Microsoft continues push for infected computers to be quarantined
Summary: Microsoft's Scott Charney is pushing ahead with a proposal to implement a public health model to curb the damage from botnets of malware-laden computers around the world.
SAN FRANCISCO -- Microsoft's Scott Charney is pushing ahead with a proposal for a public health model to curb the damage from botnets of malware-laden computers around the world.
During a keynote presentation (see documentation) at the RSA Conference here, Charney trumpeted a "global Internet health model" that uses existing technologies and organizational policies to implement a system that limits what an infected computer can do on the Internet.
Charney's message was much the same as it was last year when the Microsoft Trustworthy Computing chief called on ISPs to be aggressive and consider shutting off Internet access to infected computers.
This year, Charney took his message further, suggesting that computer users could opt into a Web-based program that provides alerts when security risks are identified.
"Notifying individuals of security problems or configuration issues in advance provides a first step in transforming current computer security posture from reactive to preventative," Charney added.
In an accompanying white paper (.pdf), Charney suggested the concept of device health can benefit from a more aggressive approach to pinpointing infected devices. Specifically, he called for the analysis and sharing of data from sinkholes, network traffic, and product telemetry to identify potentially infected devices.
"If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities," Charney declared.
Charney said that in most cases this can be done with current technology across multiple systems and platforms, and pointed out that Comcast is already making attempts to quarantine dirty machines.
"It is our view that approaches like this need to be broadened significantly, even globally," he added.
On the consumer side, he said there is a need for a mechanism for clean computers to demonstrate their "good health" (a health certificate) without rendering the systems more vulnerable or less reliable, or providing a conduit for leaking private information.
The white paper continues: "Second, the mechanism that produced the health certificate must be trusted (that is, infected devices should not have a way to fake a health certificate). Combining trusted software such as hypervisors and hardware elements such as a Trusted Platform Module (TPM) could further enable consumer devices to create robust health certificates and ensure the integrity of user information. Third, access providers and other organizations must have a way to request health certificates and take appropriate action based upon the information provided. Finally, we will need to create supporting policies and rules to ensure the effectiveness of this model."
Under this model, Charney said a consumer machine seeking to access the Internet could be asked to present a “health certificate” to demonstrate its state. Although the conditions to be checked may change over time, he said the health checks should ensure that software patches are applied, a firewall is installed and configured correctly, an anti-virus program with current signatures is running, and the machine is not currently infected with known malware.
If the health certificate indicates a security issue, such as a missing patch or out-of-date anti-virus signature, Charney said an ISP may provide a notice that assists the user in addressing the security concern or directs the user to resources for remediation.
"If the problem is more serious (the machine is spewing out malicious packets), or if the user refuses to produce a health certificate in the first instance, other remedies such as throttling the bandwidth of the potentially infected device, might be appropriate," he added.
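As an added illustration (not code from the article, from Microsoft, or from the white paper), the Python sketch below models the tiers Charney describes: a health agent on the device signs a self-report, the access provider verifies it, and the outcome is allow, notify, or throttle. The HMAC secret standing in for a TPM-backed attestation key, the seven-day signature-age limit, the patch and malware names, and the sample reports are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import date

# Assumption (not from the article): a shared secret stands in for the
# TPM-backed signing key a real attestation scheme would use. The point is
# only that the provider can detect a report the device altered after signing.
ATTESTATION_KEY = b"demo-only-attestation-key"

# Fixed "today" so the example is deterministic; constructed, not real data.
TODAY = date(2011, 2, 15)
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold for "current" signatures


def _canonical(claims):
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(claims, key=ATTESTATION_KEY):
    """Device side: bind the self-reported claims to an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": dict(claims), "tag": tag}


def certificate_is_authentic(cert, key=ATTESTATION_KEY):
    """Provider side: recompute the tag; constant-time compare resists guessing."""
    expected = hmac.new(key, _canonical(cert.get("claims", {})),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(cert.get("tag", "")))


def evaluate(cert, observed_malicious_traffic=False, today=TODAY):
    """Return (decision, reasons): allow / notify / throttle.

    Network-observed behaviour is checked first because a compromised host
    controls its own claims; the certificate only adds evidence of hygiene."""
    if observed_malicious_traffic:
        return "throttle", ["device is emitting malicious packets"]
    if cert is None:
        return "throttle", ["no health certificate presented"]
    if not certificate_is_authentic(cert):
        return "throttle", ["health certificate failed verification (altered or forged)"]

    c = cert["claims"]
    if c.get("known_malware"):
        return "throttle", ["known malware present: " + ", ".join(c["known_malware"])]

    # Hygiene gaps: notify the user and point at remediation rather than cut off.
    issues = []
    if c.get("missing_patches"):
        issues.append("missing patches: " + ", ".join(c["missing_patches"]))
    if not c.get("firewall_enabled", False):
        issues.append("firewall disabled or misconfigured")
    if not c.get("antivirus_running", False):
        issues.append("no anti-virus program running")
    else:
        age_days = (today - date.fromisoformat(c["av_signature_date"])).days
        if age_days > MAX_SIGNATURE_AGE_DAYS:
            issues.append(f"anti-virus signatures are {age_days} days old")
    return ("notify", issues) if issues else ("allow", [])


# Constructed sample self-reports from three hypothetical subscribers.
CLEAN = issue_certificate({
    "missing_patches": [], "firewall_enabled": True,
    "antivirus_running": True, "av_signature_date": "2011-02-14",
    "known_malware": []})
STALE = issue_certificate({
    "missing_patches": ["example-patch-1"], "firewall_enabled": False,
    "antivirus_running": True, "av_signature_date": "2011-01-20",
    "known_malware": []})
INFECTED = issue_certificate({
    "missing_patches": [], "firewall_enabled": True,
    "antivirus_running": True, "av_signature_date": "2011-02-14",
    "known_malware": ["example-bot"]})
# An infected host that edits its own report after signing: tag no longer matches.
FORGED = issue_certificate(INFECTED["claims"])
FORGED["claims"]["known_malware"] = []


def demo():
    """Run every sample through the policy; returns {label: (decision, reasons)}."""
    return {
        "clean": evaluate(CLEAN),
        "stale": evaluate(STALE),
        "infected": evaluate(INFECTED),
        "forged": evaluate(FORGED),
        "refused": evaluate(None),
        "clean_but_spewing": evaluate(CLEAN, observed_malicious_traffic=True),
    }


if __name__ == "__main__":
    for label, (decision, reasons) in demo().items():
        print(f"{label:18} -> {decision:8} {'; '.join(reasons)}")
```

Two design points carry over to any real deployment: the provider trusts its own traffic observations above the device's self-report, and the report is only as good as the key that signed it, which is why the white paper reaches for hypervisors and a TPM rather than a software agent alone.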
The idea of quarantining infected users to secure the Internet ecosystem is not new but security experts say that unless ISPs have a financial incentive to implement these models, these initiatives will go nowhere.
Talkback
The only real strategy is to...
I guess a lot of people are just a glutton for punishment/abuse.
RE: Microsoft continues push for infected computers to be quarantined
Micro$oft doesn't control the internet
I'd rather deal with multiple threats than be controlled and used by one unelected corporate monopoly.
Thank God for Linux.
iOS Maybe, not OS X.
I can see how you could make the argument of the walled garden for iOS (Apple's in this case, but Cisco's too), but not of OS X. OS X is very open, and anyone can write software for it, and not go through Apple to sell it. This is exactly the same as Windoz.
Fool alert! james347 is speaking again!
Run back to Steve Jobs and tell him nobody believes you and you need to try a new approach. :)
RE: Microsoft continues push for infected computers to be quarantined
Hey, I'm pacing myself, thank you very much!
It's not Windows, it's human nature
RE: Microsoft continues push for infected computers to be quarantined
And yet people still cheat at video games ...
RE: Microsoft continues push for infected computers to be quarantined
The first worm was used in HP labs for diagnostics.
The first unintentional worm that I know of was from an engineer trying to map the DEC internal network... with a bug. Took down the internal network sometime in the early 80s.
Loverock Davidson said it's all Linux & Mac fault
RE: Microsoft continues push for infected computers to be quarantined
And that will last 7 days. Mac and Linux viruses and malware exist. If they pass 40% or so of the machine population on the internet, say goodbye to "security through obscurity".
RE: Microsoft continues push for infected computers to be quarantined
Security through obscurity is the Microsoft strategy. It has never worked. Crackers I know say that no Windows machine is safe, and none ever will be. Too many ways in.
Linux and some BSD variants are POTENTIALLY safe. There are vectors though. .NET/Mono, Java and a few others. On Windows, there is also ActiveX, Visual Basic and friends.
Reality is that there are no internet viruses. There are however Windows viruses spread on the internet. There is a rumor of an Apple virus on the internet, but I don't know anyone who has encountered it. Apple forums are also silent on this.
Linux viruses are reported to have been created by security researchers, but have not been seen on the internet. There are a couple of .Net viruses that can infect a Linux machine running Novell's Mono. There are also a couple of Java viruses that can escape the sandbox. That's why Java should not be enabled for normal run time on any system.
There should also be no automatically executed programs on any Linux or BSD system. A user can execute malicious programs on any system, but that is a Trojan, not a Virus. There are other attacks that can affect any system, but they require more control, and cannot be mass executed. That is why most internet 'Bot Nets' are Windows machines. It's just easier to automate the suborning of that system.
If you want a safe machine for web surfing, I would suggest a Linux on CD approach. One of the live CDs will allow you to safely surf the internet. It can't infect your hard drive if the system can't address the hard drive. The only drive seen on most live CDs is the CD drive, and that is read only.
Paranoia is only a problem if you are wrong!
Sorry, WRONG!
Microsoft allows both intentional and unintentional ways to load software. Apple does not.
If a Mac user has any common sense at all, he cannot be infected. He can NEVER be infected without a proactive stupid act.
RE: Microsoft continues push for infected computers to be quarantined
The article points to cross-platform usage so wouldn't it still be viable to say that it is needed?
Here at work, if you are on the domain, you have anti-ware pushed out to you. If you do not get the updates due to errors or have figured out ways to circumvent this, you are removed from the domain. Allowing you to still have access to the internet, but not any school/hospital applications and whatnot. If you have an outside PC/Laptop and want to connect VPN with the system, your system will be scanned for active Anti-Ware programs with current DATs. If your Anti-Ware is NOT current, VPN is refused and you are given a message to update this before trying again via a webpage of instructions for most of the major anti-ware vendors and links to their dat file downloads.
Luckily my Ubuntu netbook has only been denied 1 time since I have started using it at home 3 years ago.
RE: Microsoft continues push for infected computers to be quarantined
It's not a solution to totally remove any OS.
Windows is a prime target ONLY because it's the dominating OS.
If any other OS takes its place, then THAT OS will become the new prime target. On the mobile platform, Android is the top OS and the prime target for the cyber crooks. Android is a Linux variation. Apple's iPod, iPhone and iPad are also under attack from those criminals. Mac OS and iOS are Unix variants.
As long as the user is the weakest link in any security strategy, the OS used doesn't matter. These days, most infections are done using social engineering to circumvent security measures and hit some OS, or application, vulnerability.