Security Scene: Introducing Constant Guard
If you've been reading this blog regularly, you know how serious we are about your Internet security. What most people didn't know is we've got a dedicated team here whose sole focus is to help protect our customers from bots, viruses, spam and other serious threats from hackers around the globe. Our team has been working behind the scenes, but now we want everyone to know they're on the case and they're not going to let the bad guys win.
Today, we're unveiling this comprehensive security program that we're calling "Constant Guard." It's designed to help protect our customers whenever they connect to our high-speed Internet service.
"Constant Guard" has three key components:
1. People: it all begins with highly skilled professionals in Customer Security Assurance (CSA) who proactively reach out to customers to deal with issues having to do with bots, spam, or virus-infected PCs (to name just a few of the many security issues they help manage).
2. Tech: We've talked about the McAfee Internet Security Suite here before, but it warrants repeating. Our high-speed Internet customers can download this suite to their computers for free. They can also get the Comcast Toolbar which includes spyware detection and removal as well as a pop-up ad blocker with built-in anti-phishing software. And starting today in Denver, CO, we are testing a new "Service Notice" customer alert that lets people know if we have reason to believe their home computer has been infected with a bot. The Service Notice is sent to appear in their Web browser with a direct link to our Anti-Virus Center where they can diagnose the problem and take steps to fix it.
3. Education: A wise man once said, "Knowing is half the battle." The Security Channel on Comcast.net is a great resource for all things security related.
Cybercriminals aren't taking it easy, so we continue to work hard to help make sure our customers are well protected from a variety of online threats.
We're among the very first ISPs in the U.S. to take this kind of proactive approach to help protect customers online. Let us know what you think and share your ideas about how we can keep improving Internet security.
Update: As of January 20th, Comcast High-Speed Internet subscribers can now receive the Norton™ Security Suite for no additional charge. Check out this post for more details.

Comments (15)
Hey thanks for this software. I like to own it to aware hackers. You are providing such a good service to avoid bots, viruses, spam and other serious threats...
Thanks,
IT Support Los Angeles
Well I Have Been With Comcast Since September 13 2008 I Know You All Work Very Hard To Provide Service For Your Customer I'm Very Happy With My Triple Play Bundle With HD Services (No Problems So Far) Things Happen For A Reason I Understand Keep Up The Good Work Okay One More Thing In The Beginning Had Decided To Switch To AT&T (Trouble With Services) But Since Comcast Was Working Very Hard On Improving My Services Now Over A Year Later I Decided Against AT&T & Decided To Stay With Comcast & I Have Been Happy Ever Since I Have Been Telling My Friends Every Chance I Get To Go With Comcast They Will Be Just As Happy As I Am In The Long Run You All Must Be Doing Pretty Good When I Go To The Comcast Payment Center It Is Always Crowded Must Be Something About Amazing Services I Have A Good Idea For You All Start A Comcast Cellular Service Think This Over All Those Cell Phone In The World More Money For Comcast Okay E-Mail Reply Back To Me Like To Hear What You All Think About My Messages God Bless You All Anthony R Gibson
That would definitely be a cool added feature to enhance customer's PC Security. Knowing when a computer is infected with viruses/spyware is critical because it enables the customer to determine the best course of action at the most appropriate time. Additionally, customers do need a proactive remote computer repair service to help overcome the sudden outburst of malicious codes being increasingly complex with virus infections involving more system elements than ever before.
I'm going to paste the relevant section from our FAQs http://security.comcast.net/constantguard/faqs/notification.html:
To help you verify the Service Notice is from Comcast, you should receive an email confirmation of this Service Notice to your Primary Comcast.net email account. Please click here to sign into your Comcast.net email.
The email will come from "csa-noreply@comcast.net" and will have a subject line of "Constant Guard Security Notice".
Noted below is a sample of the email sent to your Primary Comcast.net email account.

From: csa-noreply@comcast.net
Subject: Constant Guard Security Notice
Customer Security Assurance Notice
Dear Comcast Customer:
Constant Guard has identified that one or more of your computers may be infected by a computer virus known as a bot.
A bot is a form of virus that is used to gain control over a computer, typically without the owner’s knowledge. Online criminals can use bots to collect personal and private data such as Social Security numbers, bank account information, and/or credit card numbers. This can also lead to identity theft.
We recommend that you take a few minutes to visit the Anti-Virus Center for instructions to assist you in removing the virus from your computer. To help stay protected, we strongly advise you to perform regular Operating System and anti-virus software updates.
Comcast also makes extensive information available about the latest security alerts on the Comcast.net Web site. To view this information we urge customers to visit www.comcast.net/security .
Thank you for choosing Comcast!
Sincerely,
Customer Security Assurance
____________________________________________________
We tend to agree as our tests reveal the walled garden can be very disruptive to internet applications and isn’t the best vehicle for delivering an important service message. That being said, the walled garden can be useful when applied in the appropriate situations.
The Service Notice is not tied to visiting Comcast sites and may be received by the customer when visiting non-Comcast sites. Our objective is to use the most effective means to alert our customers to service related issues such as infected or botted PCs and our initial results over the past few days indicated the service notice is well received and is successful in offering helpful instruction. Assuming this success continues, we will look to use the Service Notice to communicate other important service related messages.
