I always use a simple equation when talking about security. It is all about the pain level, because until the pain level gets high enough to threaten the “gain” level, it is hard to make progress:
Pain = Threat x Vulnerability + Action
Conficker was a good example of this equation in action, especially when you think about how the US Department of Defense got hit. We knew more than 5 years ago about the vulnerability caused by auto-execution when portable media was inserted into a Windows PC. There were even threats, but not much action. We knew about the serious vulnerability posed by the flaw in the Server service in Windows (MS08-067) in October 2008, and threat code came out rapidly. Attackers added the action component to Conficker to take advantage of AutoRun and, voilà! The pain caused by AutoRun was finally higher than the gain.
There is a good post on Microsoft's Security Response Center blog about the changes Microsoft will make in Windows 7 to limit AutoRun from non-optical media. Note the loophole: "smart" USB devices that present themselves to Windows as CD drives (U3-style flash drives, for example) will still AutoRun, because the change keys on the drive type Windows sees, not on the physical medium. This fix is not yet available for Windows XP or Vista either; for those, Microsoft published (actually, republished, since the first approach didn't work well) a registry workaround that is a more acceptable approach than squirting glue into USB connectors or just telling users "Don't do that."
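The registry workaround for XP and Vista, as an added example that is not part of the original post and not Microsoft's own published script: the first function sets the two values that the republished guidance relies on (the NoDriveTypeAutoRun policy mask and the Autorun.inf IniFileMapping redirect), the second reads them back as a compliance check, and the third parses the Autorun.inf on a given drive and lists the directives that would cause code to run. The drive letter and the hardened-host assumptions (an elevated session on XP/Vista) are mine; the registry paths and values are the documented Windows ones.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes an elevated PowerShell session on Windows XP/Vista (works on later versions too).
$ErrorActionPreference = 'Stop'

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-Autorun {
    # 1. NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is disabled.
    #    0xFF sets every bit: removable, fixed, network, CD-ROM, RAM disk and unknown.
    #    Setting it under HKLM applies it to all users of the machine.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

    # 2. Redirect Autorun.inf parsing to a registry location that does not exist, so the
    #    file's directives are never honoured even when the policy bit alone was bypassed
    #    (which is why the first workaround had to be republished). This also covers the
    #    "USB stick that pretends to be a CD drive" case, since it is independent of drive type.
    if (-not (Test-Path $MappingKey)) { New-Item -Path $MappingKey -Force | Out-Null }
    Set-ItemProperty -Path $MappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunHardening {
    # Read both settings back; returns an object suitable for an inventory/compliance report.
    $mask = (Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $map  = (Get-ItemProperty -Path $MappingKey -Name '(default)' `
                -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        NoDriveTypeAutoRun = $mask
        AllDrivesBlocked   = ($mask -eq 0xFF)
        IniMappingRedirect = $map
        Hardened           = ($mask -eq 0xFF) -and ($map -eq '@SYS:DoesNotExist')
    }
}

function Get-AutorunDirectives {
    # Parse <drive>\Autorun.inf and return the keys that trigger execution:
    #   open=            runs a program when the medium is inserted
    #   shellexecute=    hands a file/URL to ShellExecute
    #   shell=           picks which custom verb is the double-click default
    #   shell\<verb>\command=  the command behind that verb (what "Open" really runs)
    # The Windows parser is lenient, so anything outside [autorun] is ignored here too.
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\' (assumed drive letter)
    $inf = Join-Path $DriveRoot 'Autorun.inf'
    if (-not (Test-Path $inf)) { return @() }
    $inSection = $false
    $findings  = @()
    foreach ($line in Get-Content -Path $inf) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection -or $t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^(?<key>[^=]+)=(?<val>.*)$') {
            $key = $Matches['key'].Trim()
            $val = $Matches['val'].Trim()
            if ($key -imatch '^(open|shellexecute|shell)$' -or $key -imatch '^shell\\.+\\command$') {
                $findings += [pscustomobject]@{ File = $inf; Key = $key; Value = $val }
            }
        }
    }
    return $findings
}

# Usage (elevated):
#   Disable-Autorun
#   Test-AutorunHardening
#   Get-AutorunDirectives -DriveRoot 'E:\' | Format-Table -AutoSize
```

The IniFileMapping redirect is the part that matters: the policy mask only tells Explorer which drive types to skip, so a device that enumerates as a CD-ROM slips past a mask that leaves the CD-ROM bit clear, while the redirect stops Windows from reading any Autorun.inf at all. Run Get-AutorunDirectives on a suspect stick before plugging it into an unhardened machine; an "open" or "shell\...\command" entry pointing at an executable on the stick is exactly what Conficker relied on.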
Imagine if automobiles had auto-run enabled! Or garbage disposals, ovens, blenders, etc…
John Pescatore