Archive for August, 2009

It lurks among us, waiting for who-knows-what to do exactly that.  It lurks, in the Microsoft Windows realm, because it’s the only viable environment to propagate in.

The smug ones pontificate about how safe they are with their Macs or Linux ~ that’s immaterial because the World is Windows, for better or worse and we need to learn about and from Conficker for the future’s sake.

An interesting piece in the N.Y. Times discussed how Conficker continues to morph following the advances or missteps of its adversaries.  The article also speculates that the original purpose of Conficker may not be financial, but state-sponsored.  It’s as if a five million zombie botnet, at current counts, sprang into being for no obvious reason.  Waledac spambots are one thing, financial gain from selling AV scareware is another, but is that all there is?

Anyone or group sophisticated enough to create Conficker and keep abreast and ahead of the Conficker Working Group, etc., must have a purpose and intent(s) in mind ~ we just don’t know yet what it/they are.

Calling Dr. Evil…

If somehow, the ‘good guys & gals’ could take over the Conficker botnet, the harnessed computing power could be used for good, like SETI research at least.  😉

Given the Microsoft emergency patch on October 23, 2008 and the media press during late March/early April 2009, this begs the question of why so many Windows machines remained unpatched long enough to continue the infection spread.  Variant C disabled Windows Update and blocked AV software lookups.  Perhaps the use of pirated copies of Windows has aided the worm’s spread; as unlicensed copies, my understanding is they are incapable of running Windows Update.

It may be another proof of concept and a way to test the waters, stimulus-response style.  In this chess match, there are vested interests watching the process and reactions on both sides of the aisle…


Ah Summer!

I recall the halcyon days of Summers past, when my teachers assigned reading lists, with the hope of broadening my mind and preventing recursive learning.  They needn’t have worried about me; I’m a compulsive book-a-holic and used to stalk the Bookmobile more frequently than the ice-cream truck…

This summer, besides the daily security reading via online newsletters, magazines, and blogs, I’ve added the following books:

I’ve finished the first and am marching through the second, saving the heavy-lifting tome for last.

I like the approach and arguments put forth by Adam Shostack and Andrew Stewart; we need a New School of thinking about information security, moving away from the FUD promulgated by many vendors and security practitioners, and focused instead on objective measurement via empirical means and on multi-disciplinary thinking, particularly from the perspectives of economics, psychology, and sociology.

Following on that line of thought, I’m enjoying Andrew Jaquith’s book.  My academic training was in economic geography, statistics, and resource management, so I’ve been deeply immersed in data modeling and measurement before.  I’ve also done a fair amount of evaluation work, mostly post hoc.

I completely agree that we need better ways to measure information security risks; how to quantify and qualify them and how to present them cogently to our funding sources, i.e., management.

As Bruce Schneier said, “Security is not a product, it’s a process.” So too, is the collection, refinement and presentation of our empirical data to management.  You’ve got to have the ground truth if you want to make better decisions.

The last book is interesting to me, in light of the so-called North Korean ‘cyberwar’, the previous electronic adventures in the Republic of Georgia and Estonia, and the essential reality that the Internet and software are our primary infrastructure now, after concrete.  After I wade through this impressive work, it will take its place next to Sun Tzu and Carl von Clausewitz.

As the current Administration in Washington D.C. keeps shedding cybersecurity personnel the way our bodies slough off skin, my hope is that the President might read this book and really put some impetus into finding and retaining a cybersecurity ‘czar’ who reports directly to the President, with sufficient funding, authority, and autonomy to make a difference!

Keep On Keepin’ On Folks…