At this time the Constant Guard Service Notification is only available to residential customers. That isn’t to say commercial customers are not at the same risk of being infected with Bots and we will look for solutions to assist our commercial customers in a style complementary to their needs.
Some questions I have about this:
How do users know that the warning is really from Comcast and not a malicious impersonation?
How do users know that a "warning" (a malicious impersonation they assume is real) is not from Comcast?
There are innumerable malicious websites on the internet that already display graphics that appear to be anti-virus programs telling you your computer is infected, only to get you to download their malicious software. Aren't those criminals going to take advantage of your users' trust and supply warnings identical to yours, except that it points them to malicious code? Especially when you're the largest residential ISP in the U.S.?
How are users that aren't knowledgeable enough to prevent themselves from getting infected in the first place going to know how to avoid the malicious impersonations of your "Constant Guard" service? Those are the people that need this service the most, but are most likely to be fooled by impersonations.
You could attempt to filter out impersonations with your proxies, but that can easily be worked around (https, obfuscate/encrypt it and use javascript to decode it in the browser, use images, etc). There have been browser vulnerabilities in the past that allow the address bar to display a different URL than the site you're actually visiting, and there's no guarantee similar vulnerabilities won't occur in the future.
Even if you went as far as allowing the user to set up an account for this, letting them choose a special image and keyword to be displayed to them when the warning appears, similar to modern bank website logins, your warnings will be displayed on potentially malicious websites, which may have access to these things via javascript, and may upload that information to the malicious to store for later use.
Now I'm no security professional (though I do have a large interest in computer/network/info security and have been studying it a little for about 5 years), yet it seems as though there are numerous flaws to this system. This isn't just a notification system. This is a *security* notification system. Yet it seems that it is wide open to abuse by criminals. I wonder if you will unintentionally increase users' trust of malicious, "your computer may be infected", warnings, leading to more infected machines. In fact, as far as the client end is concerned, it appears that you are copying the techniques of criminals to inform them of their possible infections.
I glanced at the IETF draft for Service Notifications, and the only mention of "security" is that security considerations will be added in a future update of the draft (http://tools.ietf.org/html/draft-livingood-web-notification-00#section-11). Have any security experts been consulted while designing this system, or was security just an after-thought? I sure hope it wasn't an after-thought, since "Constant Guard" is in fact dealing directly with security issues. With the information I've seen about this so far, it appears it was initially designed with no thought of security whatsoever. I hope I'm wrong, and that you have already solved these problems (and any others I forgot to mention or haven't yet thought of).
My questions about the security of this system aside, I would much prefer this system to be at least opt-out, if not opt-in. I personally have no use for this system. At home I keep my machines and network locked down pretty well: run a linux router, use multiple linux machines, rarely use windows (though there is one windows machine on my network, with anti-virus, which I keep a careful eye on), watch traffic/connections, check logs, etc. I know it's not impossible for one of my machines to be compromised, which is why I'm always watching things. I certainly wouldn't trust this service enough to watch my machines/network any less than I currently do.
What mitigation steps have been thought of in relation to malicious attackers forging the Comcast in-page notifications?
It seems an ideal vector for phishing attacks once end users have become familiar with such notices.
As a Comcast subscriber, I DO NOT WANT THIS. I want to fully choose what is monitoring and protecting me, NOT big brother ISP.
This isn't truly related to post on hand, and a little off-topic, BUT!
I am beta testing browsers, specifically of Firefox Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729) - Build ID: 20090824101458. It might behoove you and your sites to not be so picky on the version. Especially when the redirection goes to a 404 page. I hate to think of what happens when Firefox puts out another fix/version.
Sounds good, but I'm concerned over the "Walled Garden" approach. I hope this is only used in extreme cases, if at all. I like the web browser notification solution the best.
Excellent! I am sure there is a significant body of users who would get their infections fixed if only someone would tell them. Between privacy considerations, and the cost of human intervention, it hasn't been economically feasible.
Very good Comcast! This is a great new feature you are rolling out and it should both help a lot of people as well as save you some headaches by getting all of that infected bot and spam traffic off of your network. My question though is will this be triggered as the user just browses the web, or will the user have to visit a Comcast controlled site, such as comcast.net before they see the alert? If a user has to visit a Comcast site to see the alert, it's not as good as if you can just push this alert to the user regardless, as many users (myself included) never visit Comcast controlled websites or do so very rarely.
Also, I have to wonder what else you may do with this technology. Will you start alerting users to other things as well, such as high bandwidth usage, new services available, service outages, etc? While using this banner technology for stopping malware is a good thing, I can think of quite a few ways off the top of my head that something like this could be abused, whether it be for advertising or something else. Are there any other plans right now besides using this to stop malware? If so, I would be curious to hear them.
Is this going to affect both the residential side and business side? As a business class customer, I have taken the additional security precautions necessary and don't appreciate the overhead potential that this could create for other various types of traffic such as VoIP and streaming video (which is very latency sensitive)? Also what is the false positive rate?