[Dshield] Blackworm liability with ISPs?

Mark markt442 at yahoo.com
Fri Feb 3 03:15:28 GMT 2006

Sorry but I'm on digest and catch up when I can.

Liability in this sense is about being in the position
to avoid damage and failing to act.

I don't think an ISP is under the continuous pressure
to ensure every machine is safe, but if they fail to
act when it is blatantly obvious (legal eagles jump in
here), then again they are liable for 
While there is technology out there to prevent a
machine from joining before it is safe, that
technology is expensive and fraught with hurdles if
there is no "client" s/w on said machine.

There are technologies that we've deployed as well as
many open source efforts that will quarantine a
machine that is identified as a security risk.
However, these technologies work on an "identity" and
either require that the identity (IP) remain fairly
static (or suffer afterglow) or use an authentication
technology that matches the user and dynamically
assigns the machine to a quarantine group.

The hell of quarantine.

I had a meeting with a Gartner analyst last spring
reviewing the necessary cycles for "Self-Service
Remediation". This is a key concept for any entity
that is going to quarantine a user or group of users.
Thru quarantine, you are transitioning the problem
from the network to the helpdesk. Successful
quarantine solutions require a "self-service"
function. Without self-service, even the best of
intentions at isolation will fail.

Many efforts/techniques are out there - commercial and
open source. I've consulted with a very large
university in the southeast (50,000 users) that is
using a commercial solution I co-developed. It
leverages IDS events and then locates the user's port
and isolates the IP. The user is then assigned to a
new VLAN (port up/down to refresh the IP) and then
they use wild card DNS to re-direct the user's next
web page to a dedicated web server that reads the IDS
logs and presents the user with the "why", "how to get
out" and "who to call". This system has very
efficiently allowed the university to reduce the
amount of helpdesk calls and quickly and efficiently
isolate users that pose a threat. We're working with
major universities and commercial accounts (no we're
not Cisco) around the world.

There are Open Source technologies such as "Ungoliant"
and "Packet Fence" that attempt similar things. Both
are excellent technologies although I haven't seen
them to scale (not saying they won't, I just haven't
seen it).

But I think we've all jumped off target - the original
post was in the spirit of "If the ISP knew your
computer was going to self-destruct and didn't tell
you, should they be held responsible"? To paraphrase -
If a 3rd party knew that a person was going to hurt
you and took no action, would they be held
responsible? The answer is yes. 

Will this result in a change? Not likely. Security is
managing Risk. Managing risk is often determined
financially. If Blackworm results in a large financial
impact to end-users, and it becomes known that there
"was a list" and "the list" was in the hands of the
ISPs - "who knew which IP belonged to who" and "failed
to notify" - then you will see the representatives in
congress (USA) call for an "investigation". But this
will have to have a mass effect with it proven that a
party had an opportunity to act and didn't. But then
again I am Not a Lawyer - though I've seen enough of
these to predict the outcome with reasonable accuracy.

End User Culpability

Let's travel back to when Sony put a rootkit on an end
user's machine without their consent. How many users
are still out there running that? How many zero day
exploits do we wade thru every day? And we expect
luddites who are supporting the internet thru their
online shopping to survive? Much of today's malware
can come thru in many vectors. Ebay is the perfect
site for infecting people via the WMF vulnerability.
Put up a fake ad, offsite link to a loaded WMF and bam
- you've exploited yet another victim. Hell, even
Fortune 100s are having a difficult time during these
times - And they have the degrees, tools and training.
Read Richard Bejtlich's blog and his coverage of some
of the conferences - pay attention to his chat on
Kevin Mandia's talk (BlackHat Federal Part 4). I've
met Kevin back at CyberCrimes and his talks are very
enlightening. If the big guys can't solve it, do we
really expect the end user?

Sure there are reasonable expectations of security. I
spoke with a typical user tonight (our 70 year old
security guard). He ran his av (up to date sigs) last
night and his machine was dead 30 minutes later. The
A/V found nothing and Zone didn't put up a fight. He's
fairly conscious of where he goes and doesn't open
emails with attachments he's not expecting. Yet a
security issue (with his fully patched box) deleted
most of his C: drive.

The internet is driving down the cost of doing
business. E-commerce has enabled many persons that are
unable to get out (handicapped etc) to shop for items
from around the world. The internet has allowed people
to keep in touch and freely exchange ideas. An
operator's license for the internet just isn't going
to fly. Nor should it. To do so would mean turning
control to a regulating body - to do so would result
in taxation to support it.

Let us focus on what we can do, educate others about
what we've found to work and not work. Educate one
another on new tactics used by malware authors.
Educate those we touch on what they can do to increase
their security posture and reduce their exposure.

Only then will we have improved.
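
As an added illustration (not part of the original post, and not the commercial product or any open source tool mentioned in it), the following Python sketch models the IDS-triggered quarantine and "self-service remediation" loop described earlier: alerts are parsed, only high-priority sources are selected, the offending IP is located on its switch port and moved to a quarantine VLAN, wildcard DNS sends the client's next web request to a portal, and the portal builds the "why", "how to get out" and "who to call" page from the IDS log. All alert lines, the switch port table, addresses, the VLAN id and the helpdesk extension are constructed sample data and hypothetical placeholders.

```python
"""Toy model of an IDS-driven quarantine with self-service remediation.
Everything below (alert lines, switch table, addresses, VLAN ids, helpdesk
contact) is constructed sample data or a hypothetical placeholder."""
import re
from dataclasses import dataclass

QUARANTINE_VLAN = 666           # hypothetical quarantine VLAN id
PORTAL_IP = "10.99.0.10"        # hypothetical remediation web server
HELPDESK = "helpdesk x5555"     # hypothetical "who to call"

# Constructed Snort-style "fast" alert lines (not real sensor output).
IDS_LOG = """\
02/03-02:41:10.112233  [**] [1:1000001:1] EXAMPLE worm SMTP beacon [**] [Priority: 1] {TCP} 10.20.30.40:1034 -> 203.0.113.5:25
02/03-02:41:12.554433  [**] [1:1000002:1] EXAMPLE policy: P2P handshake [**] [Priority: 3] {TCP} 10.20.30.41:6881 -> 198.51.100.7:6881
02/03-02:42:01.000001  [**] [1:1000001:1] EXAMPLE worm SMTP beacon [**] [Priority: 1] {TCP} 10.20.30.40:1035 -> 203.0.113.9:25
"""

ALERT_RE = re.compile(
    r"\[1:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\[Priority: (?P<prio>\d)\] \{\w+\} (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
)

# Constructed edge-switch table: client IP -> (switch, port, current access VLAN).
PORT_MAP = {
    "10.20.30.40": ("edge-sw-07", "Gi1/0/12", 120),
    "10.20.30.41": ("edge-sw-07", "Gi1/0/13", 120),
}


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    priority: int
    src: str


def parse_alerts(text):
    """Pull sid, message, priority and source IP out of each fast-format line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["src"]))
    return alerts


def select_for_quarantine(alerts, max_priority=1):
    """Only high-priority (low number) events justify pulling a port; low-priority
    policy noise is left alone so the helpdesk is not flooded."""
    return sorted({a.src for a in alerts if a.priority <= max_priority})


def quarantine(alerts):
    """Locate each offending IP's switch port and record the VLAN move.
    Returns {ip: (switch, port, old_vlan, new_vlan)}. IPs with no port mapping
    are skipped here; a real deployment should raise an alert for them."""
    moves = {}
    for ip in select_for_quarantine(alerts):
        if ip in PORT_MAP:
            switch, port, old_vlan = PORT_MAP[ip]
            moves[ip] = (switch, port, old_vlan, QUARANTINE_VLAN)
    return moves


def resolve(name, client_ip, moves):
    """Wildcard DNS as seen from the quarantine VLAN: whatever name a quarantined
    client asks for, the answer is the portal, so its next web page is the portal.
    Returns None for non-quarantined clients (normal resolution applies)."""
    return PORTAL_IP if client_ip in moves else None


def remediation_page(client_ip, alerts, moves):
    """The 'why / how to get out / who to call' content the portal builds from
    the IDS log for the connecting client."""
    if client_ip not in moves:
        return None
    reasons = sorted({a.msg for a in alerts if a.src == client_ip})
    switch, port, old_vlan, new_vlan = moves[client_ip]
    return {
        "why": reasons,
        "how": (f"Your port {switch} {port} was moved from VLAN {old_vlan} to "
                f"VLAN {new_vlan}. Run an up-to-date scanner, remove the "
                f"malware, then request release below."),
        "who": HELPDESK,
    }


if __name__ == "__main__":
    alerts = parse_alerts(IDS_LOG)
    moves = quarantine(alerts)
    for ip in moves:
        print(ip, "->", resolve("www.example.com", ip, moves))
        print(remediation_page(ip, alerts, moves))
```

The priority threshold in `select_for_quarantine` is the design point the post's "hell of quarantine" warning turns on: every source you isolate becomes a helpdesk ticket unless the portal can explain the reason and offer a way out, so the selection rule should be as narrow as the risk allows.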

