Conficker leaves security industry looking clueless

[See update at the bottom of the post]

Eric Orgen has a good write-up about the Conficker hype and the lack of activity since April 1. Conficker gave the security industry a great deal of publicity: the story was picked up by the mass media, guaranteeing the attention of millions of netizens (Internet users).

Buried inside Conficker's code was a date check: starting on April 1, it would enable a new mechanism for the malware to update itself. The security industry warned the public of the dangers of Conficker and of the threat posed by this new update mechanism (in effect, the malware calling home and asking "what do you want me to do now?").

But April 1 came and went, and instead of the predicted bang, Conficker has so far behaved more like a dud. This behavior, or lack thereof, leaves the security industry looking like a bunch of greedy geeks crying wolf in order to sell their wares. Of course, security vendors are not the only ones deserving blame. The media itself jumped on the opportunity for sensational stories like "The Internet is Infected" (I will not name the usually respectable TV program which produced this segment). But the obvious hype and the uncoordinated (until the last minute) response from the security industry raise the question: what can we, the security industry, learn from this event?

Eric's article asks three basic questions related to the fallout of the Conficker hype:
  1. How can we not know what happened?
  2. How can a vulnerability that was patched 6 months ago be leveraged by the most widespread malware in history?
  3. Why does the security vendor response seem so amateurish?
We can't afford to lose the public's trust or respect because the next malware attack may just cause the kinds of massive infections and disruptions that we know can happen.

Update: My good friend over at the Blackfist security blog (@bfist on Twitter) reminded me that he and I had a discussion around this very subject on April 2. I would be remiss if I didn't point out his blog entry on the subject, where he quotes another friend, @marcusjcarey:
In my opinion, the best twitter advice on conficker came from @marcusjcarey: "Security Professionals must remember the 'Little Boy Who Cried Wolf' ie. manage expectations #conficker". If only it were the security professionals' fault.
In my opinion, the security industry is, at least partially, at fault in its lack of coordinated response. While many security vendors were honest in their portrayals and genuinely tried to calm the frenzied media, several engaged in less-than-honorable practices. The security industry should be careful not to behave like the "snake oil" vendors of the past. After all, software security still has a long way to go; users should be able to trust their security vendors and, by extension, the security community.

Src: Conficker leaves security industry looking clueless | SearchSecurity
