Digg this story   Add to del.icio.us  
Celebrity Viruses Improve Security
Adam O'Donnell, 2009-04-21

Every so often, a computer virus becomes more than just a novelty for anti-virus researchers and moves into the consciousness of the mass media, even if it's not a grave threat.

The recent Conficker outbreak is a fantastic example of this. While only a small fraction of all PC users were infected with the worm, a great deal of media coverage was devoted to the outbreak. Any user affected by Conficker was likely already compromised by the time they heard about the threat, as users with infected systems were already not performing proper digital hygiene, such as keeping machines fully patched. The virus's payload was not initially destructive, rather it contained an auto-updating routine that became even more sophisticated after April 1st.

Nevertheless, the hype did help. Concerned users ended up cleaning up their systems from a multitude of other malware, even if they have never encountered the Conficker worm itself, leaving the overall population of systems cleaner than they were previously.

It would be easy to level charges of alarmism at the security vendor community for fueling the Conficker coverage. I believe, however, that the net outcome of raising the awareness of what is essentially the public health of the Internet by calling attention to a potentially frightening, but statistically uncommon threat, is worth the occasional media hyperbole. Sometimes, computer virus hysteria is good for us.

Once upon a time, home and business users were well aware of the impact of computer viruses. Many of them either directly experienced or knew someone who experienced the destructive power of computer viruses, and users who went through the pain of having a virus wipe our their system created backups and kept their anti-virus software up to date.

Yet, things have changed.

Save for spam, we rarely work with threats that are immediately evident to the end user. Modern viruses don't purposely destroy people's systems any longer. If anything, modern malware works as hard as possible to mask its presence from end users, and any indication of its impact is heavily decoupled from the original act that brought the infection.

For example, a desktop can become infected with a keylogger tuned to look for credit cards after its user attempts to install a bogus web video codec. When the bank calls several months later to report that the card has been used in several suspicious transactions, the card holder has no reason to suspect that the card's compromise was caused by the fake video codec software installed months before.

Modern malware is efficient, quiet, and lulls users of systems it compromises into a false sense of security. To counteract the lack of awareness of common but under-appreciated security issues, we must use every opportunity presented to us to educate consumers about computer security threats, even if it involves frightening the population about uncommon threats.

The media has frequently spurred public awareness of threats other than those in computer security. Take public health: In 2000, Katie Couric underwent a colonoscopy on television with the hopes of encouraging the viewing public to follow her lead. Doctors saw a statistically significant increase in the number of voluntary colonoscopies over the course of the next nine months, leading researchers to coin the term the "Couric Effect" to describe the improvement in preventive health compliance. Seeing someone famous get sick drives us to the doctor.

The net result of the localized increase awareness about a specific disease is that the public becomes marginally healthier by being persuaded into doing what they know they should have done in the first place: Performing regular maintenance on their body to screen for illnesses that may not cause problems for years to come. Most doctors would not screen for a specific illness without performing a general workup. Often other problems are uncovered during the course of the examination that would never have been spotted if the patient wasn't inspired to go to the doctor in the first place.

Similarly, even consumers worried about the wrong computer threats can still improve their security. Much as the average patient benefits by adhering more closely to medical checkup guidelines after hearing about a television personality's experiences, the average computer user benefits by stepping up their security measures to prevent a headline-making worm, even if they aren't affected by it. Like an individual with borderline obesity and high blood pressure going to the doctor to check for the West Nile virus, computer users' digital health improves as long as something drives them to perform regular maintenance.

Repeated media-driven scare events that drive point actions to address an issue doesn't fix anything in the long term, be it in public health or in computer security. Patching a desktop irregularly and visiting a doctor sporadically is not preventive maintenance. We need to capitalize on these opportunities to educate the populous into going beyond fixing what is the problem of the day and instead engage in what is recognized as proper hygiene. In the end, running backups, applying patches, and keeping anti-virus products up to date should be as routine as brushing your teeth.

Adam J. O'Donnell, Ph.D. is the director of emerging technologies at Cloudmark, an anti-messaging abuse company. He has worked on several books, serving as the technical editor and contributor to "Building Open Source Network Security Tools," a contributing author on "Hacker's Challenge," and co-author of "Hacker's Challenge 2".
    Digg this story   Add to del.icio.us  
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus