WEIS Recap: Review of "Might Governments Clean Up Malware?"

Posted by Oliver Day Fri, 25 Jun 2010 19:01:48 GMT
Richard Clayton wrote one of the more interesting papers presented at WEIS.  In his paper “Might Government Clean Up Malware” [pdf] he suggests some possible government interventions to aid consumers in cleaning up their computers.  His paper gives the following reasons:
1) ISPs do not have an incentive to act
2) The problem has public dimensions very similar to public health issues
3) The math behind this issue requires someone (the government) to seed the funding for experts to act
I agree with the contention that ISPs do not have incentives to act.  Of the web hosts that I have communicated with not a single one has found it financially rewarding to deal with the problems I highlight.  This really isn’t how it is supposed to work either.  As Clayton points out, “in principle the market should deal with ISPs who skimp on abuse activity.”  Put another way, those ISPs that do actively clean up infections in their customer base should have a better image and thus more business.  The market should reward those ISPs that go out of their way to make sure their customers remain protected.  But as pointed out in many of the papers that grace WEIS and other conferences like it, the margins are extremely slim.
Clayton’s paper even references another paper which claims that a single interaction with a customer by an ISP will eat up all of the profit generated by that customer for the entire year.  (In a footnote he mentions that this may be exaggerated, but not greatly so.)
The one issue I have with this paper is that it doesn’t quite cover the issue I’m most concerned about.  Obviously that isn’t a valid criticism of the paper so much as a wish on my side.  The paper deals with helping out web “surfers” instead of web masters.  Often the problem I’m studying involves both levels: web sites are infected because the web master’s personal computer was infected and the attacker gathered the login details from there.  So fixing one may in fact help fix the other.  But there is a major difference worth noting.  The paper made a good point about the hesitation of an ISP to engage with its customers this way.  When margins are thin, profit is only possible through volume, so any action that drives customers away in any number is dangerous.  Accusing customers of being infected isn’t always rewarded with gratitude.  Customers can feel angry, ashamed, alienated, or all three at once.  For many people it is difficult to find alternative options for bandwidth provision.  In Cambridge I have my choice between one cable company and two DSL providers (one of which just resells the other’s service at a markup).  And the change from cable to DSL (or vice versa) comes with considerable costs as well.  But for web hosting providers there isn’t that much switching cost and there are a lot of choices.  So the danger of customer alienation for web hosting firms is very, very high.



Australian ISPs on the right track

Posted by Maxim Weinstein Thu, 17 Jun 2010 14:17:44 GMT

In early June, the Australian Internet Industry Association, an ISP industry trade group, published icode [PDF], a voluntary code of conduct for ISPs to follow to better fight bots on their networks. Like the previously-mentioned IETF draft, this document lays out a rationale for, and recommendations on how to implement, an ISP-level response to bots. Unlike the IETF draft, icode is a reflection of a coordinated effort by a large number of ISPs to buy in to a common framework for how to respond.

The icode framework has four parts:

  1. Education. ISPs that adopt icode are expected to educate their customers about keeping their computers from becoming compromised.
  2. Detection. ISPs can implement their own detection methods and/or get data from trusted third parties. Even better, they can get data from the Australian Internet Security Initiative, a government-led effort to centralize bot reporting by collecting bot reports from trusted providers and then distributing ISP-specific data daily to participating ISPs. (Wouldn’t it be great if we had something like this for infected URLs and hosting companies?)
  3. Action. ISPs are encouraged to act on the information about bots, through whatever combination of customer notification, password resets, bandwidth throttling, walled-garden quarantining, SMTP blocking, or other measures they consider appropriate.
  4. Reporting. ISPs are expected to report “significant cyber security incidents” to governments.

icode also recommends, though doesn’t require, that participating ISPs share threat data with each other, facilitated by the Australian CERT.

One could quibble over some of the details, but it’s clear that the Australian ISPs that created and will be adopting icode are light years ahead of most ISPs (and web hosting providers) globally in tackling the spread of malware.


Recent spikes in badware reports

Posted by Maxim Weinstein Wed, 16 Jun 2010 20:12:57 GMT

We have generally seen an increase in the number of badware URLs reported by our data providers lately, but in the past few weeks, we’ve seen unusually big spikes on three autonomous systems (simplifying slightly, an AS is a set of networks operated by a single entity):

AS16276 (OVH)
AS9809 (Nova Network, China)
AS22489 (Castle Access)

We have attempted to notify all three network operators via abuse@domain_name. The report to abuse@nova.net.cn bounced, so if you know another contact address there, please let us know.

Most likely, these spikes in infection numbers are the result of either targeted attacks at these networks or opportunistic attacks that happened to find their way into large numbers of identically configured (or misconfigured) web servers.


StopBadware welcomes a new board member

Posted by Maxim Weinstein Fri, 11 Jun 2010 15:22:17 GMT

StopBadware is pleased to announce that Paul Mockapetris will join our board of directors.

Mockapetris created the Domain Name System (DNS), an essential part of today’s Internet infrastructure, in the 1980s. He is now the Chief Scientist and Chairman of the Board at Nominum, a global provider of DNS and DHCP solutions to communication providers. He has previously served as chair of the Internet Engineering Task Force (IETF) and as a program manager at the Advanced Research Projects Agency (ARPA).

The board, chaired by PayPal CISO Michael Barrett, also includes Vint Cerf, Esther Dyson, John Palfrey, Ari Schwartz, Mike Shaver, and executive director Maxim Weinstein.

Press release: http://www.stopbadware.org/home/pr_06112010


Thoughts on WEIS 2010

Posted by Oliver Day Wed, 09 Jun 2010 14:58:42 GMT

Earlier this week I sat in on the Workshop on the Economics of Information Security.  One of the more lively research papers presented was on insecurities in the online pornography industry.  The paper [0] has also been written about by Threatpost [1].  As noted in Naraine’s article, the team crawled just over 35,000 websites using an automated system.  Interestingly, the team discovered that about 3.23% of those sites were also infected with drive-by downloads.  One aspect of the research I was curious about was the degree to which those infected porn sites were popular.  I spoke with Dr Wondracek after his talk about the possibility of figuring this out.  In my own thesis last semester I discovered that of the sampled sites we receive from our data partners, less than 3% were listed as popular by Alexa.


To determine this, one simply downloads Alexa’s “Top 1,000,000 Websites” list [2] and formats the list appropriately for comparison (Alexa’s list uses canonical hostnames).  Then take the intersection of the two lists (find which hostnames appear on both list A and list B) and use that to compute a percentage.  This statistic answers Pr(Popularity|Infection), the probability of popularity given an infection.
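The intersection described above, as an added example that is not part of the original post: it parses the Alexa `rank,hostname` CSV format, reduces reported badware URLs to canonical hostnames, and computes the fraction of infected hosts that are popular. The sample Alexa rows and badware URLs are constructed for illustration, and the canonicalization rule (lowercase, strip a trailing dot and a leading `www.`) is an assumption about how the two lists should be aligned, not Alexa's documented behaviour.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample in the format of Alexa's top-1m.csv: "rank,hostname", no header.
ALEXA_CSV = """1,google.com
2,facebook.com
3,example.org
4,shop.example.net
"""

# Constructed sample of badware URL reports (not real infections).
BADWARE_URLS = [
    "http://www.example.org/index.php?id=1",
    "https://Example.org/login",
    "http://blog.example.net/",
    "http://malicious-host.test/drive-by.html",
    "not a url",
]

def canonical_host(name):
    """Assumed canonical form: lowercase, no trailing dot, no leading 'www.'."""
    name = name.strip().lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name

def load_alexa(text):
    """Return the set of canonical hostnames from Alexa's rank,host CSV."""
    hosts = set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 2:
            hosts.add(canonical_host(row[1]))
    return hosts

def url_host(url):
    """Extract the canonical hostname from a reported URL; None if it has none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return canonical_host(host) if host else None

def popularity_given_infection(alexa_text, urls):
    """Return (infected hosts, infected hosts that are popular, Pr(Popularity|Infection))."""
    popular = load_alexa(alexa_text)
    # Exact hostname match, as the post describes; blog.example.net does not
    # match example.net, so subdomain folding would be a separate design choice.
    infected = {h for h in (url_host(u) for u in urls) if h}
    both = infected & popular
    frac = len(both) / len(infected) if infected else 0.0
    return infected, both, frac

if __name__ == "__main__":
    infected, both, frac = popularity_given_infection(ALEXA_CSV, BADWARE_URLS)
    print(f"{len(both)} of {len(infected)} infected hosts are popular: {frac:.1%}")
```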

[edit: moved links to bottom in footnote format for better readability]
[0] http://weis2010.econinfosec.org/papers/session2/weis2010_wondracek.pdf
[1] http://threatpost.com/en_us/blogs/understanding-porn-malware-connections-060810
[2] http://s3.amazonaws.com/alexa-static/top-1m.csv.zip
