ISPs asked to cut off malware-infected PCs

Sep 14, 2009 2:53 PM
Tags: iia | conroy | isp | malware

Voluntary code of conduct puts onus on service providers.

The Internet Industry Association (IIA) has drafted a new code of conduct that suggests Internet Service Providers (ISPs) contact, and in some cases disconnect, customers that have malware-infected computers.

The drafted code, which will not be mandatory, suggested ISPs take a four-step approach to protecting customers.

  • Identification of compromised computers
  • Contact affected customer
  • Provision of information and advice to fix the compromised system; and
  • A reporting function for alerting about serious scale threats, such as those that may threaten national security.

"Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem. ISPs should therefore attempt to identify the end user whose computer has been compromised, and contact them to educate them about the problem," the new code states.

Chief regulatory officer of ISP iiNet, Steve Dalby, said he would adhere to the code if the process could be automated and development costs weren't prohibitive.

"Potentially it's something that we would do. If there were some costs we might consider whether government funding was available, but again it's very hypothetical," Dalby said.

IBRS analyst James Turner welcomed the move and said ISPs should be able to find a way to fund the initiative.

"They'll find a way of commercialising it and making it, at the very least, cost neutral if not cost positive," he said.

Turner said it was reasonable to expect a form of "quality control" for computers connected to the internet in a similar way cars need to be roadworthy.

"The Government make laws and regulations about what you can drive on the roads. If you're in New South Wales, after your car gets over five years old ... you've got to take it over to the pits every year. A form of quality control for computers that are on the internet seems perfectly reasonable to me," said Turner.

Communications Minister Senator Conroy has voiced his support for the new code. In May, he said the "code will provide a consistent approach for Australian ISPs to help inform, educate and protect their clients in relation to e-security issues."

"It will contribute to the range of efforts being made by Government and industry to raise awareness of online security and to foster digital confidence," said Conroy at the time.

However, an IIA spokesman said that if Stephen Conroy was serious about addressing eSecurity he would fund more education initiatives. Government initiatives, such as the once-a-year e-security campaign that told Australians to change their password, were not enough, he said.

"The government has spent an awful lot of money on a single website," the spokesman told iTnews. "I think there's about two or three websites doing exactly the same thing and they all assume you've got to log on to the website. It's kind of like a web 1.0 style approach," he said.

Initiatives such as the recently announced Queensland Government war driving mission were praised by the spokesman.

The code of conduct was initiated on 10 June when the IIA, in association with the Government, ISPs, security vendors and consumer representatives convened a meeting to explore the merits of a new voluntary eSecurity code.

"The meeting agreed that A Draft Code Principles with representative from all stakeholders with a final version of the voluntary code envisaged by 1 December 2009," the IIA said.

ISPs that adhere to the code would be able to display an IIA tortoise logo on their website.

Members of the public are asked to respond to the draft code by posting their comments and suggestions to securitycode@iia.net.au no later than Friday 30 October 2009.

What do you think? Should service providers be expected to invest in the technology to know when a user's computer is infected? Do they have the legal right to cut an infected user off?


 
Comments: 10
Tailgator
Sep 14, 2009 4:46 PM
So now some ISPs are prepared to monitor, detect, analyse, and advise when 'spam' or compromised computers on their network are involved but not when there is purported evidence of copyright infringement, i.e. P2P? (I imagine the upload profiles could be very similar).

Yes there are legal differences however this move could be just a foot in the door to another argument for ISPs being responsible for traffic over their network. Consider the accusations that could be leveled at the ISPs. Surely iiNet, of all ISPs, should be aware of the potential ramifications and future consequences.

Don't do it! Stick with the premise that you are just a carrier and not responsible for the traffic sent/received on it. The customer controls and is responsible for the traffic over their connection. Push for a comprehensive and effective education program instead.
Reserved1
Sep 14, 2009 6:04 PM
There is no way that an ISP can adhere to this code without its customers being affected, and compromising existing contracts. Let's face it, in most cases Windows can't even tell when you're running 3rd party anti-virus software, so how are the ISPs going to do it? And Microsoft already runs its malware removal tool with every month's updates, and if they can't find it, then how can we rely on an ISP to do it right? They would be better off targeting the web hosts and having them remove all the infected sites, and blocking outgoing email from identified, infected accounts. This code sounds very poorly considered, and its author should rethink their career.
laman
Sep 14, 2009 6:34 PM
I believe that disconnecting customers that have malware-infected computers is definitely a no-go exercise. While the ISPs can develop and migrate the cost of such monitoring to users, the general public would have to pay for a computer technician to fix the problem, which could cost a few hundred dollars. In addition, disconnecting customers means the users have to contact their ISP to reactivate their accounts. Will the ISPs refund the period when the account is being disconnected? And people won't be able to download all the patches immediately after computers are fixed.
peterh_oz
Sep 14, 2009 11:24 PM
If enough countries did this, the internet would be almost spam-free and email would be usable. ISP costs would be reduced by the reduction in wasted bandwidth, this would offset the cost of monitoring. A couple of very simple scripts would detect this. Some ISPs can already respond to copyright accusations automatically at NO cost, allowing the customer to either fix or deny the issue thus not taking sides nor getting involved legally.

