[ISN] Viruses and Worms: What Can We Do About Them?

From: InfoSec News (isn@private)
Date: Sun Sep 21 2003 - 23:56:05 PDT

  • Next message: InfoSec News: "Re: [ISN] Solaris Flaw Leaves Machines Open to Attacks"

    Forwarded from: security curmudgeon <jericho@private>
    Testimony of Richard D. Pethia
    Director, CERT Coordination Center
    Quoted material from the testimony.
     | We activated the center in just two weeks, and we have worked hard
     | to maintain our ability to react quickly.
    I think there is little room for debate when it comes to questioning
    CERT's response time for releasing advisories on vulnerabilities.
    There have been cases where CERT releases an advisory on a remote
    vulnerability *years* after it has been widely exploited. Even these
    days, they release shoddy advisories lacking technical details
    days/weeks after the issue is brought to light.
     | Today, with continued sponsorship from the Department of Defense and
     | from the Department of Homeland Security, we continue our work and
     | disseminate security information and warnings through multiple channels
    Nice of them to remind us that our tax dollars fund them. What they
    neglect to tell Congress, is that these multiple channels include some
    that go to specific vendors/customers long before they are made
    public. CERT continues to distribute this advanced information knowing
    that there is a well established leak that in turn publishes the
    information anyway. These channels are maintained despite the wide
    exploitation of vulnerabilities affecting *millions* of computers on
    the net.
     | Impact of Worms and Viruses
     | In the 2003 CSI/FBI Computer Crime and Security Survey...
     | The Australian Computer Crime and Security Survey found similar...
     | damages are estimated to be .. (Business Week, the London-based mi2g..
    Great, Congress is going to listen to these extensive damage figures
    from an "expert" who is citing other "experts" that generate computer
    crime and damage figures from glorified sewing circles. The CSI/FBI
    survey has consistantly polled around 350 companies and asked them for
    incident number and damages. They don't care who answers from these
    organizations, nor do they care what figures they receive back. The
    statistical value of this survey according to some
    staticians/economists is basically worthless. Better yet, he goes on
    to cite the FUD Mongering mi2g company who is well known for their
    drama filled advisories and lack of ethics.
    (Vmyths: http://vmyths.com/resource.cfm?id=64&page=1, Forno:
    http://www.infowarrior.org/articles/2002-12.html, Attrition:
     | There is nothing intrinsic about computers or software that makes them
     | vulnerable to viruses.
     | Recommended Actions  What Can the Government Do?
     | Provide incentives for higher quality/more security products.
     | (read the two paragraphs)
    YAY, CERT finally uses its influence and voice to say something
     | Information assurance research.
     | More awareness and training for Internet users.
    Hrm, what did CERT say it did in the intro?
     | we identify and publish .. , conduct research ..
     | and provide training to system administrators, managers, and incident
     | response teams.
    CERT asking for money during Congressional testimony?
    It's too bad there isn't more scrutiny placed on the people who testify 
    before Congress. Hell, even Dan "the FUDmeister" Verton issued a press
    release about testifying in the coming months.
    More CERT reading:
    CERT: The Next Generation
    The Demise of the Internet's Last Objective and "Trusted" Organization
    CERT Vulnerability Leaks
    Cashing in on Vaporware
    CERT Rides the Short Bus
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 22 2003 - 03:54:49 PDT