Originally published at: http://community.ca.com/blogs/securityadvisor
October 29 2009, 09:13 PM by Benjamin Googins
Earlier this month Comcast announced in a blog http://blog.comcast.com/2009/10/security-scene-introducing-constant-guard.html the launch of Constant Guard. The program will alert users when they are infected with a virus – the program seems specifically focused on bandwidth-consuming bots. ISPs have done little to leverage their unique position to help combat bots, so it is encouraging to see Comcast taking this step. Comcast launched the program in the Denver area a few weeks ago on a trial basis under the premise it will be replicated to other user areas. I believe this is the first of its kind from a provider as large as Comcast, so I have concerns with some of the implementation choices, as described below.
Here is basically how the program works:
- First, once a Comcast user is determined to be infected with a bot, they will receive an email like the one at this link (for copyright reasons, I could not post the actual image): http://security.comcast.net/constantguard/faqs/FromComcast_2.htm This email will arrive at their primary Comcast email account.
- Second, the infected computer will receive a popup “service notice”. Click on this link and you will see the notice in the middle of the page (again, I avoided adding it directly to the blog here because of possible copyright problems): http://security.comcast.net/constantguard/ Note the popup is received by the “user” of the computer that is infected, not necessarily the Comcast subscriber. So if a wireless network is not password protected, someone using the network, unaffiliated with the subscriber, will receive the popup (when the subscriber receives the email, they might be a little confused after spending time unsuccessfully scanning their computer for a virus).
- Third, if the user clicks on the link in the email or popup, they will land here: http://security.comcast.net/avcenter. This site gives tips on updating the user’s operating system and installing and/or updating an antivirus product.
- Fourth, the user can click the ‘how do I know this notice is from Comcast’ link in the popup, which tries to explain that the popup and email are really from Comcast.
- Fifth, the user needs to remove any infection from the computer that received the popup notice. If they do not, Comcast will notify them again.
Positive aspects of Constant Guard
Overall, I like the fact that Comcast, a major ISP, is starting to take on the problem of virus bots. The average user has no clue they are infected unless their anti-virus program or someone else tells them. Once a user understands they are infected and understands the consequences, I am confident they will put energy into making sure their system gets cleaned up, helping themselves and Comcast. The email and popup use clear and straightforward messaging. I like the lack of dramatic and hyped language. I also like the fact that Comcast is using two methods to contact users. Repetition in this instance is good. If a user misses one, hopefully they will get the other.
Things I don’t like about Constant Guard
Unfortunately, spam is far more frequent than desired email on a daily basis and the majority of webpages with supposed security content are fraudulent, so I am not sure these two methods are the best way to communicate with users. Both of the messages above could have just as easily been created by a virus writer trying to sell fraudulent software. How will the average user know the difference?
The use of the ‘how do I know this notice is from Comcast’ link could be just as easily mimicked. There is nothing preventing a virus writer from creating a webpage that says the same thing: “I am good, really, trust me.” This language is not reserved for software that is actually legitimate. Virus writers could just as easily raise their hand and say the same thing and then go on to infect your computer and take your money. How will the average user know the difference between a virus saying ‘I am legitimate’ and something legitimate saying ‘I am legitimate’? I find the message odd.
Given the number of computers infected with bots, I can imagine a lot of Comcast users being contacted via these emails and popups. They will start to be conditioned to have trust in these forms of communication. If there is a major phishing campaign launched, using Comcast mimicked messaging and delivery, subscribers will already be conditioned to click. Who is going to pay for all of the collateral damage of this conditioning, Comcast? It is a commonly held view by security experts that users should totally avoid clicking links in emails or at the very least exercise extreme caution when doing so. The same generally goes for popups: “don’t click or believe them.” So, I think it is a dangerous precedent for Comcast to start conditioning users to have trust in links in popups and links in emails.
If you are unfamiliar with the huge problem of fake security software, look at one small example, a blog here: http://community.ca.com/blogs/securityadvisor/archive/2008/10/14/two-good-looking-windows-security-centers-one-fake-one-real.aspx Fake websites and security programs can look identical to legitimate ones, with no obvious way of telling them apart.
Recommendations and thoughts
I think Comcast should seriously consider taking this trial run of Constant Guard in Denver as a chance to modify the mechanisms they use to deliver messages about bot infections. Here are a few thoughts and suggestions off the top of my head:
- First, I understand how convenient popups and emails are for delivering information to Comcast users on a large scale. If Comcast needs to use emails and popups, they should remove the hyperlinks. Hyperlinks like this will condition bad browsing habits.
- Second, Comcast should consider using alternative mechanisms to alert users. No method is foolproof, but Comcast could notify users via their online account. Also, Comcast should consider how they can use snail mail and phone messages. Snail mail might be unrealistically slow, but might be good for a follow-up if the user is infected. It could be used in other ways to complement overall messaging. Phone messages might be another option. I think a mixture of communication vehicles is necessary.
- Third, communicate to subscribers about Constant Guard prior to implementing the program in the user’s geographic area. This will help them know what emails or popups to expect to receive if they are infected. For example, paying the Comcast bill is one thing users can be relied upon to do (generally), so whether the user pays online or via snail mail, Comcast should include a note about Constant Guard in the monthly bill. Comcast should include screenshots of what the popups and emails will look like. Users who have prior knowledge will be better prepared and will not dismiss the popups and emails when they do arrive. Hopefully, they will generally continue to regard popups and emails with suspicion, but will make exceptions for the Comcast messages. The trust will be established before it is needed, but not extended beyond Comcast.
- Fourth, I think Comcast should give users the ability to opt-out of Constant Guard. The program could be turned on by default, but there are circumstances when users do not want it and it becomes intrusive, so they should have the opportunity to opt-out.
Again, I commend Comcast for taking on bots. I hope other ISPs begin looking at creative ways they can make a dent in bots that plague the Internet. I fear that the messaging Comcast plans to use for Constant Guard will set a dangerous precedent and encourage bad browsing behavior and confuse users.
What Do Comcast Users Think?
I am really interested in hearing from you and getting your overall opinion. Do you think the popups and emails could cause problems? Who should pay for unintended consequences? Will Comcast’s approach to Constant Guard cause greater insecurity than the intended improved security?
References:
- http://security.comcast.net/constantguard/
- http://security.comcast.net/avcenter/
- http://blog.comcast.com/2009/10/security-scene-introducing-constant-guard.html
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
Comments from original posting:
Have not experienced much of anything yet. Did have one problem with Comcast. Someone got ahold of my wife's password and sent it out over the net api comcast. The people there toyed with me for two weeks before I finally found someone who knew what they were doing and got my email straightened out. I am constantly on the lookout for strange things.
Posted by: dave, November 1, 2009 4:21 PM
I haven’t used Constant Guard but rather McAfee. I guess the McAfee brand sold me and I trust it a little more. It lets me know if a virus has been detected and there’s always upgrades and updates. This is a good feature that Comcast gives its customers.
Posted by: Jordan Everwood, November 19, 2009 4:23 PM