ABCs for ISPs

Today, an important step was taken in the fight against badware on consumer devices in the U.S. An advisory group to the Federal Communications Commission known as CSRIC III voted unanimously to release the U.S. Anti-Bot Code of Conduct for Internet Service Providers. Known as the ABCs for ISPs, or simply "the Code," this voluntary set of guidelines encourages ISPs to engage in bot education, detection, notification, remediation, and collaboration. Several major ISPs—AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable, and Verizon—committed to adopting the Code and two other security-related sets of recommendations released by CSRIC. The documents will be available soon on the CSRIC III web page.

I served on the group that developed the Code, the elegantly named CSRIC III Working Group 7. (Last week, I explained why fighting botnets is critical to StopBadware's mission to make the Web safer.) The finished product is a testament to the collaborative spirit of the group's members and the fearless leadership of the group's chairman, Mike O'Reirdan.

There is, of course, room for criticism of the Code. I was, for example, disappointed that telling customers "go to this website to check if we've found bot traffic from your IP address" is considered a valid form of customer notification. The lack of any formal system to track which ISPs have agreed to adopt the Code (let alone verify that they're actually following it) is also frustrating. If it had been up to me, I also would have more closely mimicked Australia's model, which supplements the code of conduct with a national data clearinghouse of bot detection data.

Still, with all these complaints, we should consider the Code a step forward. With broad support (and substantial early adoption) from the ISP industry, it's clear that millions of U.S. consumers will soon have more information to help them prevent badware, to learn if their devices are infected, and to assist them in cleaning their devices up. And the Code's requirement that ISPs share information should help drive improved measurement and better anti-bot strategies.

Several groups, including MAAWG, the Industry Botnet Group, OTA, and even CSRIC III Working Group 7 continue to build upon the work done to date. There's still plenty to be done, but it's great to see so much movement in the right direction.

What's in a name?

Posted on September 28, 2011 - 15:31 by mweinstein

One of the most interesting aspects of yesterday's announcement of another botnet takedown engineered by Microsoft was the naming of the owners of the domain in their lawsuit.

...this case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains –making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Microsoft should be applauded for its effort, as well as for raising awareness of intermediary service providers' roles in perpetuating badware. I don't understand, though, their heavy handed focus on customer identification. True domain registrars, at least those accredited by ICANN, are already required to collect and publish valid contact information for domain registrants, yet this hasn't seemed to help a lot in preventing malicious registrations or tracking down the criminals. There are lots of reasons for that, such as privacy proxies that shield the identities of the registrants, weak enforcement by ICANN, use of stolen credentials, and the difficulty of verifying the validity of customer information.

I also wonder about dotFREE, the operator of the subdomain service. After the entire domain was pulled from Google Search results due to the high malware and low quality rates of subdomains, dotFREE claimed to be implementing a number of reasonable security precautions, from hiring more abuse staff to suspending accounts that appeared on popular badware blacklists. All talk, no action? Could be. Too little, too late? Maybe. But what if they were doing all these things and making a good faith effort to prevent continued abuse of their domain? Was the fact that they didn't verify and publish contact information for their customers enough to make them liable for the malicious use of their subdomains? Perhaps the fact that they were marketing their service like a registrar, but not behaving like an accredited registrar, is enough to do them in?

It will be up to the courts to decide on whether dotFREE is liable under U.S. law. I'd push back against Microsoft, though, and say the industry discussion shouldn't be about "public and accountable subdomain registration practices," but rather about identifying more broadly the philosophical and perhaps legal expectations for how such providers should contribute to the safety of the Internet.

Recommended reading

In the past couple months, we've come across some particularly informative and well-written reports and articles about badware. Here, for your reading pleasure, are a few of our favorites:

Botnets: Measurement, Detection, Disinfection and Defence by Daniel Plohmann, et. al. (ENISA)
This monster of a report by the European Network and Information Security Agency clearly describes the current state of the fight against botnets. It includes the techniques and challenges of detection, measurement, mitigation, and takedown.
Smartphones: Information security risks, opportunities and recommendations for users by Dr. Giles Hogben & Dr. Marnix Dekker (ENISA)
Another outstanding report by ENISA, this document outlines and prioritizes the risk factors inherent to mobile deviecs (e.g., smartphones) and key strategies for addressing them.
How a Remote Town in Romania Has Become Cybercrime Central by Yudhijit Bhattacharjee (Wired)
This article from Wired does a nice job profiling one town in which online crime has become a major industry.
Conficker Working Group: Lessons Learned [PDF] (The Rendon Group)
From 2008 to 2010, a group of security researchers organized themselves as the Conficker Working Group to fight the badware known as Conficker. After the group's work ended, the U.S. Dept. of Homeland Security commissioned a study by The Rendon Group to identify the lessons learned during this effort. It's a great read that evaluates an unusual and reasonably effective cooperative effort.