ThreatSTOP Blog

Don't let your computers talk to countries they aren't allowed to

Written by threatstop | June 10, 2011

Many organizations are subject to government regulations such as ITAR or OFAC that prohibit any dealings with certain foreign nations. Many others have countries that they will not do business with for reasons of corporate policy - because of rampant piracy or fraud, for example. However, on the Internet it isn't always obvious where another computer is located. At least not from the domain name it reports or the place a user fills in as a contact address. This means that, wittingly or unwittingly, computers in any organization may be connecting with other computers in locations they are legally forbidden to have any communication with.

ThreatSTOP has always had the ability to block countries - but we had not extended the capability beyond two countries (Russia and China) before today. As of today we have created 5 new combination lists for our standard mode subscribers and a list of some 30 or so countries for our expert mode subscribers. This extension of the geographic block capability now allows our subscribers to do far more than just block China: they can now block based on specific sanctions regimes such as ITAR or OFAC, and we have also added a specific Eastern Europe list that blocks countries that are currently major sources of malware. This list - currently Russia, Ukraine, Romania, Moldova and Latvia - is a list of countries that consistently provide far more than their 'fair share' of malware because they offer lax enforcement, which in turn means they are able to provide bullet-proof hosting and other related facilities for criminals.

If (when?) countries make a clear effort to clean up their ISPs and hosting providers then they will be removed from the list; likewise other countries may be added if they are seen to be worth adding. Of the 5 listed, Ukraine and Latvia vie for the "prize" of being the worst country for malware among those that have more than a handful of IP addresses. Our lists have blocked roughly 5% of Ukraine's total IP addresses ever since we started tracking by country, and about 6% of the (much smaller) address space of Latvia. The other 3 - while far less bad proportionally - are also highly significant sources of malware.

The ITAR and OFAC lists of countries are less complex. These are countries that certain organizations are legally forbidden from having contact with and hence should not let their computers communicate with. The advantage of using the ThreatSTOP lists is that we will keep track not just of changes in IP address allocation but also of changes in the state of the laws, so that as countries are added to and removed from the various lists, the block lists will change accordingly.

ITAR: Afghanistan, Belarus, Burma (Myanmar), China, Cote d'Ivoire, Cuba, Cyprus, Congo (Dem Rep), Eritrea, Haiti, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Sierra Leone, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Yemen and Zimbabwe

OFAC Embargo: Cuba, Iran, Syria

OFAC Sanction: Libya, Sudan, North Korea, Myanmar (Burma), Liberia, Iraq, Zimbabwe, Serbia, and Cote d'Ivoire

Finally there is the Modified ITAR list - this is a list of countries that are generally suspected of industrial espionage and potentially other acts against US interests. Many are on the ITAR and OFAC lists but not all, and the list does not include some countries that are on those lists. Currently this list contains: China, Brazil, Russia, India, Korea (both), Vietnam, Ukraine, Cuba, Czech Republic, Estonia, Georgia, Iran, Latvia, Lithuania, Moldova, Romania, Pakistan, Serbia, Somalia, Venezuela and Yemen.
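To show what a country-based egress block list like the ones above actually does at the packet level, here is an added example that is not ThreatSTOP's own code. It assumes a tiny constructed prefix-to-country table using RFC 5737/3849 documentation ranges (a real table comes from the RIR delegated files or a geolocation feed and changes constantly, which is exactly the maintenance burden the post describes), and it assumes ISO 3166-1 alpha-2 codes for the countries the post names. It composes the chosen regimes into a collapsed prefix list, resolves an address to its country by longest-prefix match, and flags outbound flows from some constructed firewall log lines whose destination falls inside the block list.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample allocations: prefix -> ISO 3166-1 alpha-2 country code.
# These are documentation ranges chosen for illustration, not real assignments.
SAMPLE_ALLOCATIONS: Dict[str, str] = {
    "192.0.2.0/25": "CU",
    "192.0.2.128/25": "IR",
    "198.51.100.0/24": "UA",
    "203.0.113.0/26": "KP",
    "203.0.113.64/26": "US",
    "2001:db8:1::/48": "SY",
}

# Country sets for three of the regimes described in the post. The post names
# the countries; the two-letter codes are an assumption for this example.
OFAC_EMBARGO = {"CU", "IR", "SY"}
OFAC_SANCTION = {"LY", "SD", "KP", "MM", "LR", "IQ", "ZW", "RS", "CI"}
EASTERN_EUROPE = {"RU", "UA", "RO", "MD", "LV"}

REGIMES = {
    "ofac_embargo": OFAC_EMBARGO,
    "ofac_sanction": OFAC_SANCTION,
    "eastern_europe": EASTERN_EUROPE,
}


def build_blocklist(regimes: Iterable[str], allocations=SAMPLE_ALLOCATIONS):
    """Union the country sets of the chosen regimes and return the collapsed
    list of prefixes allocated to those countries (IPv4 first, then IPv6)."""
    countries = set()
    for name in regimes:
        countries |= REGIMES[name]
    nets = [ipaddress.ip_network(p) for p, cc in allocations.items() if cc in countries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses merges adjacent or overlapping prefixes, so the two
    # /25s above become a single /24 when both CU and IR are in the list.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip: str, blocklist) -> bool:
    """True if the address falls inside any prefix of the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def country_of(ip: str, allocations=SAMPLE_ALLOCATIONS) -> Optional[str]:
    """Longest-prefix match of an address against the allocation table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in allocations.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


# Constructed firewall-style log lines: timestamp src dst dport
SAMPLE_LOG = """\
2011-06-10T09:00:01Z 10.0.0.5 203.0.113.70 443
2011-06-10T09:00:02Z 10.0.0.5 192.0.2.200 80
2011-06-10T09:00:03Z 10.0.0.9 198.51.100.44 8080
2011-06-10T09:00:04Z 10.0.0.9 203.0.113.10 25
"""


def flag_outbound(log_text: str, blocklist,
                  allocations=SAMPLE_ALLOCATIONS) -> List[Tuple[str, str, str]]:
    """Return (src, dst, country) for every flow whose destination is in the
    block list: the alert an egress filter built from the list would raise."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _port = line.split()
        if is_blocked(dst, blocklist):
            hits.append((src, dst, country_of(dst, allocations)))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(["ofac_embargo", "ofac_sanction"])
    for net in bl:
        print("block", net)
    for hit in flag_outbound(SAMPLE_LOG, bl):
        print("ALERT outbound to listed country:", hit)
```

Two points the code makes concrete: the block list is only as good as the allocation table behind it, so the table (not just the country set) has to be refreshed as prefixes move between registries; and separate regimes are just different country sets over the same table, which is why a combined list can be produced cheaply once the table is maintained.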

It is worth repeating that neither the Eastern Europe nor the Modified ITAR list is based on a legal requirement. They are, however, considered to be useful as a shorthand for protecting against certain sorts of attack. If you are a technology company worried about industrial espionage then the Modified ITAR list is probably of great interest, and anyone who has no particular reason to do business with Eastern Europe will find it useful to block the attentions of the criminals there that operate botnets using ZeuS and related trojans. With the growth of ACH fraud and the current state of US case law, failure to protect against these trojans is a great way to see your organization bankrupted.