nanog mailing list archives

Re: Blackworm numbers


From: Martin Hannigan <hannigan () world std com>
Date: Wed, 25 Jan 2006 19:26:05 -0500 (EST)


Well, let's hope we can watch the Super Bowl in peace -- I'm
turning my pager & cell phone off anyways. :-)

I'm going for Steelers. You? I've got a couple of fresh 
Maine Lobsters and Union Oyster House chowdah to put up 
if you're interested in a wager.

[ Removed my name from the subject. I like it in lights, but
  I've had enough for today! :-) ] 

In any event, as Alex Eckelberry writes over on the Sunbelt
Software blog, "...we’re now seeing infestations for the
Blackworm worm (aka KamaSutra) getting close to 2 million.

"Yesterday it was at close to 700k. 

"Of course, it’s possible that this URL has gotten out to
the public, which would increase the count (simply hitting
the website increments the count by one).  However, to my
knowledge, this URL is only known in the security community.

The URL is out all over the place.

"Remember that this worm has a very destructive payload. Even
if you discount the number here, you’re still looking at a
significant number of people who will suffer potentially
devastating data loss."

I couldn't agree more.

People without A/V? How sad can you feel? I don't want anyone
to lose data, but I bet a bunch of people buy A/V as a result.
That's good.

Check out this story where it was downplayed:

http://www.eweek.com/article2/0,1895,1915070,00.asp

http://isc.sans.org/blackworm
Further, our reports lead to SANS ISC temporary URLs for each AS.

http://isc.sans.org/diary.php?storyid=1073 - but really, do you
consider this to be a huge issue that we should prepare to be on
call over? 

SANS (http://isc.sans.org/infocon.php) and Symantec (http://www.symantec.com/index.htm)
are both at their normal threat levels.

The point I was trying to make before the thread went, East?, was 
that there is a perceived problem in the security community with 
appropriate response. I'd tell you how I think that could have
been avoided, but then my name would go up in the subject again.
*cough full disclosure* 

Off the top of my head I think the security trust landscape
today looks like this. I base this on participation, people
I know participating, comments I hear at the NANOG water bubbler,
etc. and they are nothing but personal opinions.

SANS - Trusted, good reputation growing
NSP-SEC - neutral since it's a collective of people+groups
skitter15 - untrusted, but trusted when info leaks. (too long to explain)
PSIRT - trusted, borderline. 
US-CERT - trusted for NA matters, w/other certs
UK-CERT - trusted for EU matters, w/other certs
IL-CERT - no comment
DA - untrusted
TISF - untrusted, new, etc.
CERTs at large - Neutral, has to be case by case
Carrier Security Groups - Trusted for matters of their own
MSS - Neutral
AV - Trusted
Software Vendors - Neutral
Hardware Vendors - Untrusted, case by case 
        Force 10 - Trusted
        Juniper - Trusted
        Cisco - Neutral, case by case
Team-Cymru - Trusted case by case
SecuriTeam - Untrusted, untested

This isn't a popularity contest, so I'll leave individuals
off of my list, but you can probably guess who in most cases
including using some of the notes above.

-M<
