Payment Card Security & IT Controls Explained

Entries from March 2009

Malware Controlled Systems are Pervasive

March 30, 2009


The number of computer systems in the world infected with malicious software is growing steadily and dangerously, both in raw count and in the range of uses their controllers put them to. This alone makes the public internet an extremely dangerous and unstable environment in which to conduct business. These infected systems threaten both consumers and businesses.

Consumer machines make up the majority of infected systems, so many of the common complaints – system errors, pop-up nuisances, identity theft, crashed applications, and generally slow network or processor performance – have some root in these malware applications. The infected systems threaten the integrity of, and confidence in, the digital environment.

Businesses are the major targets of these malware-infected systems. Their computing power is used to conduct coordinated attacks, act as gateways, harbor illegal transactions, and generally obscure the true origin of the attacker. The more these malware hosts grow in number, the harder it is for business operators to effectively shut down these attacks. Gone is the day of simply blocking Ukraine, Russia, and other non-customer regions. These systems threaten the integrity of business operations and can bring about insecure and out-of-compliance environments.

The utility of these vast networks of computers is only now being realized, as seen in the tools used by GhostNet and in the recently conducted distributed denial of service attacks. In addition, these systems allow an individual, business, or even a country to be framed by sourcing all of the attacking “guilty” systems from a specific country, such as China.

Businesses must work to secure their own operations, and greater efforts must be taken to solve the consumer malware problem. We need a “check-engine light” style of simple solution for consumers infected with malware.

The graphic/screenshot for this post is from an Agent interface pulled down from a major commerce site last week. Deadly and simple.

Kind regards,

James DeLuccia IV

Join me and the world at RSA 2009, where I will be speaking on Credit Card Security

Categories: Compliance

Passwords of 8,000 (700) Comcast Customers Exposed

March 16, 2009

Update: 3/17/09 – Comcast posted a comment to this article informing on the state of the “public” account information. Great news for Comcast customers, but it does stir questions regarding the other usernames and passwords – where are they valid? Regardless, Comcast gets kudos for attacking this problem both internally, with security precautions, and PR-wise, with knowledgeable individuals. Thank you for the update, and I am looking forward to a greater response from other parties.

Recently some individual uploaded approximately 8,000 usernames and passwords of Comcast users to Scribd. While the document has been taken down, the data is still very much in the wild, and any affected individual (or business) must absolutely change ALL of their account passwords ASAP. Unfortunately most individuals share passwords between websites, so it is key to remember good password policy:

  1. Always use difficult passwords
  2. Always rotate passwords
  3. Always retire passwords
  4. Always have tiered password structures – meaning have some passwords that are more difficult and regularly rotated on those accounts that are more important (bank accounts are obvious, but Comcast accounts would be on the top if you have set that email up as the default email account for your other web service accounts)
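The four rules above can be enforced mechanically. Below is an added example (not code from the original post, and not anything Comcast runs) that models them as a tiered password policy: stronger length and complexity requirements, shorter rotation periods and a deeper "retired password" history for the accounts that matter most, plus a rejection of any candidate that appears in a known breach dump, since a leaked password is no longer useful for authentication. The tier thresholds, the PBKDF2 work factor, the breached-password list and the sample account history are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import re
from datetime import date

# Constructed tier policy (assumption, not from the post): the more important the
# account, the longer, more complex and more frequently rotated its password must be.
TIER_POLICY = {
    "critical": {"min_length": 16, "min_classes": 4, "max_age_days": 90, "history": 12},
    "standard": {"min_length": 12, "min_classes": 3, "max_age_days": 180, "history": 6},
    "low": {"min_length": 10, "min_classes": 2, "max_age_days": 365, "history": 3},
}

ITERATIONS = 100_000  # PBKDF2 work factor; tune upward for a real deployment

# Constructed stand-in for a breached-password feed: SHA-256 digests of
# passwords known to circulate in public dumps. Only one entry for the demo.
BREACHED_SHA256 = {hashlib.sha256(b"password123").hexdigest()}

_CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def character_classes(password):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum(1 for pat in _CLASS_PATTERNS if re.search(pat, password))


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def check_new_password(tier, candidate, history):
    """Validate a proposed password against the tier's policy.

    history: list of (salt, digest, set_on) for previous passwords, newest first.
    Returns a list of policy violations; an empty list means the password is acceptable.
    """
    policy = TIER_POLICY[tier]
    problems = []
    # Rule 1: difficult passwords (length and character variety).
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if character_classes(candidate) < policy["min_classes"]:
        problems.append(f"uses fewer than {policy['min_classes']} character classes")
    # Breached data is no longer useful for authentication.
    if hashlib.sha256(candidate.encode("utf-8")).hexdigest() in BREACHED_SHA256:
        problems.append("appears in a known breach dump")
    # Rule 3: retired passwords must not come back within the tier's history depth.
    for salt, digest, _set_on in history[: policy["history"]]:
        if matches(candidate, salt, digest):
            problems.append("reuses a retired password")
            break
    return problems


def rotation_due(tier, history, today):
    """Rule 2: True when the newest password is older than the tier allows."""
    if not history:
        return True
    newest_set_on = history[0][2]
    return (today - newest_set_on).days >= TIER_POLICY[tier]["max_age_days"]


def sample_state():
    """Constructed sample: one prior password set on 1 Dec 2008, checked on 16 Mar 2009."""
    salt, digest = hash_password("OldPassw0rd!2008")
    return [(salt, digest, date(2008, 12, 1))], date(2009, 3, 16)


if __name__ == "__main__":
    history, today = sample_state()
    print("critical-tier rotation due:", rotation_due("critical", history, today))
    for pw in ("OldPassw0rd!2008", "short", "password123", "Tr0ub4dor&3-Comcast-2009"):
        print(repr(pw), check_new_password("critical", pw, history) or "OK")
```

The tier is the point of rule 4: the same candidate that passes as a "low" throwaway login fails as a "critical" one, and the account holding your primary email (the one every other site resets passwords through) belongs in the critical tier.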

Finally, continue to do as Kevin Andreyo did – Google yourself and keep a handle on your privacy.

Once data has been breached it is no longer useful for privacy, authentication, or authorization. It is good to see Comcast moving to clear out these insecurities, but this (sadly) is only the beginning of this drama.

A good question: how do compliance and security controls fall into this situation? Where is the incident response plan (here is a good start from the Source Boston conference), and how is management made aware of such occurrences? Meaning, did the CEO of Comcast find out via the New York Times reporter, or from internal resources? Communication is key.

Consider these impacts to your consumers.

Thoughts?

James DeLuccia IV

Join me and the world at RSA 2009, where I will be speaking on Credit Card Security

*BTW – The data referenced in the New York Times article and on Digg is still available online – after a bit of Googling I was easily able to find it and confirm its authenticity.

Categories: Compliance