Firewall Wizards mailing list archives
Re: The home user problem returns
From: Mason Schmitt <mason () schmitt ca>
Date: Thu, 08 Sep 2005 00:13:28 -0700
Kevin wrote:
> We take this a step further -- let all traffic that hits the blocks talk to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter, quarantine the source host.
>
> We just run a very basic IRCd, modified to generate a log event for each PRIVMSG, JOIN, NICK and other similar command issued by any client. We can also look at the original destination IP they addressed, and check this against a list of known C&C channels.
That's a very cool approach. I imagine that I could do that for all outbound IRC traffic, by using a snort sig. That would be easier for me to maintain as it would be part of a more generic tool that I would already have in place (don't have an IDS yet, but it's on my list for sometime in the next few months).
>> I'm somewhat sceptical that some "live chat" buttons actually invoke IRC. Or Invader Zim webboard for that matter ;) Are you sure? Can you give me a real example?
>
> The first "real" user who complained had clicked through from JDate, and suddenly found himself chatting with 37 instances of SDBot...
I imagine that SDBot wouldn't make a very good date.
> As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/
Man, I thought you made that up! Well, now that you have pointed this out, that pushes me back a step. Perhaps I should approach this in a similar manner to the way that SpamAssassin tackles spam. Rather than make black or white decisions based upon a single bit of info, perhaps I should check for multiple events and attempt to correlate them... Ugh, that sounds like a lot of work. Maybe OSSIM can handle some of the event correlation for me. Isn't that the idea behind Sourcefire's 3D system? Have multiple agents and correlate data in real time in order to block threats? I think that multiple agent event correlation makes a ton of sense. Is anyone doing it well (that we could afford...)?

I know that somewhere Marcus is getting ready to unfurl his IPS rant (/me braces himself). Sorry Marcus, I honestly don't see how I can avoid this kind of system. I actually had customers that got angry when I tried to block spam from getting to them! They said that it was theirs to block, not mine. We've since moved to a subscription model for spam protection. A public ISP just cannot be run like a corporate network; it's a totally different beast. In fact, I know a lot of techies that would argue that ISPs should be totally transparent. In this day and age, I consider that view to be selfish and irresponsible. If we had a full customer base of nothing but security conscious computer geeks, then it wouldn't be an issue, but that's not the case. This network is full of boomers and retirees, running versions of Windows other than XP SP2, who are paying us for access to the net, and some of them get upset when we call them up because they have a virus.

Marcus and most of the rest of you, please keep preaching solid security principles to businesses and governments, but when it comes to the home user, you're wasting your breath. As with any security endeavour, a multi-faceted or "defence in depth" solution is the best solution. When it comes to the home user, this is equally true.
Here are a few of the issues that I see and some of my thoughts on the matter.

User education
----------------

User education still needs to happen, but this is going to be a very slow ship to turn around, because right now there is just too much flashy crap distracting everyone. Home users are getting digital cameras and colour printers and then trying to hook them up; they're getting wireless devices and struggling with those; they've heard about free music and movies and they want a piece of that, and they want to burn them to DVDs; they want to have animated smiley faces in their email and IM conversations; they want it to be dead easy for their cell phones to do all sorts of things, and on and on and on. Those struggling with their new wireless router have probably never heard of WEP or WPA, and if they have, it's likely not enough to know that WEP, WEP+ and WPA are all eminently crackable and that such a thing as war driving exists. The average home user downloading music and movies may have heard that it's illegal, but they don't see how it can be, because everyone is doing it. They probably also don't know that the Britney Spears song they just downloaded that didn't play was actually a trojan. They are probably unaware that the free p2p app they used came with 10 pieces of spyware that will report all sorts of interesting things to people they have never met. What about going to a site that offers free smiley faces? That seems innocuous, doesn't it? Wrong again. Now some IE bug has just been exploited to install more spyware. This is all far too much for your average home user to grasp, let alone keep up with the details. I can't keep up with the details myself, and I love this stuff and do it all day every day. The root of the home user problem is really rampant consumerism, but fighting that battle is not one that's going to be won by computer security people.
I think that we should start by helping people to understand that the Internet is not some *thing* that they connect to. When they go online, they become part of a very small world (literally - check out what small world theory experiments have shown about the net) in which anyone anywhere in the world, friendly or not, is able to reach their computer in under a second. This means that the bad parts of town (any town, all towns, all countries) are now right on your doorstep, knocking at the doors of your bank and favourite shopping haunts and even your government repositories of whatever information they have on you.

However, I also don't think there is reason to panic. Home users, upon hearing the preceding news, can be reassured that there are things that they can do to protect themselves, and it won't require them to learn much about computers (a big fear for a lot of people). They can be told that if they do the 4 steps to basic security, they have just taken a big chunk out of the problem (firewall, antivirus....). And once you have told them that, then you should either do it for them or have them take it to a good tech. They can be told that a computer is like a car: it needs regular maintenance, by a PROFESSIONAL! The current state of computers and the security battle is too complicated for your average home user and is getting beyond the capacity of most backyard mechanic types too.

Beyond those basic steps, it gets more difficult. Somehow people need to learn to question. They need to start thinking about trust, in whom they place their trust, and whether that trust is warranted. Think of p2p file sharing and clicking on links in IM from people you have never met before.

Business and Government Education
-----------------------------------

Hopefully that's as far as home user ed needs to go right now. Now we have business and government education to deal with. Both should be approached in the same way that home users were approached above.
Start with some basic measures. Really, the same 4 measures apply, but just on a larger, more complicated scale and with many more possible permutations of implementation. In addition to the fab 4, business needs to be more familiar with the fifth Beatle - BACKUPS. As with the home user, these basic defences start to take the edge off the problem. In order for business to not get stupid about how they implement these 4/5 basics, they should read Marcus' "Low Carb Security" article in LOOP. Or think of the KISS principle. Or, if you admire Einstein, think of his quote, "Things should be made as simple as possible, but not any simpler." Business and government also face the same issues as the home user when it comes to questioning and trust. Think of the recent thread on this list concerning CardSystems.

Caretakers
-------------

I don't believe in a dog eat dog world. I think that those that have the means need to take care of those that don't. To that end, it is my opinion that ISPs need to provide some solid front line defences for their customers while not being so restrictive, or more importantly unwilling to really listen to their users, as to limit innovation and expression. ISPs have left their customers to the wolves for too long and are now paying the price. I also believe that the same applies to software houses. I know that everyone pokes at Microsoft, but they really are a prime example of a company that has left their users out to dry for a long time. They too are now paying the price. They also appear to be taking positive action, so perhaps they will redeem themselves... _somewhat_. In both these cases, greed and willing ignorance have played major roles in getting us to where we are now. The standards groups and all interested parties need to keep working diligently on really basic protocol issues such as SMTP. And again, we come back to trust. Trust is poised to be a huge part of the Internet infrastructure.
We need functional, ubiquitous, healthy trust systems so that home users can have some means of making the trust decisions they are faced with and which they are now completely incapable of addressing adequately. Most of the trust issues that home users face are not accessible to them anyway - again, think of CardSystems.

Law Makers / Enforcers
------------------------

I may not think the world is a dog eat dog world, but I'm also not stupid enough to believe that there are not scads of people out there willing to get what they want in any way they can. This is where law and law enforcement come into the picture. Because we are dealing with a global communications network, our laws and policing methods need to reflect that.

It's getting late and I'm running out of steam, so I'll leave this stream of consciousness here, where it ground to a halt, and say good night. If any of you have had the patience to read this far, thanks for reading.

--
Mason

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
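Kevin's sandbox-IRCd idea (log each NICK/JOIN/PRIVMSG, check the original destination against a known C&C list, quarantine the source if it looks like bot chatter) and Mason's SpamAssassin-style point about correlating several weak signals instead of deciding on one bit, put together as an added illustration that is not code from either poster or from any project. The log line format, the scoring rules, the threshold, the sample lines and the C&C list are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical sandbox-IRCd log format:
# "<src_ip> <original_dst_ip> <IRC COMMAND> <args>"
SAMPLE_LOG = """\
10.0.0.5 198.51.100.7 NICK [USA|XP]-48213
10.0.0.5 198.51.100.7 JOIN #x
10.0.0.5 198.51.100.7 PRIVMSG #x :.login hunter2
10.0.0.9 203.0.113.4 NICK alice
10.0.0.9 203.0.113.4 JOIN #invaderzim
10.0.0.9 203.0.113.4 PRIVMSG #invaderzim :hi everyone, anyone seen the new episode?
10.0.0.12 198.51.100.7 NICK bob
10.0.0.12 198.51.100.7 PRIVMSG #help :how do i set up my router?
"""

KNOWN_CC = {"198.51.100.7"}  # placeholder C&C list; feed your own here

# Points per rule; deliberately no single rule reaches the threshold alone,
# so a human chatting via a flagged server is scored, not quarantined outright.
RULE_POINTS = {"known_cc": 3, "bot_nick": 2, "command_msg": 2}
QUARANTINE_THRESHOLD = 4

BOT_NICK = re.compile(r"^\[[^\]]+\]-\d{3,}$")  # bracketed tag plus random number
COMMAND_MSG = re.compile(r"^[.!]\w+")           # message text that reads like ".cmd args"
LINE = re.compile(r"^(\S+) (\S+) (\w+)(?: (.*))?$")

def score_hosts(log_text):
    """Map each source host to (score, set of rules it tripped)."""
    hits = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than crash the correlator
        src, dst, cmd, args = m.groups()
        args = args or ""
        if dst in KNOWN_CC:
            hits[src].add("known_cc")
        if cmd == "NICK" and BOT_NICK.match(args):
            hits[src].add("bot_nick")
        if cmd == "PRIVMSG":
            text = args.split(" :", 1)[1] if " :" in args else ""
            if COMMAND_MSG.match(text):
                hits[src].add("command_msg")
    return {src: (sum(RULE_POINTS[r] for r in rules), rules) for src, rules in hits.items()}

def quarantine_list(log_text, threshold=QUARANTINE_THRESHOLD):
    """Source hosts whose combined score meets the quarantine threshold."""
    return sorted(src for src, (score, _) in score_hosts(log_text).items() if score >= threshold)

if __name__ == "__main__":
    for src, (score, rules) in sorted(score_hosts(SAMPLE_LOG).items()):
        print(src, score, sorted(rules))
    print("quarantine:", quarantine_list(SAMPLE_LOG))
```

With the sample lines only 10.0.0.5 crosses the threshold; 10.0.0.12 talked to the listed C&C address but scores 3 and is left for a human to look at.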