Information Security News mailing list archives

Viruses and Worms: What Can We Do About Them?


From: InfoSec News <isn () c4i org>
Date: Mon, 22 Sep 2003 01:56:05 -0500 (CDT)

Forwarded from: security curmudgeon <jericho () attrition org>

http://www.cert.org/congressional_testimony/Pethia-Testimony-9-10-2003/

Testimony of Richard D. Pethia
Director, CERT Coordination Center

--

Quoted material from the testimony.

 | We activated the center in just two weeks, and we have worked hard
 | to maintain our ability to react quickly.

I think there is little room for debate when it comes to questioning
CERT's response time for releasing advisories on vulnerabilities.
There have been cases where CERT releases an advisory on a remote
vulnerability *years* after it has been widely exploited. Even these
days, they release shoddy advisories lacking technical details
days/weeks after the issue is brought to light.

 | Today, with continued sponsorship from the Department of Defense and
 | from the Department of Homeland Security, we continue our work and
 | disseminate security information and warnings through multiple channels

Nice of them to remind us that our tax dollars fund them. What they
neglect to tell Congress is that these multiple channels include some
that go to specific vendors/customers long before they are made
public. CERT continues to distribute this advanced information knowing
that there is a well established leak that in turn publishes the
information anyway. These channels are maintained despite the wide
exploitation of vulnerabilities affecting *millions* of computers on
the net.

 | Impact of Worms and Viruses
 | In the 2003 CSI/FBI Computer Crime and Security Survey...
 | The Australian Computer Crime and Security Survey found similar...
 | damages are estimated to be .. (Business Week, the London-based mi2g..

Great, Congress is going to listen to these extensive damage figures
from an "expert" who is citing other "experts" that generate computer
crime and damage figures from glorified sewing circles. The CSI/FBI
survey has consistently polled around 350 companies and asked them for
incident number and damages. They don't care who answers from these
organizations, nor do they care what figures they receive back. The
statistical value of this survey according to some
statisticians/economists is basically worthless. Better yet, he goes on
to cite the FUD Mongering mi2g company who is well known for their
drama filled advisories and lack of ethics.
(Vmyths: http://vmyths.com/resource.cfm?id=64&page=1, Forno:
http://www.infowarrior.org/articles/2002-12.html, Attrition:
http://www.attrition.org/errata/charlatan/mi2g-history.html).

 | There is nothing intrinsic about computers or software that makes them
 | vulnerable to viruses.

...

 | Recommended Actions  What Can the Government Do?
 | Provide incentives for higher quality/more security products.
 | (read the two paragraphs)

YAY, CERT finally uses its influence and voice to say something
worthwhile.

 | Information assurance research.
 | More awareness and training for Internet users.

Hrm, what did CERT say it did in the intro?

 | we identify and publish .. , conduct research ..
 | and provide training to system administrators, managers, and incident
 | response teams.

CERT asking for money during Congressional testimony?



It's too bad there isn't more scrutiny placed on the people who testify 
before Congress. Hell, even Dan "the FUDmeister" Verton issued a press
release about testifying in the coming months.


More CERT reading:

CERT: The Next Generation
The Demise of the Internet's Last Objective and "Trusted" Organization
http://www.infowarrior.org/articles/2001-03.html

CERT Vulnerability Leaks
http://www.attrition.org/errata/sec-co/cert-04.html
http://www.attrition.org/errata/sec-co/cert-02.html
http://www.attrition.org/errata/sec-co/cert-01.html

Cashing in on Vaporware
http://www.attrition.org/security/rants/z/jericho.007.html

CERT Rides the Short Bus
http://www.attrition.org/security/rants/z/jericho.002.html



-
ISN is currently hosted by Attrition.org
