nCircle.com >> 360 Security


Has the world changed?

Alan Shimel made an interesting comment in response to Mike Murray's response to Alan's and others' comments in the wake of MS06-040. He said, "I think the world has changed for these type of exploits," in reference to the absence of a genuine full-blown, Sasser-esque worm exploiting MS06-040. I was tempted to dismiss this out of hand as apologist nonsense, but it caused me to wonder: why hasn't such a worm materialized (yet)?

Call me cynical, but I have a hard time believing that the world is a kinder, gentler place than it was two years ago. For criminal elements, organized or otherwise, a wormable exploit is an opportunity for profit. Yet this "perfect storm" vuln is only getting worked over by a lousy spambot engine?

One possible answer: Yes, the world has changed. If a worm is released, (almost) everyone will patch their systems. People have started to "get" patching. But the gains ($$$) to the worm creator will be minimized by a rapid response from a maturing security industry.

However, if there is no worm, then fewer systems would be patched. Thus more systems would be vulnerable to compromise via targeted attacks with a potential for greater payoff. Anyone have a better theory?

As the security industry matures, we must never forget that our adversaries are maturing too.

Comments (4)

terlin:

I think this discussion really revolves around 'profit' and its definition. In the past, the motivation for writing a worm was to do damage. Profit, for the worm author, was defined as damage. This speaks to the good ol' ego motivation that previously haunted every commentary about 'hackers.' That motivation, however, has changed. As vulnerabilities become avenues for getting cold hard cash, the more traditional criminal element enters the picture and profit gets re-defined as $$$.

A destructive worm doesn't yield this kind of profit. The more criminals see electronic exploit as a means to money, the fewer large scale destructive worms we'll see. That doesn't mean the danger is gone. Quite the contrary. Bigger profit opportunity means better funded criminals, which means more sophisticated attacks. Are you looking over your shoulder yet?

rbarrett:

Exactly. :)

Not sure if you read my original article on this, but my comment on the world changing is not at all that it is a kinder, gentler place. The world has changed in that we are not dealing with kiddie scripters or hacker gangs that measure their chops based upon how many web sites they deface or bring down or how big the worm they wrote spreads, as much anymore. Like Terlin above says, today's cyber criminals are all about profit. SHOW ME THE MONEY, and I will show you where the hackers today are. This presents us, as security vendors, with new challenges to confront, new foes to fight and will demand our very best.

terlin:

So what does this change do to the process of assessing the risk a vulnerability presents? It used to be that 'worm' was the keyword for 'most likely to be exploited.' In other words, when a condition is incorporated into an automated exploit, it presents more risk than when it's not. If, however, financial profit has supplanted impact as the major motivator, then 'wormable' vulnerabilities should *decrease* in probability of exploit and conditions that present an opportunity for data theft should increase. In other words, the probability of exploit is shifting from those that compromise availability to those that compromise confidentiality.

Or perhaps they're different measurements, since an automated exploit that performs wide-scale data theft would be the most likely to be exploited.


About

This page contains a single entry from the blog posted on August 22, 2006 6:57 AM.
