Tuesday, March 31, 2009

Conficker and GhostNet Hype

Have you seen all this hype about Conficker and GhostNet recently? Surely there are more important threats out there than the ones this media frenzy would have you believe in. How many times can security vendors claim "the sky is falling" before their customers get tired of the FUD?

I've been examining the details of both incidents/outbreaks, and it's got me chuckling while watching how many professionals are chasing their tails.

A word to the wise: if a threat gets a unique name and makes it to the prime-time news, then it's too late - the odds are that it's no longer a threat to be worried about. The good guys have already countered it (as far as enterprises are concerned, anyway).

I've just blogged about the intricacies of the malware naming business and the (mitigated) threats that are Conficker and GhostNet over on the Damballa Blog site.

Read my first appearance on the blog and the brand-spanking-new post "Who really will be the fool on April Fool's day?"


  1. You just can't compare these two security incidents, and I think you're really down-playing the impact the GhostNet story should have on the world.

    If you read the report on GhostNet, you saw that exploits were custom built and custom delivered to key political offices. Emails were hand crafted to look like they were coming from internal offices. Though I'm sure political cyber-espionage isn't new, a well written discovery, and subsequent analysis of a network built with a clear goal, *IS* security news.

    A new worm, exploiting yet another Microsoft bug is... so, 1999.

    I wrote a little bit about this issue...

  2. I don't think I'm trying to downplay the absolute threat; what I'm saying is that by the time a specific threat makes it to the news (i.e. global media), a solution generally exists from multiple vendors.

    Before GhostNet made it to the headlines, most security vendors had no protection for their customers. Now that it's known (and widely discussed), the protection is available.

    I'm more concerned about the threats that don't make it to the press, and where there is no common protection available. Reactive protection focuses on what makes the news; I think the threat has evolved in such a way that preemptive protection needs to be the default, instead of masking the subject with press announcements/comments covering a single threat after the fact.