Identifying Compromised Websites
linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food poisoning is traced to a store or restaurant the health department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
Yes, the organizations should disclose the info, and for them, they have nothing to lose, since they are just a third-party security organization. But you can bet they then would be the target of lawsuits. Blame America's litigation-happy society for this paranoia.
There's 10 types of people in this world, those who understand binary and those who don't.
In the event of a food poisoning lives are at risk, while in the case of an infected computer, the worst case is lost $$$. That being said, this could be a litmus test for sites that were compromised. The ones that come clean right away gain respect, the ones that try to hide are shunned and ridiculed. But in answer to the question, a content provider should not be required to disclose infection, only encouraged. The government has too many fingers in my pie already.
It sounds like a good idea for a moment, before you think about it. First of all, most web content is offered as free with no warranties or guarantees of anything. You surf at your own risk. Second, a person may go through hundreds of web sites in a day, and tens or hundreds of thousands of people may hit your site. Third, most people with any sense have some form of antivirus on their computers, and those that do not are either asking for it and they know it, or wouldn't know what to do if they did get a virus. In reality, virus protection is the responsibility of the user. True, it is absolutely insane that people have unprotected web sites out there, but since the web is a public forum, there is really no way to say who does what without limiting the "for all people" part of it. The web is a beautiful thing because it is open to everyone, regardless.
...for two reasons. First, an infected website has never killed anyone. Second:
when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected.
There is no such thing as a health department for your computer. There are virus tracking sites, spyware removal programs, sites that offer updates to your protection programs...lots of things to help kill active infections and keep you informed of current ones. But there is no "USDA stamp" for clean websites.
Nor can there be. The internet has bounds beyond a single country. Any office claiming to have jurisdiction over all websites would be ridiculous.
Weaselmancer
ridiculous.
If your server was compromised, and served up a keylogger, which was then used to empty punters' bank accounts, you bear responsibility for notifying your customers of the breach.
To not do so is negligence.
It seems like one could create a distributed site monitoring system for this purpose. A simple sandbox web app would periodically reload a list of sites and log a signature of either the contents or attempted actions encoded in the site. Each participant would offer to monitor a few sites in the background. A P2P comparison process would then correlate signature elements across sites -- peers would transmit their findings to other peers looking for something like Download.ject that appears as a new object/behavior across disparate sites. The peers could then alert each other across the mesh of the system when suspicious new objects show up.
Lacking a central authority, the companies would be powerless to shut down publication of these types of security breaches.
Two wrongs don't make a right, but three lefts do.
Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions. Disease outbreaks take hundreds of man-hours to actually track down, and frankly I don't think it's possible to get to the root of a computer-based problem that affects thousands (if not millions on a worldwide scale).
Maybe someday... just not now.
Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.
Not that relevant to the article I suppose, but an interesting angle.
"'Yrch!' said Legolas, falling into his own tongue."
What if the website where you got the virus was set up by a kid, or some high school students, or just a hobbyist? You can't sue them, or expect them to do anything... they probably haven't looked at their page in months. And people don't pay for web content in most cases, so how can you expect a guarantee for it? And, would you really want government inspectors coming to your business, going through your personal web pages to see if they are properly protected? Would you want to have to submit them paperwork saying that you had taken proper precautions? Nobody wants that. Keep the web free and available to anyone with a voice, for all. I am against ANY form of government control over the web (except for stuff like kiddyporn and other such garbage). But this is just my opinion.
No single security company is willing to do the finger pointing. It doesn't make sense for the reasons explained in the article.
What we need is for the various anti-virus software makers to agree on a protocol.
What this means is that, as soon as the anti-virus software is able to identify the threat, any time it encounters a web-server infected (as the user browses such site) it should send an alert to a centralised web-site. This site would list all the infected sites.
A smarter step would then be for the anti-virus software to regularly cross-check your recent browser history against the infected-listed sites.
This way no one company is doing the finger-pointing. It is rather a distributed effort, based on a common protocol.
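As an added example (not from the thread or from any product mentioned in it), here is the core of the distributed site-monitoring idea proposed earlier in the thread together with the shared infected-site list and browser-history cross-check proposed just above, in Python: each peer keeps a hashed signature of every script element per site, a new object that surfaces on several unrelated sites at once is flagged, and a visit history is checked against the resulting list. Hostnames and page contents are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample snapshots (hostnames are placeholders, not real sites):
# each monitor periodically fetches its sites and keeps the previous copy.
SNAPSHOTS_T0 = {
    "news.example": "<html><script src='/js/app.js'></script><p>Headlines</p></html>",
    "shop.example": "<html><script src='/cart.js'></script><p>Deals</p></html>",
    "bank.example": "<html><script src='/login.js'></script><p>Sign in</p></html>",
}
# Stands in for the footer script Download.ject appended to pages served by infected hosts.
INJECTED = "<script src='http://badhost.invalid/inject.js'></script>"
SNAPSHOTS_T1 = {
    "news.example": SNAPSHOTS_T0["news.example"] + INJECTED,
    "shop.example": SNAPSHOTS_T0["shop.example"] + INJECTED,
    "bank.example": SNAPSHOTS_T0["bank.example"],
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def object_signatures(html):
    """SHA-256 of every <script> element: the 'signature of the contents' a peer would log."""
    return {hashlib.sha256(m.group(0).encode()).hexdigest() for m in SCRIPT_RE.finditer(html)}

def new_objects(before, after):
    """Map each signature present in `after` but absent from that site's `before` copy to its carriers."""
    carriers = defaultdict(set)
    for site, html in after.items():
        for sig in object_signatures(html) - object_signatures(before.get(site, "")):
            carriers[sig].add(site)
    return carriers

def suspicious_objects(before, after, min_sites=2):
    """The correlation step: one new object surfacing on several unrelated sites at once."""
    return {sig: sites for sig, sites in new_objects(before, after).items() if len(sites) >= min_sites}

def compromised_sites(flagged):
    """The list the peers (or a central site, per the protocol proposal) would publish."""
    return set().union(*flagged.values())

def exposed_visits(history, compromised):
    """Cross-check a browser history (hostnames) against the published list and return the hits."""
    return sorted(set(history) & compromised)
```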
From a legal perspective you may well be right, but in my book it's still negligent. You have information that could prevent many others from serious consequences to their financial stability. Imagine if your bank account were emptied because you got a keylogger from cnn.com, and you only found out about it after the fact? And yes you should be telling the public. Defending yourself in keeping it secret is a disgrace in this kind of instance. You should be ashamed.
The thing is that the web has a life of its own and it would be really hard to control it like that. Anyone can open a website anywhere and put almost anything on it. How would you force that random individual to be guilty for the virus they spread? The internet was not originally designed to be a controlled environment where you can hold others responsible if something bad happens to you; it's not America. You have to watch your own ass.
Some things might be "morally" right, but could never happen in reality.
Unlike the food example, where bad food could kill you, a computer virus in your home machine won't.
Explain that to the sailors on the USS Yorktown.
Yes, I know it wasn't a virus. It was bad SQL Server-based code. Sadly, Microsoft is equally vulnerable to both.
I think the focus on Ject's infection of web browsers visiting the IIS servers is incorrect--if having an infected IIS server is a crime and must be acknowledged publicly, then possessing an infected normal desktop should also have a mandatory public acknowledgement--I want to see a list of every American who had a Blaster-infected computer. If you want biology analogies, this is equivalent to insisting on mandatory publication of the names of HIV-positive individuals.
No, on the internet everyone is responsible for making themselves secure--if people without malicious intent were imprisoned for security violations, we would never have enough room in all the prisons in our country.
But if a security break-in reveals information that I have entrusted to the remote site--there should DEFINITELY be required publication of that, at least privately to the victimized individuals. This is something the marketplace cannot self-regulate--how can I choose a secure business to cooperate with when I don't know when the security of my information is being violated?
I think a better analogy would be a person with an infectious disease. They are not sued, as they are victims themselves, but they require quarantine and attention so they do not infect other people.
If any company, gov't organization or health service did not report an infectious disease, then there would be cause for lawsuits. Acting responsibly for the public good should not be penalized.
I know I would want to know if I was exposed, whether to an infectious disease, or a potential viral problem. (I use linux, but some inside the network use windows.)
IT should put the blame where it belongs, right at MacroShaft's doorstep. They have been unable to mitigate the virus/worm problem for over 15 years.
It doesn't hurt/damage you or your property. What you own in your computer is hardware. There are very few viruses that can affect it.
As far as the software/OS, all you own is a license -- an abstraction that remains unaffected by viruses or worms. Even if your XP installation is completely foobar, you still have the exact same legal rights to use them.
I understand where you're coming from here, but businesses can't operate this way. Of course, everyone would like to be completely and scrupulously forthright about everything, but in practice, that stuff will kill you. As a consumer, I'd like to see this kind of thing too, but I may find myself on the wrong side of it some day and end up losing my job, hence my sentiments.
I suppose it's possible that consumers will demand this sort of accountability, but in practice, they'd have no mechanism by which to do so. By the very nature of this issue, it would be impossible to know whether some company had been hacked and said nothing about it (without expending massive resources gathering information from and educating users). Even the government would probably not have the competence to make something like this stick. I'm afraid you're just going to be stuck in a world of secretly hacked servers.
We need some public education then. Like, if you're having gay anal sex, wear a condom. Same thing really... If you're cruising for warez, don't use IE, and make sure you're firewalled. Ideally carriers/ISPs would tell their customers, but that's like admitting you know what goes over your wires or something.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
Ibsen wrote a play about it, that's how old it is. It was made into a movie with Steve McQueen. The plot seemed scarily current, like it was taking place today, not almost a century ago.
Recently a virus called Scob/Download.ject infected various high-profile websites running Windows-based webservers. This virus also infected visitors to the sites through a bug in the Windows operating system. The virus was able to keylog your computer and transmit information such as passwords and web addresses you typed in the browser. This information was being redirected to a website in Russia. However the US-CERT department refused to publish a list of infected sites, citing damages to the business.
My complaint is if a restaurant down the street came down with E. coli and people became sick or died, the US FDA would have notified the public about this restaurant and we would be aware of that restaurant's name and location. It happens at IHOPs and Taco Bells and many other types of restaurants. I have yet to see either of those two chains shut down due to people avoiding them due to one E. coli outbreak. I would expect the same notification about a website also.
Those websites that were infected were run by American businesses and not operated by foreign countries. US-CERT is just one portion of the Department of Homeland Security. And it calls into question if one department is afraid to release the truth because it may hurt someone's bottom line, then maybe another group would decide to skip out on notifying people of a biohazard at some posh vacation spot in fear that they would ruin business there.
Thanks for your time Mr Senator.
If it can hurt/damage you or your property, then you should be informed.
If not, there's no reason for you to be informed.
I would suggest that once a site has been compromised, they have an obligation to inform their customers of that fact, and the damage that the customers might be susceptible to. If a vendor's site doesn't propagate virii or other malware, then they should let their userbase know!
I have worked in several hardhat industries, and so often see "XX number of days since last accident". Web sites might want to (honestly) consider providing something similar.
With all of this SCO/Linux/IBM fud flying around, I really wish that there was something like an open source Vax/VMS solution for I386+ machines out there......
Not to mention, the coffee in question and its temperature are completely irrelevant. That's what the defense wants you to discuss because that is the only avenue under which they may have had a case.
But the real issue was whether or not a beverage vendor is responsible when someone has purchased a beverage, left their establishment with it, and spills it on themselves due to their own negligence or any other factor which is completely outside the vendor's control.
Of course the answer SHOULD BE no.
If the container was faulty in some fashion... maybe. If the accident occurred within the establishment, aggravated by something the vendor did or didn't do (like an employee bumping into the customer, or a wet floor, or trash on the floor, etc.) yes.
If the customer was hit by a semi, no, the accident and coffee injury would be the fault of whoever was at fault for the accident.
The only way I could see the temp of the coffee mattering whatsoever in THIS case would be if the defendant were burned by the coffee while drinking it.
After all it wasn't the temperature of the coffee which made her spill it.
Earlier this year there were some BSE-infected cows that were traced to meat that went to a restaurant or grocery store. The health department refused to name which place had the meat.
This administration still denies ranchers from voluntarily testing for BSE on all their cows.
There was also a story about how the Office of Management and Budget will review all health advisories before allowing them to reach the public.
Actually, the best analogy would be if you saw a news report saying "An automobile manufacturer warns that one of its late-model vehicles might have a defect." It specifies neither which manufacturer, nor which vehicle, nor even which part is affected. Now, when an Explorer blows a tire and kills a little league team, who's at fault?