Slashdot Mirror


Identifying Compromised Websites

linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"


  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. What?!? by Concrete+Nomad · · Score: 3, Insightful

    What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag). Oh the humanity!! Of course they should, but they won't because that would mean they have to admit they suck. The first rule of recovery is admit your problems.

  3. Running Scared. by Soruk · · Score: 4, Insightful

    They're probably too scared of being sued, or seeing the share price fall through the floor.

    Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think it's best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.

    --
    -- Soruk
    1. Re:Running Scared. by jdreed1024 · · Score: 4, Insightful
      Unlike the food example, where bad food could kill you, a computer virus in your home machine won't,

      Until it's used as a bot to distribute kiddie porn, and the FBI comes and knocks on your door and they throw you in jail for 50 years. Yes, yes, death is irreversible, whereas you can always get acquitted later, but it comes pretty darn close to ruining your life.

      --
      There is no sig, there is only Zuul.
    2. Re:Running Scared. by slashjames · · Score: 3, Insightful

      Yeah, it won't kill you. But falling victim to identity theft because your computer was infected when you visited a (normally) safe web site can make your life hell. And the operator of the web site would be none too happy if someone could prove conclusively the identity theft happened because of one of those exploits and not something else.

  4. It's a shame that... by Anonymous Coward · · Score: 1, Insightful

    ...ISPs don't block access to these sites as well.

    1. Re:It's a shame that... by Anonymous Coward · · Score: 1, Insightful

      The last thing you want is your ISP monitoring and controlling your access to websites.

  5. An odd analogy. by DP · · Score: 4, Insightful

    I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.

    If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.

    What's up with that?

    --
    -- d'arcy poirot
    1. Re:An odd analogy. by finkployd · · Score: 5, Insightful

      Because to me, the security of my PC and identity is infinitely more important than your reputation and "ego" as a webmaster (or corporate entity). I'm sure restaurant chains would prefer that nobody know when a food poisoning outbreak occurs either.

      The bottom line is, if anyone is going to come away with some pain from something like this it should be the one who directly due to negligence caused it (the website), not the innocent consumer who was kept in the dark about the abhorrent security track record of someone they do business with.

      How's THAT for a run on sentence.

      Finkployd

    2. Re:An odd analogy. by DP · · Score: 2, Insightful

      Yes, obviously, to a consumer, the security of _your_ computer is more important to _you_ than _my_ reputation. On the other hand, my ability to continue to do business is important to me.

      You don't have to have an abhorrent track record to get hacked. Sometimes you just get unlucky. Unfortunately, no one is going to be very understanding about bad luck and, like you, they'll assume it's my fault. That is exactly why I would want to deal with it quickly and quietly. I'd be pretty upset if some third party then went and blabbed to everyone about it afterwards.

      --
      -- d'arcy poirot
    3. Re:An odd analogy. by finkployd · · Score: 4, Insightful

      I'd be pretty upset if some third party then went and blabbed to everyone about it afterwards.

      Meaning no disrespect to you, this is EXACTLY what I want to happen. For the reasons you outlined, nobody can rely on the company to come clean about the danger they have (and in some cases repeatedly) put their customer in. Therefore we need some form of third party to do this. I like the idea mentioned elsewhere about gathering and publishing this information via p2p so it cannot be "targeted" and shut down.

      Of course there would be a serious concern with libel. Some form of validation or authenticity would have to be dreamed up, and I have no idea how to attack that problem.

      Yes, obviously, to a consumer, the security of _your_ computer is more important to _you_ than _my_ reputation.

      And as the consumer I ultimately have the power to make this happen. If enough people demand this, it will happen.

      Finkployd

    4. Re:An odd analogy. by Artifakt · · Score: 2, Insightful

      And if I find out you have been in the habit of dealing with everything quietly, and it still impacted me negatively, I will immediately assume you have not sufficiently meant your promise to do it quickly, and have not had the professional ethics to treat me with equal respect to what you are expecting in turn.
      At that point, I will believe you deliberately chose to screw me, your customer, over. I will then do my level best to see to it that you never run a business again, including making damned sure you are in the papers for your mistakes and that any bank that is thinking of giving you a recovery loan simply does not want to do business.
      So, do you want to risk my not being understanding when you tell me the truth, or risk slipping over the line into a lie and get me pissed enough that I will happily work at getting you, and the wife and kids if necessary, added to the rolls of the homeless?
      Now what was that about an ability to continue to do business? Lie to me, either explicitly _or by omission_ , and that's exactly what I want you to lose.

