RE: [gnso-ff-pdp-may08] Definition V4.2: concern about "consumer-grade"

["Greg Aaron" <gaaron@xxxxxxxxxxxx>]

According to Microsoft, both unpatched and older versions of Windows are
much more vulnerable to malware:

http://download.microsoft.com/download/f/f/d/ffd1f8b8-afcc-4ed1-a635-2caa8b9
6ac2f/KeyFindings_MS_Security_Report_Jul-Dec07.pdf

 

Doesn't compare Windows to other operating systems, but I think it's
established that Mac and Linux are less of an issue.

 

All best,

--Greg

 

  _____  

From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Dave Piscitello
Sent: Friday, August 01, 2008 1:54 PM
To: Eric Brunner-Williams; Joe St Sauver
Cc: gnso-ff-pdp-May08@xxxxxxxxx
Subject: Re: [gnso-ff-pdp-may08] Definition V4.2: concern about
"consumer-grade"

 

Eric,

If you feel we have dismissed your assertion, then let's discuss it now.

I asserted that we should "use multiple markers and anomalous behaviors to
characterize malicious activity." 

I think operating system is a reasonable, additional marker. We can disagree
whether this is the root cause of one of many but that doesn't make this
marker any less valuable.

We have strong evidence that (unpatched or unlicensed) Windows versions have
a higher incidence of hosting malware than other OSs (we may even get this
from Microsoft, I recall they presented this information at some conference
I attended). We've discussed the possibility of having ISP's employ NAC or
an equivalent "agent free" admission control mechanism. We could add this to
a list of desirable/best practices. 

Several methods of determining operating system (OS fingerprinting nmap
style) exist even if NAC is not implemented. I can imagine a scenario where
an access provider non-intrusively determines the OS of a subscriber and
uses this as a factor in assessing that endpoint's behavior. We could study
this. 

I don't think singling Microsoft out is necessary or sufficient. I think
that we need something more than a boolean "MS or not" here so I'd want to
add a weighting factor that today lends more suspicion to various Windows
versions over others, that acknowledges that other operating systems can
host bots today and that the exploitation of OS by malware writers will
change over time.


On 8/1/08 12:49 PM, "Eric Brunner-Williams" <ebw@xxxxxxxxxxxxxxxxxxxx>
wrote:



is this for my benefit joe, or are you just spouting off?

if it is for my benefit, then you have to be addressing the assertion,
mine, that autonomous system is less determinitive of risk than whether
the network attached device is a microsoft operating system product, and
therefore a poor substitute, if the root cause is not to be ignored.

reputation has been discussed more than once on nanog, which i know even
if you don't.

hold the "regards", i prefer real ones over what's available.


Joe St Sauver wrote:
> Eric mentioned:
>
> #Further, using AS as determinative is vastly less accurate to the root
> #problem than using if-MS-then-NO as a gating mechanism, regardless of
> #how much corporate chrome there is on the AS and its commercial
> #operations. Since I don't think people want to go down the
> #if-MS-then-obvious-conclusion path, the AS-is-guilty false equivalent
> #should be dismissed.
>
> In general, ASNs do accumulate reputation, just as domains accumulate
> reputation, and just as netblocks accumulate reputation. One particularly
> notorious example of this from recent years would probably be the "RBN"
> case, although there are others.
>
> The real value of ASN-based reputation accumulation, however, is that:
>
> -- there are relatively few ASNs (at least until 4 byte ASNs get
>    widely deployed)
>
> -- it is possible to mechanically and scalably map IP's to ASNs
>
> -- if you route a network block, you also have the option of not routing
>    all or part of that block (e.g., there is a connection between an
>    ASN associated with an activity, and the ability to control that
>    activity)
>
> Most ASNs live somewhere on the vast continuum rightward of clean-as-
> the-driven-snow and leftward of dirty-as-a-deep-rock-coal-miner-at-
> end-of-shift, although there are some AS's that truly do anchor the
> extremities of that scale. (Arguably, a trivial example of a
> "100% guilty ASN" is one that has been hijacked, for example.)
>
> Regards,
>
> Joe
>
>
>
>