Two months ago, Comcast launched Constant Guard, a campaign to help stem the rising tide of botnets—software that takes over a consumer’s computer and sends spam or steals passwords in the background.
Consumers who are part of the technical trial in Denver for the “Service Notice” feature of the program are generally happy with the notifications, according to a Comcast spokesperson.
Threat and response
In the last few years, botnets have been growing significantly as hackers figured out new ways to profit. What is novel about Comcast’s approach is that they are proactively working to inform consumers about infections while balancing other concerns.
“We have 15.3 million cable modem customers, and there are so many inventive ways that hackers are getting at our customers’ computers,” Charlie Douglas, Comcast director of corporate communications, said. “This is a valuable investment into our data products for making sure it is a great customer experience. People will not want to use an Internet service if they are more likely to get infected.”
In a botnet, a hacker takes control of a group of computers, which can then be directed to send spam, monitor keystrokes, or launch denial-of-service attacks on websites. In some cases, hackers have taken control of thousands or millions of computers, which are controlled collectively from a command-and-control server.
“The Internet is evolving and there are new technologies that balance the needs between security and privacy,” Douglas said. “We feel pretty good about the approach we have taken. We want to work with organizations like the IETF and other Internet security experts and engineers to make sure we are doing everything we can. Working collaboratively, the Internet community can help bring the best resources together to fight botnets because they are becoming so virulent.”
The number one reason people get infected is that they are not running up-to-date security software. As part of the program, Comcast gives away the McAfee Security Suite and toolbar for customers to use for free.
Balancing security and privacy
There are numerous techniques for determining whether a computer is infected with a virus or is part of a botnet. But Comcast is taking precautions not to use techniques that might violate a consumer’s privacy. For example, Comcast will not be using deep packet inspection to look at the specifics of the traffic, even though this would give them better control over security.
Likewise, many bots can be found because they respond to a special request sent to the PC. But probing customers’ machines this way also creates privacy concerns.
With Constant Guard, Comcast will focus on tracking communications with known bot command-and-control servers. “We are looking at the router level of activity to see if a computer is talking to a known bot rendezvous point,” Douglas said. “If we see a lot of traffic being shepherded to or from a known infected IP address, that generates a red flag that needs to be investigated.”
(For an IETF Internet-Draft recommendation from Comcast on identifying bots, click here.)
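The flow-level check described above, as an added example that is not Comcast's code or part of the original article: it matches header-level flow records (no payload) against a feed of known command-and-control addresses and flags a subscriber only after repeated contact inside a time window. The feed entries, subscriber range, flow records, and thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation ranges stand in for a C2 feed,
# 10.0.0.0/8 stands in for the ISP's subscriber address space (assumption).
C2_FEED = ["192.0.2.10/32", "198.51.100.0/28"]
SUBSCRIBER_NET = ipaddress.ip_network("10.0.0.0/8")

# (epoch_seconds, src_ip, dst_ip, bytes): header-level metadata only.
FLOWS = [
    (1000, "10.1.1.5", "192.0.2.10", 420),
    (1300, "10.1.1.5", "192.0.2.10", 380),
    (1600, "192.0.2.10", "10.1.1.5", 900),     # C2 -> subscriber direction
    (1900, "10.1.1.5", "198.51.100.7", 150),
    (1100, "10.2.2.9", "192.0.2.10", 60),      # single stray contact
    (1200, "10.3.3.3", "203.0.113.50", 5000),  # not on the feed
    (1250, "10.3.3.3", "198.51.100.99", 700),  # outside the listed /28
]

def load_feed(entries):
    return [ipaddress.ip_network(e) for e in entries]

def on_feed(ip, feed):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in feed)

def flag_subscribers(flows, feed, min_flows=3, window=3600):
    """Return {subscriber_ip: stats} for subscribers with at least
    min_flows flows to or from feed addresses within `window` seconds."""
    hits = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        for local, remote in ((src, dst), (dst, src)):
            if ipaddress.ip_address(local) in SUBSCRIBER_NET and on_feed(remote, feed):
                hits[local].append((ts, remote, nbytes))
    flagged = {}
    for sub, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_flows:
                flagged[sub] = {
                    "flows": len(events),
                    "remotes": sorted({r for _, r, _ in events}),
                    "bytes": sum(b for _, _, b in events),
                }
                break
    return flagged
```

Requiring several contacts inside the window keeps a single stray connection to a listed address from generating a customer notice.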
One of the biggest challenges lies in communicating with consumers. Comcast had considered numerous approaches, such as sending physical letters or emailing consumers. But letters are too slow, and consumers might not be using the email address Comcast has on hand.
So Comcast found a way to send a notice within the top pane of a browser window. For now, the Comcast security team manually sends these messages in order to provide some control over the system.
The notification service is only happening in Denver. It has already sent out hundreds of notifications. Only one notice is sent at a time so as not to annoy the customer.
“We are gauging customer interest and reaction, and once we have the right technological and operational elements in place, we will launch the whole thing nationally,” Douglas explained. “The notification platform will allow us to bring more scale to the customer assurance team to be able to notify more people faster when it appears they have been compromised by a bot.”
Comcast had considered putting bot-infected machines into a walled garden, as other ISPs have done, but decided not to take that approach, which would have prevented customers from working. Comcast wanted to give consumers the choice of addressing the problem when it was convenient, rather than annoying them.
So how will consumers know that the Comcast notification is genuine? Suggesting that this anti-bot program could “backfire in the long run,” one of the first posts responding to the news of Constant Guard on DSLReports.com flagged the potential for rogue anti-virus programs that duplicate the Comcast message.
It’s a contingency that Comcast has considered, with links in the banner alerts explicitly addressing the question: “How do I know this notice is from Comcast?” (For an IETF Internet-Draft example from Comcast of a web notification system, click here.)
So far, consumers appear to be accepting the new system. “The vast majority of users are generally happy that we are calling them,” Douglas said. “In some cases, there is a sense of disbelief that they have been infected. When we show them how to disinfect their computers they are relieved.”