
Comment When the payload drops, even Linux users care! (Score 5, Insightful) 285

If the payload for all of these infected hosts affects traffic across the Internet, even Linux users may care about this issue. Don't be lulled into apathy; this is a powerful, dynamic and capable threat with some very advanced coding and routines. The developers know how to optimize their threat and squeeze a ton of trouble from its deployment. It now sits in a rather powerful position, depending on how they intend to use it. You can catch scanning hosts on your internal networks using listeners on port 445 from Linux boxes without Samba. Tools like netcat or our own HoneyPoint applications have proven great at finding active hosts. If you identify any in your environment, remove them immediately. The fewer zombie systems Conficker has to utilize, the better!
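The port 445 listener idea from the comment above, as an added example that is not part of the original comment or of any tool it names: a Python listener for a Linux box with no SMB service, which logs every source that connects. The `max_conns`, `ready` and `log` parameters are hypothetical hooks introduced here for testing.

```python
import socket
from collections import Counter
from datetime import datetime, timezone

SMB_MAGIC = (b"\xffSMB", b"\xfeSMB")  # SMB1 / SMB2+ protocol IDs


def classify(first: bytes) -> str:
    """Label the first bytes a peer sent. Direct-TCP SMB on port 445 puts a
    4-byte length prefix ahead of the protocol ID."""
    if not first:
        return "connect-only"
    return "smb" if first[4:8] in SMB_MAGIC else "other"


def run_listener(port=445, host="0.0.0.0", max_conns=None, ready=None, log=print):
    """Accept TCP connections, log each one, and count hits per source IP.

    Nothing is served: on a box with no SMB service, every connection to
    this port is unsolicited, so each source deserves a look.
    max_conns and ready are hooks for testing (hypothetical names).
    """
    hits = Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))  # binding 445 needs root or CAP_NET_BIND_SERVICE
        srv.listen(64)
        if ready is not None:
            ready(srv.getsockname()[1])  # report the port actually bound
        while max_conns is None or sum(hits.values()) < max_conns:
            conn, (peer, sport) = srv.accept()
            with conn:
                conn.settimeout(2.0)  # never let one peer stall the loop
                try:
                    first = conn.recv(64)
                except OSError:  # timeout or reset: treat as no data
                    first = b""
            hits[peer] += 1
            stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
            log(f"{stamp} src={peer}:{sport} kind={classify(first)} count={hits[peer]}")
    return hits


if __name__ == "__main__":
    run_listener()
```

The per-source count separates a single stray connection from a host that keeps probing.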

Comment More to come (Score 1) 83

This trend will only continue as the barrier to entry continues to drop. More and more attackers become resourced enough to perform DDoS and other assaults against online security, while at the same time, it gets easier and easier to obtain the tools, techniques and knowledge to perform the attacks. As those two curves intersect, these attacks will continue to grow. Cybercrime as a service also plays into this and generates an underground economy that can come to bear on these attacks as well. While I don't think we need to worry about any kind of cyber-war or that hype, attack frequency and gross assaults of large proportion will likely continue to grow for the foreseeable future.

Comment Do we need more point solution laws? (Score 1) 29

I think that instead of all of these point solution laws that we keep passing aimed at specific facets of the consumer data protection process, we should put together a working group to pass a comprehensive law that addresses the real root problems. Such a comprehensive approach could address items such as time to live, how data may be used/mined/obtained, information protection requirements, privacy and notification mechanisms and responsibilities for all parties concerned. Maybe if we take a wider, deeper look at the real problem, we can find ways that the law could really help protect consumers instead of just giving PCI Council, attorneys and others more "buttons to push". I am a big supporter of addressing the real root of the problem, but the legal and regulatory landscape around data protection and privacy is already so confusing for average organizations, that while loaded with good intention, anything less than a comprehensive approach at this point is likely to make the situation more difficult. Legal approaches also need to consider that according to the Verizon breach report for 2009, around 66% of all breaches happened around data that organizations didn't even know they had and 75% of breaches were identified by third parties outside of the victim organization. Until we can establish legal requirements that tie security groups to lowering those numbers, in my opinion, all else is likely to fail anyway.

Comment Just be honest and forthcoming! (Score 2, Insightful) 685

Symantec, if you made a mistake, just admit it. Let people know and tell them about the issue, the controls you put into place to fix it and the mechanisms you enacted to ensure that it does not happen again. Mistakes happen, and people will understand, if you are honest and forthright. But, if you keep dodging the issue and there really was something there, you can rest assured it will come to light and then people really will be angry and question their trust. Do the right thing. Tell people what happened, right away!

Comment More attention to security? (Score 1) 208

I just hope that the new CIO pays more attention to the growing needs of American companies and consumers around information security. Today, we have a myriad of standards, legal requirements and regulatory guidance, but little that has truly helped protect consumer private data and trade secrets. Maybe this new CIO will help focus more attention to securing our national information infrastructure!
