Updated: 2/7/2004; 9:22:37 PM.
Spire Security News and Views
Spire Security is a market research and analysis firm dedicated to bringing clarity to the information security world. This blog is focused on providing analysis and insight to the happenings of the day, current security trends, and missing pieces to the information security puzzle.

Friday, February 06, 2004

Bandwidth-based Web DDOS Attacks

This article, "Mydoom lesson: Take proactive steps to prevent DDoS attacks," discusses bandwidth-based DDoS attacks, which are difficult to defend against because they saturate the link rather than the server. Distributing the servers is the key - a la Akamai.


8:23:33 PM

VMyths current target: Mi2G and MyDoom Estimates

An interesting attack from VMyths' Rob Rosenberger:

I am interested because I, too, would like to estimate damage done and am currently investigating ways to do this. Of course, if you subscribe to VMyths' philosophy, this virus didn't cost anyone anything... I tend to differ slightly - comments inline below.

Vmyths.com Virus Hysteria Alert
{2 February 2004, 22:05 CT}

In our previous Hysteria Alert, we predicted "someone will soon
declare a 'guesstimate' damage value for the MyDoom virus/worm,
strictly for its PR value." Vmyths named mi2g as one of the more
dubious candidates.

It is always fun when somebody "predicts" something so obvious that it is hard to be wrong. Some folks do it with caveats and percentages, while still others just state the obvious. Virus damage estimation has been going on for at least three years now. (Full disclosure: I may very well do this sometime in the future as well.) So here is my prediction: sometime in the future, VMyths will blast someone for "fearmongering" strictly for its PR value. (Gosh, I feel like John Edward must when he is speaking with the dead).

mi2g played its PR card with a wag of $38.5 billion in global damages.
We dismiss it as completely absurd. mi2g's guesstimate is: 
   * 1.6% of the U.S. federal budget proposed for the next fiscal year;
   * 40% of the damage to New York City on 9/11/01; and
   * more than double the cost of Hurricane Andrew in 1992.

These numbers he is using are the first indication of error. Each of these examples deals with real dollars, not economic dollars - certainly the first one, though there is a chance that it is not true for the other two. But I can only assume that if VMyths doesn't like the mi2g estimates, they won't like estimates used anywhere.

There is something else going on here as well. I call it the "world wide rash" syndrome.  It is the difference in the way we feel about one person losing a million dollars (must really be awful) versus two million people each losing a dollar (at least each person only lost a dollar). Of course, the net result is "double the cost of the guy who lost a million dollars..."

Btw, this report estimates the losses due to Hurricane Andrew at $63.9 billion. Not to worry, we don't pay much attention to the U.S. Bureau of Economic Analysis anyway. They were probably just in it for the PR.

mi2g has pulled PR stunts since 1999 on an almost regular basis.
See
http://Vmyths.com/resource.cfm?id=64&page=1 for a critical look at
the firm's shenanigans.

Unfortunately, gullible reporters have already started to latch onto
this latest PR stunt. The Web Host Industry Review, for example,
published it in breathless tones. Vmyths believes major media outlets
will fall like dominoes -- mi2g's declaration is simply too large for
them to ignore.

It sounds incredible to say it, but mi2g now demands money if you want
to read press releases associated with their PR stunts. You'll pay
"£29.38 (including taxes)" just to read their "$38.5 billion" press
release, for example.

Visit http://www.mi2g.com/cgi/mi2g/press/010204.php if you don't
believe us.

This is actually pretty funny.


We asked it before and we'll ask it again. Why do British fearmongers
so often give guesstimates in U.S. dollars?

A cute distraction, intended to "warm" you up to the wit of VMyths. And since I am an American, I would look too proud if I answered this honestly.

mi2g has threatened to sue Vmyths for libel
(see
http://Vmyths.com/rant.cfm?id=497&page=4 for details) and this
Hysteria Alert may lead to a renewed effort to crush us. For the
record: we stand by our criticisms of mi2g. However, Vmyths prides
itself for an industry-leading "corrections & clarifications" page.
Anyone may write to
VeaCulpa_at_Vmyths.com to contest our claims &
accusations.

One can only hope that someone will care enough to pursue legal action. It is even better PR than estimating the damage done by viruses and worms.

Anyone may visit http://Vmyths.com/rant.cfm?id=470&page=4 to rebut our
opinions & criticisms.

Do the math. Stay calm. Stay reasoned. And stay tuned to Vmyths.

So here is the place I have the biggest problem. "Do the math"... "do the math"... "do the math"... has there been anything but the laziest of "math" done here? Come on - comparing random whole numbers... it is absolutely silly. What would be interesting is if somebody actually did "do the math." I happen to think the number is pretty big as well, but in economic terms, productivity costs money. I like to think that an hour of my time is worth something. Big 5/Final 4 firms think an hour of their time is worth a bit more than something. So comparing the real dollars in a budget to economic dollars that are measuring productivity, among other things, is ridiculous. Of course, these numbers can always be challenged with alternative methods (VMyths chose not to, I suppose).


Rob Rosenberger, editor
http://Vmyths.com
(319) 646-2800

Acknowledgements:
Mary Landesman,
http://antivirus.about.com



7:46:09 PM

Expert's Guide to Effective Patch Management

I will be giving a webcast on patch management for searchsecurity.com. This coincides with the article I've written on patch management for Information Security Magazine (in February's issue, which should eventually show up at www.infosecuritymag.com).

Note: check out www.patchmanagement.org for a great mailing list on patch management.


12:33:33 PM

People seem to like this MadLib I wrote poking fun at whatever the latest and greatest virus or worm is... try it out, it actually still works fairly well:

Spire ViewPoint

last updated: February 3, 2003
File under Spire Discipline: Threat Management

Author: Pete Lindstrom

[Adjective] Computer Worm [verb] Internet

In the wee hours of [date], a [adjective] computer worm spread [adverb] throughout the Internet. Dubbed [silly name] because [ridiculous reason that doesn't explain anything about how it works], and also known as [another random name] and [another random name], the worm has infected an estimated [number] systems within [length of time]. Experts are calling this worm the most [adjective] since [date in the past].

The worm exploits a hole in [Microsoft product name] that was first identified [number] months ago by [security company name]. In an attempt to secure the planet, and for our own good, [same company, or name of parents] released detailed information about the vulnerability and how to exploit it. They also mentioned how to fix it, but apparently [noun] listened. Coincidentally, the worm that exploited this hole was also first identified by [same company]. Not coincidentally, they make a product to protect against [noun].

"Actually, it's not really a [noun], it's a [noun]," said [Pete Lindstrom, or some other person seeking publicity]. "A true [noun] works by [random filler that nobody will read]."

The worm's payload [verb] every system by [verb ending in -ing] the [noun]. Comparatively speaking, this is much worse than [another worm] but not as bad as [another worm]. The computers of [place] were hit the hardest. Current damage is estimated at [dollar figure more than the GNP of two-thirds of the world's nations]. "This worm has the potential to [something or other]," said [Pete Lindstrom, or some other person trying hard to come up with something interesting to say ;-)]. "It just goes to show you that [another something or other]."

Though there is no way to protect against this particular bug, experts recommend trying [longshot one] or [longshot two], neither of which matter, since nobody will do it anyway.


1:09:42 AM

Paying for e-mail: An idea whose time has come? CNET News.com's Charles Cooper writes that charging for e-mail may not be so crazy an idea, after all.

Another approach to stop spam. Interesting that it, too, is a story about efforts from Microsoft. Paying for email is interesting, though we'd have to be pretty careful about ensuring against spoofed addresses (as the article points out).


12:50:50 AM

ISS warns of holes in Check Point firewall, VPN server

"Internet Security Systems Inc. warned of critical vulnerabilities in Check Point Software Technologies Ltd.'s Check Point Firewall-1, Check Point VPN-1 Server, and SecuRemote and SecureClient VPN clients."

Is it just me or does ISS tend to find a lot of security holes with its competitors?


12:38:11 AM

Microsoft project aims to make spammers pay for spam

This is a pretty interesting problem. Email scales so incredibly well that it costs the same to send one message as it does a million (sort of). So they are going to make the sending system work harder for every message it sends. In other words, the goal is to consciously cripple our systems. I am not sure this is a great direction to head. I would rather continue down the path of more trust in those we exchange email with... Sure, there are weaknesses with that, but I'd rather have a system based on trust than one that purposely reduces capabilities.
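The "make the sender work harder" idea above, as an added example that is not Microsoft's code or anything from the original post: a hashcash-style proof-of-work stamp. The sender must brute-force a counter until the SHA-256 of the stamp has N leading zero bits (cost roughly 2**N hashes per message), while the receiver checks it with a single hash plus a replay list. The stamp format and function names are my own constructed simplification.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def mint_stamp(recipient: str, date: str, difficulty: int):
    """Sender side: search for a counter that makes the stamp hash with
    `difficulty` leading zero bits. Returns (stamp, hashes_tried); the
    expected work doubles for every extra bit of difficulty."""
    counter = 0
    while True:
        # Constructed stamp format: version:bits:date:recipient::counter
        stamp = f"1:{difficulty}:{date}:{recipient}::{counter}"
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return stamp, counter + 1
        counter += 1


def verify_stamp(stamp: str, expected_recipient: str, difficulty: int, seen: set) -> bool:
    """Receiver side: one hash, a few field checks and a replay check.
    Verification cost does not grow with the difficulty the sender paid."""
    parts = stamp.split(":")
    if len(parts) != 6 or parts[0] != "1" or not parts[1].isdigit():
        return False
    if int(parts[1]) < difficulty or parts[3] != expected_recipient:
        return False  # stamp minted for a weaker policy or another address
    if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < difficulty:
        return False  # the claimed work was not actually done
    if stamp in seen:
        return False  # a stamp pays for exactly one message
    seen.add(stamp)
    return True


if __name__ == "__main__":
    stamp, tried = mint_stamp("pete@example.com", "040206", 16)
    print(f"{tried} hashes to mint {stamp}")
    print("accepted:", verify_stamp(stamp, "pete@example.com", 16, set()))
```

Raising the difficulty by one bit doubles the sender's expected work while the receiver's check stays constant, which is exactly the asymmetry that makes a million messages cost far more than one.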


12:10:17 AM

© Copyright 2004 Pete Lindstrom.