it hurts - a lot. The good news
is they don't happen nearly as much as they used to -
thank the security community, which is more numerous and more
collectively vigilant than it used to be, and technology like IDS
and firewalls which will give you warning signs of general badness
heading your way even if they don't get the specifics of the attack.

FWIW, the last time I got 0-day'ed was in 1995 - a combination
of nfsshell (file handle guessing pre-fsirand), waterworks (does
anyone remember waterworks? It was a session hijacker), and
other evilness ripped the living daylights out of some of my
systems - the only tipoff I had was some TCP wrapper events, and I
wouldn't have had even that if the attackers had maintained their discipline.
So I set up a Network General sniffer and waited. I still have the
trace somewhere - I dig it up and re-run it every once in a while just
to remind myself how bad things can get, and how quickly it can
happen. Thanks to the trace, I was able to develop enough evidence
to positively identify the two perps. We were able to get one busted - the
other slipped away. I still keep track of the guy that got away to this
day - last I heard he was working for a managed security provider.
*chuckle* I'm real glad that particular company has nothing to do with
watching _my_ stuff. ;)

Hope this helps. 8)

Best regards,

Randy

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com