Re: [swinog] Blocking Malware distribution sites
* on the Thu, Nov 11, 2010 at 11:17:43AM +0100, JIm Romaguera wrote: Seriously, cert authorities have often delayed outing security holes from buggy software/hardware manufacturers until they have time to patch the bug. This has taken sometimes a very long time. Indeed. This (and the NDA) is why I normally directly contact any other involved organization directly, without contacting cert. And, in case of security holes, go to bugtraq if nothing happens. How come then that a maybe malware infected site (read the previous poster's comments - one man's malware is another man's security protection service) has no real time to react and is effectively nuked. Honeypots? Anyway, as I see it, the whole thing adheres to the usual the opposite of good is well-meant approach. That, and it illustrates of course a very bad tendency of having the administration writing laws (well, technically not a law, but close enough). Cheers Seegras -- Those who give up essential liberties for temporary safety deserve neither liberty nor safety. -- Benjamin Franklin It's also true that those who would give up privacy for security are likely to end up with neither. -- Bruce Schneier ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Dear Serge On 11/11/2010 08:22 AM, Serge Droz wrote: From different third parties we receive a fairly large number of URLs in .ch/.li ccTLDs which distribute malware. We're talking a few hundred URLs per week. In a first step SWITCH verifies that this claim is true. On the first glance, this seems to be a neat thing. But then again, who decides if 'something' is considered to be malware or not? This actually could be mistreated to a cencorship on DNS level. My 0.02€. Regards, - Dan ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
On 11.11.2010 09:01, Daniel Kamm wrote: Dear Serge On 11/11/2010 08:22 AM, Serge Droz wrote: From different third parties we receive a fairly large number of URLs in .ch/.li ccTLDs which distribute malware. We're talking a few hundred URLs per week. In a first step SWITCH verifies that this claim is true. On the first glance, this seems to be a neat thing. But then again, who decides if 'something' is considered to be malware or not? This actually could be mistreated to a cencorship on DNS level. Seconded. The information part is certainly very useful. But disconnecting the delegation is excessive and may have huge liability consequences as well. What are the reaction times required from the delegation contacts? Not everyone has a 24x7 NOC. What are the criteria and definition for malware? How can Switch verify that malware is indeed distributed? If it can be done for malware, it can also be done for anything else illegal. For example a site distributes a picture, sound file or movie file without authorization from the claimed copyright holder. Will Switch turn off the delegation as well? Where is the threshold? How do you prevent opening the can of worms? How about libel cases? Will those also cause a delegation suspension? How is due process handled? Is Switch the accuser, judge and executioner in union? Is it turned off first and have the accused prove that he doesn't distribute malware anymore? What if the accused claims that the malware in fact isn't? What happens if some subdomain of, lets say bluewin.ch, is distributing malware Will Switch suspend the delegation of bluewin.ch until is cleaned up? If not, because bluewin.ch is too popular, then why is there unequal treatment compared to less popular domains which will be suspended without regard for any collateral damage? I think with this Switch is going far beyond their mandate, purpose and official role as registry for .ch domains. Due process, which is an integral part of our constitution and the European Human Rights Charter, is violated with this plan. If this is done it's only a matter of days until all other rights holders want to use this method as well to enforce their claimed rights. How is this whole delegation suspension plan even possible with the law as codified in AEFV SR784.104 and SR 784.101.113/2.13? IMHO this delegation suspension plan is entirely broken by design and should be immediately stopped. -- Andre ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Hello Serge, hello all without Serge, On Thursday 11 November 2010 08:22:53 Serge Droz wrote: On 25 November 2010 SWITCH will launch an new initiative to maintain the high security standards of Swiss websites. Let me briefly explain what we will do, as it is relevant to the SWINOG community: From different third parties we receive a fairly large number of URLs in .ch/.li ccTLDs which