      --
      Who is John Cabal?
  6. Perspective! by MightyYar · · Score: 3, Insightful
    Shouldn't we demand the same when a businesses server poisons our computer.

    In one case, public health is at stake. Lives. In the other, an annoying computer problem.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Perspective! by Anonymous Coward · · Score: 1, Insightful

      So, when the terrorists use their gigantic network of zombie infected computers to take down banks, important web sites, etc, then you'll care?

    2. Re:Perspective! by platypibri · · Score: 3, Insightful

      What?!?!?!?!?! More like in the other, possibly millions of dollars down the toilet as the infrastructure of business in major countries crawls to a halt. Not to mention any compromised financial data, that I might not know about until I get turned down for some credit application. Hell yes! They ought to tell somebody.

      --
      Yeah, I guess I'm funny like that.
  7. User embarrassment? by Propagandhi · · Score: 5, Insightful

    Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.

    I, personally, feel that is a more problematic situation in terms of ultimately halting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.

    1. Re:User embarrassment? by Anonymous Coward · · Score: 1, Insightful
      "Like, if you're having gay anal sex, wear a condom."

      Dunno if I should inform you about this: But I would also wear a condom if you are about to have heterosexual, vaginal and/or anal sex: Kinda sucks to get AIDS, if not a nice STD, don't it?

  8. Certify all sysadmins? by CelticLo · · Score: 5, Insightful

    Here in the UK to serve people hot food you must have a certificate to show you know basic hygiene.

    Should we force web administrators to prove they know how to keep their boxes clean?

    1. Re:Certify all sysadmins? by nuclear305 · · Score: 3, Insightful

      Something tells me such a certificate would be about as credible as having a 419 scammer send "proof" that they are Nigerian businessmen needing your help.

    2. Re:Certify all sysadmins? by damgx · · Score: 2, Insightful

      Can't believe this is modded 'Insightful'

      Just because you have a paper in how to do xyz, does not equal you do what the rules say (or what you learned).

      Every truck driver got a license, yet some (many?) break the speeding limits...

      The paper might state I know how to wash my hands, not that I did so after I handled money or went to the restroom.

      How would you go about enforcing this certificate for web administrators?

      What is a 'web administrator'?

      --
      I only read slash. for the articles...
  9. Flawed analogy... by bc90021 · · Score: 1, Insightful

    In the case of food poisoning, a person can get violently ill, or even die. In the case of an infected website, the worst that can happen is that their computer needs to be reformatted, or the worm copies private information off to some random email.

    Food poisoning typically can't be avoided until after the fact; people can take preventative measures against worms.

    Also, many of those sites do business online, while we'd like to think they'd be forthright with their customers, many PHBs would rather die a slow painful death than ever admit to their customers that their site got infected. Since full disclosure is nice but not necessary, PHBs will take the easy way out.

    1. Re:Flawed analogy... by finkployd · · Score: 5, Insightful

      Clearly you have never been a victim of identity theft and thus forced to spend years correcting the problem, all the while racking up debt. Certainly nowhere near as bad as death by food poisoning, but certainly a little more serious than reformatting your computer.

      Finkployd

  10. Re:Of course by lukewarmfusion · · Score: 4, Insightful

    If it can hurt/damage you or your property, then you should be informed.

    If not, there's no reason for you to be informed.

  11. Annoying? by ktorn · · Score: 5, Insightful

    Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.

    1. Re:Annoying? by MightyYar · · Score: 2, Insightful
      Again, money != life.

      I can't be the only one here who thinks that theft and death are not at least an order of magnitude apart...

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:Annoying? by finkployd · · Score: 3, Insightful

      Food poisoning doesn't always equal death. It might just be a temporary "annoyance". The point is, regardless of the scale with which you rank these things, the consumer has a right to know, thus making informed decisions.

