3

Suppose your aunt or uncle is easily fooled by phishing attempts and their computer has multiple rootkits and keyloggers running. Assume their computing habits will never change.

Looking at his wireless router you can see that he only visits a few dozen or a few hundred websites multiple times in a month. Instead of trying to keep the bad guys out, set up the firewall's default outbound rule to be block (deny/reject) everything to prevent the bad guys from getting out.

If this non-technical relative had a simple Python program running with an SSH connection into the firewall, the program could monitor the IP addresses as they get blocked. The program would then ask the user if they want to access 72.21.211.176 Amazon.com (USA). If the user says yes, the program might then ask: Allow outbound access to all 72.21.. networks? This is an attempt to save some time creating a whitelist.

I know opinions vary as to the value of egress filtering. But with all the technology advances in the last 20 years, I find it frustrating that there is not a simple way for non-technical users to prevent sending data to that village in Wales (Llanfairpwllgwyngyll) that we all know is full of nation state hackers.
http://en.wikipedia.org/wiki/Llanfairpwllgwyngyll

Since I am more of a SQL developer than a security expert, I am posting this to see if this would realistically help secure the home network in the example above. Of course the solution is not perfect, but it seems like it would help. This thought came about after reading about DGA malware that have been known to create thousands of new domains per second and realizing that attackers are way more sophisticated than I imagined. http://en.wikipedia.org/wiki/Domain_generation_algorithm

UPDATE As both answers indicate, this is not a good way to approach the problem. Too many IPs in the world and the user can't be trusted to allow only safe domains.

user584583
  • 215
  • 1
  • 12
  • Computer: "Do you want to access 666.666.666.666 amazon.com.phishing.co.tk?" User: "Yes, duh, that's why I clicked it. Of course I want to go to Amazon." – user253751 Jan 08 '15 at 01:13
  • It might actually say "Do you want to access 666.666.666.666 amazon.com.phishing.co.tk (New Zealand / Tokelau)". Being a good American the user would say No. – user584583 Jan 08 '15 at 01:53
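The monitoring program the question sketches, as an added example (not code from the question or from anyone in the thread): it parses netfilter-style drop lines from a default-deny OUTPUT chain, counts them per destination flow, groups the destinations into the /16 blocks that the "allow all of 72.21.." prompt would act on, and renders the narrow accept rule as a string without executing anything. The log lines, the `EGRESS-DROP` prefix and the addresses are constructed and simplified; real kernel LOG output carries more fields between `SRC=` and `DST=`, which the regex tolerates.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of netfilter-style LOG lines, as a default-deny OUTPUT
# chain might emit them. Addresses and timestamps are illustrative only.
SAMPLE_LOG = """\
Jan  8 01:10:02 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.20 DST=72.21.211.176 PROTO=TCP DPT=443
Jan  8 01:10:03 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.20 DST=72.21.211.176 PROTO=TCP DPT=443
Jan  8 01:10:05 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.20 DST=72.21.194.1 PROTO=TCP DPT=80
Jan  8 01:11:40 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP DPT=443
Jan  8 01:12:13 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=UDP DPT=53
Jan  8 01:12:14 gw kernel: unrelated kernel message
"""

# "EGRESS-DROP" is an assumed value set with --log-prefix on the LOG rule.
LINE_RE = re.compile(
    r"EGRESS-DROP .*?DST=(?P<dst>\d+(?:\.\d+){3}) PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)


def parse_drops(text):
    """Extract (destination IP, protocol, destination port) from each drop line."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a firewall drop line; skip it
        drops.append((m["dst"], m["proto"], int(m["dport"])))
    return drops


def summarise(drops):
    """Count drops per (ip, proto, port) and group the destination hosts by /16.

    The /16 grouping is what the "allow all of 72.21.*" prompt would act on;
    returning the hosts per block shows how few observed hosts a blanket rule
    is actually justified by.
    """
    per_flow = Counter(drops)
    per_block = {}
    for ip, _proto, _port in per_flow:
        block = str(ipaddress.ip_network(f"{ip}/16", strict=False))
        per_block.setdefault(block, set()).add(ip)
    return per_flow, per_block


def allow_rule(dst, proto, dport):
    """Render a narrow OUTPUT accept rule as a string; nothing is executed here."""
    return f"iptables -I OUTPUT -d {dst} -p {proto.lower()} --dport {dport} -j ACCEPT"


def already_allowed(dst, allowed_blocks):
    """True if dst falls inside any block the user has already whitelisted."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(b) for b in allowed_blocks)


if __name__ == "__main__":
    flows, blocks = summarise(parse_drops(SAMPLE_LOG))
    for (ip, proto, port), n in flows.most_common():
        print(f"{n:3d}x  {allow_rule(ip, proto, port)}")
    for block, hosts in blocks.items():
        total = ipaddress.ip_network(block).num_addresses
        print(f"{block}: {len(hosts)} host(s) seen out of {total} addresses")
```

The per-block summary is the part worth keeping even if the rest of the idea is abandoned: saying yes to "all 72.21.. networks" on the strength of two observed hosts opens 65,536 addresses, which is the AWS side-by-side problem the first answer raises.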

2 Answers

3

The problem with an outbound filtering solution of the nature suggested is that modern web applications and software contact a bewildering array of servers on the Internet and it would be very difficult for a non-technical user (or indeed anyone) to make informed decisions about this (To get a good illustration of the problem try running GlassWire or Little Snitch, both of which show you when a program makes outbound connections).

Also with the proliferation of cloud services there's no way by IP address to differentiate between a legitimate service using say Amazon AWS and a compromised AWS instance being used by malware, they could literally sit side-by-side in the same datacentre.

My personal recommendation would be for them to use a platform that is less targeted and/or less prone to malware. An environment where their user account has fewer privileges to install malware is likely to be less of a problem. Perhaps consider something which automatically resets the machine to a default config. on a regular basis as one option.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217
  • I see what you mean about AWS and I have installed glasswire. Currently the internet is the wild west. Local or National law enforcement can't do anything if 100 of us complain that someone in another country is trying to send key logger data out of all 100 of our networks. However, if the location is within the USA, local or Federal law enforcement has authority to do something about it. The creator of Snort, Martin Roesch touches on this when he talks about extradition during this excellent talk on youtube. https://www.youtube.com/watch?v=ooVZk7w4kqo – user584583 Jan 07 '15 at 19:31
  • Local or Federal law enforcement may have the authority to target a local hacker, but except in high profile cases, they are unlikely to actually do so. Plus, it's likely that the "local" hack is actually controlled remotely from a foreign or obscured location so even if the police do end up finding the source of the attack, that doesn't mean that they'll find and stop the attacker. – Johnny Jan 07 '15 at 23:35
  • I agree, the "local" hack from AWS in my comment is assumed to be remote. That means, most likely, the hacker will not be caught. But the local server could be shut down. Of course the hacker could use thousands of servers. I know there are sites where network or security admins can report malicious activity, scanning, etc. It would be really cool if there was a way to auto report attempted data theft where millions of independent home or business networks all over the country reported to some org. The power of crowd sourcing the attacks is, um, powerful. US Government does not... – user584583 Jan 08 '15 at 01:19
  • ...have the skills or initiative to build anything like this that will both work and be trusted. Part of the law enforcement problem is they don't have the tools or information they need to know that 1,000 servers in Virginia are attempting to steal passwords from X homes and businesses in the country. If the data theft attempt were automatically reported, the currently "invisible" attack would be known. Even if law enforcement did nothing, the data could be used to react. This is something that needs to be opensource and crowdsourced. Not owned by a business. – user584583 Jan 08 '15 at 01:25
  • Here is a sourcefire / snort / cisco product that does this for money. "Advanced Malware Protection for FirePOWER™: A comprehensive malware-defeating solution that enables malware detection/blocking, continuous analysis and retrospective alerting and leverages Sourcefire's vast cloud security intelligence. Available via a subscription add-on to FirePOWER appliances, simply software-enable these additional protections when you're ready - no need for additional hardware. " – user584583 Jan 08 '15 at 01:28
3

DNS management is the modern way to do this for the non-technical. Managed DNS services keep track of valid and non-valid entries in an effort to protect the non-technical in this way. Yes, you lose the granular control of whitelisting only those sites that a particular user goes to, but the admin overhead in case the user wants to change their behaviour is high.

Also, a web proxy can be installed that provides granular control over the sites and IPs that the user visits. Proxies vary in their ease of use and administration.

schroeder
  • 123,438
  • 55
  • 284
  • 319
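The name-based policy that a managed DNS service or web proxy applies, as an added example (not code from either answer or from any DNS product): a label-aware suffix match that allows `www.amazon.com` under an allowlisted `amazon.com` but rejects `amazon.com.phishing.co.tk` from the comment thread, shown beside the naive substring check that gets that case wrong. The allowlist and query names are constructed.

```python
def normalise(name):
    """Lower-case a DNS name and drop any trailing dot so 'Amazon.COM.' == 'amazon.com'."""
    return name.strip().lower().rstrip(".")


def is_allowed(qname, allowlist):
    """Label-aware suffix match: qname is allowed only if it equals an allowlisted
    domain or sits beneath it in the DNS tree (compared label by label)."""
    q_labels = normalise(qname).split(".")
    for entry in allowlist:
        a_labels = normalise(entry).split(".")
        if len(q_labels) >= len(a_labels) and q_labels[-len(a_labels):] == a_labels:
            return True
    return False


def naive_contains(qname, allowlist):
    """The tempting substring check, kept only for comparison; it is wrong because
    'amazon.com' occurs inside 'amazon.com.phishing.co.tk' and 'notamazon.com'."""
    q = normalise(qname)
    return any(normalise(entry) in q for entry in allowlist)


def decide(qname, allowlist):
    """Policy outcome for one query: 'allow' resolves normally, 'block' hands the
    client nothing (a real resolver would answer with a sinkhole address here)."""
    return "allow" if is_allowed(qname, allowlist) else "block"


# Constructed allowlist for the relative in the question.
ALLOWLIST = ["amazon.com", "bbc.co.uk"]

if __name__ == "__main__":
    for name in ["www.amazon.com", "amazon.com.phishing.co.tk",
                 "notamazon.com", "news.bbc.co.uk", "co.uk"]:
        print(f"{name:28s} suffix-match={decide(name, ALLOWLIST):5s} "
              f"substring={naive_contains(name, ALLOWLIST)}")
```

The label comparison is the whole point: matching on the right-hand labels of the query name rather than on a substring is what makes a domain allowlist hold up against look-alike names, and it is the same rule a proxy applies when it checks the Host header or SNI against its allowed-sites list.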