distribute malware. We're talking a few hundred URLs per week. In a first step SWITCH verifies that this claim is true. If the site is indeed distributing malware we will contact the domain holder and technical contact by e-mail and ask them to remove the problem within one working day. This is a difficult task and I see many problems. First of all you have to know, what is malware and what is not. This decision sounds simple but if you go to the details you see that lawyers have much work with such cases. The other thing is that you are responsible for domains which is a logical thing. It's not an dedicated computer with internet connectivity. DNS can do round robin for example, DNS can change every hour, every day. Somebody who manages a domain is in reality not the same person who manages computers. You get in trouble if you ignore all these facts. DNS is NOT a 1:1 mapping for IP addresses. This view is oversimplified. And you have also cases where it is not very easy to know on one server who is responsible. Imagine you have a file hoster - do you want to kill this business? If the they fail to do so, we will delete the name server delegation from the zone-file [1]. We report this to MELANI, as required by law [2]. The domain holder will be informed about this. So if a big company with slow decisions has maybe(!) a malware problem (remember the difficulties to decide what is malware) you kill the whole swiss traffic after one day? Do you know that if you have a malware problem it's not always easy to solve the problem? Great DoS opportunity against companies. If you don't give me money I attack your systems which you can't clean within a day and I call Switch immediatly. Bye bye business. Do you know that it is one thing to distribute the malware the other thing to have vulnerable software asking for a exploit? What you suggest is not a solution for anything. Distributing malware works perfect without domains. And distributing malware works perfect without the whole swiss internet. And I'm sure that your reaction is much slower than tons of bots which attacks thousands computers per second. You change nothing related to malware. I have to make it clear: As somebody who knows IT security very well I will avoid in the future swiss domains if this happens. I don't support systems with so many flaws. Yes I support fighting malware but I don't agree that the problem are people who supports downloading malware. The overall problem is the stupid patch management on many platforms. And if you want to change something, you should support people with patch management and maybe use of rating systems against browser exploits. This would be a constructive way to change the things instead trying to be repressive against domain holders. Remember, being a domain holder don't means that this guy is responsible for any system. They even don't have to know each other. Regards Oli signature.asc Description: This is a digitally signed message part. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Hi Andre You did mention AEFV SR784.104. Art 14bis requires Switch to do this: Die Registerbetreiberin muss einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben: a. wenn der begründete Verdacht besteht, dass dieser Domain-Name benutzt wird: 1. um mit unrechtmässigen Methoden an schützenswerte Daten zu gelangen, oder 2. um schädliche Software zu verbreiten, und b. wenn eine in der Bekämpfung der Cyberkriminalität vom BAKOM anerkannte Stelle die Blockierung beantragt hat. Source: http://www.admin.ch/ch/d/sr/784_104/a14bist.html Regards, Martin ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Hello Im Auftrag von Andre Oppermann Gesendet: Donnerstag, 11. November 2010 09:55 On 11.11.2010 09:01, Daniel Kamm wrote: Dear Serge On 11/11/2010 08:22 AM, Serge Droz wrote: On the first glance, this seems to be a neat thing. But then again, who decides if 'something' is considered to be malware or not? This actually could be mistreated to a cencorship on DNS level. Seconded. The information part is certainly very useful. But disconnecting the delegation is excessive and may have huge liability consequences as well. What are the reaction times required from the delegation contacts? Not everyone has a 24x7 NOC. That's what I am concerned about too. I have got a server hosting a couple of sites (private ones, a few clubs websites or support applications like eGroupWare) and I am the only one operating it. If I am on holiday for 2 weeks that stuff will be offline before I have a chance to react. Since I have a tor node running it is possible that some malware finds a way to exit through that node. The exit policy is restrictive, but