Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Spamhaus Shows What's Next For Block Listing
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Shepy
Shepy,
 User Rank: Apprentice
11/28/2013 | 7:14:57 AM
Needs more
  • Legitimate organizations and users will abandon providers with poor reputations and flock to those with better reputations.
  • Providers with poor reputations will take remedial actions to avoid or recover from customer attrition and continued erosion of their reputation.
  • Users or organizations that switch will get better services from their new provider.
  • Providers with poor reputations cannot inflict reputational harm on their industry segments.

    In a perfect world this sounds ideal, but it's really starting to feel like SMTP needs an overhaul from the ground up, it's too long in the tooth and doesnt cate for spam prevention among other things nearly enough
davepiscitello
davepiscitello,
 User Rank: Apprentice
11/26/2013 | 5:29:30 PM
Re: How can we trust them?
I work with folks from many of the reputation, block list, or "intervenor/responder" communities. My experience is that block listing relies heavily on information sharing and collaboration, and that these processes put a great deal of time and consideration to minimize false positives or collateral harm. 

I think these checks and balances make reputation scoring more reliable and much less prone to malice or retaliation or vigilantism than user submitted phish or web trust sites. 

 
a_synonymous
a_synonymous,
 User Rank: Apprentice
11/26/2013 | 3:31:56 PM
How can we trust them?
Hi Dave,

You mentioned that there was no public outcry or condemnation.  The question is:  are we allowed to publicly oppose Spamhaus?  Recently, a person had edited their Wikipedia article to mention the recent conflict with the group "Stophaus".  The edit was immediately reverted by someone from Spamhaus, and the editor's IP was added to Spamhaus' blocklist.  People in the ISP community walk on eggshells around Spamhaus out of fear of reprisal.

In regards to reptuation scores, have you ever had someone say they hate your favorite restaurant or sports team?  How can businesses be sure that they are receiving all their legitimate correspondence when they rely on the subjective opinions of a group of people that assumes no responsibility for their actions, and triggers blocking of email from entire swathes of the internet with impunity?

Synonymous
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/25/2013 | 10:55:52 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Thanks for calling attention to the Web index for 2013, Brian. I totally agree with your point relating economic development with freedom and human rights. It's good to see it quantified. 

As for the "gray area"  of block listing, I think Dave lays out a pretty good case about the reasons organizations may choose to blocklist. Those that do, (as he added on his comment) take those actions when they reach the point that  harm to their  users is at greater risk than not blocking. 

I'm not sure that the industry is at a point where it's necessary to codify those malicious behaviors into standards. But it's certainly a subject worth considering and discussing. 
Brian.Dean
Brian.Dean,
 User Rank: Apprentice
11/24/2013 | 2:48:11 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Thank you for the links Dave, and yes I agree that blocking is an area where choosing sides are of no value, understanding motives and reacting according is where we can find value.

The World Wide Web Foundation has recently released a Web index for 2013 that measures development by evaluating universal access, relevant content, freedom, openness, impact and empowerment of different countries -- it is not surprising to see that the five countries at the bottom of this list also have low performing economies at the moment. I guess it means that blocking powers are being misused in those economies. In our global village we also have malware like i2ninja etc that is created with the exact intention to cause harm, I feel this is where a block can be justified.

Basically, it is all a gray areas until and unless we look deeply into the motives behind a block.
davepiscitello
davepiscitello,
 User Rank: Apprentice
11/23/2013 | 3:52:24 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Good points, all Brian.

FWIW, I have also written columns that explain how blocking actions typically taken by private network admins have different affects - and can result in unacceptable collateral harm - when taken by public operators, ISPs, or governments. 

You can find a summary of these and links to three related articles at Making Sense of Shutdowns, Takedowns, Seizures and More...
davepiscitello
davepiscitello,
 User Rank: Apprentice
11/23/2013 | 3:45:17 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Hi Marilyn,

I'm neither advocating or opposing block listing but as you say, positing a future direction that block listing may take if (or when) harm to an organization's own users vs collateral harm reaches a tipping point.

One answer to your question " Are there acceptable limits to malware blacklisting?" is answered nearly every day: risk tolerance dictates limits for private network admins, and risk from malware has become a largely untolerated risk.

I, too, welcome public outcry.

