Networking Notes: Safe at Home?
Most new user-targeting malware doesn't do anything anyone's going to notice. In fact, most of it makes it a point to remain unnoticed. It's decidedly unspectacular, but decidedly dangerous.
Summer, apparently, is for security. In the past two weeks both the Black Hat and DEFCON security conferences have come and gone, and in the past month several security vendors have released Internet security reports. Because Apple just released its iPhone to a lot of hype, there was also something of a mini-scare about any vulnerabilities it might bring along with its high price tag.
I've read the recent studies, looked at the stats and considered the evidence, and I'm pleased to report that, after years of terror, viruses are no longer a threat.
OK. That was irresponsible. Viruses are, indeed, still a threat. You just wouldn't know it from most mainstream security coverage. And over the past year, a consensus has emerged among security watchers that the individual threats users are facing in the form of rootkits, zombie-inducing worms and phishing are combining to create a certain synergy with much more potentially damaging consequences than we used to associate with malware. While I was chatting with a writer who contributes to Enterprise Networking Planet, we landed on the notion of an ecosystem: A complex community of different things that depend on each other to contribute to a functioning whole.
Reporting, unfortunately, is still catching up to this growing new reality.
Remember when viruses first began getting media attention? The local news channel might go out and interview a local techie who'd offer up some advice for the viewers at home: Don't take floppies from strangers, don't download stuff when you don't know what it is, don't run anything you downloaded if you don't know what it is. Then there'd be some discussion of the consequences if you infected your machine by, let's face it, doing the Internet equivalent of eating strange things off the sidewalk: All your files would be deleted.
The overwhelming focus was always on the individual outbreak. If a virus came with a timer, like 1991's Michelangelo, that gave the story an interesting hook. But as malware became more sophisticated, reporters became less interested. If files weren't in danger, it was hard to explain to a general audience why they should care. And, as a skim of Wikipedia's timeline of notable computer viruses and worms shows, there were more and more to contend with, and they had increasingly obscure effects. The people running the networks, meanwhile, were dealing with worm-launched DDoS attacks, site defacements, and simple network disruption.
Unfortunately for all of us, focusing on the sensational effects of malware set the stage for our current problems: Most new user-targeting malware doesn't do anything anyone's going to notice. In fact, most of it makes it a point to remain unnoticed. It's decidedly unspectacular, and it's busy doing things you can't demonstrate by pointing a camera at a computer and filming someone moving a mouse around.
Consumer Reports just released a "State of the Net" report that neatly sums up why that is: The overwhelming goal of malware in the wild today is not to eat files. It's to compromise computers and use them to do something the compromiser would prefer not to be caught doing himself. Like send torrents of spam directing people to sites where a) they can download malware that compromises their systems, adding to the snowball of compromised systems or b) give up personal information that can be used for identity theft or simple credit card fraud. It's to the benefit of the people compromising these systems to remain undetected for as long as possible, so the maximum amount of spam can be sent out before detection and remediation.
The CR report's statistics reflect this trend: Internet security overviews from a few years ago, when malware overwhelmingly aimed to disrupt, focused damage assessments on lost productivity. That's a favored metric of analysts at security firms because it's easy to make the numbers up. Unfortunately, end users respond to "lost productivity" numbers with about as much interest as they respond to stats about pig knuckles futures.
Consumer Reports, however, prefers to measure the amount of money lost to theft: $49.3 billion in 2006, according to a Javelin Strategy & Research study cited in the report. Not 49.3 billion imaginary "product-o-bucks," but $49.3 billion in real money lost. The report also claims that one in 81 users had money taken from an account in a phishing scam, at an average cost of $200, representing $2.1 billion nationally.
But even with numbers like that, it seems mainstream reporting still generally focuses on the sensational. Security companies report worms, viruses and variants numbering in the thousands every year, but it takes the occasional oddball, like the overhyped "ransomware" outbreaks, to get any attention.
Last month's iPhone launch was another case in point. A columnist with eSecurity Planet noted just this week that there's an overwhelming focus on iPhone security when the root of any security concerns that device should inspire is the same as it is for any network client, and the iPhone itself actually handles provision of security updates rather well compared to much of the industry.
Worse, as I noted on my security and privacy blog, some news outlets actually turned malware threats that exploited Windows machines into "iPhone threats" to make their stories sexier.
Until that kind of reporting is a thing of the past, and until we who know something about the nature of new threats on the Internet do a better job of explaining the seemingly intangible dangers people face to those who don't, we're going to be stuck thinking of the era of Michelangelo, Slammer, Blaster and Code Red as the good old days.