some ports can be abused and even tor itself may be cracked. In such a case nine.ch will geht the complaints and what will they do if they can't reach me in a few hours? To safe themselves from getting their whole network cut off (*.nine.ch) they will have to take my server down immediately. In *less than one day*! That server is also my MX and IMAP-Service so it will cut off the e-mail-addresses nine.ch or switch has stored with my address. Besides that: How do you make sure (legally) that any of your e-mails really got through? You all should know that SMTP can't guarantee anything! Even if you get the delivery message it might have ended in the junk mail bin without the recipient ever noticing (I just switched my MX for p-guhl.ch for that reason; that Canadian ISP has a too harsh filter which users can't change or remove). I second all the lagal and political concerns of the others too. We all know that copyright holders (real ones and fakes) are fighting dirty. Most likely you even have malware senders accusing other malware senders to kick them out of business. Regards Peter ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Im Auftrag von Martin Jaggi Gesendet: Donnerstag, 11. November 2010 11:01 You did mention AEFV SR784.104. Art 14bis requires Switch to do this: Die Registerbetreiberin muss einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben: a. wenn der begründete Verdacht besteht, dass dieser Domain-Name benutzt wird: Ah, it doesn't seem to need a real proof... 1. um mit unrechtmässigen Methoden an schützenswerte Daten zu gelangen, oder 2. um schädliche Software zu verbreiten, und b. wenn eine in der Bekämpfung der Cyberkriminalität vom BAKOM anerkannte Stelle die Blockierung beantragt hat. Who is controling them? A judge? Aparently legislation managed to already break the system without us noticing. I will have to inform my boss; we are holding around 100 .ch-domains and most of them have got Google Ads on them. If somebody breaks into that system all those domains may become malware distributors at once. Let's see if he wants to pay the money for fixing this in such a case *and* lose the AdSense-income the same time. Regards Peter ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Hi Serge, Gotta agree with Olivier, Andre Mike. This is a strange decision and a strange process (2 weeks to react to this new world order???). Makes me wonder why such a strange strategy couldn't be extrapolated to where .ch is disconnected unless some subdomain spreading malware stops within 24hrs?!? I seem to recall 15 or more years ago (details are obviously a bit hazy) ... a) Milo decided to disconnect Finland from the then Internet (for some reason he thought was important). b) SWITCH decided to ban distributing any newsgoup dealing with sex (SWITCH was the main way for the vast majority of Internet users to receive their newsgroups). Both decisions were very arbitary (agree that no malice was intended except for Milo's case ;-( ). No chance to discuss the how to achieve the goal and how to implement the goal. Seriously, cert authorities have often delayed outing security holes from buggy software/hardware manufacturers until they have time to patch the bug. This has taken sometimes a very long time. How come then that a maybe malware infected site (read the previous poster's comments - one man's malware is another man's security protection service) has no real time to react and is effectively nuked. One could argue that all sites that use known buggy software and hardware must fix within 24hrs or else be disconnected. One thing is for the police to ask an ISP do something (at least they are following laws where a particular process is involved where debate, enhancements, etc occur AND as Andre correctly states the ISP can shield himself from legal liabilty by stating I did what the police told me to do.). But for SWITCH to decide to do something to an even lower level entity, such as a domain, and in this manner is truely abit scary and a bad decision as a process - SWITCH also makes mistakes from time to time (see above). SWITCH should raise suspect sites to the police who would decide and then instruct SWITCH what it should do. Lastly, law or no law, would you really treat bluwin.ch the same as smallISP.ch and disconnect them within 24hrs if their cisco ios was buggy - such a bug ain't gonna be fixed within 24hrs? Also my 2cents worth...Cheers JIm On 11/11/2010 10:28, Mike Kellenberger wrote: Hi all (again) The more I think about it, the less I think SWITCH thought about it, before publishing such nonsense. On 25 November 2010 SWITCH will launch an new initiative to maintain the high