Comcast and Constant Guard – should you worry?by Steve Ragan - Oct 12 2009, 21:00
Comcast has started a trial in Denver that will alert customers if the network traffic coming from their system shows signs of being part of a botnet. The notion that an ISP is being pro-active to protect their network and customers is a good one, but there is still the chance that things can go too far, or horribly wrong.
Comcast’s new initiative is called Constant Guard, and what it does is alert customers with a “Service Notice” both in the browser, and email to the customer’s primary “Comcast.net” email account, that they are infected by “a computer virus known as a bot”.
Those who get the notice are instructed to head to the “Anti-Virus Center” and follow instructions to remove the bot from the system. This is just one of the features in the Constant Guard program. Along with the notices, Comcast said that customers can get access to McAfee Internet Security, the Comcast Toolbar, and internal technology on the Comcast network, such as Phishing and Spam protection from Cloudmark, Return Path, and blacklists from Spamhaus and TrendMicro.
If infected, McAfee Internet Security is the suggested choice to remove the Malware. However, while McAfee’s software is free to customers, Comcast will also sell the services of a technician to remove the infection.
Comcast has told several media outlets the same base information. Customers can close the warning, but they cannot opt out of getting them. If they are closed, they will return a few days later. Comcast also said that the Constant Guard program is an expansion on an earlier program where customers were alerted to infections by telephone. When it comes to how the detection works, this is where things get sticky.
Comcast is not looking into traffic, meaning there is no packet inspection (DPI), and nothing to suggest that anyone should worry about privacy issues. They are using third-party information to track IP addresses of known malicious hosts, as well as the aforementioned blacklists. So downloads from a known C&C for example will raise red flags.
Yet at the same time, Comcast has been known to mess with packets on their network. Last year, they stood in the middle of a firestorm thanks to traffic shaping. Comcast was caught red handed using TCP resets to block traffic based on protocol, the top issue was BitTorrent traffic.
The issue got worse when, after denying it at first, Comcast came clean and mostly admitted to the traffic shaping, but essentially said they couldn’t tell people about it because they would circumvent the process. They defended the traffic shaping by comparing it to a traffic jam, where a car is slowed from entering the freeway for a moment, not blocked from entering it entirely. They also added that the press and blogosphere would keep them honest, as one of the reasons for the FCC to take no action.
So while the pro-active security is awesome, the fact they have been under a microscope in the past because of network policies, and the fact they have the ability to launch DPI at any time of their choosing, is a bit of a cold chill.
There’s another aspect to the pro-active security that could haunt Comcast users. The method of notification will come from popup ads and email. Not to sound alarms or claim the sky is falling, but think about that.
Most Rogue anti-Virus infections start with popup ads, warning of infection. A fact the AP reminded people of when they covered the Comcast story, but the AP forgot some things. How long will it take until the Rogue anti-Virus popup warnings target Comcast users?
If criminals use a mix of known Web attacks and browser hijacks, it is possible for someone to spoof the general look of these notices, leading to massive installation payments for the Rogue anti-Virus affiliate systems. Comcast is admittedly aware of this potential issue. At the same time, while the plan to embed links to “how do I know this is real” type information in the notices is great, that wont stop a dedicated group of criminals.
Next we get into Phishing, because the other part of the Comcast notice is email. While Comcast will use IP reputation and blacklists from Spamhaus and TrendMicro, as well as Cloudmark and Return Path technology, they will never catch all of the Phishing attempts aimed at their email notification system. Some attempts will get by, and that could cause issues as well.
Comcast is starting in Denver, but fully plans to release Constant Guard to all of their customers by Q1 2010. Overall, despite the potential for criminals to single this out and cause mayhem, the idea is a solid one. Other ISP’s should do something similar. Instead they redirect URL mistakes and 404 pages to ad-laced search results, but that is another story.
More information on Constant Guard is here.
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to firstname.lastname@example.org]