Information Security News mailing list archives

Re: Why I should have the right to kill a malicious process on your machine


From: InfoSec News <isn () c4i org>
Date: Sat, 18 Jan 2003 03:21:50 -0600 (CST)

Forwarded from: H C <keydet89 () yahoo com>
Cc: jericho () attrition org, thor () hammerofgod com

I agree w/ most of Jericho's hypothetical solutions, and will snip
those portions for brevity's sake.
 
Heed your own insults Tim. Your proposal falls in the category of
theoretical rose-colored solutions. Hopefully you enjoyed your
coffee as you pontificated.

While this may be true to a degree, it's also abundantly clear that at
least some of those making comments against Strikeback are doing so
w/o reviewing...well, anything on the subject.  Gene in particular has
not reviewed Tim's paper.
 
There are several issues that you do not clearly address in such a
way to sell this idea.

To some extent, I think this is central to the concept.  I'm not
saying that I fully agree, 100%, w/ what appears in Tim's whitepaper.  
But I am saying that there are issues that need to be sorted out w/
regards to both the conceptual and technical implementations of this
idea.

I've seen comments on other sites that refer to a "state run" or
"state sponsored" organization being responsible for handling this.  
NOT a good idea, folks.

If you find yourself asking what else can be done to stop these
problems, one answer that comes to mind is simple. ISP's need to be
more reactive to complaints about abuse on their network. Their
customers already sign an agreement stating they will follow an
Acceptable Use Policy. Every AUP I have seen covers malicious
activity like you describe, and puts the liability on them. If your
system attacks mine, be it from automated worm or not, and I report
that activity to your ISP.. they need to kill your connection until
the problem is solved. If they read the logs I sent, they can then
make the determination if it is a serious problem, contact you, or
monitor your traffic to find their own verification of the activity.
Once they find it, they pull your plug and problem is solved
temporarily. While this system is not flawless, it is certainly more
feasible and responsible than any strikeback proposal.

Of course, some of the same arguments apply to this solution, as well.  
Do log files sent from someone to "abuse () ISP com" or
"security () ISP com" constitute a violation of the AUP?  Probably not.  
As someone who had to deal w/ "abuse () winstar com" emails for a while,
I saw quite a bit of...let's just say "clueless users of BlackICE and
ZoneAlarm".

That aside, though, logs can also be forged in such a way as to push
past the ISP's threshold and get them to disconnect the system...even
if it's not actually the culprit.  Open up a few Yahoo or HotMail
accounts, forge some logs, and send them in...if it's enough, maybe
you can get the ISP to disconnect the system first, ask questions
later.

The same arguments of the "human factor" apply.  Given your examples,
it looks as though w/o refinement, strikeback will have only extremely
limited success...it may only work against specific worms on specific
platforms.

However, one potential outcome of strikeback is to raise the bar.  
Look at the current landscape...corporate, home, and gov't
users/admins don't seem to have caught on that they need to secure and
monitor their systems.  If the bar is raised, maybe they can get to
the point of actually putting a little more effort in on the front end
(there seems to be an even greater lack of basic troubleshooting and
IR skills).  Maybe it's better to raise the bar w/ something like
strikeback, rather than wait for the malware authors to raise the
bar...

Carv



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.