security standards of Swiss websites. Hello? Since when does SWITCH have anything to say about the security of websites? Security of Domains: ok, but websites? Remember: Internet != WorldWideWeb Deleting the name server delegation of a domain not only shuts down access to one website, but to ALL Internet services depending on DNS in that domain. From different third parties we receive a fairly large number of URLs in .ch/.li ccTLDs which distribute malware. Exactly - specific URLs (or the websites behind those URLs) may spread malware, but not the domain itself, but again - since SWITCH cannot block access to specifiec URLs, there is no reason to block access to the whole domain. So I absolutely second Andre Oppermanns opinion: This delegation suspension plan is entirely broken by design and should be immediately stopped. Cheers Mike ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
On 11/11/2010 11:01 AM, Martin Jaggi wrote: You did mention AEFV SR784.104. Art 14bis requires Switch to do this: Die Registerbetreiberin muss einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben: a. wenn der begründete Verdacht besteht, dass dieser Domain-Name benutzt wird: 1. um mit unrechtmässigen Methoden an schützenswerte Daten zu gelangen, oder 2. um schädliche Software zu verbreiten, und b. wenn eine in der Bekämpfung der Cyberkriminalität vom BAKOM anerkannte Stelle die Blockierung beantragt hat. Source: http://www.admin.ch/ch/d/sr/784_104/a14bist.html Neither Serge nor Martin is noticing the next paragraph: 2 Wenn die Bedingungen gemäss Absatz 1 Buchstabe a erfüllt sind, aber der Antrag auf Blockierung einer Stelle gemäss Absatz 1 Buchstabe b fehlt, kann die Registerbetreiberin für höchstens fünf Werktage einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben. Nach Ablauf der festgelegten Frist hebt sie jede Massnahme auf, die nicht durch einen Antrag einer Stelle gemäss Absatz 1 Buchstabe b bestätigt wird. So this is only a temporary blockage of at max 7 days. After this periode, the zone file must be delegated again. If DNS caches are not flushed or overriden within this time, this non-delegation is futile. But what really makes me angry is, that Swiss parliament agreed in self judgement of a third party company. It really seems, that our parliament needs more technical understanding. - Dan ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
On Thursday 11 November 2010 11:08:16 mailinglis...@p-guhl.ch wrote: Besides that: How do you make sure (legally) that any of your e-mails really got through? Quite a challenge to send an E-Mail to a domain with non-existent NS and therefor no MX RRs... Or does switch give me a call? Or maybe you send a telegram? cheers, Michi ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
On 11.11.2010 11:36, Daniel Kamm wrote: On 11/11/2010 11:01 AM, Martin Jaggi wrote: You did mention AEFV SR784.104. Art 14bis requires Switch to do this: Die Registerbetreiberin muss einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben: a. wenn der begründete Verdacht besteht, dass dieser Domain-Name benutzt wird: 1. um mit unrechtmässigen Methoden an schützenswerte Daten zu gelangen, oder 2. um schädliche Software zu verbreiten, und b. wenn eine in der Bekämpfung der Cyberkriminalität vom BAKOM anerkannte Stelle die Blockierung beantragt hat. Source: http://www.admin.ch/ch/d/sr/784_104/a14bist.html Neither Serge nor Martin is noticing the next paragraph: 2 Wenn die Bedingungen gemäss Absatz 1 Buchstabe a erfüllt sind, aber der Antrag auf Blockierung einer Stelle gemäss Absatz 1 Buchstabe b fehlt, kann die Registerbetreiberin für höchstens fünf Werktage einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben. Nach Ablauf der festgelegten Frist hebt sie jede Massnahme auf, die nicht durch einen Antrag einer Stelle gemäss Absatz 1 Buchstabe b bestätigt wird. So this is only a temporary blockage of at max 7 days. After this periode, the zone file must be delegated again. If DNS caches are not flushed or overriden within this time, this non-delegation is futile. But what really makes me angry is, that Swiss parliament agreed in self judgement of a third party company. It really seems, that our parliament needs more technical understanding. Apparently the parliament wasn't involved at all. This is a change of the Verordnung by the Bundesrat without public and parliamentary consulting. -- Andre ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