Especially when it takes the form of informed, reasoned debate. 
davepiscitello
davepiscitello,
 User Rank: Apprentice
11/23/2013 | 3:35:48 PM
Re: Malicious blacklisting is never acceptable
Thanks for your post. Let me set some facts before you, since you may not have found time to look at the chronology of events leading to Spamhaus' action.
  1. Spamhaus had identified 92 violations as far back as 2010. These went unresolved. They were listed at http://www.spamhaus.org/sbl/query/SBL201751 but you now have to go into the archives.
  2. The violations included botnet spam hosting, malware hosting, malware dropper hosting, DDoS botnet controllers and more. Using the SBL does more for an organization than block occasional junk messages: it protects users against the very botnets that you claim generate spam.
  3. They did not act zealously or without care, they did give CHINANET-GD time to resolve.

I'm most disappointed that you appear to have missed the important point that the use of SBL is a voluntary act by organizations who made the decision to protect their own users against malware distribution, spam, or DDoS at the expense of not processing mail from addresses on the block list.

 

 
Brian.Dean
Brian.Dean,
 User Rank: Apprentice
11/23/2013 | 1:44:26 PM
Re: Malicious blacklisting is never acceptable> Or is it?
Marilyn, excellent point as debates are good. From a business standpoint that wants to protect its customers from spam, I think blocking an ISP is a very small matter as any business that truly respects its customers would even get their own domain blocked, if they suspected their own domain to be spamming customers. From an economic perspective things are different, blocking anything becomes a mathematical equation that will eventually reduce or limit productivity on both ends, and roads etc were blocked in the past when roads were our main source of commerce. Today in this information age, information highways are blocked. As for customers, well I think every customer would like to open their spam folder and get the message "Hooray, no spam here!", and their main inbox would be no exception.

Definitely, it is a complex topic and it is extremely interesting to know about the "rapid chain of events" and moreover that it was "accepted without public outcry or condemnation", changing times I guess.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
11/23/2013 | 11:25:10 AM
Re: Malicious blacklisting is never acceptable> Or is it?
Andrew, I really appreciate your passionate opposition to malicious malware blacklisting and for taking the time to share your strongly-held views with InformationWeelk . While the author, Dave Piscitello, VP Security at ICANN, posits an opposing -- and apparently controversial --  point of view, I can assure you that he is no idiot and is very well-informed about the issues he raises in this column. 

I'll let Dave respond to the specific points in your post, but one thing in his column that stood out when I read it was his observation that the "rapid chain of events'" that lead to the Spamhaus blacklisting was "accepted without public outcry or condemnation." 

I can see by your comment, and another by 0id, that the public outcry has arrived at InformationWeek -- and we're delighted to have it. Let's have a thoughtful debate on the merits. Are there acceptable limits to malware blacklisting? If so, what are they? If not, why not. 

 
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-36312
PUBLISHED: 2022-08-16
Airspan AirVelocity 1500 software version 15.18.00.2511 lacks CSRF protections in the eNodeB's web management UI. This issue may affect other AirVelocity and AirSpeed models.
CVE-2022-38216
PUBLISHED: 2022-08-16
An integer overflow exists in Mapbox's closed source gl-native library prior to version 10.6.1, which is bundled with multiple Mapbox products including open source libraries. The overflow is caused by large image height and width values when creating a new Image and allows for out of bounds writes,...
CVE-2022-36306
PUBLISHED: 2022-08-16
An authenticated attacker can enumerate and download sensitive files, including the eNodeB's web management UI's TLS private key, the web server binary, and the web server configuration file. These vulnerabilities were found in AirVelocity 1500 running software version 9.3.0.01249, were still presen...
CVE-2022-36307
PUBLISHED: 2022-08-16
The AirVelocity 1500 prints SNMP credentials on its physically accessible serial port during boot. This was fixed in AirVelocity 1500 software version 15.18.00.2511 and may affect other AirVelocity and AirSpeed models.
CVE-2022-36308
PUBLISHED: 2022-08-16
Airspan AirVelocity 1500 web management UI displays SNMP credentials in plaintext on software versions older than 15.18.00.2511, and stores SNMPv3 credentials unhashed on the filesystem, enabling anyone with web access to use these credentials to manipulate the eNodeB over SNMP. This issue may affec...