Talking about Risk
admin, July 15th, 2009
by William Murray
Not so long ago, but in a different era, the rogue hackers were building tools to automate the creation of viruses and worms to exploit newly publicized vulnerabilities. They boasted that these tools were enabling them to develop malicious code faster and faster and that soon they would be able to create an attack within twenty-four hours of the identification of a vulnerability. Thus was born the idea of the “zero-day” attack. Note that “zero-day” is a term of art, that it modifies attack, and that it is relative to the identification of the vulnerability.
While it is sometimes used to refer to a previously unknown vulnerability, the words have no meaning in that context. “Zero-day” relative to what? To yesterday? The term has lost its original meaning without gaining a new one. It became an expression that not only carried no meaning of its own but confused the meaning of any terms with which it was used. This aggravates the general problem in security that our terms of art, e.g. threat, attack, vulnerability, and risk, are used without distinction, not to say interchangeably. Multiple times a week I find myself parsing quotes about security in the media, in a sometimes vain attempt to figure out what the source intends.
One of our colleagues, asked by a reporter to name the three biggest threats confronting enterprise for the coming year, glibly listed three vulnerabilities. These were notable more for their novelty than their importance.
Today everyone who describes a method of attack seems to feel compelled to give it a cute name that distinguishes it from all others. Therefore, we now have “phishing” and “spear-phishing” to distinguish between bait attacks based upon whether the targets are random or chosen and whether the bait appeals simply to the greed, lust, fear, and sloth of all, or contains some information specific to a target of choice. I do not argue that the distinctions may not be useful, so much as that we do not need cutesy names for them. Do we really need “Bluetooth Snarfing” to refer to an attack for which there is only a proof of concept, little economic motive, which exploits an implementation-induced error in the way vendors implement sharing, and to which Bluetooth is merely incidental?*
We now use the names of attacks, for example “buffer overflow” and “cross-site scripting,” to describe, not even qualify, the vulnerability, “unchecked inputs.” Now, not all “unchecked inputs” are vulnerable to all attacks, but they all have the same remedy: parsing the inputs.
We use inaccurate, or at least arguable, analogies to name things, often to suggest that something is more dangerous than it is. For example, we use “drive-by” to describe an attack that relies for its success on the victim visiting a hostile or compromised web site and performing an overt act while there. Of course, the analogy is to “drive-by shooting,” where attackers shoot the innocent in their own neighborhood.
I realize that our culture and language are now so corrupt that it may take a generation or more to fix it. However, I propose three rules:
1) the inventor of an attack does not get to name it
2) that we prefer natural language descriptions, e.g. “previously undisclosed”
3) and that we avoid cute labels, e.g., “zero-day,” thought up by the rogues to aggrandize themselves.
* That’s right; Bluetooth is merely incidental, not necessary, to the attack. The attack would work the same if the same sharing scheme operated over infrared or WiFi.
Tags: Attack, classification, Information Security, risk, terminology, zero-day