Three more to go, yay!!! Matt 2008.02.19

Paul Ferguson, Trend Micro: Law enforcement engagement and response handling, NANOG engagement.

Not geared only towards ISPs who are bit-shippers; some issues will overlap into their areas of responsibility. This is a subset of slides for an anti-phishing talk to be given in Tokyo. Mostly the issue is in the EU and Asia, where contact information for the responsible party is incorrect or outdated.

Problem: web threats have moved from highly visible media events to financially motivated threats. Attacks on infrastructure are waning; mainly just kids being pissed off, or someone with a grudge. The true financial attacks don't want to lose connectivity, so infrastructure DoS attacks are contraindicated. Not just Windows; now hitting Linux and Mac as well, aiming to compromise Linux servers. You end up with thousands of compromised websites infecting more and more machines, used for click fraud and other financial engagements.

Notifying the victims and notifying the users are two different challenges. Contacting the owners of the IP space on both ends is tough. Large rise in misconfigured, rogue DNS resolvers; many sitting on compromised boxes, on home connections, etc.; these boxes will resolve anything, possibly incorrectly; estimated 300,000 compromised DNS servers.

Threat vectors have now moved to the web; Google is finding 180,000 web servers serving malicious code in its crawls. Even trusted websites are getting used to source malware. Government/city/county sites are targets because people trust them.

The primary goal of a security company is to protect the customer; they have staff who implement honeypots and sandboxes, reverse-engineer binaries, incorporate new AV signatures, etc. They try to notify owners of compromised sites, but can't handle that for 75,000 servers. The secondary goal is to actually find the criminals; so very few staff work with law enforcement agents, national CERTs/CSIRTs, etc. Stuff massively falls through the cracks.
abuse@ is falling through the cracks more and more often. Don't dumb down the language used; this isn't just 'cracking', this is criminal activity: serious moving of money from account to account, using moneygrams, Western Union, and Xboxes. Some of the activity now is more properly organized crime. The internet is a success, so the activities of the real world have moved online; the criminals follow the money, and the money is now online. Much unwanted traffic is actually backscatter from criminal activity. There's enough low-hanging fruit to make this a multimillion-dollar-a-year industry for them. Many criminals operate in the open, as there aren't enough resources to track them down and stop them.

Goal and desired results: better two-way communication for all stakeholders: law enforcement, NGOs (non-government organizations), national and organizational CERTs and incident response teams.

We're up to 700+ registrars, so it's getting harder and harder to track people. There hasn't been much backlash against it, as credit card companies are eating the losses; but some areas are making customers more liable for losses, and a bank may reserve the right to investigate your PC to make sure it is kept up to date, or you may be liable for the loss.

Trying to work with the unwitting middleman between the criminals and the victims. Need better reporting mechanisms for cybercrimes, and to engage the ISPs better at picking up the ball; if we don't police ourselves better, we may find ourselves stuck with having the policing forced on us.

For NGOs, some piecemeal relationships are already in place. The FIRST.org affiliate list of CERTs/CSIRTs as a baseline is a good start. When an issue comes up, start trying to contact people up through the contact lists; the worst-case scenario is having to publicize the issue to try to get in touch with people. Use the FIRST.org list--it works! ISP and network operations engagement is not an easy path, but it has to be done.
Biggest challenge is that internal processes are weak; domain information is often completely incorrect. Discipline is everything, and a disciplined process is crucial. Registry info (RADB, RIR, RIPE, ARIN) tends to be pretty good, as that's a registry of resources. NANOG is uniquely positioned to take a leadership role in trying to get these principles adopted. We're on a good path, but there are lots of course corrections; we see the threats in near real time, the same compromised server on tens of thousands of webservers all over the internet; many .gov and .edu sites hosting malicious code, fake Canadian pharmacies, etc. Need the NANOG community to act as one voice with internal engagement. Is this the right way to take action? Do people prefer to handle things this way?

Q: Carl at the mike notes that "bulletproof hosting" is a red flag--beware of it.

Q: There's a set of at least 5 ISPs in the US who are very black, who are *not* helping in our efforts in this war; why are they still allowed to advertise routes on the internet?

Q: Mike at the mike, from Cisco: from NIAG, the idea was to have a /security page on each webserver that told you how to contact people at a company when there's an issue, as now root@, hostmaster@, and abuse@ are generally black holes. What we're really lacking at the moment is process; how can you make sure that contacts are reachable?

Q: Port scanning: if we're considering that 'criminal', why not also come down hard on the copyright violators? In Finland, there are criminal cases from banks against port scanners.

We're 13 minutes overdue, so hold the rest of the questions for later.