[Dshield] Blackworm liability with ISPs?
ed.truitt at etee2k.net
Thu Feb 9 11:36:04 GMT 2006
The article Neil is referring to was written by Marcus Ranum, and is posted on his web site. The title is something like 'The six dumbest ideas in computer security.' If I ever become a manager, it will be required reading.
From: Neil Richardson <neilr at ieee.org>
Date: Wed, 08 Feb 2006 22:08:13
To:General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] Blackworm liability with ISPs?
-----BEGIN PGP SIGNED MESSAGE-----
on 2/7/2006 12:03 PM Micheal Patterson said the following:
> Would it really be so terrible to have a prospective PC user sign
> either stating that they know how to operate the unit or are required to
> take a short course in it's operation before they're allowed to
> equipment? What about requiring ISP's to do the same before they're allowed
> to offer network service to a prospective buyer?
I've been following this thread as much as I can, and I would like to
(re)-propose an alternate solution.
Most of the solutions discussed here have their benefits, no doubt.
Obviously, they also have their drawbacks. But what all of them have
in common is that they require radical changes in order to produce a
rapid fix. I think we can all agree that no company/organization/ISP
is going to employ something that requires radical change and the
associated radical cost. (Users will also resist--how many
uncles/aunts/cousins are still running Windows 95 because it "works
for them" ?)
So since radical changes aren't likely, what about smaller things that
make a large cumulative impact?
* Firewall routers should always be shipped with one of
[ingress/egress | IP-based filters] turned on by default: "if it's a
non-routing IP" or "if it's the same subnet as the LAN side, it
shouldn't be coming from the WAN side." Techies can tweak or turn off
this filter, but it requires an explicit step. This'll block spoofed
packets and a few worms. (See "Deny by Default" )
* Computers are sold with *SOME* kind of inbound firewall. (Or better
yet, don't have 'listening services' to begin with.) With XP+SP2,
Microsoft has taken care of this for the 95% of computer users we're
worried about about. (Yes, not everyone runs XP--I'll get to that in
a bit.) This takes care of most automated worms, although Zone Alarm
et. all will undoubtedly resent the loss of their primary revenue
stream. (Again, see "Deny by Default")
This leaves social-engineering. Not sure we can do much about
that--the old saying "There's a sucker born every minute" is still
applicable today. Recent articles about Windows Vista running in
Least-Privledged Mode give hope, but that requires programmers
actually program for such an environment. (Several years on, I'm
still steamed that my favorite IM client won't run without either
Administrator privileges or some serious Registry hacks. I now use
the web-based version for the few times a year I feel that it's worth
Getting back to social engineering, the only solutions I can think of
are overly-complex or otherwise impractical:
* Public-key-signed emails: don't open if it didn't come from someone
- Everyone has to learn crypto
* 3rd-party scanned mails: your emails are forwarded through an
anti-virus vendor which scans for viruses or "suspicious"
URLs/attachments that might indicate phishing.
- Everyone has to have their ISP forward their emails to A/V vendor
* Disable hyperlinks in email
- Doesn't protect against malformed-attachment based exploits
* Disable live previews and HTML content
- (Yeah right, like people are gonna go for that.)
- Microsoft has tried this by turning off [mumble mumble, some
feature of HTML rendering] in Outlook, obviously hasn't helped much.
IMHO the best solution (to the social-engineering problem) is one
that'll employ some form of "Deny by default," but danged if I can
figure out what it'd be. (Short of "Deny-ing access to the computer
by default." ;-)
 There was an article linked-to from Slashdot a few months back
about "10 worst ideas in computer security" or similar that basically
said any system not based on "deny by default" was fundamentally
flawed. Unfortunately, I can't find it now. :-(
- -Neil R.
Supreme Lord High Commander and Keeper of the Holy Potato
PGP Fingerprint: A663 1ACB 84E6 F4DE B86E 0AA1 7A36 F817 E098 F32E
"Don't make me send you to the reeducation clamps."
"Don't you mean 'reeducation camps'?"
"I'll be good." -Sluggy Freelance
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Learn about Intrusion Detection in Depth from the comfort of your own couch:
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-E D Truitt
Sent via my BlackBerry from Cingular Wireless
More information about the list