Home > Offensive Computing > Everybody Wing Chun Tonight & “ISPs Providing Defense By Engaging In Offensive Computing” For $100, Alex.

Everybody Wing Chun Tonight & “ISPs Providing Defense By Engaging In Offensive Computing” For $100, Alex.

You say "defense" I say "offense."  I know the argument’s coming, but it’s just a matter of perspective.  What am I talking about?  ISPs ultimately going on the "offense" to provide a defense to protect their transport networks customers from the ravages of bots, worms and viri.

Let’s look at the latest spin on how services which are represented as protecting customers are really meant to transfer accountability and can potentially punish subscribers by addressing the symptoms instead of fixing the problem. 

Saving money operationally across a huge network makes for a better P&L.  It goes back to my posting on some of the economics of Clean Pipes here.

I’m guessing I won’t be getting a Qwest service discount any time soon after this…

Qwest’s announcement regarding their "Customer Internet Protection Program" in which they will "help a customer remediate an infected machine connected to it’s network" can be perceived in one of two ways.  I’m a cynic, but to be fair let me first present Qwest’s view:

The Qwest(R) Customer Internet
Protection Program (CIPP) notifies Qwest Broadband customers about
viruses and malware that may be on their computers, informs them of
safe Internet security practices and helps them clean viruses and
malware from their computers. The CIPP is part of Qwest’s ongoing
commitment to make the Internet safer for customers and is available to
residential and small-business Qwest Broadband ADSL* customers at no
additional charge.

That’s a nice concept and is meant to give us the warm and fuzzies that Qwest "cares."  I would agree that on the surface, this sounds terrific and Qwest is doing the "right thing."  Now we just need to explore what the "right reason" might be for this generous outreach.

Given the example above, the client machines are only actually "protected" and "more secure" once they have been discovered to be infected.  Now, this means that either they became infected whilst connected to Qwest’s "secure" network (thus bypassing all that heady protection levied by their network defenses) or during some out of band event.  More on that in a minute.

Here’s some additional color from Qwest:

The proliferation of cyber crime continues to require individuals,
businesses and even government agencies to take action against
ever-changing methods of attack. Because viruses and malware can cause
problems not only for individual Qwest Broadband customers, but also
for the online community, Qwest proactively monitors its network to
detect viruses or malware. When one of these is discovered, the Qwest
Customer Internet Protection Program notifies the specific customer of
the infection; gives the customer information on how to remove the
infection; educates the customer on good Internet security practices;
and provides the customer with additional resources, including
downloadable or online anti-virus software.

The Qwest CIPP only acts on malicious network traffic on the public
Internet; the program does not scan or otherwise monitor content on
customers’ computers.

Again, that sounds nice, but let’s back up a second because there’s something missing here.  What happens when they can’t remediate an infection and a zombie continues to spew crap across the network?  What happens if I’m running a BSD, Linux or Mac and not Windows?  What then?  Geek Squad in black helicopters?

Larry Seltzer gives us an idea in his write-up:

What Qwest is doing is something like NAC for ISP clients, however
there are a lot of differences, so I don’t want to take that analogy
too far. The system actively monitors clients for behaviors
characteristic of malware; spamming, for example. When it determines
that the system meets its profile, it takes action.

The monitoring is entirely at the network level. No software is
installed on any PC, nor are there any active probes of them. SMTP and
HTTP are blocked; other services like POP3 and VOIP are unaffected.
Attempts to send e-mail, legitimately or not, will fail. This is
something like the "walled garden" idea of NAC implementations where
the user is isolated from the rest of the network and expected to spend
their time cleaning up the system.

The next time the user attempts to connect to the Web they are
presented with a special page that warns of a possible "virus" on the
computer. (Their use of the word virus on this page is technically off,
but they’re trying to be colloquial and accessible, not strict-geek.)
The page says that malicious traffic has been monitored coming from
this computer or another on the same account; they can’t know which
computer behind your router is the dirty one.

The page gives you three options: remove the virus now, remove
it later, or assert that you have already removed it. In the first
case, they enter a removal process, the details of which I don’t have,
but it could be something like Trend Micro’s HouseCall.

In the second case you are allowed to connect even though your system
is infected, but you will be given the same warning again soon, and
after a few times you won’t have the "later" option anymore. In the
third case, I presume they let you back on the Internet and monitor you
once again.

In the second case, where they actually block out users who
refuse to clean up their systems, we’ve got big news. Will they really
shut off customers? Anecdotal evidence will come out of course, but we
won’t know how many times they really had to do this unless Qwest
volunteers the numbers.

Wowie!  That last paragraph presents a doosie of a case.  You mean you’re going to prevent me from accessing the network I am paying to use when I’m not knowingly engaging in malicious activity (I’m stupid and got infected, remember?)  I don’t really care about the mechanism for doing so, but this is offensive in multiple meanings of the word.

Oh, but wait.  The security remediation "service" Qwest is generously donating to their subscribers is free (as in beer) and there’s no guarantees, right?  Actually, there are.  They guarantee, based upon their terms of service, to remove you from service whenever and however they see fit.

If you look at the vagaries of Qwest’s Broadband Subscriber Agreement, you might have a hard time recognizing the rainbows and unicorns from the realities of what they "could" do should your machine, say, start transmitting SPAM on their network because you’re infected. 

It doesn’t matter why you’re doing it, because if you are, you’ve already agreed to them charging you $5 per spam message in the TOS!  It’s in there.  Don’t believe me?  Read it yourself in the AUP section.

What this really means to me is because ISPs can’t stop the infection across their network, can’t stop the true source of the infection in the first place, and are having to bear the brunt of the transport and security costs to alleviate financial strain due to operational impacts on their networks, they’re going to penalize the users.  Why?  because they can.

