Conficker and the Boy Who Cried Wolf Syndrome

By Matthew Harwood

Security researchers fear that the alleged decision of Conficker's designer, or designers, to not activate the worm on April Fool's Day will desensitize average computer users to very real threats of malware churning throughout cyberspace.

The worm, which exploits a well-known vulnerability in Microsoft Windows, may have infected as high as 10 million computers, although recent estimates from IBM have reduced that number substantially. Security researchers feared that a code update on April 1 may have activated the worm, creating a vast army of "zombie" computers, or botnets, that could steal personal information or wage a huge distributed denial of service attack (DDoS).

But the digital equivalent of a mushroom cloud never appeared on the horizon, and security researchers worry that general fear may transform into antipathy.

CNet reports:

But just like the boy who cried wolf too many times or Chicken Little after the sky didn't fall, the experts said they worried that conflated expectations that are not met could mean people will ignore legitimate threats in the future.

Simple concepts of good and bad are easy to understand, while complicated issues and relative conditions, which underpin security, aren't. For instance, Dan Kaminsky, director of penetration testing at IOActive, said he often finds himself trying to talk people down off of one of two "ledges" of thinking.

"It's either 'nothing is going to happen', and that's not true, or it's 'the world is coming to an end and computers are going to explode in some technological Ebola equivalent,' and that's not true either," he said, echoing comments he made in a post on his blog. "Concern, but not panic, is really the appropriate engineering response to the problems of this nature. But concern doesn't sell nearly as well as panic."

Security experts have criticized the media-driven hype surrounding Conficker, particularly a segment on 60 Minutes that said the worm could "disrupt the entire Internet." But as The Washington Post's Brian Krebs writes, the threat from Conficker hasn't gone away:

All of that said, the truth is that the threat from Conficker is as real today as it was three days ago on April 1: The worm's author(s) could easily decide to wait until everyone's guard is down to instruct all infected systems to update themselves with additional malicious components, or to attack some target online or start blasting spam.

Whether or not the threat from Conficker is justified, security researchers say computer users need proactive rather than reactive security. The basics are simple. Keep your antivirus software and firewall up-to-date, do not click on suspicious links in e-mails, and install any recommended patches from your software providers.

For those still concerned about the Conficker worm, click here for DHS recommendations.


View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.