[Discussion] Discussion Digest, Vol 1, Issue 14

James McQuaid jim.mcquaid at gmail.com
Tue Oct 21 11:25:34 UTC 2008


Concur.  Pushing reputational data to home users (with no interaction
required by the home user) offers opportunities.  WOT and the paid
version of SiteAdvisor are attempting to do this in the browser, but
require some user interaction.

There are hundreds of thousands of misconfigured, compromised and
ineffective home routers out there.  If we could work with the
manufacturers, it might be possible to return these devices to
productive use.


> Or do we go with just pushing reputational data to the home user? What I
> mean is if we build this engine to generate and act upon IP reputation
> data could we know enough about the Internet collectively to simply push
> a blacklist to the home user's router/firewall?
>
> On the more sophisticated devices where software could be installed
> maybe it does run a stripped down detection engine and help feed IP data
> back to the group. But overall it's still primarily benefiting only from
> the blacklisting and whitelisting of the whole?
>
> How many false positives would we encounter that might actually affect a
> home user?

We can take steps to ensure that this is not a big issue.



> I think it'd be a very interesting day if we were to have essentially a
> Spamhaus/SURBL for IPs, thus pushing the bad guys to have to be even
> more IP mobile than they are now.
>
> Take atrivo/intercare/mccolo for example. Infested with crap, and have
> been for years. But since they can't really be blocked on the backbone
> home users still hit the same scam AV sites, give their credit card
> info, and get screwed. We know the sites are there, the registrars won't
> take them down, the ISP is colluding with the bad guys so they'll stay
> online. What can we do? (besides scream to our representatives for more
> effective laws)
>
> We can block those bad IPs at the home user's level. That'll make them
> start moving of course, just like bots being used to spam until they're
> listed. So we have to be able to immediately move quickly with the.

Shut them out in real time with multiple daily updates; most of the
data would not change, so the diff would usually be a very small file.


> What does everyone think there? The basic idea being to use a normal
> engine model by most security pros to feed IP reputation into a global
> database, and then the home user gets some sort of very basic tool or
> button they can click on to benefit from that data? Maybe even feed back
> to us.
>
> Matt
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>

-- 
James McQuaid
http://www.jamesmcquaid.com
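The update scheme James describes (full list rarely changes, so ship a small diff several times a day) and Matt's false-positive worry can be shown in a few lines. The following is an added example, not code from this thread, from Emerging Threats or from any router vendor; it assumes a feed format of one IPv4 address or CIDR block per line, a delta format of "+net" / "-net" lines, and a local allowlist that always wins over the blocklist. All addresses are constructed samples from the RFC 5737 documentation ranges.

```python
"""Incremental IP blocklist updates with an allowlist override (added example).

Assumed formats (not from the thread):
  full snapshot: one IPv4 address or CIDR per line, '#' starts a comment
  delta file:    '+<net>' to add a block, '-<net>' to remove one
"""
import ipaddress

# Constructed sample snapshots: the second drops one host and adds another.
OLD_FEED = "192.0.2.0/24\n198.51.100.7\n203.0.113.0/25\n"
NEW_FEED = "192.0.2.0/24\n203.0.113.0/25\n203.0.113.200\n"

# Constructed local allowlist, e.g. the user's own bank inside a listed /24.
ALLOWLIST = ("192.0.2.10/32",)


def _net_key(net):
    """Stable ordering for networks of either IP version."""
    return (net.version, int(net.network_address), net.prefixlen)


def parse_feed(text):
    """Parse a full snapshot into a set of ip_network objects."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.add(ipaddress.ip_network(line, strict=False))
    return nets


def make_delta(old, new):
    """Produce the compact delta between two snapshots as '+net' / '-net' lines."""
    added = sorted(new - old, key=_net_key)
    removed = sorted(old - new, key=_net_key)
    lines = ["+%s" % n for n in added] + ["-%s" % n for n in removed]
    return "\n".join(lines) + ("\n" if lines else "")


def apply_delta(current, delta_text):
    """Apply a delta on the router side; returns the updated set.

    Malformed lines abort the update rather than leaving a half-applied list.
    """
    nets = set(current)
    for line in delta_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        op, value = line[0], line[1:].strip()
        net = ipaddress.ip_network(value, strict=False)
        if op == "+":
            nets.add(net)
        elif op == "-":
            nets.discard(net)
        else:
            raise ValueError("bad delta line: %r" % line)
    return nets


class Blocklist:
    """Router-side decision: allowlist entries override blocklist entries."""

    def __init__(self, blocked, allowed=()):
        self.blocked = set(blocked)
        self.allowed = {ipaddress.ip_network(a, strict=False) for a in allowed}

    def is_blocked(self, addr):
        ip = ipaddress.ip_address(addr)
        # A local allowlist contains the blast radius of a false positive
        # in the shared feed without waiting for the feed to be corrected.
        if any(ip in net for net in self.allowed):
            return False
        return any(ip in net for net in self.blocked)


def update_sizes():
    """Bytes a router would download for a full snapshot versus the delta."""
    old, new = parse_feed(OLD_FEED), parse_feed(NEW_FEED)
    return len(NEW_FEED.encode()), len(make_delta(old, new).encode())


if __name__ == "__main__":
    old, new = parse_feed(OLD_FEED), parse_feed(NEW_FEED)
    delta = make_delta(old, new)
    print(delta, end="")
    bl = Blocklist(apply_delta(old, delta), ALLOWLIST)
    for a in ("203.0.113.200", "198.51.100.7", "192.0.2.10", "192.0.2.11"):
        print(a, "blocked" if bl.is_blocked(a) else "allowed")
```

On a real feed of hundreds of thousands of entries the delta stays a few lines per update while the snapshot stays large, which is the whole point of shipping diffs; the allowlist is the cheap local safety valve for the false-positive question raised above.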


