Feeds

Time to blacklist blacklists

Plenty of ways to overcome 'minor inconvenience'

Beginner's guide to SSL certificates

Blacklists have their place for detecting and identifying malicious content and activity, with the whole signature-based malware detection industry effectively being built around the concept that blacklists are reliable mechanisms.

The only problem is that they aren't.

They certainly are an important element of security models, but the last couple of decades of security research has shown that they quickly become ineffective in the face of a rapidly evolving threat.

Early in the life of antivirus tools, simple signature based detection was enough. An internal blacklist could identify all known pieces of malware because they did not evolve or spread very rapidly. When polymorphic malware began to exhibit better software development, the need for heuristic detection engines became more urgent. Most antimalware software now has a combination of blacklisting and heuristics in use to assist in identifying malicious activity (when they aren't busy deleting critical system files or being compromised by their own analysis engines).

Having an exhaustive blacklist helps companies claim that they detect many tens of thousands of viruses and malware, when in reality it may be many different versions of a few key pieces of malware, just different enough from previous versions to require a brand new blacklist signature.

Moving on to blacklists of known spam-generating IPs and malware-serving sites, we start to see significant problems emerge with this particular approach to protection.

Many mail server administrators will have encountered at least one period where they have found their IP on an RBL (Real Time Block List) alongside IPs that have seen to be spewing spam across networks (or they could have just had AOL mailing list subscribers who find it easier to report as spam than unsubscribe from something they manually subscribed to). With the use of dynamic IP addresses and virtual hosts, many have found that if they have a bad network neighbour, they can be hit with the same blocking (we've had it happen a few times) from indiscriminate RBL maintainers.

Even important registries are not immune from arbitrary blockage and ongoing annoyance from poorly developed RBLs.

The problem of misidentification becomes even worse when blacklists of websites that are hosting malware and phishing attacks are maintained. Microsoft, Mozilla, Opera, McAfee, and Google are just some of the large bodies that have invested significant resources to the creation, maintenance, and use of website blacklists to warn users of potential malicious activity on websites (and in some cases prevent access).

Anyone who spends even just a little bit of time involved with researching and observing the patterns and pace of website attacks, hacks and defacements will know that websites are essentially fragile entities and it doesn't take much for a well-trusted site to become a malware-spewing nightmare.

Like trying to use DRM to restrict the spread of copyright infringement, using blacklists / blocklists to limit access to sites will only stop the honest, and the casual attacker (extremely casual attacker) from getting people to see their site. Any attacker that is remotely serious about their work will have plenty of ways to bypass and overcome the minor inconvenience that the blacklists pose.

If any further evidence was required, a security researcher (Kuza) has published a small set of techniques that can be used to bypass these website blacklists. The set of techniques published reflects just a small number of the many different ways that it is possible to avoid these lists, not least of which is the fact that it takes time for a site to be added to a blacklist.

The response that Kuza received from Microsoft when he reported his techniques for phishing detection avoidance is actually quite an intelligent response - "[it] is not a security feature".

The only problem with this is that many, many people (including a lot of 'security' people who should really know better) consider these lists to be just that - a security feature.

It is time that people became aware that these lists are a small tool of their protection arsenal, and not the major innovation that their creators and maintainers describe them as. It is also time that people became aware of the problems that these lists can cause when improperly developed and maintained (and even when they aren't).

This article originally appeared at Sūnnet Beskerming

© 2007 Sûnnet Beskerming Pty. Ltd

Sūnnet Beskerming is an independent Information Security firm operating from the antipodes. Specialising in the gap between threat emergence and vendor response, Sūnnet Beskerming provides global reach with a local touch.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.