Talk:Lecture 12

Revision as of 18:07, 18 November 2005 by Fleizach (Insurance, Liability, and Federal Assistance)

Liability in Honeypots

Chris Fleizach - Here's my idea to prevent liability issues in honeypots. What you want is your infected computer to communicate with the master (and issue IRC commands, for example) so it appears to be an active bot, but you don't want it to participate in infection and DDoS attacks. So when data comes in, it's allowed to infect a computer. Any further data that it produces gets sent to a buddy computer and a gateway. The gateway holds up the data. The buddy computer runs network services in sandboxes that allow it to examine what happens to the system. If surreptitious files are created or modified, sockets opened or memory changed in unpredictable ways, then we assume the data coming from the infected bot is malicious, so we tell the gateway to discard that output. If nothing happens (i.e. an IRC command is sent), then the buddy computer notifies the gateway and allows it to proceed. The same idea applies for a DDoS, but it should be easier to identify since a dramatic increase in bandwidth can be noticed quickly. One issue that this doesn't address immediately is what if an infected bot then sends out exploits that affect other OSes (i.e. Win 2000 or WinXP SP2 and the buddy is running SP1). So the buddy computer won't get infected and will allow it to proceed, possibly causing problems. The immediate solution is to multiplex your buddy to run various versions of OSes, which shouldn't be that difficult with virtual machine software (VMware, Xen), but could raise complications if you need to model various patch states.
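The hold-and-verify gateway sketched in the comment above, written out as an added example (this is not code from the original page or from the commenter). The buddy sandboxes are represented only by the observation reports they hand back; the profile names, the byte budget and the sample messages are constructed for illustration. Two conservative choices go beyond the sketch: output is also discarded when a required OS/patch profile reported nothing (the "buddy runs SP1, victim is SP2" gap), and the DDoS case is handled as a release budget per time window rather than an after-the-fact alarm.

```python
"""Hold-and-verify gateway for a honeypot bot (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Observation:
    """What one buddy sandbox saw after replaying a held message (constructed)."""
    profile: str               # OS/patch level of the buddy, e.g. "winxp_sp2" (hypothetical names)
    files_changed: int = 0     # files created or modified outside the expected paths
    sockets_opened: int = 0    # new listening or outbound sockets
    memory_anomalies: int = 0  # e.g. unexpected writable+executable regions

    def malicious(self) -> bool:
        return (self.files_changed + self.sockets_opened + self.memory_anomalies) > 0


class Gateway:
    """Holds every byte the infected host emits until the buddies vouch for it."""

    def __init__(self, required_profiles: Iterable[str],
                 byte_limit: int, window_seconds: float = 1.0):
        self.required = frozenset(required_profiles)  # every profile must report
        self.byte_limit = byte_limit                   # release budget per window (DDoS brake)
        self.window = window_seconds
        self.held: Dict[int, Tuple[float, bytes]] = {}
        self.released: List[Tuple[float, int]] = []    # (time, size) of released data
        self.log: List[Tuple[int, str, str]] = []      # (msg_id, verdict, reason)

    def hold(self, msg_id: int, payload: bytes, now: float) -> None:
        """Park outbound data from the infected host; nothing leaves until decide()."""
        self.held[msg_id] = (now, payload)

    def _bytes_in_window(self, now: float) -> int:
        cutoff = now - self.window
        self.released = [(t, n) for t, n in self.released if t > cutoff]
        return sum(n for _, n in self.released)

    def decide(self, msg_id: int, observations: List[Observation], now: float) -> str:
        """Return "release" or "discard" for a held message, given the buddies' reports."""
        _, payload = self.held.pop(msg_id)
        seen = {o.profile: o for o in observations}
        # No report from a required profile means the payload is unverified, so it stays blocked.
        missing = self.required - set(seen)
        if missing:
            return self._finish(msg_id, "discard", "unverified on " + ",".join(sorted(missing)))
        # Any buddy showing side effects is enough to classify the payload as an attack.
        bad = [o.profile for o in observations if o.malicious()]
        if bad:
            return self._finish(msg_id, "discard", "infected " + ",".join(bad))
        # Clean-looking traffic can still be a flood: enforce the per-window budget.
        if self._bytes_in_window(now) + len(payload) > self.byte_limit:
            return self._finish(msg_id, "discard", "bandwidth limit")
        self.released.append((now, len(payload)))
        return self._finish(msg_id, "release", "clean on all profiles")

    def _finish(self, msg_id: int, verdict: str, reason: str) -> str:
        self.log.append((msg_id, verdict, reason))
        return verdict


PROFILES = ("win2000", "winxp_sp1", "winxp_sp2")  # hypothetical buddy pool


def run_demo() -> List[str]:
    """Replay four constructed situations through the gateway and return the verdicts."""
    gw = Gateway(PROFILES, byte_limit=4096)
    verdicts = []

    # 1. An IRC keep-alive to the controller: every buddy replays it and sees nothing.
    gw.hold(1, b"PRIVMSG #c0ntrol :ping\r\n", now=0.0)
    verdicts.append(gw.decide(1, [Observation(p) for p in PROFILES], now=0.1))

    # 2. An exploit that only triggers on XP SP2; the other two buddies stay clean.
    gw.hold(2, b"\x90" * 64 + b"<constructed exploit>", now=0.2)
    verdicts.append(gw.decide(2, [Observation("win2000"), Observation("winxp_sp1"),
                                  Observation("winxp_sp2", files_changed=2, sockets_opened=1)],
                              now=0.3))

    # 3. Same payload, but the SP1 buddy never reported: no verdict is possible, so block it.
    gw.hold(3, b"<constructed exploit>", now=0.4)
    verdicts.append(gw.decide(3, [Observation("win2000"), Observation("winxp_sp2")], now=0.5))

    # 4. A burst of clean-looking 1000-byte packets that blows the 4096-byte window budget.
    for i in range(10):
        t = 1.0 + i * 0.01
        gw.hold(100 + i, b"A" * 1000, now=t)
        verdicts.append(gw.decide(100 + i, [Observation(p) for p in PROFILES], now=t))
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

In the demo the keep-alive is released, the SP2-only exploit is discarded because one buddy reported side effects, the payload with a missing profile is discarded as unverified, and only the first four packets of the burst get out before the byte budget trips. Both "discard" defaults err towards silence, which is the point of the design: a bot that occasionally drops a controller command looks flaky, a bot that forwards one unverified exploit creates exactly the liability the honeypot was trying to avoid.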

Daryl Sterling Jr - What if a bot were created that "phoned home" and downloaded the latest version of Adaware and ran it on the "infected" computer, then deleted itself, then slowly distributed itself to other machines? And it ONLY did cleaning when the machine was idle and only spread itself when the network had low usage? Also, to get around legalities, before it installed itself, it ASKED the user to click "Yes" or "Ok"... because we all know how well that works for spyware, why wouldn't it work for good stuff?

Lecture 12 Comments & Questions

Mr. Varian, in the news recently, there has been some discussion of anti-piracy software that Sony included on some of its newer CDs and DVDs that automatically, and unbeknownst to the owner of the PC, uploaded itself when the CDs/DVDs were placed into the PC's drive. It turns out that the software is riddled with exploits that can and have been utilized by persons to add malware or turn PCs into Zombies -- the software is also extremely difficult, impossible for most common users, to remove once it has uploaded itself. Do you have any thoughts on the legal implications for Sony here? Have similar cases been brought, and if so, what have courts determined -- is there a common law standard developing? The series of cases that are being or will likely be brought as a result of the Sony debacle seem to provide a great place for the courts to come in and place liability -- be it least cost avoider or due care. Might you have any thoughts on the matter?

Mr. Varian, it seems to me that the call for a private representative organization or regulatory body to step in and set cyber security standards is a pretty good idea -- which agencies do you envision doing this, is there one or more with the statutory authority to do so or would Congress have to pass new legislation authorizing such authority?

Mr. Varian, it also seems, at this point, that cyber crime isn't affecting most consumers/citizens -- we hear about it, but with the exception of those in the field or those that are hit with something particularly damaging, I don't think it comes across to people as pressing; I think many people, so long as being a zombie doesn't disrupt their use of their computer, don't see the connection enough to care -- do you think that is really what is responsible for the lack of this issue being addressed by regulators or private industry? After all, it is going to impose some sort of extra cost on those participants, industry/regulators. Maybe the critical mass of public understanding just isn't there yet. A bit of education and PR then would seem to be in order, some directed at Joe Public.

Mr. Varian, do you think there is any place for introducing strict liability or a product liability type regime into the cyber security world? Should manufacturers of software have to prove they have used the best technology possible to avoid liability?

Mr. Varian, just out of curiosity, what imposes the greatest overall societal cost, apart from distribution, the American or UK model with respect to ATMs?

Mr. Varian, are there any statistics on how many individuals/companies are purchasing cyber attack insurance?

Professor Savage, if 99% of viruses are zoos just put out to prove a point, does that demonstrate that the criminal penalties should be greatly increased -- if that's the case and the problem is largely coming from an intellectual exercise, it seems like deterrence here would be fairly easy to impose effectively. Any thoughts?

From a real cynical point of view, it seems almost like you have two groups within an already very small segment of society who understand enough to either attempt to do good or bad within the cyber world -- like the two are just battling each other and that that battle actually provides money, jobs, etc. to the narrow segment -- ensures employment. Should that factor into how we go about fighting the problem or dealing with cyber issues?

Regarding liability concerns brought about by tracking worms, it seems to me that if it was clear that the setup was designed to further security and was diagnostic, regulators would be willing to issue some sort of waiver of liability -- is that where we are heading, or is that not even on the radar yet? I just have trouble believing that liability concerns are really that much of an issue here -- from an equity, legislative, regulation, public good standpoint it seems clear that liability concerns shouldn't stand in the way. Is somebody working on appropriate legislation or regulation here -- specific interest groups and/or politicians?

Professor Paxson, can you provide me with a list of countries/states that either do not allow the recording or monitoring of any personal info (I think those are going to be mostly Euro, right?) and those that don't care what is monitored/recorded at all (I am guessing China and ...)? Thanks.

Insurance, Liability, and Federal Assistance

abc - As part of last night's lectures, there was discussion of how insurance companies could potentially provide coverage for damage caused by CyberAttacks. One observation I have is that it seems the vast majority of cyberattacks are more widespread than a singleton attack on a single host. Worms that take out the Internet, clog internal networks, and disrupt a company's computing resources are big, messy events. So, essentially, unless coverage is scoped to discrete, singleton attacks, it would seem that every big worm that has a broad impact on the Internet could essentially make insurance companies go bankrupt. Slammer, Code Red, and others are all like mini-Hurricane Katrinas. Given this assertion, what burden should be placed on the federal government (in the US) to step in and help either individual companies (or insurance companies, if some sort of scheme could be worked out effectively) when these Big Ones hit? In many cases, the damage caused to these companies is caused by outside forces (perhaps similar to an "Act of God") and may not be preventable at all. Does the government have a responsibility to step in and help? Should the government also invest in providing infrastructure, response and capacity measures to help cope with these threats? Just some thoughts...

Chris Fleizach - I think you're going to find it would be difficult to classify a devastating worm as a "natural disaster," and not only because it's man-made, but because it's something that, with due diligence, you can prepare for and mitigate. There are anti-DDoS products and ways to filter even the largest of attacks if you're prepared to spend the time and money to do so. Similarly, corporate machines can all have firewalls, all have limited ability to send data back out, all be included in some sort of bandwidth shaping to avoid them becoming part of the problem. Network Access Control can force computers on your network to be secure to a degree. The only issue is that it takes skill and money to do these things.

Another interesting point to note relates to our speakers having said our computers exist in a hostile world and that we're just waiting for the next terrible thing to happen. But it hasn't really. In fact, there haven't been any devastating worms since SQL Slammer almost 3 years ago that have taken down the Internet. The reason, it seems, is that there's little monetary remuneration in just taking down the Internet. Instead, more money could be made taking down one high-value victim. Or instead of using an exploit to wreak havoc, you would use the exploit to install bots on as many computers as possible. The introduction of organized criminality into hacking has removed a lot of the prank-ish nature that previous "generations" were familiar with. This new age is more insidious in a way, but they have a vested interest in keeping the network up and running.