[Discussion] Discussion Digest, Vol 1, Issue 14

Tue Oct 21 18:05:31 UTC 2008

So who are the major vendors we try to talk to? What are the OS's we'd
need to hit?

These things still running stuff like vxworks?

Or do we figure out a dns lookup kind of thing?

Anyone have contacts within the industry?

Matt

James McQuaid wrote:
> Concur.  Pushing reputational data to home users (with no interaction
> required by the home user) offers opportunities.  WOT and the paid
> version of SiteAdvisor are attempting to do this in the browser, but
> require some user interaction.
> 
> There are hundreds of thousands of misconfigured, compromised and
> ineffective home routers out there.  If we could work with the
> manufacturers, it might be possible to return these devices to
> productive use.
> 
> 
>> Or do we go with just pushing reputational data to the home user? What I
>> mean is if we build this engine to generate and act upon IP reputation
>> data could we know enough about the Internet collectively to simply push
>> a blacklist to the home user's router/firewall?
>>
>> On the more sophisticated devices where software could be installed
>> maybe it does run a stripped down detection engine and help feed IP data
>> back to the group. But overall it's still primarily benefiting only from
>> the blacklisting and whitelisting of the whole?
>>
>> How many false positives would we encounter that might actually affect a
>> home user?
> 
> We can take steps to ensure that this is not a big issue.
> 
> 
> 
>> I think it'd be a very interesting day if we were to have essentially a
>> Spamhaus/SURBL for IPs, thus pushing the bad guys to have to be even
>> more IP mobile than they are now.
>>
>> Take atrivo/intercare/mccolo for example. Infested with crap, and have
>> been for years. But since they can't really be blocked on the backbone
>> home users still hit the same scam AV sites, give their credit card
>> info, and get screwed. We know the sites are there, the registrars won't
>> take them down, the ISP is colluding with the bad guys so they'll stay
>> online. What can we do? (besides scream to our representatives for more
>> effective laws)
>>
>> We can block those bad IPs at the home user's level. That'll make them
>> start moving of course, just like bots being used to spam until they're
>> listed. So we have to be able to immediately move quickly with the.
> 
> Shut them out in real time with multiple daily updates; most of the
> data would not change, so the diff would usually be a very small file.
> 
> 
>> What does everyone think there? The basic idea being to use a normal
>> engine model by most security pro's to feed IP reputation into a global
>> database, and then the home user gets some sort of very basic tool or
>> button they can click on to benefit from that data? Maybe even feed back
>> to us.
>>
>> Matt
>>
> 
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc