DHS and NIST proposal suggests American ISPs should assist in stopping botnets

Filed Under: Featured, Law & order, Malware, Privacy

Internet police badgeWhen I do public speaking, I often rant about how distracted we are by high profile attacks like Stuxnet even though few of us are responsible for protecting nuclear centrifuges.

The vast majority of attacks are using our own computing resources to compromise our infrastructure. Our identities are being stolen, and we're spamming and DDoS'ing ourselves into oblivion.

So it's great news that the Department of Homeland Security and National Institute of Standards and Technology have published a request for comment from the community on a proposal for voluntary notification of consumers whose computers are infected by malware.

Considering the large number of unprotected or poorly protected PCs in the United States, I welcome any effort to raise awareness among consumers that their computers are infected.

I think it's great that the United States is taking this problem seriously and learning from initiatives in Germany, Japan and Australia.

iCode compliantThe iCode project in Australia has been operating for some time. Hopefully the US will consult with their teams as well.

I expect that we can also learn a bit from the experience of Comcast, who implemented their own infection notification system last October.

If effective this initiative could also raise the cost to cybercriminals of renting botnets. As was noted in research on the economics of the pay-per-install malware distribution method, bots are already the most expensive to acquire in the US, Canada and United Kingdom.

But having ISPs inspect your traffic for potential botnet activity also raises privacy concerns. If we agree to having our packets inspected as they traverse the internet, will the temptation to use this information to track your activities, or sell your surfing habits to marketers, be too great for ISPs to resist?

This proposal is in very early stages of development and leaves many questions unanswered. Should enforcement be done by ISPs? Can other private security companies contribute? Who should help the users clean up?

It is clear to me that there are many questions to be answered and challenges overcome to implement this as a policy, but if DHS, NIST, privacy watchdogs and the private sector work together, we can make the net a safer place.

Do you think users should be blocked from the internet if their computers are infected? Who should pay to man the call centers required to support consumers in cleaning up their act? Share your thoughts in the comments below.

, , , , , ,

You might like

8 Responses to DHS and NIST proposal suggests American ISPs should assist in stopping botnets

  1. Peter Piksa · 943 days ago

    ISPs should not be misused as agents to fight crime. Fighting crime is the exclusive and official role on the relevant authorities. Such a proposal would encourage a dangerous marriage of government functions to private-sector actions that impact adversely on the privacy of all Internet users and hold great potential for power abuse. The experience with government authorities on internal security and intelligence tells us that these authorities want to gain more knowledge (this is their nature!), which would culminate in the fact that ISPs would give the authorities more and deeper insights into their customers' communications.

    In the fight against malware in general and botnets in particular look at the first place, the vendors of operating systems, who failed to develop adequately software that removes the underlying attack-surface. Here, by securing the operating systems, the root of the problem should be the spotlight in the first place.

    The second, but at least equivalent point is the transfer of knowledge about computers to the public. I do not have an empirical study, but I think that educated users are more likely to be able to enforce preventive measures such as the non-use of admin privileges, reducing attack-surface by removing unnecessary software and updating software installed in advance - respectively, in the case of an existing infection to clean this up.

    ISPs should share their knowledge about the infrastructure of botnets with the investigating authorities, as it is already happening today. Interventions in the streams of customers should be avoided in view of the protection of privacy and related abuses especially in the absence of separation of powers. Whilst, ISPs are from today's point of view in legal understanding, none of the traditional powers, which is meant by the concept of separation of powers, but one may leave out of account, that in an age of increasing digitization of our communication and thus inevitably digitalization of our society, a special importance must be attached to the ISPs. For example, consider the dangerousness of fully comprehensive data retention in relation to the entering chilling effects. [1]

    Excuse me, if one or the other formulation is difficult to understand. Since I am german, english ist not my native language.

    [1] https://secure.wikimedia.org/wikipedia/en/wiki/Ch...

  2. D. Doyle · 943 days ago

    I like the idea, but don't know all the details of how it might be implemented, which might change my mind. It seems kind of basic that if someone is misusing their internet service like that in a way that puts many other people at risk, the internet service should be discontinued.

  3. Clashguy · 943 days ago

    Some comments for this are showing up on google plus, wish those comments would show up here, but check out either Chester's or Graham's google plus accounts. https://plus.google.com/107560422192807457465/pos... https://plus.google.com/102593062779602837630/pos...

