Re: New article on SecurityFocus

["Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa () pacbell net>]

There was a list I saw of some of these 'legitimate' web sites and if 
one of my employees had surfed there I would have fired his or her rear 
end.  This would have been way casual surfing that even a home user 
would have a bit of a time stumbling over.  Add to that, that 98/MEs are 
not automagically infected... and what's the real and true number of 
infected machines?

What source do you have for "hundred of thousands of machines"?  Stats 
please?  Source materials?   Verifiable details so that others can count 
the same body counts?

If you are talking about just any ol' bot or trojan.... the ugly reality 
is that the average user doesn't know and doesn't care and will continue 
to surf and click until the machine becomes so slow and unusable that 
then they get it wiped and cleaned.

What we need here is education of why we shouldn't be blindly clicking 
like we are.  When you buy a new computer...where is the security 
education from the Best Buy or Dell?

But to say this is "It's probably bigger than for any other 
vulnerability we've seen" 
http://money.cnn.com/2006/01/03/technology/windows_virusthreat/index.htm?cnn=yes

Gimme a break... it didn't stop the Internet [SQL Slammer], it didn't 
shut down entire businesses [Blaster], but it did freak out the Security 
community.

Drew Simonis wrote:

> > Overall, I think community's coverage of wmf has been delivered 
> > with an ounce of perception, and a pound of obscurity.  It's almost 
> > as if people *want* it to be worse than it is.  I'm not surprised, 
> > of course.  But regardless,  my call is that we'll see a little 
> > activity here and there, the patch will come out, most will install 
> > it (or have it installed automatically) and the whole issue will 
> > fade away.  But that's all.
> >
> > We'll know for sure shortly, either way.
> >
> >    
>
> Thor,
> I think your path of thought is stuck a bit in the past.  Worms are neat as a technical exercise, but we see more and more that the attackers are increasingly aware of the value of these vulnerabilities from a financial perspective, not merely for notoriety.  As such, it benefits the attacker to have a less subtle attack, one that does not sensationalize the vulnerability.  Complacency is their ally.  
>
> That said, there are already numerous (hundreds+) "legitimate" web sites that have been compromised and had exploit images injected into their content.  There are also already hundreds of thousands of machines that have been infected with Trojans or bots.  These infected machines will patch, but they won't be safe, and the problem gets worse.  
>
> So no, there won't be some catastrophic worm event.  But I posit that what there will be could be much worse.  
>
>  

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------