
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-06-14



Office of Cyber Public Health?

Published: 2007-06-14
Last Updated: 2007-06-14 18:09:09 UTC
by William Stearns (Version: 3)

Joe St. Sauver, security and spam researcher at the University of Oregon, points out that botnets are a symptom; the cause is infected systems.  We can't clean up the bots without cleaning up the infected systems first.

His paper for the Anti-Phishing Working Group is here: http://www.uoregon.edu/~joe/ecrime-summit/ecrime-summit.pdf

As you read it, ask yourself these questions.  If you think his proposal wouldn't work, what would you recommend instead?  Would your proposal be more likely to succeed?  Why?
-- Bill

Update: We've had lots of feedback.  Some paraphrased comments from you, the readers:

- Get the ISP to block outbound port 25 and all incoming connections with exceptions made on request.

- This would be just a bureaucracy, one that would miss more serious security issues while focusing on bots and spam.

- What are the privacy concerns of a system like this?

- Partition the Internet into "clean" and "infected" systems.  Clean systems get access to everything, while infected systems get limited access until they clean themselves up.  "Nothing wakes folk up quicker than a lack of access to YouTube or MySpace and the like :)" (Bill: I personally like this at the ISP level; limit infected system access to/from the outside world)

- "Good public policy puts the costs of a problem on the shoulders of those who can best control it.  So, the costs of the new Cyber agency should be allocated to technology companies in proportion to the percentage of remediation performed on those companies' technologies."  "That financing system is the only one that provides a strong incentive for vendors to clean up their acts. Hopefully, it also makes the new Cyber agency a temporary agency."

- "Can't we use another example from the natural world and envision a way to isolate infected systems the way a tree isolates a wound?"

- Much like how a homeowner with a pool with no fence can be sued if a child falls in it and drowns, isn't an infected system an attractive nuisance that begs for a lawsuit?

- "I wonder if a cyber-militia might be an alternative approach. A volunteer organization (perhaps coordinated by a well-respected organization like SANS) would be more approachable than a government-run entity."

- A few problems are not currently addressed: reinfection, instability after cleaning, user education (which might be the best role for a government agency), and developer education.  The fundamental flaw is the unauthenticated nature of the Internet.  The real fix is in a hardened OS and applications that actually check user input.  See http://www.hackerfactor.com/blog tonight for more on this.

Many thanks to Povl, Jan, Pedro, Andrew, Doug, Roger, Tom, Neal, RJ, Arlen, and Dan for their feedback.
