RE: A question for the list...

["Dave Sharp" <pcrepairs () rogers com>]

Hi, I'm new to this, so please excuse the posturing and or ignorance. :-)


> > > > > The discussion,
............................................................................
....................
Here is a link for a report on News.com and it contains some opinions by
legal folk. http://news.com.com/2100-1002_3-1003894.html?tag=lh<<<<<<


A bunch of ideas for discussion pop-up to me... some of these may not be
totally on-topic for this forum, if you can tie something back into incident
response, I'll likely allow it through.

> > > > > > > > > > What are the implications down the road?

Notwithstanding any legal implications I can see nothing but good arising
from a responsible associate taking action
against an active malevolent program. In proactively responding to a threat
to their own networks, they are doing the
whole community justice. Whether the malware propagates due to ignorance,
laziness or budget, I think the end justifies the means. 

I know what it is like to be on the other end of stick. When Nimda was
released, my ISP (sympatico) was heavily infected. At the time, the only
thing I knew was the internet had slowed to a crawl and my firewall was
racking log entries non stop. My newly installed NOD32 antivirus kept the
worm at bay while my Norton machines were infected and I had no idea what
was wrong. In the end, I had to take my computers and one server off the WAN
due to the constant attacks from my ISP.
After a little research, I did a port scan of my subnet to find that over
100 machines were actively infected on my DSL subnet and wrote to Sympatico.
Never did receive a reply. Wonder why?
 

> > > > > > > > > -Are there concerns that organizations have with this trend? Legal?
Precedure?

Given some of the legal tripe that has come down from the courts concerning
networks and the internet in the last year,
I think a precedence could be established in court if one responded to a
crisis situation on a neighboring network and shutdown malware. No sense
elaborating since it would be nothing more than legal speculation. Given the
legal state
of affairs in the US, and their penchant for siding with criminals who is to
say. (no different here in Canada either)

Just to reinforce my first statement.
http://www.freedom-to-tinker.com/archives/000336.html

To put the shoe on the other foot, why shouldn't the infectious networks be
held responsible for
propagating the malware code if preventive measures such as patching the
server exist in the first
place? Is it not their responsibility to ensure that their servers DO NOT
contribute to further infection
if the means exist and are widely known? Could this set a precedent to sue
an enterprise network for
virulent proliferation to extract the costs of infection cleanup?


> > > > > > > > > > > > -Is this any different than a similar activity that installs
malicious code on the target host?

I would say yes. There is currently no mechanism for a network that has been
infected from malware to recover costs
associated from an infection. One could block or otherwise prevent the
spread to their networks through passive means
but what about the loss of bandwidth while the malware constantly hammers
their networks? A properly planned and executed
tactical response against a rogue network responsible for spreading
infection would benefit the internet as a whole. 
I cannot see this as being erroneous. If a rogue network is responsible for
spreading infection and can be taken offline or rendered safe, where is the
downside? If it is a matter of moralistic semantics, I believe it to be a
moot point. 

One could argue the merits of an individual taking action against such a
network, but what if it were an organization?
Seems to me that there is a need to actively pursue some sort of organized
response against widespread infections in
networked communications. It would have to be more effective and responsive
than a UN type organization. Someone would
have to be responsible and make quick final decisions. It is a problem that
knows no borders or political boundaries and
therefore should not be a consideration. If they infect, they come down,
that simple. Right? If they don't they should
be held responsible for cross network infections as a result of inaction.
Host networks that are offshore could be
blocked altogether. Nonetheless I actively block complete known malicious
networks and subnets from my server as a matter of practice.



> > > > > > > > > > > -The approach that Tim advocated was significantly less intrusive
than the approach taken with the Fizzer virus, Tim's approach made no
significant changes on the targeted host, simply blocked the ability of
Nimda to replicate (if I remember correctly), and notify the owner that they
have been compromised and where to go to find help in removing the
infection. The approach taken to actually modify the system to remove Fizzer
seems to go significantly past that. Why was the reaction to Tim's advocacy
of discussion so hostile, and to date, I have seen no negative criticism of
the Fizzer removal.

