[Discussion] Discussion Digest, Vol 1, Issue 14

David Glosser david.glosser at gmail.com
Tue Oct 21 18:42:57 UTC 2008


>From this article
(http://www.networkworld.com/net.worker/columnists/2004/0329wolf.html)
back in 2004,

granny's home router is:
Linksys - 33%
Netgear 12%
D-Link 12%

then there's Belkin,  Buffalo, and everyone else. And dozens of
models, with probably as many firmware versions out there.


So, for Granny (home user),  reputational data could be pushed
(pulled?) at the following chokepoints:

Browser -- OS -- home router -- ISP -----> Internet

Some of these locations already have products (such as Browser-based
WOT & siteadvisor, OS antivirus, etc, which work with varying degrees
of effectiveness) and some don't...





On Tue, Oct 21, 2008 at 2:05 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> So who are the major vendors we try to talk to? What are the OS's we'd
> need to hit?
>
> These things still running stuff like vxworks?
>
> Or do we figure out a dns lookup kind of thing?
>
> Anyone have contacts within the industry?
>
> Matt
>
> James McQuaid wrote:
>> Concur.  Pushing reputational data to home users (with no interaction
>> required by the home user) offers opportunities.  WOT and the paid
>> version of SiteAdvisor are attempting to do this in the browser, but
>> require some user interaction.
>>
>> There are hundreds of thousands of misconfigured, compromised and
>> ineffective home routers out there.  If we could work with the
>> manufacturers, it might be possible to return these devices to
>> productive use.
>>
>>
>>> Or do we go with just pushing reputational data to the home user? What I
>>> mean is if we build this engine to generate and act upon IP reputation
>>> data could we know enough about the Internet collectively to simply push
>>> a blacklist to the home user's router/firewall?
>>>
>>> On the more sophisticated devices where software could be installed
>>> maybe it does run a stripped down detection engine and help feed IP data
>>> back to the group. But overall it's still primarily benefiting only from
>>> the blacklisting and whitelisting of the whole?
>>>
>>> How many false positives would we encounter that might actually affect a
>>> home user?
>>
>> We can take steps to ensure that this is not a big issue.
>>
>>
>>
>>> I think it'd be a very interesting day if we were to have essentially a
>>> Spamhaus/SURBL for IPs, thus pushing the bad guys to have to be even
>>> more IP mobile than they are now.
>>>
>>> Take atrivo/intercare/mccolo for example. Infested with crap, and have
>>> been for years. But since they can't really be blocked on the backbone
>>> home users still hit the same scam AV sites, give their credit card
>>> info, and get screwed. We know the sites are there, the registrars won't
>>> take them down, the ISP is colluding with the bad guys so they'll stay
>>> online. What can we do? (besides scream to our representatives for more
>>> effective laws)
>>>
>>> We can block those bad IPs at the home user's level. That'll make them
>>> start moving of course, just like bots being used to spam until they're
>>> listed. So we have to be able to immediately move quickly with the.
>>
>> Shut them out in real time with multiple daily updates; most of the
>> data would not change, so the diff would usually be a very small file.
>>
>>
>>> What does everyone think there? The basic idea being to use a normal
>>> engine model by most security pro's to feed IP reputation into a global
>>> database, and then the home user gets some sort of very basic tool or
>>> button they can click on to benefit from that data? Maybe even feed back
>>> to us.
>>>
>>> Matt
>>>
>>
>>> --
>>> --------------------------------------------
>>> Matthew Jonkman
>>> Emerging Threats
>>> Phone 765-429-0398
>>> Fax 312-264-0205
>>> http://www.emergingthreats.net
>>> --------------------------------------------
>>>
>>> PGP: http://www.jonkmans.com/mattjonkman.asc
>>>
>>>
>>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>



More information about the Discussion mailing list