Re: [fw-wiz] The home user problem returns

From: Mason Schmitt (mason_at_schmitt.ca)
Date: 09/08/05

  • Next message: Antonomasia: "Re: [fw-wiz] The home user problem returns"
    To: Kevin <kkadow@gmail.com>
    Date: Thu, 08 Sep 2005 00:13:28 -0700
    Kevin wrote:
    >>>We take this a step further -- let all traffic that hits the blocks talk
    >>>to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
    >>>quarantine the source host.
    >
    > We just run a very basic IRCd, modified to generate a log event for
    > each PRIVMSG, JOIN, NICK and other similar command issued by
    > any client. We can also look at the original destination IP they
    > addressed, and check this against a list of known C&C channels.
    >

    That's a very cool approach. I imagine that I could do that for all
    outbound IRC traffic, by using a snort sig. That would be easier for me
    to maintain as it would be part of a more generic tool that I would
    already have in place (don't have an IDS yet, but it's on my list for
    sometime in the next few months).

    >>I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
    >>Or Invader Zim webboard for that matter ;) Are you sure? Can you give me
    >>a real example?
    >
    >
    > The first "real" user who complained had clicked through from JDate,
    > and suddenly found himself chatting with 37 instances of SDBot...
    >

    I imagine that SDBot wouldn't make a very good date.

    > As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/
    >

    Man, I thought you made that up!

    Well, now that you have pointed this out, that pushes me back a step.
    Perhaps I should approach this in a similar manner to the way that
    SpamAssassin tackles spam. Rather than make black or white decisions
    based upon a single bit of info, perhaps I should check for multiple
    events and attempt to correlate them... Ugh, that sounds like a lot of
    work. Maybe OSSIM can handle some of the event correlation for me.

    Isn't that the idea behind Sourcefire's 3D system? Have multiple agents
    and correlate data in real time in order to block threats? I think that
    multiple agent event correlation makes a ton of sense. Is anyone doing
    it well (that we could afford...)?

    I know that somewhere Marcus is getting ready to unfurl his IPS rant
    (/me braces himself). Sorry Marcus, I honestly don't see how I can
    avoid this kind of system. I actually had customers that got angry when
    I tried to block spam from getting to them! They said that it was
    theirs to block, not mine. We've since moved to a subscription model
    for spam protection. A public ISP just cannot be run like a corporate
    network, it's a totally different beast. In fact, I know a lot of
    techies that would argue that ISPs should be totally transparent. In
    this day and age, I consider that view to be selfish and irresponsible.
    If we had a full customer base of nothing but security conscious
    computer geeks, then it wouldn't be an issue, but that's not the case.
    This network is full of boomers and retirees, running versions of Windows
    other than XP SP2, that are paying us for access to the net and some of
    them get upset when we call them up because they have a virus.

    Marcus and most of the rest of you, please keep preaching solid security
    principles to businesses and governments, but when it comes to the home
    user, you're wasting your breath.

    As with any security endeavour, a multi-faceted or "defence in depth"
    solution is the best solution. When it comes to the home user, this is
    equally true. Here are a few of the issues that I see and some of my
    thoughts on the matter.

    User education
    ----------------
    User education still needs to happen, but this is going to be a very
    slow ship to turn around, because right now, there is just too much
    flashy crap distracting everyone. Home users are getting digital
    cameras and colour printers then trying to hook them up; they're getting
    wireless devices and struggling with those; they've heard about free
    music and movies and they want a piece of that and they want to burn
    them to DVDs; they want to have animated smiley faces in their email and
    IM conversations; they want it to be dead easy for their cell phones to
    do all sorts of things and on and on and on. Those struggling with
    their new wireless router have probably never heard of WEP or WPA, and
    if they have, it's likely not enough to know that WEP, WEP+ and WPA are
    all eminently crackable and that such a thing as war driving exists.
    The average home user downloading music and movies may have heard that
    it's illegal, but they don't see how it can be, because everyone is
    doing it. They probably also don't know that the Britney Spears song they
    just downloaded that didn't play was actually a trojan. They are
    probably unaware that the free p2p app they used came with 10 pieces of
    spyware that will report all sorts of interesting things to people they
    have never met. What about going to a site that offers free smiley
    faces? That seems innocuous, doesn't it? Wrong again. Now some IE bug
    has just been exploited to install more spyware.

    This is all far too much for your average home user to grasp, let alone
    keep up with the details. I can't keep up with the details myself and I
    love this stuff and do it all day every day. The root of the home user
    problem is really rampant consumerism, but fighting that battle is not
    one that's going to be won by computer security people.

    I think that we should start by helping people to understand that the
    Internet is not some *thing* that they connect to. When they go online,
    they become part of a very small world (literally - check out what small
    world theory experiments have shown about the net) in which anyone
    anywhere in the world, friendly or not, is able to reach their computer
    in under a second. This means that the bad parts of town (any town, all
    towns, all countries) are now right on your doorstep, knocking at the
    doors of your bank and favourite shopping haunts and even your
    government repositories of whatever information they have on you.

    However, I also don't think there is reason to panic. Home users, upon
    hearing the preceding news, can be reassured that there are things that
    they can do to protect themselves and it won't require them to learn
    much about computers (a big fear for a lot of people). They can be told
    that if they do the 4 steps to basic security that they have just taken
    a big chunk out of the problem (firewall, antivirus....). And once you
    have told them that, then you should either do it for them or have them
    take it to a good tech. They can be told that a computer is like a car,
    it needs regular maintenance, by a PROFESSIONAL! The current state of
    computers and the security battle is too complicated for your average
    home user and is getting beyond the capacity of most back yard mechanic
    types too. Beyond those basic steps, it gets more difficult. Somehow
    people need to learn to question. They need to start thinking about
    trust and in whom they place their trust and whether that trust is
    warranted. Think of p2p file sharing and clicking on links in IM from
    people you have never met before.

    Business and Government Education
    -----------------------------------
    Hopefully that's as far as home user ed needs to go right now. Now we
    have business and government education to deal with. Both should be
    approached in the same way that home users were approached above. Start
    with some basic measures. Really, the same 4 measures apply, but just
    on a larger more complicated scale and with many more possible
    permutations of implementation. In addition to the fab 4, business
    needs to be more familiar with the fifth Beatle - BACKUPS. As with the
    home user, these basic defences start to take the edge off the problem.
    In order for business to not get stupid about how they implement these
    4/5 basics, they should read Marcus' "Low Carb Security" article in
    LOOP. Or think of the KISS principle. Or, if you admire Einstein, think
    of his quote, "Things should be made as simple as possible, but not any
    simpler."

    Business and government also face the same issues as the home user when
    it comes to questioning and trust. Think of the recent thread on this
    list concerning CardSystems.

    Caretakers
    -------------
    I don't believe in a dog eat dog world. I think that those that have
    the means need to take care of those that don't.

    To that end, it is my opinion that ISPs need to provide some solid front
    line defences for their customers while not being so restrictive, or
    more importantly unwilling to really listen to their users, as to limit
    innovation and expression. ISPs have left their customers to the wolves
    for too long and are now paying the price.

    I also believe that the same applies to software houses. I know that
    everyone pokes at Microsoft, but they really are a prime example of a
    company that has left their users out to dry for a long time. They too
    are now paying the price. They also appear to be taking positive action
    so perhaps they will redeem themselves... _somewhat_

    In both these cases, greed and willing ignorance have played major roles
    in getting us to where we are now.

    The standards groups and all interested parties need to keep working
    diligently on really basic protocol issues such as SMTP.

    And again, we come back to trust. Trust is poised to be a huge part of
    the Internet infrastructure. We need functional, ubiquitous healthy
    trust systems so that home users can have some means of making the trust
    decisions they are faced with and which they are now completely
    incapable of addressing adequately. Most of the trust issues that home
    users face are not accessible to them anyway - again think of CardSystems.

    Law Makers / Enforcers
    ------------------------
    I may not think the world is a dog eat dog world, but I'm also not
    stupid enough to believe that there are not scads of people out there
    willing to get what they want in any way they can. This is where law
    and law enforcement come into the picture. Because we are dealing with
    a global communications network, our laws and policing methods need to
    reflect that.

    It's getting late and I'm running out of steam, so I'll leave this
    stream of consciousness here, where it ground to a halt, and say good
    night. If any of you have had the patience to read this far, thanks for
    reading.

    --
    Mason
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
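As an added example (not code from this post, from Kevin's IRCd setup, or from any project named in the thread), here is a small Python scorer that does what Mason is sketching: it reads the one-line-per-command log a sandbox IRCd like Kevin's could write, and rather than quarantining a host on a single hit, it adds up weighted signals per source host the way SpamAssassin scores mail. The log line format, the "known C&C" entries, the nick and message heuristics, the rule weights and the quarantine threshold are all assumptions made for the example, and the log lines are constructed.

```python
"""Score sandbox-IRCd events per source host, SpamAssassin style.

Added example; assumes a hypothetical sandbox IRCd that writes one line per
client command in the constructed format:
    <timestamp> <src_ip> <original_dst_ip> <CMD> [<args>]
"""
import re
from collections import defaultdict

# Constructed placeholders for a "known C&C" list (destination hosts the
# client originally addressed, and channel names). Not real indicators.
KNOWN_CC_HOSTS = {"203.0.113.10"}
KNOWN_CC_CHANNELS = {"#botz"}

# Assumed weights and threshold. A single weak signal (e.g. a nick that ends
# in digits) stays below the threshold; several signals together cross it.
QUARANTINE_THRESHOLD = 5.0

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<cmd>[A-Z]+)(?: (?P<args>.*))?$"
)
# Assumed heuristic: bot commands are often sent as "PRIVMSG #chan :!cmd"
# or ".cmd", i.e. the message text starts with a command prefix.
BOT_CMD_RE = re.compile(r"^\S+ :[.!]\w")

# Constructed sample log: one likely bot, one webchat user, one ordinary
# user whose nick happens to end in digits.
SAMPLE_LOG = """\
2005-09-08T00:13:28 192.0.2.5 203.0.113.10 NICK [XP]-48213
2005-09-08T00:13:28 192.0.2.5 203.0.113.10 JOIN #botz
2005-09-08T00:13:29 192.0.2.5 203.0.113.10 PRIVMSG #botz :!status
2005-09-08T00:14:02 192.0.2.9 198.51.100.20 NICK alice
2005-09-08T00:14:03 192.0.2.9 198.51.100.20 JOIN #zim
2005-09-08T00:14:10 192.0.2.9 198.51.100.20 PRIVMSG #zim :hi everyone
2005-09-08T00:15:00 192.0.2.7 198.51.100.20 NICK bob2004
2005-09-08T00:15:01 192.0.2.7 198.51.100.20 JOIN #music
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = ev["args"] or ""
    return ev


def score_host(events):
    """Return (score, reasons) for the list of events from one source host."""
    score, reasons = 0.0, []
    if {e["dst"] for e in events} & KNOWN_CC_HOSTS:
        score += 4.0
        reasons.append("dst_on_cc_list")
    joined = {e["args"].split()[0] for e in events if e["cmd"] == "JOIN" and e["args"]}
    if joined & KNOWN_CC_CHANNELS:
        score += 4.0
        reasons.append("join_cc_channel")
    if any(re.search(r"\d{3,}$", e["args"]) for e in events if e["cmd"] == "NICK"):
        score += 1.5  # weak signal on its own
        reasons.append("nick_digit_suffix")
    if any(BOT_CMD_RE.match(e["args"]) for e in events if e["cmd"] == "PRIVMSG"):
        score += 2.0
        reasons.append("privmsg_cmd_prefix")
    return score, reasons


def analyze(log_text, threshold=QUARANTINE_THRESHOLD):
    """Group events by source host and return a verdict dict per host."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_host[ev["src"]].append(ev)
    verdicts = {}
    for src, events in by_host.items():
        score, reasons = score_host(events)
        verdicts[src] = {
            "score": score,
            "reasons": reasons,
            "quarantine": score >= threshold,
        }
    return verdicts


if __name__ == "__main__":
    for src, v in analyze(SAMPLE_LOG).items():
        print(f"{src}: score={v['score']:.1f} quarantine={v['quarantine']} "
              f"({', '.join(v['reasons']) or 'none'})")
```

Run as-is it scores the constructed log: 192.0.2.5 trips four rules and is quarantined, the Invader Zim style webchat user at 192.0.2.9 scores nothing, and 192.0.2.7 picks up only the weak nick rule and stays below the threshold, which is the whole point of correlating several events instead of acting on one.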