I can see no relevant argument against such a response. Again, where is the
downside to this? Most times, when a network
is responsibly managed, these infections do not take place. I stress MOST
times. If a network admin were hostile to taking
preventative measures, one would have to ask why and deserve and answer. In
the mean time, down he comes despite the
arguments.


> > > > > > > > > > > > > > > > -Is this a catalyst for a group (IETF?) of some kind to
debate these issues to find a resolution? I think that most people would
agree that the increasing risk that these distributed networks pose to every
Internet connected host is grave, and a better method is required to deal
with them. Are there other ideas that don't get us into "arms races" with
malcode writers.

Being new to this (less than a year) and a user of 5 years, I think this is
an idea's who's time has come. A group? Yes.
A responsible group, with authority to take appropriate and swift action. In
fact in the US, could this not be actively
reconciled as part of Homeland Security? Networks compromised by malware
would indeed be ripe for further intrusions and
exploits while being brought to their digital knees. An infected network
could be effectively "quarantined" while the 
group takes action to provide effective cleanup and provide network
forensics. Cause and effect have to be established and
preventative measures brought up to speed.


> > > > > > > > > -If this becomes standard practice, will this force the
communication and update channels underground/encrypted (the "arms race"
that I mentioned)

I wouldn't like to think so, but as long as there are malware purveyors
there will always be a war. Taking into account
what is at stake, I believe tactical responses are appropriate and
necessary. Many networks, ISP's and enterprises have
too much to lose not to take a proactive stance in shutting down virulent
networks. The problem is than a large majority
of casual users do not recognize the threat, and a similarly large amount of
network admins do not do their jobs, or 
respond inappropriately or ineffectively to an network infection. 

At this point, I would have to ask why it took so long for ISP's to respond
appropriately to Nimda and Slammer? Why were
servers not patched and protected? Why after infection did they remain
actively networked for so long? Why are infected
networks not FORCED offline or blocked? Who the hell is in
charge??????????????? If no one, then the question that begs to be answered
is why this is even an issue? If a contentious educated individual who's
network is under attack responds to
that attack in a friendly tactical manner, where is the problem? Who is to
stop him, and why would they want to? If my
server was actively infecting a network and someone stepped up to the plate,
stopped it and informed me of what they did,
I would feel "schooled", and would be thankful for the education. From what
I see from these newsletters, there are many,
many, individuals on this list who meet those criteria. 


> > > > > > > > > > > > -What are some of the strategies that organizations are
implementing to control their exposure to these communication channels?

Good question. :-)Lots of talk, lots of available software and hardware not
to mention educational facilities! The Slammer worm is still the proof in
the pudding. One would think that the Nimda worm taught a world wide lesson,
but apparently not. How many of the SQL servers online belonged to
enterprises with large budgets and IT staff. Why did they not take the
appropriate measures to prevent the spread of the slammer worm when so many
avenues of prevention clearly exist is my question? To not patch a server in
my opinion is inexcusable. If you haven't got the budget or the time, then
you shouldn't be networked to others that do. 



> > > > > > > > > > -If a command can be given in a channel to "shut down" the network
of hosts, what is the view on the legality of doing this? If you had a host
on your network that was suddenly shut down by a well meaning (or not so
well meaning third party), what would your response be?

Like I said above, I'd feel "schooled". Especially if I received an email
outlining what they did, how they
did it, and why. If I am actively infecting a network or subnet, I should be
thankful. Are we not all members of the same loose community? If a
particular network admin fails in his duties, why should his lack of action
or education serve
as a (loosely)" Typhoid Mary"  for the rest of the net? Shutting down
infectious networks is a responsible reaction.

To use a medical analogy with which the computer community loves to flirt
with,  (Dell Support Interns?)

If the virus was a medical problem, and the code writer a doctor, he would
be deemed a HERO, and not in the
loose terms that it is being used today. I say write and deploy your (SARS)
corrective code who ever you are!


Sincerely,

Dave Sharp

apprentice networking and admin 


----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------