Inciting Fear for Fun and Profit

For the most part, I enjoy security research. The exception, however, seems to be in dealing with the relatively clueless of our field.

We’ve all met them. The foremost example: the users who’ve been trained that anti-virus is the only tool necessary for security. The ones that make you feel like you’re talking to a parakeet. “ANTI-VIRUS! ANTI-VIRUS! ANTI-VIRUS!” When you inform them of a new vulnerability in a product they use, having yet to hear of patching, most will just run to update the AV and keep at it. They see nothing as a threat. These folks are dangerous. Thankfully, though, vendors are beginning to get the idea, and moving more toward making simple ignorance less of a threat to the internet-at-large. We still have a long way to go, though, so other issues certainly need to be dealt with in the interim.

Perhaps one reason why users react so sluggishly to things is because, no matter who you are, someone will tell you that every bug, virus, exploit, worm, etc., that is uncovered is a grave threat to your systems and will cause them to be taken over by invaders who will steal your credit card number, post your life story to the web, and turn your computer into an evil zombie that will destroy everything in its path at the push of a button. When I read so-called “information” from leading industry fear-mongers, I feel like I’m watching a crappy Sci-Fi movie.

Folks out there are predicting the end of the world. What now, you ask? Well, the Windows WMF bug, of course. Didn’t you know that the WMF bug is going to lead to the “mother-of-e-mail-worms” that will devastate e-mail and render it completely useless? What’s that, you say? A user still has to double-click an attachment, and most would do that anyway? Apparently, that doesn’t matter to some so-called industry “experts”. The worms are coming and they’re going to kill us all!!!

When you present evidence to dispute the claims of these types, they simply devise an old theory with no relevance to the world and go on with their claims. These types are almost as much of a threat to the security of the internet as the malware itself. Welcome to the world of the media slut. The sole purpose of this mind-boggling new species is apparently to expand its own following by desperately trying to convince the rest of the world that they are under constant, grave threat.

I’ll share with you now a few gems from those of media slut fame. You can decide which ones sound familiar (care to guess who they’re from? There’s a couple of familiar names…):

We could see the mother of all worms here. My big fear is we’re going to wake up in the next week or two and have people warning users not to read their e-mail because something is going around that’s extremely virulent.

We’re expecting a virus to appear at any moment, an email-borne virus, because, when you open the email, your viewer shows an image. That can install malware on your machine.

It [a worm] has the ability to propagate very quickly, and that it does not require any direct user interaction. I mean, there are many vectors that will get this thing into people’s machines… the good news is there’s something that anyone who knows about this… can do immediately. It’s possible to unregister Windows’ handling of the vulnerable DLL. What will happen is that, in Windows Explorer, the image thumbnails that Windows Explorer would normally show, they will stop functioning. But you want them to stop functioning…

The exploitation code has gone like wildfire across the Internet. So… do this immediately. … The word really needs to get out about this. …This is a big, bad problem.

And, now, we can even add this gem from Kelly Martin of SecurityFocus:

How simple this is to do on a web page or through email, here at the beginning of 2006, is just astonishing. While there have been many unpatched vulnerabilities for Windows over the years, some with effective exploits available, nothing quite reaches the magnitude of the situation we’re in today.

You heard them… unplug… power down, and… run for the hills!

We can always hope that, one of these days, the reality will dawn on these so-called researchers, media-driven as they are, that one vulnerability will not bring down the internet. Unfortunately, I can’t hold my breath on that one, and it’s about as likely as the “mother-of-email-worms” appearing. Never mind the facts. Those don’t matter. The messiahs are on a mission to save us all from our computers.

  • WhiteAcid

    But without all my trusty friends in the media how will I sell my overpriced under-performing suite of computer protection software?

    I don’t know many people who read such things though. Either people are clever enough to know it’s naked stupidness parading in front of them or they are too indifferent to read those kind of things. I may be wrong, but I haven’t yet met a non-media person hyped about a bug. The one exception was the y2k bug where everyone had been hyped up.

