[Discussion] What are we making? - Target User

Matt Jonkman jonkman at jonkmans.com
Sun Oct 19 16:32:19 UTC 2008


Splitting to a second thread as there are many good ideas here:

Rob, grandpa of Ryan, Trevor, Devon & Hannah wrote:
> However, given the current computing environment, I think it would be relatively 
> easy to make a case that such a device is not going to do all that much good.  That 
> a more accessible device, intended for "Grannyx" users, would actually do more to 
> protect the infrastructure.  After all, it isn't major nodes on the net that make up 
> botnets, it's the little guys.  Protect them, and you reduce the threat.  This is the 
> "low hanging fruit" for the blackhats, so protecting that crop is going to give us 
> the greatest benefit for the commitment of resources.

Very well put. We've always left the home user to fend for themselves
because it's just too complicated to run IDS unless you're a security
professional. Thus in the botnet world we chase command and control
servers and leave the bots infected. Not the best approach.

So if we were to make this tool capable of being run "out of the box" as
a simple install and it'll do the rest on its own, what would that mean?

Would we need it to run on a WRTG style router OS?

Would we need to approach the home router makers about a plugin?

Would we want to go desktop stuff? (not my preference as the fox can't
be trusted to watch the henhouse IMHO)

Or do we go with just pushing reputational data to the home user? What I
mean is if we build this engine to generate and act upon IP reputation
data could we know enough about the Internet collectively to simply push
a blacklist to the home user's router/firewall?

On the more sophisticated devices where software could be installed
maybe it does run a stripped down detection engine and help feed IP data
back to the group. But overall it's still primarily benefiting only from
the blacklisting and whitelisting of the whole?

How many false positives would we encounter that might actually affect a
home user?

I think it'd be a very interesting day if we were to have essentially a
Spamhaus/SURBL for IPs, thus pushing the bad guys to have to be even
more IP mobile than they are now.

Take atrivo/intercare/mccolo for example. Infested with crap, and have
been for years. But since they can't really be blocked on the backbone
home users still hit the same scam AV sites, give their credit card
info, and get screwed. We know the sites are there, the registrars won't
take them down, the ISP is colluding with the bad guys so they'll stay
online. What can we do? (besides scream to our representatives for more
effective laws)

We can block those bad IPs at the home user's level. That'll make them
start moving of course, just like bots being used to spam until they're
listed. So we have to be able to immediately move quickly with the.

What does everyone think there? The basic idea being to use a normal
engine model by most security pros to feed IP reputation into a global
database, and then the home user gets some sort of very basic tool or
button they can click on to benefit from that data? Maybe even feed back
to us.



> In terms of my recommendation of a paran-o-meter, it makes a difference.  
> Actually, I see huge debates over initial settings: do we keep it low to keep from 
> crying wolf, or keep it high to keep people as safe as possible.  But one thing that 
> should be done is make the paranoia settings not-quite-obvious up front, so that 
> somebody needs to know a little about the implications before they start fiddling 
> with settings.
> 
> Heck, if it's a professional device, we don't need to worry about the interface at 
> all.  If it's for Granny, we definitely do.

Agreed. I don't think we can satisfy any of the needs of either granny
or us in the same tool. It'd either be too dumbed down for us, or too
complex for granny. I don't see any middle ground personally.

I like the home router plugin thing though. If it could feed back to us
what IPs it was blocking we'd learn a lot!

Matt

> 
> It also makes a difference in terms of the technology to be included.  If it is for 
> professionals, we can throw in everything.  If for Granny, we need to make a 
> careful choice about maximum protection for minimum performance drain.

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
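Added example (not part of the original post or of any Emerging Threats tooling): a toy aggregator for the "feed IP reputation into a global database, push a blocklist to the home router" idea above. It counts how many distinct sensors reported each IP and only pushes IPs past a vote threshold, which is one simple lever against the false-positive problem raised in the thread, and it keeps an operator whitelist that always wins. Sensor names, IP addresses, the feed layout and the whitelist range are all constructed for illustration; the output format is the real `ipset restore` syntax.

```python
"""
Constructed demo: turn per-sensor reputation reports into a router blocklist.
Not from the mailing-list post; sensor names and addresses are made up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample feed: (reporting sensor, offending IP, category).
SAMPLE_REPORTS = [
    ("sensor-a", "203.0.113.10", "scam-av"),
    ("sensor-b", "203.0.113.10", "scam-av"),
    ("sensor-c", "203.0.113.10", "c2"),
    ("sensor-a", "198.51.100.7", "spam"),   # one sensor only: below threshold
    ("sensor-a", "192.0.2.44", "c2"),
    ("sensor-b", "192.0.2.44", "c2"),
    ("sensor-c", "192.0.2.44", "c2"),
    ("sensor-a", "192.0.2.44", "c2"),       # repeat from one sensor counts once
]

# Constructed whitelist: a range we never push to home routers (think the
# user's ISP resolvers, or a shared host where a block would break too much).
WHITELIST = [ip_network("192.0.2.32/27")]


def aggregate(reports):
    """Map each reported IP to the set of distinct sensors that reported it."""
    votes = defaultdict(set)
    for sensor, ip, _category in reports:
        votes[ip_address(ip)].add(sensor)
    return votes


def is_whitelisted(ip, whitelist=WHITELIST):
    """True if the IP falls inside any whitelisted network."""
    return any(ip in net for net in whitelist)


def build_blocklist(reports, min_sensors=2, whitelist=WHITELIST):
    """IPs seen by at least min_sensors distinct sensors and not whitelisted.

    Requiring agreement between independent sensors before an IP is pushed
    to end users is the false-positive control; raise min_sensors for a
    more conservative list, lower it for a more aggressive one.
    """
    votes = aggregate(reports)
    return sorted(
        str(ip)
        for ip, sensors in votes.items()
        if len(sensors) >= min_sensors and not is_whitelisted(ip, whitelist)
    )


def to_ipset_restore(blocklist, set_name="reputation_block"):
    """Render the blocklist in 'ipset restore' input format for a Linux router."""
    lines = [f"create {set_name} hash:ip -exist"]
    lines += [f"add {set_name} {ip} -exist" for ip in blocklist]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Feed the output to `ipset restore` and match the set from an iptables rule.
    print(to_ipset_restore(build_blocklist(SAMPLE_REPORTS)), end="")
```

With the constructed feed, only 203.0.113.10 survives: 198.51.100.7 has a single reporter and 192.0.2.44 is whitelisted despite three votes. The same "who agrees, and who is exempt" logic is what a feedback path from routers would have to preserve so that one misbehaving sensor cannot blacklist an address for everyone.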