A temporary block screen "your internet connection has been detected as having a possibly infected computer. (ISP) suggests that you obtain professional analysis for your computer. (Click here) for more information (maybe link to a specific Dept Broadband & Communication page), and click here to dismiss this message."

A 2nd warning (to be issued no less than 14 days after the first, thus allowing service to continue whilst the problem is being addressed) could be firmer, with a warning that failure to fix the problem could result in connection being suspended.

Personally, I see the vehicle roadworthy analogy as a very good one. Unlike NSW's cars, it would NOT require an annual checkup - it would be more like a random roadside check: if you fail, you are given a notice and time to fix it. Customer's cost is irrelevant - if your car isn't roadworthy you MUST fix it regardless of cost. PC is the same. It shouldn't cost more than $400 (1 day's service cost) to get someone to format & reinstall your operating system and basic "office" software, if you're running more than that you should know how to do it yourself.

Best idea I've heard for a long time, and MANY years overdue!
Mun
Sep 15, 2009 9:22 AM
In 2006 I wrote a story about this for my previous employer (http://bit.ly/V2S7J) where a security expert tried to explain why ISPs prefer to ignore infected customers.


"If somebody tells [an ISP] that this IP address -- which for example belongs to some grandmother in Queensland -- is a bot, what do they do? Most ISPs simply disconnect the IP address, which means the grandmother can't go online.

She will spend the next two days trying to figure out the problem herself and then call support. This is what happens:

Grandmother: Hello -- I can't go online.

ISP helpdesk: That's because you have been disconnected

Grandmother: Why have I been disconnected?

ISP helpdesk: Because you have a bot

Grandmother: What is a bot?

ISP helpdesk: Long discussion happens

Grandmother: Ok too bad, so what do I do about it?

ISP helpdesk: You have to apply patches to your computer.

Grandmother: How do I do that?

ISP helpdesk: Well... err. You go to your friend's computer, download the patches to a CD ROM..."


I believe this is still valid today and if ISPs do adhere to the code, it will cost them a fortune in support calls.

Munir Kotadia
anonymous
Sep 15, 2009 9:34 AM
Three cheers for Munir Kotadia! A voice of commonsense in what could become a rather distracted discussion.
MarcIrvin
Sep 17, 2009 2:02 AM
I have been in the trenches fighting viruses that have infected my company's systems. There is a lot of talk going on about sophisticated bots and trojans and such. All good. However, I want to applaud the Australians because the thing that has made me angriest about internet security issues is that machines can be infected by other machines that are shotgunning known signatures at other machines, letting machines with vulnerabilities get sick. I found that we were totally on our own there because there was no coordinated effort between ISPs to stop that traffic. It was every man for himself. The argument I heard was some machines need to operate that way. I felt that was a lie because there were plenty of ways to tell the difference, but all the infectious traffic continued to move unfettered. Finally, if it's such a bad practice, why do major company intranets resort to those exact tactics so frequently? I know we do.
Sorry if my comments are unwanted or dated. I think someone should just cut the Australians some slack.
Sams
Sep 17, 2009 10:50 AM
"general public would have to pay for a computer technician to fix the problem which could cost a few hundred dollars"

Well, it is their machine that is causing the problem for others. That's like saying police shouldn't declare cars unroadworthy because the owner would then have to pay to get them fixed. I would have thought "hundreds of dollars" is an exaggeration, but then I've never used a computer tech.

There is a middle ground for ISPs rather than total disconnection. Maybe restrict ports to web protocols (they do this all the time for unpaid bills etc.) only and redirect the users to a notification/instructional web page. Perhaps also allow browsing to certain destinations (Microsoft, Google, etc.) so the user can get their patches/anti-virus, although that could get messy. There again, the notification web page could have a form allowing the user to selectively unlock the site(s) they need. That was just off the top of my head - I'm sure there are neater ways.
Tim Benham
Sep 20, 2009 10:28 PM
The analogy with cars is a good one. If I fail to secure my car and it rolls down the hill trashing a few other cars there is no doubt that I will be liable for the damage. Yet computer owners expect impunity for the damage caused by their negligent administration of their machines. Viruses, spam, and takeover by botnets are all reasonably foreseeable consequences of attaching a Windows machine to the internet and not having a rigorous approach to updates and security. If granny can't cope with that then she shouldn't be allowed to connect a Windows machine to the internet in the same way we wouldn't let her drive if she's forgotten what the brakes are for.
HyRax
Sep 21, 2009 8:47 AM
All ISPs have to do is cut off anyone using Windows. Windows is solely responsible for 90% of the spam and junk out there. Cut them off and the Internet will suddenly have bandwidth it never knew it had.

Seriously, no-one can possibly expect an ISP to do this kind of monitoring. It's not their job to do this. If it was, then why don't we have checkpoints for dodgy cars on the road to prevent accidents, why don't pubs prevent people from actually getting drunk before it leads to other problems?