SAN FRANCISCO (06/26/2000) - I woke up last Friday to my radio blaring in dramatic tones dire warnings about the latest "hacker danger lurking on your PC."
Groan. Another writing day shot to hell, sorting out facts from fiction for concerned clients.
It turns out that this was nothing nearly as dire as Melissa or the Love Bug.
In fact, many industry experts considered it to be nothing more than an attempt at cheap publicity by a relatively unknown computer security company.
Now, let's be honest: news about security incidents helps sell security services. That's a fact. As a partner in a security company, you would think I would be happy about such revenue-generating panics. I'm not. I plan to be in this industry for the long term. Eventually, people will get immune to hearing that "the sky is falling" and ignore all security warnings.
The people from Network Security Technologies (NetSec) defended themselves by stating that it was the media's fault that this warning got so out of hand. In a statement sent to the Hacker News Network, M. Scott Shreve, director of NSOC Technologies for NetSec, states: "Nobody said there was a cutting-edge new tool out there. We just found definitive evidence that several thousand machines fell victim to a slightly modified version of an old tool."
Well then, why the press release -- complete with extensive background on a previously unknown company? Why give the Trojan a new name, Serbian Badman Trojan, when it was already known as the SubSeven Trojan? If the company discovered a potentially dangerous situation with regard to a known Trojan, wouldn't it have been more appropriate to alert the virus vendors or at least check the signatures with them?
Rain Forest Puppy was also criticized when he released details about finding a backdoor in a Microsoft product that was activated with the phrase "Netscape engineers are weenies!"
The difference is that what RFP discovered actually was new and he gets no financial benefit from hyping an exploit. RFP has since written a policy "to establish a guideline for interaction between a researcher and software maintainer."
While NetSec's motivations for alerting the media to an old Trojan may be debatable, there are people who obviously benefit by exploiting FUD (fear, uncertainty, and doubt). Lew Koch recently reviewed Winn Schwartau's book, Cybershock: Surviving Hackers, Phreakers, Identity Thieves and Weapons of Mass Destruction.
Schwartau is either a respected information security professional or a self-promoting charlatan, depending on whom you talk to. An earlier book of his, Information Warfare, was generally considered to be a good wake-up call to managers about potential problems. His latest appears to be, well, more of a shrill scream for attention.
A bit of sensationalism is sometimes necessary to get the appropriate resources to address a problem. If no one raised an alarm about the Y2K problem, would management have devoted the necessary resources to fixing it? Granted, that particular alarm went way overboard, but that doesn't change the fact that there was a problem that needed attention.
Sometimes a little hype is a good thing. Too much, though, will eventually backfire.
The sky isn't falling. Or is it?
About the author
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area.