EUIST


4 user empowerment and botnets – Japan’s Cyber Clean Center – a pragmatic approach

November 6th, 2007

Related stories:

2 govcert.nl 2007 conference – user empowerment and information security

1 govcert.nl 2007 conference – user empowerment and information security

The postings above discussed some of the interesting material presented at the govCERT.nl 2007 conference regarding end-user empowerment.

Junko Hayakashi of JP-CERT addressed this issue a bit differently in her presentation at the govCERT.nl 2007 conference. Ms Hayakashi outlined how Japan’s botnet removal service assists users whose PCs have become part of a botnet.

To detect a network of bots, the Cyber Clean Center uses honeypots (see also NOAH). With these it collects the IP addresses of infected computers.

With the help of the Internet Service Provider (ISP), which knows which user is assigned which IP address, the owner of the infected computer can then be identified.

The owner is then sent an e-mail saying that his or her PC has been infected by malware and is part of a botnet. Most importantly, the e-mail contains a URL that lets the owner connect quickly and easily to the “BOT disinfestation website.”

The BOT disinfestation website contains information about how the person can remove the malware from the PC. The service gives the user a choice, namely to either

1) download software, install it and have the PC cleaned of any malware, including worms,

2) permit the BOT disinfestation website to access the PC’s hard drive and scan for and remove any malware found while the user stays online,

3) or use another way to remove the worm (malware) from the PC’s hard drive.

LIMITATIONS

A) If users do nothing, there is no legal recourse that allows the ISP to simply shut the user off from the system. But Japan may bring in regulatory changes resolving this problem sometime in the not-so-distant future.

B) As well, how the Cyber Clean Center can cope with what are called fast-flux networks is not yet clear. In those cases honeypots can work, but new approaches are needed (see also “Research that matters – more insights into NOAH the European Network of Affined Honeypots research project”), and the system as it is set up is probably too slow. This means that IP addresses that are being faked and altered too quickly make the counter-strategy used by the Cyber Clean Center less effective, at least as we were made to understand its inner workings during this presentation.

C) How this might work in Europe is not clear because IP addresses are considered to be personal data. Hence, in Europe it would be possible for ISPs to contact the user, but surely only under strict privacy rules. Otherwise, national privacy regulation would have to be adjusted to allow such a procedure to work smoothly. How Europe’s national privacy officers see this issue regarding IP addresses and privacy in general does not suggest it can be done easily without some regulatory work:

EU regulation – IP addresses are considered personal data

TIDBIT

Unique to Japan is that doing e-mail with the help of one’s computer is far less popular than doing it via one’s mobile phone.

If the person does not respond to the e-mail informing the owner that his or her PC is part of a botnet, a reminder is sent via e-mail. If this does not help, the user is sent a letter via snail mail (normal post).

At this stage, ISPs participate voluntarily in this scheme run by the Japan CERT.
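The flow described above (honeypot sighting, ISP lookup, e-mail, reminder, postal letter) is sketched below as an added example; it is not code from the Cyber Clean Center or JP-CERT. The lease-log layout, the subscriber IDs, the sample records and the 7-day wait between notices are assumptions, and the lookup matches on the time of the sighting because an ISP may assign the same address to different users over time.

```python
from datetime import datetime, timedelta

# Constructed sample data (documentation-range IPs, hypothetical subscriber IDs).
SIGHTINGS = [  # honeypot side: (source IP, time seen)
    ("203.0.113.7", datetime(2007, 10, 1, 9, 30)),
    ("203.0.113.7", datetime(2007, 10, 1, 22, 15)),
    ("198.51.100.4", datetime(2007, 10, 2, 3, 0)),
]
LEASES = [  # ISP side: (IP, lease start, lease end, subscriber)
    ("203.0.113.7", datetime(2007, 10, 1, 0, 0), datetime(2007, 10, 1, 12, 0), "sub-A"),
    ("203.0.113.7", datetime(2007, 10, 1, 12, 0), datetime(2007, 10, 2, 0, 0), "sub-B"),
]
LADDER = ["email", "reminder email", "postal letter"]  # escalation order from the post
WAIT = timedelta(days=7)  # assumed interval between steps; the post gives none


def subscriber_for(ip, seen_at, leases=LEASES):
    """Return the subscriber holding `ip` at `seen_at`, or None if no lease matches."""
    for lease_ip, start, end, sub in leases:
        if lease_ip == ip and start <= seen_at < end:
            return sub
    return None


def attribute(sightings=SIGHTINGS, leases=LEASES):
    """Map each subscriber to the first time a honeypot saw their address."""
    first_seen, unresolved = {}, []
    for ip, seen_at in sightings:
        sub = subscriber_for(ip, seen_at, leases)
        if sub is None:
            unresolved.append((ip, seen_at))  # other ISP or no log: never guess
        elif sub not in first_seen or seen_at < first_seen[sub]:
            first_seen[sub] = seen_at
    return first_seen, unresolved


def next_notice(first_notified, now, responded):
    """Notice due at `now`; None once the user responded or the ladder is used up."""
    if responded:
        return None
    step = (now - first_notified) // WAIT
    return LADDER[step] if 0 <= step < len(LADDER) else None
```

With the sample data, the two sightings of 203.0.113.7 resolve to two different subscribers, and the address with no matching lease is left unresolved instead of being attributed to anyone.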

CONCLUSION

The Cyber Clean Center service offers users some way of getting assistance in case their PCs have become part of a botnet.

While the approach has its limitations, as outlined above, and possibly others we have not mentioned, it is nonetheless one way to help home users and SMEs get a better handle on this challenge.

GET MORE DETAILS – download the presentation slides here:

2007-10-18-presentations_end_users-hayakashi.pdf

Get an overview chart of how it works here:

Cyber Clean Center helping users in Japan whose computers have become part of a botnet from JP-CERT
