The good, the bad and the scary

By Mariette du Plessis, Events Programme Director
Johannesburg, 10 Feb 2006

After all the warnings and headlines, the much-anticipated Kama Sutra (Nyxem.E) worm turned out to be a wet blanket. Even though it caused very little actual damage, it reportedly still infected between 469 507 and 946 835 systems from 15 January to 1 February.

The worm was designed to overwrite several document types, including Word and Excel files, on infected systems on the third day of every month, beginning last Friday (3 February). It spreads through spam e-mail messages promising pornographic pictures.

This particular strain of malware is considered rather rare, because infected systems make a single call back to a Web site, providing the worm author and researchers with information about its proliferation.

Patching worms

On the subject of worms, it seems not all worms are created equal - or bad in this case. According to the New Scientist, a new generation of "beneficial worms" will be developed in the near future and will spread rapidly through networks, patching machines before a malicious worm can attack.

The technology is already in use as so-called "patching worms", which are sometimes developed by virus-writers to try to stop the spread of worms deployed by their rivals.

Legitimate users, however, have been wary of unleashing patching worms, also called nematodes, because they are difficult to control, raising fears that the originator would be liable if one were to crash computers it was designed to patch.

Perhaps the idea of a patching worm is not so far off base, considering new research from Telewest that suggests UK consumers will spend a collective £3 billion dealing with virus attacks and the after-effects.

Apparently, according to the survey, which polled 1 395 people, over a quarter of PC owners questioned admitted to ditching their PC and buying a new one rather than paying to have it cleaned up.

As stupid as stupid can be

Unfortunately, while we might soon be able to use good worms to fight off the bad ones, there will never be a patch for stupidity.

This week The Boston Globe and the Worcester Telegram & Gazette inadvertently attached the credit card numbers of more than 200 000 subscribers to newspaper bundles.

How on earth did they do this? Well, they were so keen to recycle used paper that they accidentally reused discarded internal reports, which contained the full credit card numbers of subscribers, to produce more than 9 000 routing slips for bundles of an edition of the Worcester Sunday Telegram that was distributed to retailers and carriers.

Imagine if consumers were able to claim "stupidity" damages from companies like The Boston Globe - there definitely would be several insurance firms going bankrupt every year.

Some might see the US Department of Homeland Security's Operation Cyber Storm as equally foolish, but I personally applaud this gutsy move.

Apparently, critical sections of the US IT infrastructures will come under attack this week as part of Operation Cyber Storm, a global penetration test to assess how vulnerable the nation is to online attack. The exercise will be global in scale and include targets in the US, UK, Canada and Australia.

The US National Cyber Security Division is funding the testing programme, which will see large-scale cyber-attack tests conducted on financial, IT, energy, transportation and telecommunications sectors.

I wonder if the South African government will ever be so brave as to give hackers carte blanche on attacking the likes of Eskom, ABSA, FNB and so on?

Browser glitches

The security glitch award of the week goes to Microsoft, which was kept busy patching new vulnerabilities in the Internet Explorer 7 (IE7) browser just days after its release and fixing the Windows Meta File (WMF) image format, which reportedly affects older IE versions.

ITWeb Security Summit 2006

At the ITWeb Security Summit 2006, from 8 to 9 March, top international security experts from MasterCard International, Gartner, Microsoft, Symantec, McAfee, Cisco, Check Point, Computer Associates and OpenHand will join forces to help you understand the insider threat to your business, as well as the strategies, technology and processes most effective in dealing with this changing threat environment.

In two separate keynote sessions at the conference, well-known author and ex-hacker Kevin Mitnick will also offer an exclusive insider's view of the low-tech threats to high-tech security, with advice for preventing "social engineering" hacks and how to mitigate the risk that wireless networks pose to sensitive corporate data.

More information about the conference and delegate bookings are available online at www.itweb.co.za/securitysummit or by contacting Denise Breytenbach at (011) 807-3294 or denise@itweb.co.za.

In the case of IE 7 beta 2, a denial of service bug apparently creates a means for a hacker to crash the software and potentially execute arbitrary malware on PCs running the code, according to security experts.

While Microsoft confirmed the bug does crash IE 7, it maintained the bug was not exploitable by default to elevate privilege and run arbitrary code. Of course, Microsoft also argued the bug was difficult to exploit and wasn't the subject of hacker attacks.

Now if that's not asking for a mass onslaught of denial of service attacks - Microsoft should know better than stating hackers aren't smart enough to exploit its holes!

As for the new WMF flaw, which exists in IE 5.5 running on Windows 2000 and IE 5.01 on Windows ME, it apparently allows an attacker to take control of a system through a specially crafted WMF image posted on a Web site or sent through a spam e-mail.

This time, Redmond's response was that only about 5% of the world's computers run IE 5.

Browsers are definitely a favourite pastime for malware writers. Mozilla's Firefox browser recently also came under attack, prompting this week's release of patches for eight vulnerabilities that had severity ratings ranging from "low" to "critical".

The critical flaw could allow attackers to instruct a system to perform certain tasks on start-up without the user's permission, effectively allowing control of the system. The update also includes a fix for a vulnerability that was published in December, in which an attacker could prevent Firefox from running altogether by "poisoning" one of the application's log files.

Microsoft cares

This week Microsoft also made the headlines when it confirmed plans to launch its OneCare security suite for consumers and small businesses in the US this June.

OneCare provides anti-virus, anti-spyware, back-up software and system maintenance and performance tools, as well as a two-way firewall that will filter incoming and outgoing traffic.

Microsoft calls its software an "automatic and self-updating PC care service" - subscribers will receive anti-virus and firewall protection updates, "PC tune-ups" that help maintain the performance and reliability of PCs, back-up and restore capabilities, and help and support.

Microsoft's introduction is expected to upset the current balance of power in the consumer security software segment.

The largest providers are currently Symantec, McAfee and Trend Micro, which charge $69.99, $69.99 (about R430.00) and $49.95 (about R305.00) a year respectively for products similar to Microsoft's.

OneCare reportedly will cost $49.95 a year including updates and users will be able to run the software on up to three computers.

Interestingly, analyst firm Gartner suggested late last year that Microsoft could significantly undercut the incumbents' prices by charging as little as $15 (about R92) per user per PC. At the time, Gartner predicted anti-virus prices would drop about 10% per year over the next few years.

Mobility woes

If this week's security stats don't scare business into action, then I don't know what would. A European survey, conducted across the UK, France and Germany, states that companies regard data security as a lower priority than the security of the rest of their IT systems.

Some 66% of organisations listed their networks, servers and applications as a security priority, but only 15% listed corporate data, and just 6% said the security of their databases was a priority. Roughly 50% said they would have difficulty making data available if they kept it secure.

Yet, new research released by Symantec reports that the average laptop could contain data worth almost $1 million and that some could store as much as $8.8 million in commercially sensitive data and intellectual property.

The same research also shows that only 42% of companies automatically back up employees' e-mails, where much of this critical data is stored, and 45% leave it to the individual to do so.

Frightening stuff indeed.

Sources used: ITWeek, ZDNet, The Register.