Security Watch
British ISP Fires Back at Spammers
Plus: A botnet study; bad password education?
British Telecom has implemented a system whereby they can identify those
customers who are sending spam, especially those that trigger zombies
in a botnet. After identifying the offending customer, they quarantine
or terminate the account, depending on the activity. If quarantined, BT
assists the customer in remediating their PC and returning it to the control
of the owner.
Well, this is something that has been a long time coming. Finally an
ISP is going to start protecting its customers from other customers, for
a start. When a client within an ISP is infected with botnet malware,
typically their first victims come from the same ISP. BT's new feature
will identify these zombies, block them from communicating with other
customers and the Internet-at-large and eventually get them cleaned.
Of course, there is concern that there will be false positives, but StreamShield
Networks is sure its Content Forensics product will keep those to a minimum,
if not avoid them entirely.
We certainly hope that this live implementation will yield glowing reports
of decreased spam and malware originating from BT networks, and that BT
announces an incredible improvement in response time for its customers
as its networks become less congested with garbage traffic. This will
be needed to inspire other ISPs to adopt similar strategies.
In 2001, I spelled out what I termed the "Internet Penalties Plan"
which basically described an identical process.
A Multifaceted Approach to Understanding the Botnet
Phenomenon
Members of the Johns Hopkins University Computer Science Department have
conducted an excellent study analyzing bots and botnets (download the
PDF here).
It's an extremely comprehensive study of botnets over a three-month period
from early 2006. They constructed a sophisticated environment within which
they were able to become infected, determine what the infecting code does,
monitor the actions of the code as well as the Command and Control (C&C)
channel used by the bot-master, and, finally, detail the actual tasks
performed by the bot-infected systems.
Without getting into human motivations, this study is extremely informative
to anyone attempting to prevent or detect bot activity. It shows the difficulty
in monitoring, detecting the sources and identifying the bot-masters.
It also provides some insight into the size and scope of botnets, indicating
they are likely smaller than many of the media claims have been. They
provide an understanding of why that is, namely, the fact that IRC servers
have functional limitations on the number of computers they can simultaneously
control. They explain their observations of how a few bot-masters attempt
to overcome that limitation.
It's well worth a read. Hopefully this study will lead to more research
in this area. This study, coupled with the BT announcement mentioned above,
may well show signs that we may be making progress against the bot-herders.
Study: Workers Often Jot Down Passwords
More sophisticated passwords and better user education have done nothing
to improve IT security, says a study involving 325 U.S. employees. The
study recommends biometric controls instead of passwords.
The senior analyst for the study said: "This is really a lot like
mom and dad buying a great new security system for the house and junior
leaving the combination under the door mat."
Well, this simply isn't true. It is true if the password is pasted to
the front of the monitor and the attacker is present at the monitor.
It isn't true if the password is on the monitor and the attacker is entering
via the Internet.
In other words, knowing the password isn't all that's required to gain
access to password-secured systems. You have to have either physical or
network access, and many other layers of security can enforce further
restrictions such as MAC or IP address permission, time restrictions,
and so on.
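As an added illustration of the layered-check argument (example code, not part of the original column), here is a small login gate in Python where a correct password alone does not grant access; the user name, policy values, network ranges and timestamps are constructed for the example.

```python
"""Added example: password check plus source-network and time-of-day layers.
All names, policy values and sample addresses below are constructed."""
import hashlib
import hmac
import ipaddress
from datetime import datetime

# Constructed per-user policy. A real deployment would use a proper password
# KDF and pull the network/time rules from a directory or RADIUS backend.
USERS = {
    "jsmith": {
        "pw_hash": hashlib.sha256(b"s3cret-on-a-postit").hexdigest(),
        "allowed_nets": [ipaddress.ip_network("10.20.0.0/16")],  # office LAN only
        "allowed_hours": range(7, 19),                            # 07:00-18:59 local
    }
}

# Constructed sample timestamps used by the demo run.
OFFICE_MORNING = datetime(2006, 10, 3, 9, 30)
LATE_NIGHT = datetime(2006, 10, 3, 23, 5)


def check_password(user, password):
    """Constant-time comparison of the supplied password against the stored hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, rec["pw_hash"])


def authorize(user, password, src_ip, when):
    """Return (allowed, reason). Every layer must pass, not just the password."""
    if not check_password(user, password):
        return False, "bad-password"
    rec = USERS[user]
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in rec["allowed_nets"]):
        # A correct password from an unexpected network is exactly the signal a
        # written-down or leaked credential produces; this reason is worth alerting on.
        return False, "source-ip-not-permitted"
    if when.hour not in rec["allowed_hours"]:
        return False, "outside-allowed-hours"
    return True, "ok"


if __name__ == "__main__":
    print(authorize("jsmith", "s3cret-on-a-postit", "10.20.5.7", OFFICE_MORNING))   # (True, 'ok')
    print(authorize("jsmith", "s3cret-on-a-postit", "203.0.113.9", OFFICE_MORNING)) # (False, 'source-ip-not-permitted')
```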
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.