Monday, October 12, 2009

Botnets and Proactive System Defense

I finally took the time to sit down again and read an article with the provocative title "Botnets and Proactive System Defense" (2008, Springer Link) by John Bambenek and Agnes Klus. From the title I assumed it would be about using botnets as weapons for a proactive defense strategy, but I was mistaken.

Instead, they start off with a nice survey on how commerce has moved to the web and why the old security measures no longer protect the consumers. They touch upon the problems with making transactions with credit card and social security numbers (basically, single factor authentication), as well as several other computer security issues like the reactive patch cycle. Next they review the growth and development of malware, using the Shadowserver graphs to illustrate their point. All this is not new, but it does a good job of surveying the problem.

Getting to more interesting bits, they propose that an ideal botnet strives to maximise six key properties: "high capacity, low overhead, fast responding, flexible, anonymifying [anonymizing?] and quiet." They show how IRC meets these requirements and point out that other technologies, such as RSS, will replace the IRC bot as more and more network administrators grow suspicious of IRC traffic.

For proactive defense, they consider offering the consumer free security software and encrypting their sensitive traffic. Another proposal is to switch the default policy of antivirus software for running programs from "allow all" to a "deny all" or "deny most" principle. They assume that signing software would solve this problem, as
"There are a finite number of reputable software vendors and applications out there and far more disreputable software vendors and applications."
Not sure I agree with what this claim implies. You cannot have a complete list of "good guys" that will keep you safe from malware. If that were true, we could also say that there are a finite number of reputable ISPs, so we can just drop all packets that come from the jungle. Unfortunately, this is not true in either case. Reputable businesses have engaged in malicious activity (Sony rootkit, for example) and a lot of cyber attacks come from the networks of reputable ISPs (by default, a potential malware victim would sign a contract with a "reputable" ISP to get access to the net).

One more proposal for making the defense more proactive is to enable remote security validation on computers. While this may sound good in theory and there are even ways of doing this, I do not see it being passed into law or put into practice due to privacy concerns.

Finally, they point out that the great debate over the need for a national ID in the US may be moot, as the social security number already acts as one, and a poor one at that.

They conclude by reiterating that the main strategy against botnets is to make them economically nonviable for the criminals. While a nice overview and an easy read, I did not find much new in the paper. What I did find is an interesting example of how parts of the US sometimes seem to lag behind in adopting technology:
"Banks already are starting ... requiring one-time passwords with keyring tokens or other devices so that even if an attacker gets the one-time password, they cannot compromise the account."
In many parts of the world, one-time passwords and passcode generators have been the norm for on-line banking for years. In Estonia, for example, the lowest level authentication still in use by the general banking sector uses a set of 20-30 randomly repeating passcodes. This is not safe, sure, and that is why the clients using this method have a ~300 USD daily transaction limit (the system itself is being phased out). If you want more, you need either a passcode generator or the national ID card with valid certificates. In both cases, you need to know something (PIN) and have something in order to carry out your transaction.
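To make the contrast between the static passcode card and a generator plus PIN concrete, here is a Python example added for this write-up; it is not code from the post or from the Bambenek/Klus paper. It implements the HOTP/TOTP algorithms (RFC 4226 and RFC 6238) with only the standard library, a server-side verifier that requires both the PIN (something you know) and a code for the current time step (something you have) and refuses to accept a time step twice, and a small model of the static 20-30 code card showing how passively recorded exchanges erode it. The secret is the RFC test secret so the codes can be checked against the published vectors; the PIN, the card contents and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import random
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); used here only so
# that the generated codes can be compared with the vectors in those RFCs.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server side of a 'know something + have something' login (constructed example).

    A login needs the correct PIN and a code for the current step or one adjacent
    step (clock drift). A time step is consumed once it has been accepted, so a
    code captured in transit cannot be replayed.
    """

    def __init__(self, secret: bytes, pin_hash: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.pin_hash = pin_hash      # sha256 of the PIN; never store the PIN itself
        self.step = step
        self.window = window
        self.last_step_used = -1      # highest time step already accepted

    def verify(self, pin: str, code: str, now: int) -> bool:
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        step_now = now // self.step
        matched = None
        for delta in range(-self.window, self.window + 1):
            candidate = step_now + delta
            if candidate <= self.last_step_used:
                continue              # already consumed: treat as a replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                matched = candidate
                break
        if pin_ok and matched is not None:
            self.last_step_used = matched
            return True
        return False


class PasscodeCard:
    """The static card scheme from the post: a fixed list of codes, the server asks
    for the code at a random index, and every code is reused indefinitely."""

    def __init__(self, codes):
        self.codes = list(codes)

    def challenge(self, rng: random.Random) -> int:
        return rng.randrange(len(self.codes))

    def check(self, index: int, answer: str) -> bool:
        return hmac.compare_digest(self.codes[index], answer)


def eavesdropper_coverage(card: PasscodeCard, n_observed: int, seed: int = 0) -> float:
    """Fraction of the card someone learns by passively recording n_observed
    legitimate challenge/response pairs (seeded so the result is reproducible)."""
    rng = random.Random(seed)
    learned = set()
    for _ in range(n_observed):
        learned.add(card.challenge(rng))
    return len(learned) / len(card.codes)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(TEST_SECRET, 59))                # 287082 per RFC 6238
    v = OtpVerifier(TEST_SECRET, hashlib.sha256(b"1234").digest())
    print("first login:", v.verify("1234", totp(TEST_SECRET, 59), 59))
    print("replayed code:", v.verify("1234", totp(TEST_SECRET, 59), 59))
    card = PasscodeCard(f"{i:04d}" for i in range(30))             # constructed card
    print("card learned after 20 exchanges:", eavesdropper_coverage(card, 20))
```

The TOTP side only ever accepts a given time step once, which is what makes a captured generator code useless to a third party; the card model has no such property, since the same 30 answers are replayed forever and a listener's knowledge of the card only grows, which is the weakness the transaction limit compensates for.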
