We all know it’s going to happen and probably sooner than later; spammers will figure out that people are panicking about swine flu and they’ll start registering domain names and sending out email offering the latest information and drugs guaranteed to stop swine flu. I’m actually surprised that it hasn’t started already, but I guess even spammers take the weekend off occasionally.
There are a few fairly simple steps you can take to protect your users from being taken in by this spam. First of all, inoculate them by giving them real information about the swine flu. Stephen Northcutt has written up a pretty good post with lots of links to important information like what influenza really is and what steps people should be taking to prevent the spread of the flu. Here’s a couple major hints: wash your hands often and stay home if you’re sick.
The second step you can take is to keep an eye on the Internet Storm Center. There hasn’t been much activity in the spam arena around swine flu, but the guys at the ISC will probably be some of the first to let us know when it starts. It’s not a question of if we’ll get spam related to the current public panic, so keep your eyes and ears open to prevent your users from getting taken in.
The third thing I can’t suggest highly enough is don’t panic. There’s a lot of media hype around the swine flu, but the reality is, this doesn’t yet appear to be anything much more than our annual round of the flu. True, it could turn into a lot more and we don’t yet have a vaccine for this strain, but relatively few people have died and most of those appear to be people who were already in a weakened state. Plan, know what you’ll do if things do turn out to be worse than they appear, but do so in a calm, reasoned way. Think of this as another incident response drill where you need to think about the steps you’ll need to take well in advance and you’ll be fine.
Update: Looks like the spammers started some time early this morning: Swine Flu spam from McAfee Avert Labs Blog
I’m the first to admit that my own direct experience at forensics is limited, but what I’ve seen has always been done using a set of tools collected and mastered by the individual responding to the incident and that any framework surrounding the response has been developed through experience. It’s hard work that takes a very specific skill set that only a limited number of individuals have. I don’t have those skills and admire those who do.
I had a chance to sit down on the show room floor at the RSA Conference and talk to Dave Merkel about Madiant’s ‘red box’ Intelligent Response (MIR). Intelligent Response allows the forensics responder to collect important information from a large number of hosts quickly, and more importantly, consistently. Once the vector of infection or attack has been identified, MIR can be used to scan the systems with very specific instructions, allowing the specialist to find other compromised systems quickly and with a high degree of confidence.
Dave Merkel and I talk about how Madiant works as well as his opinions about recent news of breaches and compromises. If anything, Dave thinks some of the reports on SCADA compromises may be under reported, something that really makes me worry.
NSP Microcast RSAC 2009 – Dave Merkel from Madiant
This is me letting go a huge sigh of relief. The Security Bloggers Meetup is the one event I look forward to more than any other at RSA and at least as much as any event at the security conferences I attend. But it’s a huge amount of work, a lot of stress and when it’s all done, there’s a huge burden lifted from my shoulders. Which is why one of my first thoughts after the party was over is to begin the planning for the RSAC 2010 Security Bloggers Meetup.
The Meetup went almost flawlessly, with the exception of the streaming video of the Social Security Awards; for various reasons I was unable to log into uStream or reset my password, therefore the video had to be scrapped at the last minute. However, we were able to catch all of the event on high quality video and will be putting the Social Security Awards and over a dozen other video interviews up on YouTube over the next few weeks.
I don’t know what the official count on attendees was, but we had nearly four times the space this year that we had last year and we were still fairly crowded together. There was enough room for people to separate a little for private conversations, but not much more. Most importantly though was the fact that everyone I’ve talked to so far who went had a great time at the event.
A huge congratulations to the winners of the Social Security Awards last night! PaulDotCom won the Best Podcast Award, the crew at the SANS Internet Storm Center won the best Technical Blog award, the best Non-Technical Blog went to Richard Bejtlich of the TaoSecurity Blog, Sunbelt Security won the Best Corporate Blog and Mike Rothman from Security Incite won the Most Entertaining blog. Now we just need to get Mr. Rothman to start posting again.
A big thanks to my fellow committee members who made last night possible. Rich Mogul, Sonya Caprio, Alan Shimel and Jeanne Friedman all put in a lot of hours making this happen. But the woman who deserves the lion’s share of the credit is Jennifer Leggio. Without Jennifer, the Security Bloggers Meetup wouldn’t have happened! So if you see Jen somewhere at RSA or encounter her elsewhere, give her a big thank you for putting on the Security Bloggers Meetup.
Rich and I tried our best to get a podcast recorded and posted last night, and we were partially successful; at least we got the podcast recorded. But the editing and posting part was well beyond my capabilities once I got back to the hotel room last night. But it’s here, bright, shiny and new first thing in the morning.
RSA has been a hectic and exhilarating event so far, and the best part is yet to come! Rich and I had just finished our panel discussion, Avoiding Security Groundhog Day, and were joined by Rich’s partner at Securosis, Adriane Lane. We found the quietest spot possible at RSA, which happened to be the near the top of the escalators. Yes, quiet space really is that rare at RSA.
Network Security Podcast, Episide 147, April 21, 2009