Re: Cyberterrorism [was: Re: NSA wiretap, Friday night]



Kevin the Drummer wrote:

responder <no@xxxxxxxxxxxx> wrote lots of good observations about
unconstitutional and illegal NSA wiretapping which is one form of computer
insecurity.

One thing that the US administration has been very lax in is improving
cyber security. With so much relying on a working Internet, we need to
keep it working. What can we do, as people who presumably care about
this stuff enough to read this newsgroup? I don't think we have the
luxury of waiting for someone else to do it for us. Maybe they don't
even want to do it for us? If the Internet were more hardened against
cyber terrorists, maybe the same hardening would lessen their ability to
do their own spying?

So, what can WE do?

I'm glad you asked. Thanks for your kindness and support. I approve of
the subject change, although not all software handles that well (mine is
OK with it.) I will try to answer both your questions as well as I can,
but only wish I could do better. Whether any particular illicit activity
is most correctly called criminal or terrorist, the results inevitably
lead to increased costs for everyone and for everything, and possibly
damages other than financial.

1. ("Preaching to the choir" here...) Keep your own systems in order,
updated and secure so you don't become part of the problem.

2. Use a (firewall) log aggregation service like dshield or mynetwatchman.
It takes most of the work out of monitoring your own logs, costs nothing
and helps systematize reporting of the most seriously offensive sources.
The aggregators, particularly at SANS, watch the reports and often detect
new threats very quickly, and publish warnings and collect details from
and for all readers. F-Secure also keeps a similarly informative blog.
These three all seem trustworthy and diligent about keeping private
information private.

Those two suggestions are easy to make because they don't involve
advocating anyone take any real new independent action, and so are fairly
safe. The following are more difficult to say well, and there is always a
danger that someone will misconstrue and do something unintended or
counterproductive. So please be circumspect.

3. Advocate (gently) for computer and network security, to people you know
personally, especially if they are doing unsafe things. Children and
young people are often among the most computer literate people. But they
also need to learn from somewhere. If you can give a simple suggestion or
two to a receptive child, along with a simple explanation of what and why
it helps, you can sometimes get remarkably good results for very small
effort. Parents also often need and appreciate a small, kind suggestion
or two. If people are not receptive, don't pursue it.

4. This is potentially more controversial and more subject to going wrong.
I'll try to say it as simply as I can.

I think that there needs to be a generally accepted and acceptable
standard that if a connected computer is compromised, it should be
disconnected. We do not have that today. I see the primary reason for
that failure as resulting directly from a system where the ISP is the
enforcer. A conflict of interest arises because the most diligent
application of that standard will at best antagonize many customers, and
might result in loss of customer (and revenue) base.

In order for such a system to be uniformly applied in a fundamentally
non-punitive and non-disruptive way, the enforcer role must be essentially
separated from the discretion of the ISP. Good planning and careful
attention to detail are indispensable. But it needs to be a statutory
standard to be able to work.

I expect that technical issues would be minimal, initial set up costs
relatively low, and initial and ongoing costs to be reimbursed to the
government authority through non-punitive fees or fines by those requiring
help or attention. I do not foresee any significant disruption to any
currently operating business or other type of organization, except of
course for the user who is temporarily disconnected. Even that
disconnection time could be minimized or eliminated when the machine is
clean. Everyone who is currently working in related efforts could
continue as before, except they would cooperate with a coordinating
authority.

Detection of compromised machines could be done the same way and by the
same people who now do so: namely log aggregation services. Additional or
alternate strategies could also be used, but would not seem to be
necessary.

A "Standard Operating Procedure" would be developed to specify what
actions would happen and when they would happen. This procedure would be
drafted with the input of all users and providers. This SOP would then be
enforced by the statute. And the statute could authorize a procedure for
modification of the SOP.

The essential elements are:
(1) the ISP is notified (as now) of a compromised machine and then
notifies the customer _and_ the coordinating authority. The customer's
identity would need to be included for the plan to be effective, but that
information need not be retained indefinitely or necessarily reported to
others. (There could be a "mandatory disconnection" of one day to be
assured that the customer did indeed get the message, which could also be
waived at the customer's request for reason and with some restrictions.)

(2) The ISP hosts a (paid) proxy server on their premises that is built
and maintained as specified in the SOP. When the customer is reconnected
(for reason or need or when repaired) his connection is proxied through
this server for a (specified) few days. This allows the ISP time to know
that the machine is clean, certify this to the CA and resume a normal
connection.

The proxy server would be built to some standard to minimize or mitigate
the transmission of malware vectors by the (previously?) compromised
machine(s). And it would allow (limited?) connection for the need or
convenience of the customer.

For example, if a customer's machine gets a (0-day?) virus and starts
sending a stream of traffic while trying to spread, it is detected and
reported, that customer is immediately disconnected by the ISP while
concurrently notifying the CA and the customer. (The ISP *calls* the
customer or the customer calls the ISP.) The (irate) customer says "Why
isn't my connection up?" The ISP can say "We had to; it's the new law.
...." Customer complains "I need to connect to get the new antivirus
sigs." ISP replies, "No problem. I have reset your connection so it
will go through the Coordinating Authority's Proxy Server, which will
protect other users of the network from infection until you can get your
machine fixed up. You can get your sigs. And if they (really we, since we
run it under contract) don't see any more indication of the virus activity
by Friday we'll set your connection back to normal. If you have any
problems using the proxy server, give us a call. We're sorry for any
inconvenience. But we are required to do this under the new law, to try
to limit botnets and prevent cyber-terrorism. Is there anything else I can
help you with this afternoon? ..."

It would probably need to be planned and vetted and deployed in a small
jurisdiction initially. To be really effective, it would want to be
deployed at least nationally. But a test run to shake out all the details
could probably be set up in almost any state or county.


What do you think? Is this doable? Is it advisable? Are there other
suggestions that are better?

Thanks for asking, thanks for writing, thanks for reading.
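The post's point 2 and the later "detection of compromised machines ... by log aggregation services" describe, but do not show, how a firewall-log aggregator would notice the "stream of traffic while trying to spread" in the worked scenario. Here is an added example of that detection logic, not code from the original post, dshield, mynetwatchman or SANS. It assumes iptables LOG-format syslog lines (SRC=/DST=/PROTO=/DPT= fields, syslog timestamps without a year) and uses hypothetical thresholds: a source that reaches 20 or more distinct destinations on one port within 60 seconds is flagged as a probable worm or scanner. The log lines are constructed inline so it runs offline.

```python
"""Worm/scan detector over iptables LOG lines.

Added example, not part of the original post. Assumptions:
  - iptables "LOG" target output via syslog (SRC=/DST=/PROTO=/DPT= fields),
  - syslog timestamps without a year (year supplied by the caller),
  - thresholds (window_s, min_targets) are hypothetical, chosen to illustrate.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches the fields we need from an iptables LOG line; non-greedy skips the
# IN=/OUT=/MAC= and LEN=/TTL= fields that vary between kernels.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2006):
    """Return a dict for an iptables LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"]) if m["dpt"] else None}


def find_spreaders(events, window_s=60, min_targets=20):
    """Flag (src, dpt) pairs that hit >= min_targets distinct DSTs within window_s.

    Uses a sliding time window per (source, destination port): a host
    spraying one service across many addresses is the classic worm pattern.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["dpt"] is not None:
            by_key[(e["src"], e["dpt"])].append(e)

    alerts = []
    for (src, dpt), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        in_window = defaultdict(int)          # dst -> hits inside the window
        for e in evs:
            in_window[e["dst"]] += 1
            # Slide the window's left edge forward past events older than window_s.
            while (e["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                old = evs[start]["dst"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                alerts.append({"src": src, "dpt": dpt, "targets": len(in_window),
                               "first": evs[start]["ts"], "last": e["ts"]})
                break                         # one alert per (src, dpt) is enough
    return alerts


def analyze(lines, **thresholds):
    """Parse raw syslog lines and return the spreader alerts."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return find_spreaders(events, **thresholds)


# --- Constructed sample log (not real traffic) --------------------------------
def _line(ts, src, dst, dpt, proto="TCP"):
    return (f"{ts} gw kernel: [ 1234.5678] IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=1 DF "
            f"PROTO={proto} SPT=1050 DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")

SAMPLE_LOG = []
# Worm-like host: 25 distinct targets on tcp/445 within 25 seconds.
for i in range(25):
    SAMPLE_LOG.append(_line(f"Jan 20 12:00:{i:02d}", "203.0.113.7", f"198.51.100.{i + 1}", 445))
# Ordinary host: three web servers.
for i in range(3):
    SAMPLE_LOG.append(_line(f"Jan 20 12:01:{i:02d}", "203.0.113.8", f"198.51.100.{200 + i}", 80))
# Slow host: 25 targets on tcp/445, but one every three minutes (below the rate).
for i in range(25):
    SAMPLE_LOG.append(_line(f"Jan 20 {12 + (i * 3) // 60:02d}:{(i * 3) % 60:02d}:00",
                            "203.0.113.9", f"198.51.100.{100 + i}", 445))
# A non-firewall line the parser must ignore.
SAMPLE_LOG.append("Jan 20 12:05:00 gw sshd[123]: Accepted publickey for admin from 203.0.113.8")

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['src']} -> {a['targets']} hosts on port {a['dpt']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is reported; widening `window_s` to an hour also catches the slow host, which is the usual tuning trade-off between catching stealthy scanners and raising false alarms on legitimate crawlers or peer-to-peer clients. A practitioner feeding such alerts into the notification step the post describes should also remember that at the ISP the SRC is a subscriber's public address, so one alert may cover a whole NAT'd household rather than a single machine.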