ISPs found innocent of aiding zombie attacks in 'trial'

IDG News Service - WASHINGTON -- Internet service providers were put on "trial" this week with hundreds of IT security professionals serving as jurors, for not doing enough to keep subscribers' computers from being compromised and used as tools in attacks on corporate networks.
The plaintiffs, a couple of fictional companies hit by denial-of-service attacks, argued that ISPs could do more to prevent "zombie" machines used in attacks by scanning subscribers' computers, monitoring traffic and shutting down suspicious network uses.
"ISPs are in the best position to take reasonable steps to diminish the threat," argued real-life cybersecurity lawyer Ben Wright, during a mock trial at the Gartner Inc. IT Security Summit in Washington. "It's very difficult to go out and find the hackers who are responsible for these attacks."
But defense lawyer Stewart Baker, a partner in the Washington office of Steptoe and Johnson LLP, argued that it would be a violation of privacy for ISPs to check subscribers' computers. It would be nearly impossible for ISPs to distinguish between legitimate Internet traffic, such as a subscriber's browser updating a weather map every few seconds, and a computer being used in a denial-of-service attack, added Baker, representing a group of fictional ISPs.
In a distributed DoS attack, hackers often first take over a group of thousands of computers by sending out a computer worm. The bad guys then use the group of so-called zombie machines, often tied together through an IRC (Internet Relay Chat) server called a botnet, to mass attack and crash a Web server. Some hackers use these DoS attacks to extort money from companies by demanding cash to make the attack stop, according to some IT security experts.
Wright compared the ISPs' relative lack of enforcement to the owner of a dangerous piece of property who doesn't buy a fence to keep others out. But Baker suggested it is a computer owner's responsibility to protect against malicious viruses and worms, not the ISP's.
Baker asked the audience how many would be willing to stay at a hotel that offered Internet access in exchange for being allowed to scan their computers for possible security vulnerabilities or illegal files such as music downloads. No one in the audience raised a hand.

"Suing us is like suing the telephone company for a bomb threat because they allowed it to be called in," said Rich Mogull, a cybersecurity analyst for Gartner Research and the expert witness for Baker and the ISPs. "There has to be an attacker someplace, and it doesn't seem like they're suing

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.