  • sunshine

    I actually believe a worm will come, and that it will be bad. Other than that? This one may plague us for a while but it will not be the-mother-of-all-worms or the one to take down the Internet. We already face these every day.

  • Gary Flynn

    There is certainly a lot of sensationalism concerning computer security. OTOH, if there weren’t, how many home users would be unpatched and without AV software? How many software vendors would be taking security seriously as a market driven item? How many governments would be taking privacy and identity theft seriously?

    More to the point, if 1/10th of 1% of Internet users are compromised by any particular vulnerability, who are we to say those 600,000 or more people’s loss of control over their computer, passwords, and/or accounts is oversensationalized?

    I don’t know whether the various reports suggesting that high percentages of home computers are infected with spyware or of the existence of million strong BOT armies are true, but they certainly can’t be discounted and, if true at face value, certainly are due some amount of sensationalism as they are astounding.

    Finally, though no individual exploit has resulted in the “mother of all worms”, it’s not due to lack of capability. With the right code and social engineering, many recent defects could have been used to do tremendous damage to information confidentiality, availability, and integrity across the world.

    What determines what happens is more a question of human motivation and intent. And I, for one, am not going to discount the possibility that there are people out there that would delight in wiping out a few hundred million computers, using them for other criminal purposes, and/or quietly listening in on their passwords and communications. Not all criminals will limit their code to sending “I Love You” messages.

    In the cyber world, criminals do not have to get visas, pass through border security, or show ID. The barriers and risks to entry to the cyber criminal world are much lower. The defects and other vulnerabilities are available for the taking. The worms are their smart bombs and the BOTS their mercenaries.

  • Matthew Murphy

    Very well-written feedback, Gary. I agree that the bad press has helped drive security issues forward. Indeed, some of the bad press has been warranted. We’ve watched Windows come from a chronically insecure OS to at least a reasonably-secure OS over the last few years. It still has its problems (and IE is the big trouble spot), but it’s improved. And a LOT of that was due to bad press. In that case, the bad press was definitely warranted.

    I’m not saying that 600,000 compromised boxes or a million compromised boxes shouldn’t draw concern. I certainly believe those should be, more or less, covered to death.

    However, my argument was a lot like yours: there have been other vulnerabilities that would have been fashioned far better for the “mother-of-all-worms” type outbreak than this one. This one requires quite a bit of social engineering that other vulnerabilities did not.

    I simply don’t think the incentive is there for the people who could make a “mother-of-all-worms” scenario a reality. If you look at recent worm trends, the outbreaks are becoming MORE controlled than ever before. The full-automaton variety of worm has gone the way of the dodo because it attracts far too much press, and has the risk of swaying lawmakers to act.

    I think the botnet-owners are smart enough to realize that the noise associated with such a worm would be severely detrimental to them. IMO, the “mother-of-all-worms” would not be a mass infection as Smith, et al hypothesize, but a targeted infection of several hundred to a few thousand valuable networks as a tool to exercise further control and extract valuable information.

  • mugg

    Well, would Msoft have provided a patch so quickly without the media attention? I really doubt it.
    The engineers did get this one out in record time, and they are to be congratulated for that — they got one out almost a day behind Ilfak Guilfanov’s temporary patch. But the plan was to put off its release until our regularly scheduled Msoft hole patch release.

    Here is just a crazy guess. There will be another Msoft 0day, there will be a delay in patching the vulnerability and deploying that patch, and there will be another kid to release another netsky, zafi, nimda, welchia, sasser, zotob, kelvir, or slammer in the next year.
    None of those 5 quotes above state that this hole would have brought down the net. Just that this hole is easily and reliably exploitable and the situation is a bad one (probably because msoft was putting off patching it). Just like the previous holes.

    Are there media sluts blowing things out of proportion? Possibly. Big deal. The attention helped to get the patch out for an easily exploitable 0day.

    Here’s a serious article debunking fearmongers’ claims:
