The end of the world and Conficker.C

On March 28, 2009, in malware, security, by eugenekogan

There is way too much hype about Conficker.C and what it may or may not do on April 1. I’m not sure who is feeding the media, which is fueling the hype, but it’s very counterproductive. There are worse threats out there than this one botnet, and focusing all of our attention on Conficker is letting the others go unchecked.

Rather than rehash what’s already known about Conficker.C, I’ll just point readers to an excellent Q&A post from F-Secure. Question number one:

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

If that’s not enough information for you, read the rest of their post, and stop freaking out.

Update: I just read an interesting post on this topic from Verizon Business Security (Risk, Group Think and the Conficker Worm), which I saw thanks to TaoSecurity.

 

We need more than a new Internet

On February 16, 2009, in networking, security, by eugenekogan

It’s nice to see the New York Times write on the topic of Internet security, and actually focus on a more radical solution than normal. The article basically says that Internet security is so broken that we need to start over with a “new Internet.” Sounds like fun, but that seriously misses the point.

If we are going to go down the path of starting over, why not go right to the root of the problem, and fix our hardware? Now that we know what kinds of vulnerabilities exist in our existing designs (based on the von Neumann architecture), we could create a new hardware platform that has security and privacy protections built in. This would naturally lead to a new kind of software, which could take advantage of the new hardware features and architectural decisions, to keep itself secure. Since the Internet is just a collection of networking hardware and software, it would obviously also benefit.

In fact, by rethinking the very basic underpinnings of computer design, we can propagate the results throughout the entire CPU-based world, not just the Internet. Trying to fix only one part of the problem, such as by creating “a ‘gated community’ where users would give up their anonymity and certain freedoms in return for safety” would be a disaster. Not only would it quickly be broken and misused, like every other attempt to do something similar, but it would eliminate one of the best features of the Internet that caused it to thrive in the first place.

Sadly, I doubt we will ever be able to “start over” on something like this (IPv6, anyone?). I mean, there are so many aspects of life that could use the benefit of hindsight and a redesign, like politics, tax law, health care… but they are too entrenched in society to be replaced by better systems. That makes for good job security for those of us in the computer security field, as long as we can put up with the feeling of continuous frustration, knowing that a true alternative is possible, but we are essentially powerless to pursue it.

 

Security news items

On January 19, 2009, in news, security, by eugenekogan

Some interesting items in today’s security news:

Obama plans to keep his BlackBerry
There will be plenty of security and legal hurdles. Here’s one already: “The security question was inadvertently highlighted on Friday as Obama’s BlackBerry tumbled from his belt as he exited his limousine and got onto his plane…”

Widest night/day megapixel lens without distortion for the security industry
This is cool for those into physical security or surveillance: “Theia leveraged their patented Linear Optical Technology platform with all-optical barrel distortion correction to provide a nominal 110 degree horizontal field of view…” The article has a picture showing the difference from a regular wide angle lens.

Frankly Speaking: What would really make software more secure
Not a bad idea, although I’m not sure how I feel about yet another expensive software certification process: “…SANS says some state governments are already thinking about requiring software suppliers to certify in writing that their code is free of the errors on the list.” Hasn’t the federal government already tried similar approaches?

 

Fixed contact form

On January 6, 2009, in uncategorized, by eugenekogan

Sorry, my contact form was broken. It should be working now!

 

Will honest people turn to cyber crime?

On December 21, 2008, in hacking, legal, by eugenekogan

There has been a lot of hype in the news recently about unemployed IT workers turning to cybercrime to make ends meet. Some forecasts [1] claim that the guys running your mail server might “use their skills to steal credit card data using phishing attacks.” Of course, there are no hard facts to back up this claim. I find it hard to believe that an otherwise honest person would turn to something as extreme as stealing credit card numbers to help pay his bills. The truth is that there has been the opportunity for making large sums of money through cyber crime for years. If someone with the necessary skills and lack of morals was going to go into the phishing business, they would have probably already done so.

[Figure: cyber crime chart. Source: npr.org]

Perhaps the economic downturn does help cyber criminals become more successful, simply because there are more desperate people out there to be scammed. Suddenly, a chance to “win $50 from Bank of America” might be just too tempting to resist. After all, “it’s a ripe economy to take advantage of people,” [2] according to a McAfee cybercrime strategist. (Nice job title.)

On the other hand, I’ve also seen claims [3] that corporations are performing more internal investigations into employee fraud and misuse of resources. I believe this type of criminal behavior is much more likely to rise, since people generally feel less guilty about taking advantage of their employers, as opposed to outright stealing from a stranger. It’s a bit like how taking home a box of pens from work might not be a big deal, whereas doing the same from a Staples store is much more obviously theft.

There is also one more reason why laid off or unemployed computer geeks might turn to criminal means: it’s the only job they can get. It’s obviously a tough job market, even considering that IT jobs are better off than most other fields. If you’ve got hacking skills and need to make some money, I suppose it’s possible that you might be tempted to work for a criminal organization. Once again, I don’t believe that usually-honest people will start joining the mob out of desperation; we’re just not that bad off yet. But I did come across at least one example [4] of an unethical corporation hiring hackers to help them exceed the limits on rain forest logging. It’s hard to know if this is an unusual case, or if it’s becoming more rampant.

The bottom line is that companies (and government agencies) need to be even more vigilant against the insider threat. It’s always been there, and it always will be. The best we can do is try to mitigate it. Personally, I’m not too worried about IT workers turning to cybercrime – the crooked ones are already there.