Low-hanging fruit in walled gardens | SC Media

July 10, 2012

A thoughtful article by Tom Brewster revives (in the aftermath of the DNSChanger problem) an issue that generated some heat back in 2010, when Scott Charney, corporate VP of Trustworthy Computing at Microsoft, proposed applying a quarantine model for the users of infected systems based on public health management models.

I don't have a problem in principle with suspending internet access for infected systems. I don't think it's a human rights issue – the individual has no intrinsic, inalienable right to leave his own system unprotected if by doing so he puts others at risk. The problem I have is with the assumption that some entity, whether or not it's Microsoft, can accurately identify a unique infected system in every case.

First there's the question of what technical process is used to identify the presence of an infection. That's a tall order if you don't have any direct access to a possibly infected system, without even considering the possibility that individuals may be disconnected inappropriately because of transient false positives (FPs). FPs are a more widespread problem than you might think. Fortunately, the nature of the malware problem (i.e. the enormous glut of samples) means that each FP usually affects only a few individuals. The big stories where innocent system files are inadvertently misdiagnosed, affecting thousands or millions of users, are actually not typical. They attract attention precisely because the number of people affected is untypical.

There is another issue, though: long ago the internet ceased to be mappable in terms of one IP address equalling one individual machine (hence the confusion as to how many systems are actually impacted by the DNSChanger problem). The diagnosis of malware based on an IP address presents huge problems where addresses are dynamic, or gateway addresses used by multitudes of users. Even a media access control (MAC) address, while unique to a network interface, isn't granular enough. You're likelier to pick up a MAC ID that belongs to a gateway server than you are that of an individual infected machine.
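The two preceding paragraphs make a point that is easier to see with numbers in front of you: an abuse sighting names a public IP address at a moment in time, and a disconnection policy that treats the IP as the subject rather than the subscriber who held it at that moment will hit the wrong people when addresses are reassigned, will hit everyone behind a shared gateway, and will act on a single transient false positive. The following Python model is an added example, not code from the article or from any ISP; the lease table, the sighting records, the IP addresses and the subscriber names are all constructed for illustration, and the thresholds (two sightings from two independent sensors within an hour) are assumptions chosen to show the mechanism, not recommended values.

```python
"""Illustrative quarantine-decision model (added example, constructed data).

Assumed inputs, none of which come from the article:
  - "sightings": (timestamp, public IP, reporting sensor) records, as a
    sinkhole or honeypot operator might pass to an ISP;
  - a DHCP-style lease table mapping a public IP to the subscriber that
    held it over an interval, so the same IP can belong to different
    people at different times;
  - one subscriber, "cgnat-gw", is a shared gateway fronting many hosts,
    so a sighting of its IP cannot be pinned to any single machine.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str
    start: datetime
    end: datetime  # exclusive


@dataclass(frozen=True)
class Sighting:
    when: datetime
    ip: str
    source: str  # sensor that reported the hit


T0 = datetime(2012, 7, 10)  # constructed reference time for the sample data

# Constructed lease table: 203.0.113.5 moves from sub-A to sub-B at T0+2h.
LEASES: List[Lease] = [
    Lease("203.0.113.5", "sub-A", T0, T0 + timedelta(hours=2)),
    Lease("203.0.113.5", "sub-B", T0 + timedelta(hours=2), T0 + timedelta(hours=24)),
    Lease("203.0.113.9", "sub-C", T0, T0 + timedelta(hours=24)),
    Lease("198.51.100.1", "cgnat-gw", T0, T0 + timedelta(hours=24)),
]
SHARED_GATEWAYS: Set[str] = {"cgnat-gw"}  # addresses shared by many hosts

# Constructed sightings. sub-A is seen repeatedly by two sensors; sub-B and
# sub-C each produce one isolated hit (the transient FP case); the gateway
# is seen often, but that says nothing about which host behind it is infected.
SIGHTINGS: List[Sighting] = [
    Sighting(T0 + timedelta(hours=1), "203.0.113.5", "sinkhole"),
    Sighting(T0 + timedelta(hours=1, minutes=30), "203.0.113.5", "sinkhole"),
    Sighting(T0 + timedelta(hours=1, minutes=45), "203.0.113.5", "honeypot"),
    Sighting(T0 + timedelta(hours=3), "203.0.113.5", "sinkhole"),  # IP now held by sub-B
    Sighting(T0 + timedelta(hours=5), "203.0.113.9", "sinkhole"),
    Sighting(T0 + timedelta(hours=6), "198.51.100.1", "sinkhole"),
    Sighting(T0 + timedelta(hours=6, minutes=10), "198.51.100.1", "honeypot"),
    Sighting(T0 + timedelta(hours=6, minutes=20), "198.51.100.1", "sinkhole"),
]


def subscriber_at(ip: str, when: datetime, leases: Iterable[Lease]) -> Optional[str]:
    """Return the subscriber holding `ip` at instant `when`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.subscriber
    return None


def naive_quarantine(sightings: Iterable[Sighting]) -> Set[str]:
    """The policy the article warns about: block every IP ever reported, with no lease lookup."""
    return {s.ip for s in sightings}


def subscribers_behind(ips: Set[str], leases: Iterable[Lease]) -> Set[str]:
    """Everyone who held one of the blocked IPs at any point, i.e. who an IP block actually hits."""
    return {lease.subscriber for lease in leases if lease.ip in ips}


def corroborated_quarantine(
    sightings: Iterable[Sighting],
    leases: Iterable[Lease],
    min_sightings: int = 2,
    min_sources: int = 2,
    window: timedelta = timedelta(hours=1),
) -> Dict[str, str]:
    """Attribute each sighting to the subscriber holding the lease at that moment, then decide.

    Verdicts: "quarantine" when at least `min_sightings` hits from at least
    `min_sources` distinct sensors fall inside one `window`; "watch" when the
    evidence is thinner than that; "cannot-attribute" for shared gateways.
    """
    leases = list(leases)
    hits_by_sub: Dict[str, List[Sighting]] = {}
    verdicts: Dict[str, str] = {}
    for s in sightings:
        sub = subscriber_at(s.ip, s.when, leases)
        if sub is None:
            continue  # no lease record at that time: nothing to attribute
        if sub in SHARED_GATEWAYS:
            verdicts[sub] = "cannot-attribute"
            continue
        hits_by_sub.setdefault(sub, []).append(s)
    for sub, hits in hits_by_sub.items():
        hits.sort(key=lambda h: h.when)
        verdicts[sub] = "watch"
        for i, first in enumerate(hits):
            cluster = [h for h in hits[i:] if h.when - first.when <= window]
            if len(cluster) >= min_sightings and len({h.source for h in cluster}) >= min_sources:
                verdicts[sub] = "quarantine"
                break
    return verdicts


if __name__ == "__main__":
    blocked = naive_quarantine(SIGHTINGS)
    print("naive IP block hits:", sorted(subscribers_behind(blocked, LEASES)))
    print("corroborated verdicts:", corroborated_quarantine(SIGHTINGS, LEASES))
```

Run as written, the naive policy blocks three addresses and thereby cuts off all four subscribers, including sub-B (who inherited an address after the infected sub-A gave it up), sub-C (one unconfirmed hit) and every host behind the gateway. The corroborated policy quarantines only sub-A, leaves sub-B and sub-C on a watch list, and flags the gateway as unattributable, which is the point at which the article's ISP cooperation or an on-host agent would have to take over.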

“The problem I have is with the assumption that some entity, whether or not it's Microsoft, can accurately identify a unique infected system in every case.”

– David Harley, senior research fellow, ESET

An ISP might be in a better position to identify an individual machine, but getting that sort of universal cooperation is a whole different ball game. Another approach is to have some kind of agent software on a machine that may or may not monitor its infection status directly, but enables traffic monitoring, patch status, presence of security software and so on, in order to analyze the probability of infection. Some of that technology has been in place in some enterprises for a long time. But that approach is not going to be implemented worldwide any time soon. I suspect that most providers will simply assume that the problem is too intractable, and that the cure is likely to be worse, or at any rate, less popular and more expensive than the disease.

It's not the first time that the Microsoft proposal has been cited in the context of DNSChanger, or that I've been asked about it in this context, but the DNSChanger problem is a little different from the Charney proposals. The FBI didn't cut people off because they were infected. In fact, the cleaned server was maintained to give DNSChanger victims a chance to fix their systems, rather than simply being closed down. That's because it wasn't just a matter of removing the infection but of adjusting the DNS settings on their computers. The truth is, DNSChanger has long been effectively neutralized, so while there was some risk posed by infected users, the likely consequences weren't particularly significant in this case. Except to individuals who hadn't taken basic precautions, which I guess takes us full circle.