
SANS ISC: User Notification for Possible Infected Systems - SANS Internet Storm Center SANS ISC InfoSec Forums

User Notification for Possible Infected Systems

One of our readers, Roy, came across this article from Yahoo! this morning reporting that Comcast is planning to enlist its customers' help in the fight against botnets by using pop-up alerts. Comcast's general idea is that, if Comcast notes traffic associated with known botnet activity, a pop-up will appear on the user's computer. The article gives the full details as reported by the Associated Press.

The last paragraph, from an overall security perspective, is the most concerning to me, and that is the use of hoax popups and sites. I quote "Phil Lin, marketing director at network security firm FireEye Inc., said hackers could mimic Comcast's pop-up banner or the confirmation ads. And unsuspecting customers wouldn't know they should expect to see a confirmation from Comcast in the first place."  We know it is only a matter of time, and my guess is it will be a very short time, before the botnet farmers start making use of hoax notification pop-ups and sites. 

The bottom line: Good security practices up front, solid software and applications, and user awareness would almost eliminate the need for any effort of this type.

Tony

ISC Handler
I agree with the bottom line. First you need good security practices within your environment, and applications. As a consultant I suggest Comcast not enlist their customers to fight security issues and let customers be customers, and get the right tools to do the job right.


Sid Brydel
//gRp//
Anonymous
Is Comcast restricting outbound port 25 to their own mail server yet?

(looks at spam filter)

How about they start there, which will actually help, and find out how to train their users on how to do that, before they start thinking popups are going to be a magic bullet?
peter

I agree with Peter and Sid on this:

I doubt they have restricted port 25 to internal net users. I haven't used Comcast in a few years. They really should go with submission ports (587) internally and force users to authenticate. Doesn't stop spammers from actually acquiring a legit account to do their dirty work, but may make it more complex for botnets to spam from inside their network. Overall reduction in malicious email practice should go down drastically.

I also see their current path becoming yet another way to socially engineer users into clicking those fake pop-ups much like the current variations being used for M$'s virus defense pop-ups. I think it will end up doing more harm than good.
GuenTech

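The port-25 approach the commenters above argue for can be checked from flow data rather than pop-ups. The following is an added example, not code from the diary or any commenter: it scans constructed flow records for customer hosts spraying TCP/25 at several external mail servers while bypassing the ISP relay, and renders a per-host restriction rule. The relay address, customer pool and threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values: an ISP relay in the documentation range and a hypothetical
# residential pool. Neither is real Comcast infrastructure.
ISP_RELAY = ipaddress.ip_address("198.51.100.25")
CUSTOMER_NET = ipaddress.ip_network("10.20.0.0/16")
THRESHOLD = 3  # distinct non-relay SMTP targets before a host is flagged

# Constructed sample flows: (src, dst, dst_port). Not captured traffic.
SAMPLE_FLOWS = [
    ("10.20.1.5", "198.51.100.25", 25),   # customer -> ISP relay, fine
    ("10.20.1.7", "203.0.113.10", 587),   # authenticated submission, fine
    ("10.20.1.9", "203.0.113.11", 25),    # direct-to-MX from a customer host
    ("10.20.1.9", "203.0.113.12", 25),
    ("10.20.1.9", "203.0.113.13", 25),
    ("10.20.1.9", "203.0.113.14", 25),
    ("10.20.1.11", "203.0.113.20", 25),   # single target, below threshold
    ("192.0.2.50", "203.0.113.21", 25),   # not in the customer pool, ignored
]

def direct_to_mx_hosts(flows, relay=ISP_RELAY, net=CUSTOMER_NET, threshold=THRESHOLD):
    """Return {customer_ip: sorted non-relay SMTP targets} for hosts that reach
    `threshold` or more distinct external mail servers on TCP/25. Port 587
    (submission) is never counted, since that is the path users should use."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport != 25 or src_ip not in net or dst_ip == relay:
            continue
        targets[src].add(dst)
    return {host: sorted(mx) for host, mx in targets.items() if len(mx) >= threshold}

def block_rules(flagged, relay=ISP_RELAY):
    """Render one iptables-style rule per flagged host: drop outbound TCP/25
    to anything except the ISP relay, leaving the relay and port 587 open."""
    return [f"-A FORWARD -s {host} -p tcp --dport 25 ! -d {relay} -j DROP"
            for host in flagged]

if __name__ == "__main__":
    hits = direct_to_mx_hosts(SAMPLE_FLOWS)
    for host, mx in hits.items():
        print(f"{host}: {len(mx)} direct-to-MX targets -> {mx}")
    for rule in block_rules(hits):
        print(rule)
```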
