Nimba is yet another example of how our lazy habits allow us to be attacked. 01/09/21 ReleVents hed: Security attitudes must change dek: Nimba is yet another example of how our lazy habits allow us to be attacked. by James Mathewson
My first reaction to news of the World Trade Center bombing was shock. “How could this happen?” I asked my brother Steve (ComputerUser’s art director), who first relayed the news to me. How could three different airports allow hijackings at the same time? How could we allow our airport security systems to become so vulnerable?
And as the investigation uncovers hundreds of terrorist sponsors and conspirators living in the United States for months and even years before the attacks, the question persists. How could our intelligence and law enforcement systems become so lax that we would let this underground network thrive all this time without some sense of alarm about its activities? At the very least, you would think the FBI, the CIA, the NSA, or the INS would have suspected something and alerted the FAA to beef up airport security before something like this happens.
These attitudes have led some of my smartest friends to suspect a conspiracy. The theory goes that we did know what was coming and we let it happen anyway to stir up public sentiment for military action. But, since I am not inclined to espouse conspiracy theories in the absence of evidence (actually I think the theory is pure B.S.), my explanations go in a different direction.
I think our natural tendencies toward alarm and self-preservation have been lulled to sleep by years and years of peace and prosperity on our own soil. Others in the world have not been so privileged–Israelis and Palestinians, for example. This false sense of security was so deeply rooted in our culture that we were not inclined to think of what could happen; we were inclined to assume everything would be OK unless circumstances prove otherwise, and our very way of life depended on this attitude. Because we were unwilling to consider the horrible things that could happen, we were unable to prevent them.
The possible exception to this was Y2K, about which many people became hysterical in considering every bad thing that could happen as a result of the date change. But when 2000 dawned without any major incidents, we reverted to our natural state of assuming everything would be OK unless circumstances proved otherwise. It’s a crying shame that the circumstances that proved otherwise came at such an alarming cost. Of course, the attitudes of considering all that could go wrong helped Y2K remediation efforts immensely. If we had not been so vigilant, 2000 would have come with calamity. While I wouldn’t want us to go so overboard again, we could use some of those worst-case-scenario attitudes today. The fact is, though September 11 shocked us into a sense of awareness of our vulnerabilities, we have not yet changed the attitudes that will determine our future safety.
A glaring example of this is the Nimba virus, which could have been prevented or defeated with free tools readily available on Microsoft’s Web site for months, as a news story on our site Friday describes. Only a little bit of effort and an attitude of vigilance was needed to prevent the kind of major damage the worm has caused. But, as some security experts claim, most companies still pay little attention to the security of their Internet systems.
Until now, lax attitudes about Internet security have not harmed companies all that much. Most of the hacks, Trojan horses, and viruses have been more nuisances than anything. But we cannot assume that the coming waves of security threats will be so benign. Nimba is one of a new generation of worms that can exploit a multitude of holes at once. But though its delivery mechanism is new, like its predecessors, its payload is not very destructive. Security people need to ask themselves what could have happened with a payload that reformats all PC hard drives in a whole company, or one that launches scripts that broadcast customer credit card numbers to e-mail addresses of known criminals, or the like. If they consider such horrific possibilities, perhaps they will prevent them before they become a reality.
James Mathewson is editor of ComputerUser magazine and ComputerUser.com.