Take the Fight Upstream

A few years ago most internet email providers began scanning attachments. The result has been a drastic reduction in the volume of malware distributed by email.

Unfortunately, the malware guys have taken to hacking legitimate websites and using them for drive by downloads. There are lots of systems out there that have not been updated, lots of potential vulnerabilities from non Microsoft software (mostly media players) and probably some unpatched Microsoft exploits we have not heard about yet.

I wonder if there is some way ISP's could detect these hacked sites. Various things come to mind:

1. Massive HTTP scanning. This would mainly help the large numbers (estimated at over 50%) of computers without updated AV's.

2. Behavioral analysis. Someone would have to invent this.

3. Blacklisting. This is already being used by Google. Some sites are being marked as unsafe. In some cases it is not possible to get to the site by clicking on the link. The address must be cut and pasted into the browser address bar. Perhaps this information could be shared with ISP's or organizations like Open DNS. The result is a bit like a hosts file. Not everyone is able to install a hosts file, and the big ones can slow down older computers.

OK security geniuses, any other ideas?

 

Sandboxing could be a good answer

MaB

PS : of course i'm not a security genius

 

A default-deny security policy with only your existing system process and trusted applications allowed to run.
Rick

 

Yes, with the latest cutting-edge technology available, we all know it's now possible for ISPs to do that for end users.

That aside, for such a restrictive policy, I'd rather install a reboot-to-restore system and be done with it. Less hassles, less prompt windows.

 

Judging from the above responses, either no one read my post, or no one understands what I am saying. The whole point is to get the ISP's to do more because in the big picture security, for whatever reason, is not working at the user level well enough to discourage malware authors. Its not about adding yet another security program to the client machines of those that are knowledgeable.

 

I am just an average computer user, not at all a techie, and I do not have an advanced understanding of the technology behind ISPs, or the types of technologies that ISPs have at their disposal. I agree that the ISPs should somehow be very actively involved in screening or being aware of what their servers are handling. I don't have any idea of how intrusively or aggressively ISPs are currently screening what their customers are doing, or what their customers are trying to send over their service, and how they can do this without engaging in "censorship." Are you thinking that the ISPs should analyze more in-depth what their customers are doing on their service, so that they can do more to catch any malware or other shady types of things? I think there has to be a balance between the individual user arming himself with good security programs and the ISPs taking on more of an aggressive role in protecting the user. Again, I am saying this without any real knowledge of what protections the ISPs typically incorporate. But, yes, I'd like the ISPs to help in any way they can to stop malware, spam--anything that is harmful. Is this even close to addressing your topic?

 

I think it should be possible to set up HTTP scanners to automatically scan all traffic passing through their servers without having to specifically identify what the content is and who it's going to/coming from, the same way it's done on email servers.

Come to think of it, this DOES sound like a good idea.

 

Email scanning/spam blocking at the gateway level seems to be working fine so far. So has blocking some vulnerable ports at the server before the request reaches users.

In any case the ISPs could just enter an agreement with an antivirus vendor who provides the scanning, and all the ISP does is supply the necessary infrastructure.

 

Working fine with Wildblue (satellite internet provider) here. They use McAfee (AV) and Postini (antispam). It is rare when one slips through.

 

ISP scanning/blocking of anything... is a bad thing.

i always miss loads of emails, some important ones.

if they went into other things, im sure i would only have more problems.

 

While I use Windows Mail to retrieve my mail, I can also go online and look at the filtered mail. Most of the time the mail is...uh...of a sexual nature, lol. I probably found maybe 3 legit ones in there all year.

 

I don't see how an ISP could reliably protect a PC. Scanning and blacklisting sites is an excercise in futility. The best they could do is catch a percentage of them. Phishing sites come and go in a couple of days. Keeping up would be impossible unless you had an army of bots to do the checking. Even assuming they could filter out all the malicious web pages, they can't protect a user from what they choose to install. You mentioned behavior analysis. Same problem, too many to be feasible. Even if it were possible for an ISP to perform behavioral analysis on every application a user downloads, I question if this would be desirable from any point of view. I wouldn't want them analysing everything I downloaded.

Partnering with AVs wouldn't make that much difference, except for those who don't run an up to date AV. Whether the scanning is done locally or by an ISP, the result is the same. It's still scanning for known threats with conventional tools.

It's not possible to filter out of keep tract of all the malicious content that's on the web or to intercept all the code that could potentially be used to exploit an operating system or specific applications. There's just too much of it and it's spread too fast. As long as we have operating systems that allow malicious code to run being used by people who will open or click on anything, the problem won't ever be fixed. Educating users is a waste of time. We've been hearing that for years. If education was going to work, it would have worked by now. With trusted sites being compromised, using common sense in your browsing isn't going to be enough.

