Slashdot Mirror

← Back to Stories (view on slashdot.org)

Identifying Compromised Websites

Posted by timothy on from the or-not dept.

linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"

17 of 390 comments (clear)

  1. Comment removed by account_deleted · · Score: 5, Insightful

    Comment removed based on user account deletion

  2. Running Scared. by Soruk · · Score: 4, Insightful

    They're probably too scared of being sued, or seeing the share price fall through the floor.

    Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think its best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.

    --
    -- Soruk
    1. Re:Running Scared. by jdreed1024 · · Score: 4, Insightful
      Unlike the food example, where bad food could kill you, a computer virus in your home machine won't,

      Until it's used as a bot to distribute kiddie porn, and the FBI comes and knocks on your door and they throw you in jail for 50 years. Yes, yes, death is irreversible, whereas you can always get acquitted later, but it comes pretty darn close to ruining your life.

      --
      There is no sig, there is only Zuul.
  3. An odd analogy. by DP · · Score: 4, Insightful

    I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.

    If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.

    What's up with that?

    --


    -- d'arcy poirot
    1. Re:An odd analogy. by finkployd · · Score: 5, Insightful

      Because to me, the security of my PC and identity is infinitely more important than your reputation and "ego" as a webmaster (or corporate entity). I'm sure restaurant chains would prefer that nobody know when a food poisoning outbreak occurs either.

      The bottom line is, if anyone is going to come away with some pain from something like this it should be the one who directly due to negligence caused it (the website), not the innocent consumer who was kept in the dark about the abhorrent security track record of someone they do business with.

      How's THAT for a run on sentence.

      Finkployd

    2. Re:An odd analogy. by finkployd · · Score: 4, Insightful

      I'd be pretty upset if some third party then went and blabbed to everyone about it afterwards.

      Meaning no disrespect to you, this is EXACTLY what I want to happen. For the reasons you outlined, nobody can rely on the company to come clean about the danger they have (and in some cases repeatedly) put their customer in. Therefor we need some form of third party to do this. I like the idea mentioned elsewhere about gathering and publishing this information via p2p so it cannot be "targeted" and shut down.

      Of course there would be a serious concern with libel. Some form of validation or authenticity would have to be dreamed up, and I have no idea how to attack that problem.

      Yes, obviously, to a consumer, the security of _your_ computer is more important to _you_ than _my_ reputation.

      And as the consumer I ultimately have the power to make this happen. If enough people demand this, it will happen.

      Finkployd

  4. User embarrassment? by Propagandhi · · Score: 5, Insightful

    Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.

    I, personally, feel that is a more problematic situation in terms of ultimately haulting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.

  5. Certify all sysadmins? by CelticLo · · Score: 5, Insightful

    Here in the UK to serve people hot food you must have a certificate to show you know basic hygene.

    Should we force web administrators to prove they know how to keep their boxex clean?

  6. Re:Of course by lukewarmfusion · · Score: 4, Insightful

    If it can hurt/damage you or your property, then you should be informed.

    If not, there's no reason for you to be informed.

  7. Annoying? by ktorn · · Score: 5, Insightful

    Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.

  8. Let the lawsuits begin by Fryth · · Score: 5, Insightful

    I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.

    That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.

  9. It wasn't the restaurant, it was the customers... by LostCluster · · Score: 4, Insightful

    Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.

    However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.

    Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivilent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.

    eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes action prices higher and eBay's revenue mostly come from taking a percentage of the auction result... I don't think that's gonna happen.

  10. Re:Flawed analogy... by finkployd · · Score: 5, Insightful

    Clearly you have never been a victim of identity theft and thus forced to spend years correcting the problem, all the while racking up debt. Certainly no where near as bad as death by food poisoning, but certainly a little more serious than reformatting your computer.

    Finkployd

  11. Re:Of course by elleomea · · Score: 5, Insightful

    Disclosure of sites that were infected isn't the same thing as the owners being liable for damage done.

  12. What good are reporters by MrWa · · Score: 4, Insightful
    The question is not whether a company should report that their website was infected or not - the most obvious answer is that, unless they are a overly honest company, they will not divulge anything embarrassing that may affect their stock price unless required by law. The real issue here is that supposed news websites were complicit in this by not reporting the affected websites when they supposedly knew which ones they were. What, other than advertising dollars, would prevent a news organization from reporting something that would be useful and important for the customers of said news organization to know?!?

    That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.

    News organizations should not be concerned with the impact on a business's image!

  13. There's a key difference... by jerkychew · · Score: 4, Insightful

    "...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer.

    Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.

    When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly succeptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue) They are not bound by this, because they are not regulated by any government agency.

    So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?

    Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.

  14. Re:Of course by XryanX · · Score: 4, Insightful

    "On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."

    If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?