      Finkployd

  12. Let the lawsuits begin by Fryth · · Score: 5, Insightful

    I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.

    That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.

  13. Digital security by bigberk · · Score: 2, Insightful

    The issue is ultimately about the public's lack of concern for computer, and more generally, digital security. My opinion is that this lack of concern stems from a lack of knowledge about the technologies we use.

    I think the situation is more dangerous than most professionals realise. The majority of the people in IT shrug off security concerns. "We can always reinstall" or "we'll upgrade later" are common responses to warnings about insecurity and vulnerability. Most businesses and even governments entirely ignore digital security concerns.

    We have a modern economy that depends entirely upon computer networks and data flow. All of our communication depends upon it too. So do public utilities and emergency services.

    But at the same time, we perpetually neglect to protect these systems that we rely on. OS security is literally a joke; server security may or may not be a concern depending on how anal the operator is; and data encryption is still, for the most part, undiscovered by the masses.

  14. It wasn't the restaurant, it was the customers... by LostCluster · · Score: 4, Insightful

    Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.

    However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.

    Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivalent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.

    eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes auction prices higher and eBay's revenue mostly comes from taking a percentage of the auction result... I don't think that's gonna happen.

  15. This is good, really by ravenspear · · Score: 2, Insightful

    This story reminds me of those inane AOL commercials about computers getting sick. Let's get sensible here. Computers do not "get sick." They do not become "poisoned."

    A virus sometimes infects the Windows OS. At best, run a virus checker and stop it before you are infected. At worst, do a reformat and be done with it. You have a backup anyway. Right?

    If you don't want to deal with virii in any form then run OS X or Linux. Problem solved.

  16. Re:Of course by elleomea · · Score: 5, Insightful

    Disclosure of sites that were infected isn't the same thing as the owners being liable for damage done.

  17. What good are reporters by MrWa · · Score: 4, Insightful
    The question is not whether a company should report that their website was infected or not - the most obvious answer is that, unless they are an overly honest company, they will not divulge anything embarrassing that may affect their stock price unless required by law. The real issue here is that supposed news websites were complicit in this by not reporting the affected websites when they supposedly knew which ones they were. What, other than advertising dollars, would prevent a news organization from reporting something that would be useful and important for the customers of said news organization to know?!?

    That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.

    News organizations should not be concerned with the impact on a business's image!

  18. There's a key difference... by jerkychew · · Score: 4, Insightful

    "...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer."

    Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.

    When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly susceptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue) They are not bound by this, because they are not regulated by any government agency.

    So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?

    Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.

  19. Maybe in the US... by SilveRo_kun · · Score: 2, Insightful

    As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer.

    Maybe in the US it's like this, but not elsewhere.... In Italy, for a long time some nut would inject bleach and other similar liquids in water bottles... Quite a few people ended up in the hospital, but fortunately nobody died... Well, there was no way to find out the brands of the water bottles that were poisoned.... The media kept it all hush-hush, and it does the same for lots of other things...

  20. Re:Of course by XryanX · · Score: 4, Insightful

    "On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."

    If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?

  21. Re:Of course by mrwiggly · · Score: 2, Insightful
    If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?

    No, that's a bad analogy. A better one is if your car has a recall on its brakes, you don't get it fixed, and then get in an accident, Who is at fault?

  22. eBay not at fault. MSIE was. by SgtChaireBourne · · Score: 2, Insightful
    Many MSIE users got infected in indirect association with their use of eBay, but the flaw did not rest with eBay, but with MSIE. There is nothing inherently dangerous in using external links, even for graphics. Note that the SRC attribute of the IMG element is defined as a URL. So, even though most link only to local files, remote files are allowed by the standard and their absence would decrease the utility of services like eBay, not to mention greatly increase their bandwidth and storage costs.

    The fault lies squarely with people still using MSIE and with OEMs for not bundling a proper web browser.

    However, in a different context, Ed Foster does have a good point ... as he often does. In the case where sites have been compromised or used to spread malware, it is essential that the public be informed.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.