We can't fix the users. We can't stop the writing of malware and exploit code. That leaves the operating system as the only place we can effectively address the problem. The only OS that is truly secure is one that can't be written to, like a live CD. The next best choice is a tightly configured system with a default-deny security policy enforced on it, one that doesn't allow any unknown processes to execute.
Rick

 

Rather than "filtering" the downloading-habits of their users, some ISP's are instead choosing to deal with the effect rather than the cause of their dLo-habits. They are monitoring the amount of upLoading-activity as a symptom of infection, such as spam-bots. Discussed here https://www.wilderssecurity.com/showthread.php?t=185251 is what one (mine) ISP does. Basically, if we don't take care of the "prevention"...they take care of the cure!

 

If there is not a law specify their duty, they for sure will not do this, no gain from their own side, just effort and possible complain.

 

I do believe that a recent survey done by McAfee shows the difference between the number of people who think they have up-to-date AV protection and the number of people who actually do have up-to-date AV protection.

While it's nice and all to be enamored with HIPS and default-deny doodads, do take a step back every now and then to look at the bigger picture, and you'll see that an up-to-date antivirus scanner does still provide a good level of protection for the majority of joe schmoe, "next-door grandma" users.

A good scanner will still stop 98% of the nasties from getting through. It's when you obssess over the remaining 2% that you lose sight of the overall picture.

 

They do, it's called "enforcing the cap"...

Over the past year or so, they have increased the up/download speeds (and the $/mo.) twice. (So there are gains.) As far as complaints, their answering machine doesn't mind)

 

That 's also a good example of the futility of educating users. It's amazing how many there are that don't understand that expired equals unprotected.

A few years ago, I wouldn't have been that concerned about that remaining 2% either, but much of todays malware is designed to steal passwords, account numbers, etc. One piece of undetected malware can result in a financial disaster or identity theft, even if it's only one day that it's undetected. With much of the malware being rootkits, a missed detection can become a long term problem, unless the user runs anti-rootkit tools, many of which are beyond the average users ability to understand. Even if the rootkit module of an AV does detect a rootkit, oftntimes they can't remove it.

Security software has advanced much faster than the typical users ability to understand and effectively use it. HIPS is just one example. Default-deny doesn't have to be a policy that only a security expert can use. The tools already exist to offer such a service remotely. Default-deny and HIPS software are viable options with such a service. Users already pay yearly rates for AVs which only provide partial protection thats limited in scope. A service that addressed new vulnerabilities, updates user software as needed, and creates secure HIPS and firewall rules based on user requirements would easily be worth more that what an AV charges for yearly subscriptions. The market is wide open for those offering a security service that updates, protects, and cleans.
Rick

 

Just two pennies, if I may.

There is no point to a default-deny policy. By itself, it means that you are either utterly restricting yourself or forced to deal with dozens of popups on a regular basis. Default-deny is also pointless when you need to install new software.

Excellent (near-perfect, even) security can be achieved using a good layered setup: firewall, blacklist scanner, sandbox, behavior blocker, software vulnerability patches, non-IE browser, LUA, reboot-to-restore etc. Just pick the ones that suit you and your needs. Using combined solutions provide equally excellent protection, and alert you only when something really needs attention. Compare this with a default-deny policy that cannot distinguish whether something is malicious or not, and at least ten times more intrusive and restrictive than the average layered setup.

There is no point in championing ONE single solution as the end-all to every problem - doing so just creates other problems. Multiple solutions are equally viable, equally secure and much more practical for everyday use. And for all their intrusiveness, default-deny solutions are far from bulletproof either. A malicious HTML shellcode file can easily instruct iexplore.exe to delete c:\ntldr, for example. Default-deny is also weak or entirely useless against helper applications that load data or software with vulnerabilities, for another example.

But I think we're getting off-topic here.

 

Not sure where you're going with this "non Microsoft software"

Are you suggesting that the ISP scans the url's inside an e-mail message and either delete or manipulate them? Maybe prefix the url with something like LinkScanner?
This is highly debatable ...

I don't think this applies here, since we are a dealing with static message objects.

Yes, Google already provides anti-phishing support to Firefox: http://www.google.com/tools/firefox/safebrowsing/
IMHO, this is not an "Upstream" issue, it is up to the end-user.

 

I work closely with a webhost and managed bandwidth provider..who has their data center right upstairs from my office. For a long time..he's been doing scanning of e-mail for viruses/spam, for both POP, and "smart hosting" to wash mail heading to my clients Exchange Servers. His bandwidth is for business accounts..where he provides T's of various flavors, bridged DSL, managed WANS, Motorola Canopy, etc. So he has considerable DNS resources.

"Washing" mail with gateway appliances is relatively easy..he has his own custom built box for that. But "washing" clients web browsing...wow...while technically..on paper, it can be made to work...I can't begin to fathom the amount of resources it would consume for the ISP. Not to mention the performance hit in browsing and DNS response for the clients. Not to mention the manpower required to handle the supports calls from "I can't connect to blah blah blah".

What I'm starting to do more and more of...is for clients gateways...using gateway appliances which scrub web traffic at that level.
www.untangle.com
Really cool UTM appliances.

 

Well said.