more on UK Gov't Warns of Massive Trojan Attack

[David Farber <dave () farber net>]

Begin forwarded message:

From: Richard Forno <rforno () infowarrior org>
Date: June 17, 2005 8:11:45 AM EDT
To: Dave Farber <dave () farber net>
Subject: Re: [IP] UK Gov't Warns of Massive Trojan Attack



(Dave is a security guy with a clue btw....he does some good FUD-Busting
here....rf)

------ Forwarded Message
From: David Kennedy CISSP <david.kennedy () acm org>
Date: Thu, 16 Jun 2005 17:20:42 -0400
Subject: De-hyping The NISCC Trojan Story

For your enjoyment.  Push to infowarrior if you wish.  I have no problem
with attribution.

[Before I cut the hype, I'd like to preface this note with a couple
other observations:  this incident gets worse the more we learn about
it and it might be an indicator of "what's next."  Last year was the
"Year of The Bot."  This year may well become know as "The Year of
Spyware."  2006 could be "The Year of the Targeted Trojan."  That
said, today's stories are just sloppy writing and thinking.]




> http://tinyurl.com/dvmjf

- - From the Globe & Mail:

> > > >
The NISCC says it has found 76 Trojan programs, and the IP addresses
on the e-mail carrying the Trojans come from the Far East.
<<<<

There is no evidence there are 76 different trojans.  What NISSC does
is they list the various aliases 9 different vendors use for the
trojan horse programs with a total of 76 lines of aliases, at least
two of which appear twice each.  The most by any one of those vendors
is Sophos' 18.  (and Sophos is based where?  Who's easy for the UK
press to get a quote from?)  Kaspersky calls out 17.  Panda calls it
only one.  One could conclude Panda is the most efficient at catching
them all with one sig.  One could conclude Panda only catches one and
something between 17 and 75 are not detected.  Without samples and
objective testing there's no way to tell what the number is.

Far East?  The known perpetrators, a London-based couple who have
already been arrested and incarcerated, may have used one of
thousands of spam e-mail proxies to broadcast messages carrying the
trojans, and happened to use one in East Asia.  Bouncing mail from
London through a proxy in, say, Guangzhou does not mean there is some
cabal of Cantonese spies behind this.

Bah...!

Again the Globe&Mail:

> > > >
NISCC says that nearly 300 British government departments and
businesses — including financial, health care, telecommunications and
transportation organizations — have been the subject of these
attacks.
<<<<

Holy crap!  300 victims!

Computer Weekly:

> > > >
The discovery has sparked a major behind-the-scenes operation by
NISCC to alert more than 300 government and private sector
organisations responsible for the UK’s critical infrastructure and
services, to introduce countermeasures on their computer systems.
<<<<

What?!  You mean there are NOT 300 victims, only that NISCC
distributed their warning to 300 organizations responsible for
infrastructure security?  The CERT Coordination Center at Carnegie
Mellon has been around since 1988.  I estimate their mailing list has
tens of thousands of subscribers.  Just by pushing out a bulletin
does not mean there have been tens of thousands of victims.

The facts of this incident could show this is a significant risk.
But those facts have yet to be revealed and critical thinking is
essential in parsing the facts from sloppy writing from journalists
desperate to please their editors and advertisers.





-------------------------------------
You are subscribed as [USER_EMAIL]
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/