"But Hoff," you say, "you’re overreacting to a gracious and no-cost way to make Internet denizens more secure!  You’ve got this all wrong!"

I’m sure that for every 1 user they can’t remediate they’ll be 5 more that think this is terrific.  Until they get nuked off the network a-la option #2 in Larry’s write-up above, that is.  Qwest maintains all is well in Mayberry:

Qwest Broadband customers have responded positively to the CIPP. In
fact, since the program began, more than three-quarters of infected
customers who were surveyed said they appreciated the CIPP and Qwest’s
efforts to help them get rid of viruses and malware on their computers.

I wonder what happened to the other 25%.  This is why Enterprise NAC deployments often have the potential to suck donkey balls (that is a technical term relating to the spherical multidimensional paradoxes faced by the burros who bear the brunt of operationalizing security technology.)  All’s well and good until someone important, like the CEO, can’t get on the network.  Flexible quarantine that like that above, you say?  Sort of defeats the purpose, doesn’t it?

Here is where the fluff falls away and we have to come to grips to how ISP’s are "combating" the waves of attacks which are overwhelming their "defenses."   This is when we have to start talking about what it means to truly defend networks. 

I reckon it means that we’re going to see the very subtle uptake of "offensive" measures to provide "defensive" capabilities in  many different forms.  I don’t know many wars that were "won" on defense alone.  I’m not a military historian, so can someone help me out here?

I’m sure Bejtlich can give you some cool martial arts fu analogy, so I’ll beat him to the punch (ha!) and offer up the fact that you need what Wing Chun Fu offers as a tenet of the art:

Wing Chun Kung Fu assumes that an opponent will be
bigger and stronger than you. Therefore, WC emphasizes fast and strong
structure over physical strength and speed and simultaneous attack and defense.

Wing Chun focuses on combining a defensive movement with an offensive
movement, or using offensive techniques that provide defense.  In
this way, WC is structurally faster that those styles that teach one to
defend first, then attack.

So it’s clear to me that we need offense paired with defense, described transparently and with expectations set as to what pushing the "launch" button might mean.  Again, what was the customer satisfaction of the remaining 25% who had this feature applied to them when Qwest prevented them accessing the Internet?

People don’t like talking about this within the context of networks because the notion of "ethics" and "collateral damage" bubble up.   Look, it’s happening anyway.  We’re pretty much screwed at the moment.  And you, dear broadband Internet user, are paying for the privilege of being bent over.

You go ahead and define DoS anyway you see fit, but when an ISP turns on the customer because they can’t combat the true attacker, I smell a rat because for what appears to be economic reasons, they can’t really be honest about what they’re doing and what they’d really like to do in order to defend "their" network.

Get ready for more offense(s.)

That’s my $0.02 ($5 if I sent this from Qwest’s network) and I’m stickin’ to it.


Categories: Offensive Computing Tags:
  1. October 12th, 2007 at 07:47 | #1

    It's all fun and games until the series of tubes gets stuffed up, then it's an "Oh shit!" =)
    Seriously, though, follow the money trail and you'll figure it out: Qwest sees worms as bandwidth hogs and wants to reduce/eradicate them–in order to save some Mo-nay.
    Now take it one step further: how are they going to know when you're being an insecure dirtbag? They're most likely just checking your bandwidth usage and when it spikes, they investigate just long enough to say "yep, you're all fuxx0red" and give you a call. That's hardly revolutionary, except where it gets to the point of cutting you off.
    Now the fun part of this is the catch-22 of the whole deal. If you're smart, you don't care what Qwest does because you're not becoming a wormhost, and so it's not really a value to you. If you are dumb then Qwest's service is um… fairly OK, but if you get shut off, you don't really have the mad skills to fix yourself and get reconnected. I won't even talk about the "how do you update your AV and anti-spyware (or even blow away your OS and install Debian) if you don't have an Internet connection" problem.
    I have a crazy idea? How about if they see you're hacked all 5 ways to Sunday, they throttle down your connection instead of killing it entirely? That way, Qwest gets what they wanted, and your Interwebblagospherethingie still works. A little.
    Then the calm, relaxed side of me realizes that deep down inside, it only takes a couple thousand "mysterious outages" for an ISP to mend its ways. =)
    OK, I gotta quit drinking as much coffee. =)

  2. October 12th, 2007 at 07:57 | #2

    This is to quench attacks from infected unsophisticated users to prevent abuse of network transport.
    Plain and simple. It's not about "saving the Internet" it's about saving Qwest money, but it's marketed as a public service announcement.
    Good marketing.

  3. October 12th, 2007 at 10:15 | #3

    Comcast has been "proactively monitoring" and reacting for quite a while. I received a nice message from them a few months ago telling me that we would have to change our email settings to send through Comcast SMTP servers because "your computer has a virus". We were switched to non-standard ports and servers which require authentication (why Comcast didn't originally require authentication on SMTP servers is another matter).
    I found "your computer is infected" mildly amusing- apparently Comcast has the skill to only display the email on the offending device (or it hasn't occurred to them that there may be more than one machine behind the firewall).
    The actual cause of the alarm was my son being a good Internet Citizen and delousing a friend's infested machine- including connecting it to an isolated segment of our home network to pull down cleanup tools, service packs and patches. The compromised host wasn't on our network for more than a few hours, but it earned us a Scarlet Letter from Comcast.
    At no time was I under any illusion that Comcast gave a crap about me or my system's health.

  4. October 12th, 2007 at 12:23 | #4

    But still, it's only an RCH away from saying "you're a dirtbag customer, we don't want your business." That's way bad marketing.

  1. No trackbacks yet.