On Thursday 11 November 2010 11:08:16 mailinglis...@p-guhl.ch wrote: Besides that: How do you make sure (legally) that any of your e-mails really got through? Quite a challenge to send an E-Mail to a domain with non-existent NS and therefor no MX RRs... Or does switch give me a call? Or maybe you send a telegram? AFAIK, the mails are sent immediately before inactivating the domain. (They already do that for domains they delete (late payments etc.), so we can clean out our DNSs) There was a recent event at the SWITCH HQ, where all this was discussed. SWITCH basically promised not to rush anything. If the ISP vetos a deactivation (e.g. because it's a subdomain of his main domain), the process is supposed to stop at that point. The idea is to remove the ignorants only, as each case is looked at specifically and individually. SWITCH only works 9-5-5, so the 24h period is really next business day. The process was tried out a couple of months ago. That's what I took home from the event. Mis-handling of individual cases is still possible, of course ;-) Regards, Rainer ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Blocking Malware distribution sites
Am 11.11.2010 um 11:36 schrieb Daniel Kamm: On 11/11/2010 11:01 AM, Martin Jaggi wrote: You did mention AEFV SR784.104. Art 14bis requires Switch to do this: Die Registerbetreiberin muss einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben: a. wenn der begründete Verdacht besteht, dass dieser Domain-Name benutzt wird: 1. um mit unrechtmässigen Methoden an schützenswerte Daten zu gelangen, oder 2. um schädliche Software zu verbreiten, und b. wenn eine in der Bekämpfung der Cyberkriminalität vom BAKOM anerkannte Stelle die Blockierung beantragt hat. Source: http://www.admin.ch/ch/d/sr/784_104/a14bist.html Neither Serge nor Martin is noticing the next paragraph: 2 Wenn die Bedingungen gemäss Absatz 1 Buchstabe a erfüllt sind, aber der Antrag auf Blockierung einer Stelle gemäss Absatz 1 Buchstabe b fehlt, kann die Registerbetreiberin für höchstens fünf Werktage einen Domain-Namen blockieren und die diesbezügliche Zuweisung zu einem Namenserver aufheben. Nach Ablauf der festgelegten Frist hebt sie jede Massnahme auf, die nicht durch einen Antrag einer Stelle gemäss Absatz 1 Buchstabe b bestätigt wird. So this is only a temporary blockage of at max 7 days. After this periode, the zone file must be delegated again. If DNS caches are not flushed or overriden within this time, this non-delegation is futile. But what really makes me angry is, that Swiss parliament agreed in self judgement of a third party company. It really seems, that our parliament needs more technical understanding. This is a denial of service potential with being accuser and judge in one. It violates the splitting of power. I think this will be challenged big time in court. ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
[swinog] Blocking Malware distribution sites
Hello Swinogers, On 25 November 2010 SWITCH will launch an new initiative to maintain the high security standards of Swiss websites. Let me briefly explain what we will do, as it is relevant to the SWINOG community: From different third parties we receive a fairly large number of URLs in .ch/.li ccTLDs which distribute malware. We're talking a few hundred URLs per week. In a first step SWITCH verifies that this claim is true. If the site is indeed distributing malware we will contact the domain holder and technical contact by e-mail and ask them to remove the problem within one working day. If the they fail to do so, we will delete the name server delegation from the zone-file [1]. We report this to MELANI, as required by law [2]. The domain holder will be informed about this. Removing the name server delegation is not really efficient as long as DNS caches, containing entries of that domain are not flushed. SWITCH plans to make the list of blocked domains available to relevant parties, i.e. ISPs operating name servers for their customers. If you want to receive this info send us an e-mail message to c...@switch.ch and we will get in touch with you. Since we don't want any finger pointing or bashing of affected sites, we want you to keep this info confidential. To join, we therefore ask you to sign a non disclosure agreement (NDA). Please get in touch with if you have any question. Best regards Serge Notes: [1] Details see Bakom http://www.bakom.admin.ch/themen/internet/03470/index.html?lang=de [2] The law [1] talks about a anerkannte Stelle zur Bekämpfung von Cyberkriminalität, a recognized organisation fighting cyber-crime. So far MELANI (http://www.melani.admin.ch/) is the only recognized organisation. -- SWITCH Serving Swiss Universities -- Serge Droz, SWITCH-CERT Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 63, fax +41 44 268 15 78 serge.d...@switch.ch, http://www.switch.ch ___ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