  4. ibookboyuk · 942 days ago

    Interesting idea. If someone has a deadly and contaminating illness, we put them in isolation, with glass or plastic separators and people in sealed radiation-style suits. Similar but much less so for people with cold or flu.

    Maybe we could react appropriately according to the danger present to the Internet, and also, hopefully, still protect the privacy of the individual.

  5. Usama · 942 days ago

    Why not depending on users reports. Who have security tools that reports attacks can report on someone and then ISPs or others can start investigating. Why to monitor every one?

  6. Vito · 941 days ago

    In principle, I don't have a problem with ISPs notifying their users about malicious activity on the users' computers, as long as it's opt-in only. It's a legitimate service; it could be valuable to those users who don't have the knowledge necessary to protect themselves...and realistically, that includes a great many users.

    The part that's problematical is actually twofold:

    1. What ensures the integrity of the ISP? I think it's possible to do so, but only if that task is performed by a trusted watchdog whose livelihood depends upon satisfied users, each of whom can fire the watchdog if he blows it. That would NOT be any agent of the state. The state usually demands a monopoly in the "services" they provide, and there is no recourse when they blow it...which they often do.

    2. I'm utterly opposed to any ISP monitoring the content of user traffic IF there is not an ironclad guarantee that such information cannot be accessed by the state. Otherwise, the potential for Orwellian intrusion will soon become a reality. Big Brother really WILL be watching.

  7. Jam-Jul Lison · 941 days ago

    I don't like this idea. I understand trying to reduce the viruses and malware, but this isn't the answer. Something that would help is if ISPs offered good anti-viruses for free to their customers. However here lies a problem. Comcast used to offer Mcafee which as we know really sucks. Now they seem to offer Norton which also sucks. Anyone seeing a pattern? All the pay anti-virus programs pretty much suck. Yet those who don't know a lot about computers or think they know a lot but don't, end up buying these. These same people also tend to use the Windows Firewall. Many also continue to use Internet Explorer. Though some seem to like the resource hog Chrome. In order to solve this problem people need to become more educated. Here are my typical dos and donts I tell people. Though it doesn't always do any good.

    Dos
    Use Avast Antivirus
    If for some reason Avast isn't working right for you, then use AVG. AVG might also be better for a beginner user. Some like Trend Micro though I find it too resource heavy.
    Find you a good software firewall. Especially if your using Vista or older. I recommend Comodo. Though some people still like Zone Alarm.
    Get a good anti-spyware program. Spyware Terminator is a good one. Spybot Seach & Destroy used to be decent but seems to have gone downhill. As has Ad-Aware. Used to recommend those.
    For your web browser I highly recommend firefox. Be sure to get adblock plus. Other good alternatives is Opera and Comodo Dragon. Dragon is based off of Chrome but is more secure.

    Donts
    Don't use Internet Explorer.
    Don't Use The Windows Firewall.
    Don't trust any microsoft virus scanner/spyware scanner.
    Don't Waste money on anti-viruses such as Norton and McAfee.
    Don't use any P2P's unless you really know what you are doing. Lots of people got viruses from Limewire when it was around because they didn't know what they were dooing.
    Don't go to any porn sites unless you really know what you are doing and have really good virus and spyware protection. Even then you got to be careful.
    Don't click on banner ads.
    Don't use myspace.
    Don't install toolbars.
    Don't click on random links.
    Don't download screensavers from the internet unless you really know what you are doing. So many come with lots of spyware.
    Don't open any suspicious emails or emails that sound somewhat sexual. Even if it is from someone you know.

    There are plenty of other don'ts but i am too tired to remember some of the others. lol

    Donts

  8. Chih-Cherng Chin · 939 days ago

    As someone who has been doing botnet detection and notification for 2 years (I publish the top 10 networks and countries with most bots daily at http://botnet-tracker.blogspot.com/ ), I'd like to share some thoughts on this.

    There is more than one way to detect malware-infected computers, and some of them don't involve packet inspection, thus shouldn't raise privacy concern. I detect botnets with fake open relay and greylisting, which accept SMTP connections originating from malware-infected computers passively. Honeynet are also often used for botnet detection.

    The problem with private security companies might not be 'can they contribute?' I think the real problem is 'are they willing to contribute?' Different security companies publish their so-called monthly, quarterly, and yearly security threat reports regularly, telling us how many malware-infected computers they found daily, pointing out that botnets is a serious security problem. If they really want to help, they would have shared their data long ago. At least they can notify the ISPs where botnets reside, right?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.