April Fool’s… Is the Joke on Us?

Conficker, aka Downadup, is a worm that grew to prominence thanks to the vulnerability patched in MS08-067 last October. It’s getting widespread popularity in the media these days and deservedly so; a large botnet is always a source of concern and I wish the media paid more attention to the risks/dangers of malware and the people/organizations behind the criminal activity. But all this April 1st talk…is it hype? I’ve had at least a dozen people ask me, “are you ready for April 1st?” Um…yes.

Yes, Conficker is going to “do something” on April 1st. But if anyone in the mainstream media were to stop and think or at the least ask an insightful question instead of latching on to the latest doom and gloom theme of the day and driving it over the cliff, they might be telling a different story than the one you’re hearing from the various media outlets.

For starters, I recommend F-Secure’s wonderful Questions and Answers: Conficker and April 1st. In a nutshell, computers infected with Conficker.C (a variant of the original worm) are going to “update” themselves. All we know is that it’s going to up the ante from phoning home to a batch of 250 domains a day to 500 out of 50,000 a day, making it much harder to disrupt the phone home communications (which is how infections like this get their updates and commands for actions to perform). But since that’s all we know, that leaves a lot of room for conjecture and imagination.
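As an added illustration of the sinkholing arithmetic behind that change (my own example, not code from the post or from F-Secure), the functions below compare a defender’s odds of intercepting a bot’s daily check-in under the old “250 domains, all contacted” regime and the new “500 drawn from 50,000” regime. It assumes the bot picks its daily domains uniformly at random from the generated pool; the pool sizes and registration budgets are constructed parameters, not the worm’s real algorithm or real domains.

```python
# Added example: how the Conficker.C change from contacting 250 generated
# domains a day to 500 out of 50,000 changes the sinkholing math.
# Assumption: the bot draws its daily domains uniformly at random, without
# replacement, from the day's generated pool. Domain identities are constructed.
from math import comb
import random


def hit_probability(pool: int, contacted: int, registered: int) -> float:
    """Probability that a bot contacting `contacted` domains, drawn without
    replacement from a daily pool of `pool`, reaches at least one of the
    `registered` domains a defender controls (hypergeometric tail)."""
    if registered < 0 or contacted < 0 or contacted > pool:
        raise ValueError("bad parameters")
    if registered >= pool:
        return 1.0
    # comb() returns 0 when contacted > pool - registered: the bot cannot miss.
    miss = comb(pool - registered, contacted) / comb(pool, contacted)
    return 1.0 - miss


def registrations_needed(pool: int, contacted: int, target: float) -> int:
    """Smallest number of daily registrations giving at least `target`
    interception probability (linear scan; pools here are small enough)."""
    for registered in range(pool + 1):
        if hit_probability(pool, contacted, registered) >= target:
            return registered
    return pool


def simulate(pool: int, contacted: int, registered: int,
             bots: int = 2000, seed: int = 1) -> float:
    """Monte Carlo cross-check: fraction of simulated bots whose daily picks
    include at least one defender-controlled (sinkholed) domain."""
    rng = random.Random(seed)
    sinkholed = set(range(registered))  # constructed: defender holds ids 0..registered-1
    hits = 0
    for _ in range(bots):
        picks = rng.sample(range(pool), contacted)
        if any(p in sinkholed for p in picks):
            hits += 1
    return hits / bots


if __name__ == "__main__":
    # Old regime: every bot contacts all 250; registering all 250 is certainty.
    print("old, 250 registered:", hit_probability(250, 250, 250))
    # New regime: the same 250 registrations now only intercept most bots,
    # and full certainty needs the whole 50,000-domain pool every day.
    print("new, 250 registered:", round(hit_probability(50000, 500, 250), 3))
    print("new, registrations for 99%:", registrations_needed(50000, 500, 0.99))
```

The point the numbers make is that the old regime could be cut off with 250 registrations a day, while the new one forces a defender to cover a large slice of 50,000 daily candidates to keep intercept odds high.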

So let’s think rationally for a minute. The people/organization behind Conficker are VERY sophisticated, highly proficient and professional. We aren’t dealing with a couple of kids with a grudge here. The landscape has changed, but mass media doesn’t seem to realize it. The business models that cybercriminals apply these days are in line with modern corporate structures. There are boards of directors, hiring managers, developers and sales. What do they sell? Why, that would be access to your infected PC. Once infected by a bot, your computer is there to do the attacker/owner’s bidding. If they need processing power to crack a password, they can use your PC. If they want to launch other attacks, they can use your computer. If they are bored and want to watch you on your webcam, they can. More and more these days, botnet rentals have become yet another business model.

Imagine you have a business. You have 2 million customers but if anyone finds out who your customers are you’ll risk losing their business. On April 1st you can sign those customers up to a contract extension. Why would you risk doing anything that would cause you to lose those customers?

I’m not buying it. The press wants you to think all hell is going to break loose because it sells papers. But there’s nothing about this worm that indicates its creators are stupid. Why, on April 1st, when they are deploying an update that is going to ensure their botnet stays strong for months to come, would they risk losing it all at the same time? It doesn’t add up. Yes, there are stupid criminals. But these criminals are smarter than the mainstream media.

The effect of the media’s attention is dangerous and misplaced. Cybercriminals are already taking note of the attention, offering new FakeAV/Rogue malware that pose as Conficker removal tools. But even worse, they’re creating a “boy who cried wolf scenario.” What will the media be saying about Conficker if it just does its updating on April 1st and slips quietly back into cyberspace? I guarantee you there will be more than one news anchor piping a comment about how it obviously wasn’t as big a deal as they thought and shrugging it off. Gee thanks. You just made my job that much harder by lowering the guard.

Cybersecurity isn’t a one-off story every 6 months to a year to fill a news quota or aid a slow news day or to fulfill a producer’s zeal for a doomsday shocker. Accessing the Internet is like walking in a really bad neighborhood at 2 a.m. It’s risky and potentially dangerous; caution, awareness and knowledge are your defenses. That pocket knife in your pocket (aka antivirus software) might help you, but chances are it won’t.

So do us a favor, mainstream media. Use your powers to do good. Keep awareness and understanding of cybercrime on your radar and treat it regularly and consistently. “The sky is falling” stories only breed skepticism and doubt among users in a world where letting your guard down for one minute can have a far more far-reaching impact than most users would ever expect.

Conficker may do more than just update on April 1st, but I’ll be surprised if it does. I just hope the media doesn’t do more harm than good in their treatment of the results.

Width-In-Defense

Depth in defense is always a priority in securing an environment. For the novice, the notion is that the more layers of defense you have in place, the more likely you’ll be able to detect the bad guys and their malicious code. The typical analogy is that of a fortified castle. From the outside in, a deep and wide moat surrounds the outer wall, with a drawbridge and/or portcullis to control and limit access. The inner walls provide an additional layer of protection for the castle, with additional barriers in place around the keep. And let’s not forget the men and women who strategize and defend their home. Firewalls, intrusion prevention devices, web gateways, and endpoint protection act as similar layers in the depth in defense model. It’s a good model, and if designed, managed and monitored properly it will serve as a well-fortified defense system.

What concerns me is less the depth model and more how it’s constructed. I saw a prediction a year or so ago from an executive at one of the big security vendors who predicted that within 5 years there would be roughly 5 vendors who owned just about every security based solution available. The trend continues in that direction. From a marketing standpoint, great for them. They can wrap them all up nicely in a bundle and say they are the single source solution to all your security problems. But is that great for us, the end user?

Sure, the solutions they offer for the varying layers differ. A web security gateway isn’t an endpoint or antivirus client. But if the same company provides you that web gateway and the antivirus, do you gain anything running their antivirus on the web gateway? Mixing vendors, bringing in different ways of performing a similar function, is critical if you want to provide the best defense. Antivirus solutions vary greatly in their methodology and detection capabilities. They almost all use some level of signature-based detection, which is inherently weak in an age of malicious code that can polymorph or obfuscate by the second. The more layers of differing antivirus solutions you can place between the attackers and your hosts, the more likely you’ll be able to stop the malicious code.

Revisiting the castle analogy, those outer walls by the moat seem like a good place for archers. The drawbridge/portcullis would probably benefit more from foot soldiers and hot oil vats above the entryway. Cavalry can stampede through the narrow lanes as attackers draw near to the inner keep, with your best and finest swordsmen and archers defending the castle proper.

Depth is critical, but depth plus width is where you’ll truly improve your chances of defense. You may have to suffer with different front-end management systems for the varying solutions, but, honestly, most times you’re going to be better off isolating the administration of the varying layers as opposed to dealing with an all-in-one solution that in reality is a jumbled mess to manage. The majority of monitoring concerns can be handled with some basic alerting, event correlation or security information management.

So next time a vendor tells you they have the answer to all your security needs, think width-in-defense before you sign up for their suite of solutions.