RE: A question for the list...

From: Dave Sharp (pcrepairsat_private)
Date: Sun May 18 2003 - 11:56:23 PDT


    Hi, I'm new to this, so please excuse the posturing and/or ignorance. :-)
    
    
    > The discussion,
    > [...]
    > Here is a link for a report on News.com and it contains some opinions by
    > legal folk. http://news.com.com/2100-1002_3-1003894.html?tag=lh
    
    
    A bunch of ideas for discussion pop up to me... some of these may not be
    totally on-topic for this forum; if you can tie something back into incident
    response, I'll likely allow it through.
    
    > What are the implications down the road?
    
    Notwithstanding any legal implications, I can see nothing but good arising
    from a responsible associate taking action against an active malevolent
    program. In proactively responding to a threat to their own networks, they
    are doing the whole community justice. Whether the malware propagates due to
    ignorance, laziness or budget, I think the end justifies the means.
    
    I know what it is like to be on the other end of the stick. When Nimda was
    released, my ISP (Sympatico) was heavily infected. At the time, the only
    thing I knew was the internet had slowed to a crawl and my firewall was
    racking up log entries non-stop. My newly installed NOD32 antivirus kept the
    worm at bay while my Norton machines were infected and I had no idea what
    was wrong. In the end, I had to take my computers and one server off the WAN
    due to the constant attacks from my ISP. After a little research, I did a
    port scan of my subnet to find that over 100 machines were actively infected
    on my DSL subnet, and I wrote to Sympatico. Never did receive a reply. Wonder
    why?
     
    
    > Are there concerns that organizations have with this trend? Legal?
    > Procedure?
    
    Given some of the legal tripe that has come down from the courts concerning
    networks and the internet in the last year, I think a precedent could be
    established in court if one responded to a crisis situation on a neighboring
    network and shut down malware. No sense elaborating, since it would be
    nothing more than legal speculation. Given the legal state of affairs in the
    US, and their penchant for siding with criminals, who is to say? (No
    different here in Canada, either.)
    
    Just to reinforce my first statement:
    http://www.freedom-to-tinker.com/archives/000336.html
    
    To put the shoe on the other foot, why shouldn't the infectious networks be
    held responsible for propagating the malware code if preventive measures
    such as patching the server exist in the first place? Is it not their
    responsibility to ensure that their servers DO NOT contribute to further
    infection if the means exist and are widely known? Could this set a
    precedent to sue an enterprise network for virulent proliferation to
    extract the costs of infection cleanup?
    
    
    > Is this any different than a similar activity that installs malicious code
    > on the target host?
    
    I would say yes. There is currently no mechanism for a network that has been
    infected by malware to recover costs associated with an infection. One could
    block or otherwise prevent the spread to their networks through passive
    means, but what about the loss of bandwidth while the malware constantly
    hammers their networks? A properly planned and executed tactical response
    against a rogue network responsible for spreading infection would benefit
    the internet as a whole. I cannot see this as being erroneous. If a rogue
    network is responsible for spreading infection and can be taken offline or
    rendered safe, where is the downside? If it is a matter of moralistic
    semantics, I believe it to be a moot point.
    
    One could argue the merits of an individual taking action against such a
    network, but what if it were an organization? Seems to me that there is a
    need to actively pursue some sort of organized response against widespread
    infections in networked communications. It would have to be more effective
    and responsive than a UN-type organization. Someone would have to be
    responsible and make quick final decisions. It is a problem that knows no
    borders or political boundaries, and therefore they should not be a
    consideration. If they infect, they come down; that simple. Right? If they
    don't, they should be held responsible for cross-network infections as a
    result of inaction. Host networks that are offshore could be blocked
    altogether. Nonetheless, I actively block complete known malicious networks
    and subnets from my server as a matter of practice.
    
    
    
    > The approach that Tim advocated was significantly less intrusive than the
    > approach taken with the Fizzer virus. Tim's approach made no significant
    > changes on the targeted host, simply blocked the ability of Nimda to
    > replicate (if I remember correctly), and notified the owner that they had
    > been compromised and where to go to find help in removing the infection.
    > The approach taken to actually modify the system to remove Fizzer seems to
    > go significantly past that. Why was the reaction to Tim's advocacy of
    > discussion so hostile, while to date I have seen no negative criticism of
    > the Fizzer removal?
    
