IBM report reviews Internet crime

Andre Gironda andre at operations.net
Tue Feb 12 21:40:11 UTC 2008


On Feb 12, 2008 12:17 PM, Owen DeLong <owen at delong.com> wrote:
> Considering that the US is also consistently among the top three sources
> of desirable content, I'm not sure that this ranking necessarily proves
> much of anything, but, I do agree that ISPs could do a better job of
> shutting down mal-sites.

Good thread; nice summary, Owen.

There are ways for ISPs to get involved with stopping/controlling
botnets e.g. the very recent work here -
http://www.offensivecomputing.net/?q=node/623 and here -
http://www.secureworks.com/research/threats/storm-worm/ - and the
not-so-distant work here -
http://www.bleedingthreats.net/index.php/2007/11/14/encrypted-storm-sigs/

ISPs are in a uniquely powerful control situation with software
vendors.  We can demand audits from vendors that include SAS 70 Type
II / SOX 404 / AS5 or PCI-DSS (even better would be PA-DSS) on the
specific parts of their applications that their customers use.  We can
provide a five-star rating system of "approved OS and applications"
that work on our networks.

I suggest starting with Microsoft, Adobe, Mozilla, and Google -
specifically on products such as Windows, Office, Acrobat Reader,
Firefox, and Google search.  Make sure that any relationship you have
with these vendors starts with a conversation about application
security five-star rating systems and ends with
http://www.sans.org/whatworks/poster_2008.pdf

Establish relationships with two companies you may not have heard of:
ESET and Avira.  Avira's AntiVir is the most proven
free-for-non-commercial-use AV (http://free-av.com). ESET's Nod32 is
the most proven AV that costs a minimal amount of money.  Advertise
both like they are going out of style everywhere you possibly can.
For example, when I call your ISP the phone shouldn't ring, I should
go through a menu, and then I should hear, "If you run Microsoft's
Windows - consider FreeDashAVDotcom - AntiVir - the safest and free AV
solution for your personal computer".  Then the technician/salesperson
who gets on the line should mention it right after the initial
greetings again.  All email correspondence should include it at the
top of every message.  Your websites should have it on the front page,
at the top.

I chose AntiVir and Nod32 because of http://www.av-comparatives.org
and safety issues (although Symantec is the safest because they have
an internal file fuzz testing harness called SEEAS that could
certainly stand to be open-sourced or sold commercially). Be careful
not to oversell AV as the only fix for security problems because of
the inherent difficulties of these products to avoid vulnerabilities
themselves (I know it's a contradiction, but life is full of
contradictions) - see
http://www.nruns.com/aps/The_Death_of_AV_Defense_in_Depth-Revisiting_Anti-Virus_Software.pdf
I saw that other people mentioned AVG and avast, so you can just
ignore their comments, please.

Because of the problems with AV being particularly vulnerable to
common software weaknesses (those "in the know" refer to these by
their MITRE CWE definitions), I suggest adding ESET and Avira to our
list of "vendors we harass about application security" and demand
audits from.  I understand that SAS 70 Type II and even SOX 404 do not
typically cover "non-financial IT infrastructure", but we don't have
to tell the vendors that.  Similarly, PCI/PA-DSS do not cover
applications that do not contain or transmit cardholder data, although
I would argue that all of the vendors named have just gotten away with
murder if you think about the reality of this presupposition.

It's our fault for not pushing AV on your customers, and it's the AV's
fault for not providing audit data to us, and it's the software
vendors' fault for causing us to have to recommend AV and for AV to
exist.  The liability should land on the software vendors.

Make the five-star security rating systems a company-wide movement
from the top-down with support from C-level upper-management and your
general counsel.

Did I mention product literature?  Don't forget to include the
five-star security product ratings in this product literature.  E.g.
Windows 98 (0 stars), Windows Vista (4 stars), Mac OS X (2 stars),
Windows 2000/XP (1 star), Adobe Acrobat Reader (0 stars), Mozilla
Firefox (0 stars), Internet Explorer 7 (1 star), Internet Explorer
3/4/5/6 (0 stars), Google Search (0 stars), MSN Search (1 star),
Microsoft Office 2007 (1 star), Symantec Norton AV (3 stars), ESET
Nod32 (2 stars), Avira AntiVir (1 star), McAfee AV (1 star), all other
AV (0 stars), etc.

Do similar security five-star ratings for your recommended/supported
router, DSL, and Cable modem devices, but base it on their software
from the audit reports.  Hardware security is not worth time/energy.
If this means that Cisco (sans Linksys) and 2WIRE are 1 star
contenders in a market full of zeros (well ok Juniper gets a 2), then
so be it.  We've got to show improvement somehow and at some point, so
this gives everyone room to grow.

Finally, run Honeyclients against all of your hosting.  Promote SpyBye
(FOSS) and Tenable PVS (commercial) to your hosting customers in the
same way you promote ESET and Avira to your access customers.  Be
careful how you run Honeyclients because there is a lot of malware
that responds to these.  It used to be that you could run
low-interaction Honeyclients and then follow these scans up with
high-interaction Honeyclients.  Unfortunately, the career-criminals
have advanced their methods to prevent this tactic by using
elusive/evasive malware.  I suggest running taint-mode tools such as
Argos because of their efficiency, although Capture is another good
high-interaction Honeyclient -
http://en.wikipedia.org/wiki/Client_honeypot_/_honeyclient

I suggest running your Honeyclient infrastructure on systems with
hardware virtualization running Xen with the ability to shift VM
guests around using xm-migrate.  This requires shared-storage such as
OCFS2 with iSCSI (or something old like NFS).  Management systems such
as http://en.wikipedia.org/wiki/Enomalism can verify that hundreds of
VM guests are at certain patch levels and deployed en masse.

If anyone needs any individual advice, please let me know.  I'd also
like to hear how you're implementing any of these ideas/concepts and
how successful they are - but also encourage you to send to the
mailing-list for the benefit of others.

Cheers,
Andre
