Bug Watch: crying wolf over viruses

Bug Watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Graham Cluley, senior technology consultant at UK-based antivirus company Sophos.

Let's play a game: what do the following all have in common?

• The Pokemon Pikachu virus
• The Liberty Palm Pilot Trojan Horse
• The Erap Estrada Philippines worm
• The Windows 2000 ADS streams virus
• The Nokia mobile phone freeze exploit.

Give up? The connection is that none of them posed a problem to the vast majority of people, and yet all were hyped by antivirus companies and other security vendors as a serious threat - and all within the last fortnight!

Viruses are now high-profile media stories, and it is easy to get coverage on the back of a new 'danger', particularly with the added attention which 'sexy' IT products such as Wap and personal digital assistants (PDAs) are garnering. Too many times we've seen vendors of antivirus products hyping up non-existent virus threats in an attempt to make a quick sale. It is time to say that enough is enough. Security solutions vendors must grow up!

I have lost count of the number of reports I have seen from supposedly sane experts in the computer virus field declaring the discovery of the first viruses to infect Palm computers, or the first mobile phone worms. The simple truth is that at the time of writing there are no viruses capable of infecting Windows CE, Psion organisers, Palm Pilots or even the latest Wap-enabled mobile phones.

But, I hear you cry, what's the problem with livening up the antivirus arena by leaping on the latest end-of-the-world-as-we-know-it bandwagon?

Well, the danger is that when there is a genuine serious threat to the majority of computer users, such as the Melissa virus or the Love Bug worm, they will ignore the warnings: "You told us it was the end of the world last week, why should we believe you this time?" So-called virus fatigue will set in and the very real, if less exciting dangers will be ignored.

Users slowly lose respect for those vendors which put their marketing money into scaring their customers witless about threats that may never emerge. The media itself will, no doubt, become equally cynical should a real virus for mobile phones or PDAs actually appear.

Obviously, customers want to receive simple, objective alerts when new viruses are discovered, even if they are non-threatening. But who does a press announcement hyping up the threat serve? Not customers, who would already have the information, and certainly not the public at large. These hyped announcements serve only the vendors which issue them, anxious to keep fear high and please their shareholders.

Next time you see a frenzied report about a new virus, ask yourself if it truly poses a threat to your organisation, or whether the vendor quoted is just trying to make the newspaper headlines.

Next edition: 22 September