    I can see no relevant argument against such a response. Again, where is the
    downside to this? Most times, when a network is responsibly managed, these
    infections do not take place. I stress MOST times. If a network admin were
    hostile to taking preventative measures, one would have to ask why and
    deserve an answer. In the meantime, down he comes despite the arguments.
    
    
    > Is this a catalyst for a group (IETF?) of some kind to debate these issues
    > to find a resolution? I think that most people would agree that the
    > increasing risk that these distributed networks pose to every
    > Internet-connected host is grave, and a better method is required to deal
    > with them. Are there other ideas that don't get us into "arms races" with
    > malcode writers?
    
    Being new to this (less than a year) and a user of 5 years, I think this is
    an idea whose time has come. A group? Yes. A responsible group, with
    authority to take appropriate and swift action. In fact, in the US, could
    this not be actively reconciled as part of Homeland Security? Networks
    compromised by malware would indeed be ripe for further intrusions and
    exploits while being brought to their digital knees. An infected network
    could be effectively "quarantined" while the group takes action to provide
    effective cleanup and provide network forensics. Cause and effect have to be
    established and preventative measures brought up to speed.
    
    
    > If this becomes standard practice, will this force the communication and
    > update channels underground/encrypted (the "arms race" that I mentioned)?
    
    I wouldn't like to think so, but as long as there are malware purveyors
    there will always be a war. Taking into account what is at stake, I believe
    tactical responses are appropriate and necessary. Many networks, ISPs and
    enterprises have too much to lose not to take a proactive stance in shutting
    down virulent networks. The problem is that a large majority of casual users
    do not recognize the threat, and a similarly large number of network admins
    do not do their jobs, or respond inappropriately or ineffectively to a
    network infection.
    
    At this point, I would have to ask why it took so long for ISPs to respond
    appropriately to Nimda and Slammer. Why were servers not patched and
    protected? Why, after infection, did they remain actively networked for so
    long? Why are infected networks not FORCED offline or blocked? Who the hell
    is in charge? If no one, then the question that begs to be answered is why
    this is even an issue. If a conscientious, educated individual whose network
    is under attack responds to that attack in a friendly tactical manner, where
    is the problem? Who is to stop him, and why would they want to? If my server
    was actively infecting a network and someone stepped up to the plate,
    stopped it and informed me of what they did, I would feel "schooled", and
    would be thankful for the education. From what I see from these newsletters,
    there are many, many individuals on this list who meet those criteria.
    
    
    > What are some of the strategies that organizations are implementing to
    > control their exposure to these communication channels?
    
    Good question. :-) Lots of talk, lots of available software and hardware,
    not to mention educational facilities! The Slammer worm is still the proof
    in the pudding. One would think that the Nimda worm taught a world-wide
    lesson, but apparently not. How many of the SQL servers online belonged to
    enterprises with large budgets and IT staff? Why did they not take the
    appropriate measures to prevent the spread of the Slammer worm when so many
    avenues of prevention clearly exist? That is my question. To not patch a
    server, in my opinion, is inexcusable. If you haven't got the budget or the
    time, then you shouldn't be networked to others that do.
    
    
    
    > If a command can be given in a channel to "shut down" the network of
    > hosts, what is the view on the legality of doing this? If you had a host
    > on your network that was suddenly shut down by a well-meaning (or not so
    > well-meaning) third party, what would your response be?
    
    Like I said above, I'd feel "schooled". Especially if I received an email
    outlining what they did, how they did it, and why. If I am actively
    infecting a network or subnet, I should be thankful. Are we not all members
    of the same loose community? If a particular network admin fails in his
    duties, why should his lack of action or education serve as a (loosely)
    "Typhoid Mary" for the rest of the net? Shutting down infectious networks is
    a responsible reaction.
    
    To use a medical analogy with which the computer community loves to flirt
    (Dell Support Interns?):

    If the virus were a medical problem, and the code writer a doctor, he would
    be deemed a HERO, and not in the loose terms that it is being used today. I
    say write and deploy your (SARS) corrective code, whoever you are!
    
    
    Sincerely,
    
    Dave Sharp
    
    apprentice networking and admin 
    
    