Last month we suggested there could be an outbreak of an email virus on 14 February. We were wrong: VBS/SST-A (the Kournikova worm) struck on 13 February. Initial statistics from MessageLabs indicated it was spreading twice as fast as VBS/LoveLetter did in May 2000. However, reports made to Yui Kee suggest that it hit far fewer companies in Hong Kong. This was probably related to the time zone of the source: the Philippines for VBS/LoveLetter, the Netherlands for VBS/SST-A.
The creator of VBS/SST-A apparently posted an apology on the Internet and turned himself in to the police. We welcome his arrest. Although his intention might have been a joke or a demonstration of insecurity, the fact is that he disrupted thousands of users around the world. We do not need another demonstration of this vulnerability; Melissa and LoveLetter have already proved the point. In this context, the comments of the Mayor of his town, suggesting he should be rewarded with a job offer, are deplorable. Before we laugh at foreign politicians demonstrating their ignorance of technical subjects, we should remember that some of our own politicians also sometimes show their ignorance. However, the politicians who preface their remarks with how little they know of technical subjects tend to show the deepest grasp of the issues involved.
Too Many Alerts
Sometimes anti-virus vendors are accused of crying wolf: they rush out press releases about the latest highly destructive virus, which quickly turns out to have affected almost no-one. The recent VBS/SST-B (a minor variant of VBS/SST-A, with a German message) and W32.Naked@mm (the “Naked Wife Trojan”) are examples of this. The press are quick to follow up on such releases; massive virus outbreaks bringing businesses and countries to their knees are good copy. Users get tired of the repetitious warnings, until they fall victim to a real epidemic, such as Melissa or LoveLetter.
As an anti-virus distributor and consultant in Hong Kong, it would be unfair for us to point an accusing finger. We try to judge each case and provide timely, accurate and balanced information on virus emergencies. We will not be naming companies in these examples; you should judge your suppliers' actions yourself.
Anti-virus developers have, to some extent, a split personality. There are the techies, who analyse and deal with the new viruses – their concern is to serve the company by giving the customers the protection they paid for. Then there are the marketers – their concern is to serve the company by getting the maximum favourable publicity. When a new threat is discovered, particularly if it has the capability to spread very fast, they both want to get a warning press release out as quickly as possible.
However, in some companies the marketers appear to have a bit too much influence. If things are quiet, they will release a warning about a months-old virus that is no longer causing problems. Or they release a warning about a virus that, for technical or social reasons, clearly will not spread very far or fast. Even worse, some have issued warnings about viruses that no one else could confirm even existed.
Some cases are less clear – at one point, reliable statistics showed that VBS/SST-A was spreading twice as fast as LoveLetter, so a major alert was justified. Only hindsight could show us it would be less successful overall. However, some companies also made a worldwide press release for VBS/SST-B, even though its German message made it unlikely to spread outside of German-speaking countries.
Good Security is Boring
System administrators and information security staff have a similar problem to anti-virus vendors when trying to get the message out to users. So much of computer security depends on users, from choosing good passwords to not indiscriminately clicking on email attachments, but the message is not exciting. There are any number of films in which breaking a security system, or a security system failing, is a central feature of the plot, but none that prominently feature a successful security system. The reason is obvious: successful security is boring – you take care of all the tedious details, and nothing happens, no dramatic break-ins, no chases, no explosions.
Therefore, the big security failure is often the only chance we have to get the message to users and managers. Managers are the more important target: to be effective, the security culture of an organisation has to come from the top. Use the statistics from vendor press releases and internal organisation data to present how much money good security is, or could be, saving. But avoid hype, which can undermine your case – LoveLetter was certainly a major, worldwide incident, but the figure of US$10 billion for damages is highly speculative.