Security in the news: Events and non-events

April 1 passed without the massive attack by the much-anticipated Conficker Internet worm, but don't relax just yet.

True, the sneaky malware, which has gone through several evolutions since security experts first became aware of it, did not seize control of the nation's computers, perpetrate massive identity theft and bring down the Web. But the story might not be over.

"The network of Conficker-infected machines could still spring to life and be used for nefarious deeds," reports the Associated Press. "One scary element is that Conficker's authors have given the infected PCs peer-to-peer abilities, which allows them to update each other and share malicious commands through encrypted channels."

The scope of the potential problem remains a tantalizing mystery, but a number of security experts tentatively offered their best guesstimates last week:

  • One Internet infrastructure vendor, OpenDNS, reports that 500,000 of its customers, out of 10 million worldwide, have been infected with the most recent iteration, Conficker.c, the IDG News Service reports.
  • After monitoring network activity on April 1, IBM's security experts concluded that 4 percent of Internet addresses sending out malicious data are infected with the same variant, according to Computerworld.
  • Also from Computerworld: A security company based in Vietnam pegs the number of infected PCs at 1.38 million worldwide, of which only 2.6 percent are in the United States.

So why didn't the sky fall? Was the problem overhyped? Were the emergency patches successful? Was it an April Fool's Day joke? Or is the main event still to come?

"More likely the 'it's hitting on April 1' is a misdirection -- a pay-no-attention-to-the-man-behind-the-curtain kind of deal," writes InfoWorld blogger Robert X. Cringely. "Because these days no self-respecting worm author would actually tell you when his baby was planning to strike."

Meanwhile, technology experts are carefully monitoring activity in the Senate, which is considering legislation that aims to tighten up Internet security in government and industry.

The bill would establish a new advisory office in the Executive Office of the President, propagate cybersecurity standards for the public and private sectors, and improve training and certification programs for cybersecurity.

Also, as Network World noted, the legislation would give President Obama the power to shut down Internet connections in the event of a "cybersecurity emergency."

Some security experts "don’t think such sweeping power is good news for anyone, including private networks that could be shut down by government order," writes Network World's John Fontana. "Those same networks would be subject to government mandated security standards and technical configurations."

Others are skeptical of the federal government's ability to improve Internet security through brute force. "Security is an attitude, and it's hard to legislate attitude," Brian Chess, founder and chief scientist at Fortify Software Inc., told Computerworld. "It has more to do with understanding the impact of insecure software on the organization."

Some FCW readers also have their doubts. "Whatever happened to the checks and balances that our Constitutional fathers envisioned?" one reader, signing himself as "Disgusted," commented on our April 1 Web story. "This is yet another example of a knee-jerk reaction by uninformed bureaucrats who are clueless about cybersecurity, yet fancy themselves to be experts because they personally use a Blackberry."

Another reader shared similar sentiments in more graphic terms: "Can you imagine what a disposable diaper would look like if you charged the government with developing it?"