Security in the news: Events and non-events

April 1 passed without the massive attack by the much-anticipated Conficker Internet worm, but don't relax just yet.

True, the sneaky malware, which has gone through several evolutions since security experts first became aware of it, did not seize control the nation's computers, perpetrate massive identity theft and bring down the Web. But the story might not be over.

"The network of Conficker-infected machines could still spring to life and be used for nefarious deeds," reports the Associated Press. "One scary element is that Conficker's authors have given the infected PCs peer-to-peer abilities, which allows them to update each other and share malicious commands through encrypted channels."

The scope of the potential problem remains a tantalizing mystery, but a number of security experts tentatively offered their best guess-timates last week:

  • One Internet infrastructure vendor, OpenDNS, reports that 500,000 of its customers, out of 10 million worldwide, have been infected with the most recent iteration, Conficker.c, the IDG News Service reports.
  • After monitoring network activity on April 1, IBM's security experts concluded that 4 percent of Internet addresses sending out malicious data is infected with the same variant, according to Computerworld.
  • Also from Computerworld: A security company based in Vietnam pegs the number of infected PCs at 1.38 million worldwide, of which only 2.6 percent are in the United States.

So why didn't the sky fall? Was the problem overhyped? Were the emergency patches successful? Was it an April Fool's Day joke? Or is the main event still to come?

"More likely the 'it's hitting on April 1' is a misdirection -- a pay-no-attention-to-the-man-behind-the-curtain kind of deal," writes InfoWorld blogger Robert X. Cringely. "Because these days no self-respecting worm author would actually tell you when his baby was planning to strike."

Meanwhile, technology experts are carefully monitoring activity in the Senate, which is considering legislation that aims to tighten up Internet security in government and industry.

The bill would establish a new advisory office in the Executive Office of the President, propagate cybersecurity standards for the public and private sectors, and improve training and certification programs for cybersecurity.

Also, as Network World noted, the legislation would give President Obama the power to shut down Internet connections in the event of a "cybersecurity emergency."

Some security experts "don’t think such sweeping power is good news for anyone, including private networks that could be shut down by government order," writes Network World's John Fontana. "Those same networks would be subject to government mandated security standards and technical configurations."

Others are skeptical of the federal government's ability to improve Internet security through brute force. "Security is an attitude, and it's hard to legislate attitude," Brian Chess, founder and chief scientist at Fortify Software Inc., told Computerworld. "It has more to do with understanding the impact of insecure software on the organization."

Some FCW readers also have their doubts. "Whatever happened to the checks and balances that our Constitutional fathers envisioned?" one reader, signing himself as "Disgusted," commented on our April 1 Web story. "This is yet another example of a knee-jerk reaction by uninformed bureaucrats who are clueless about cybersecurity, yet fancy themselves to be experts because they personally use a Blackberry."

Another reader shared similar sentiments in more graphic terms: "Can you imagine what a disposable diaper would look like if you charged the government with developing it?"

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.