British ISP Fires Back at Spammers
Plus: A botnet study; bad password education?
British Telecom has implemented a system whereby they can identify those
customers who are sending spam, especially those that trigger zombies
in a botnet. After identifying the offending customer, they quarantine
or terminate the account, depending on the activity. If quarantined, BT
assists the customer in remediating their PC and returning it to the control
of the owner.
Well, this is something that has been a long time coming. Finally an
ISP is going to start protecting its customers from other customers, for
a start. When a client within an ISP is infected with botnet malware,
typically their first victims come from the same ISP. BT's new feature
will identify these zombies, block them from communicating with other
customers and the Internet-at-large and eventually get them cleaned.
Of course, there is concern that there will be false positives, but StreamShield
Networks is sure its Content Forensics product will keep those to a minimum,
if not avoid them entirely.
We certainly hope that this live implementation will yield glowing reports
of decreased spam and malware originating from BT networks, and that they,
BT, announce an incredible improvement in response time for their customers
as their networks become less congested with garbage traffic. This will
be needed to inspire other ISPs to adopt similar strategies.
In 2001, I spelled out what I termed the "Internet Penalties Plan"
which basically described an identical process.
A Multifaceted Approach to Understanding the Botnet
Members of the John Hopkins University Computer Science Department have
conducted an excellent study analyzing bots and botnets (download the
It's an extremely comprehensive study of botnets over a three-month period
from early 2006. They constructed a sophisticated environment within which
they were able to become infected, determine what the infected code doeso,
monitor the actions of the code, as well as the Command and Control (C&C)
channel used by the bot-master, and, finally, details the actual tasks
performed by the bot-infected systems.
Without getting into human motivations, this study is extremely informative
to anyone attempting to prevent or detect bot activity. It shows the difficulty
in monitoring, detecting the sources and identifying the bot-masters.
It also provides some insight into the size and scope of botnets, indicating
they are likely smaller than many of the media claims have been. They
provide and understanding of why that is, namely, the fact that IRC servers
have functional limitations on the number of computers they can simultaneously
control. They explain their observations of how a few bot-masters attempt
to overcome that limitation.
It's well worth a read. Hopefully this study will lead to more research
in this area. This study, coupled with the BT announcement mentioned above,
may well show signs that we may be making progress against the bot-herders.
Study: Workers Often Jot Down Passwords
More sophisticated passwords and better user education have done nothing
to improve IT security, says a study involving 325 U.S. employees. The
study recommends biometric controls instead of passwords.
The senior analyst for the study said; "This is really a lot like
mom and dad buying a great new security system for the house and junior
leaving the combination under the door mat."
Well, this simply isn't true. It is true if the password is pasted to
the front of the monitor, and, the attacker is present at the monitor.
It isn't true if the password is on the monitor and the attacker is entering
via the Internet.
In other words, knowing the password isn't all that's required to gain
access to password-secured systems. You have to have either physical or
network access, and many other layers of security can enforce further
restrictions such as MAC or IP address permission, time restrictions,
and so on.
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.