Slashdot Mirror
Identifying Compromised Websites
linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
The following web sites were infected: http://www.a=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]
Comment removed based on user account deletion
What inform the consumer?!? But then we can't sue for spilling hot coffee on our laps, or dying from cigarettes (takes a drag). Oh the humanity!! Of course they should, but they won't because that would mean they have to admit they suck. The first rule of recovery is admit your problems.
They're probably too scared of being sued, or seeing the share price fall through the floor.
Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think its best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.
-- Soruk
I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.
If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.
What's up with that?
-- d'arcy poirot
In one case, public health is at stake. Lives. In the other, an annoying computer problem.
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
The question is, what is the most effective way to do so? Legislation? I prefer to keep as much power away from politicians as possible, and since companies have deeper pockets than I do it doesn't often work. Customer protest is effective, but you have to find out who caused the problem. The same with email campaigns.
Posts on Slashdot with links to the offending site might be the most effective because they can take down the infected server directly under the bombardment of thousands of page requests all at once.
Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.
I, personally, feel that is a more problematic situation in terms of ultimately haulting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.
Here in the UK to serve people hot food you must have a certificate to show you know basic hygene.
Should we force web administrators to prove they know how to keep their boxex clean?
If it can hurt/damage you or your property, then you should be informed.
If not, there's no reason for you to be informed.
Yes, the organizations should disclose the info, and for them, they have nothing to lose, since they are just a third-party security organization. But you can bet they then would be the target of lawsuits. Blame America's litigation-happy society for this paranoia.
There's 10 types of people in this world, those who understand binary and those who don't.
In the event of a food poisoning lives are at risk, while in the case of an infected computer, the worst case is lost $$$. That being said, this could be a litmus test for sites that were compromised. The ones that come clean right away gain respect, the ones that try to hide are shunned and ridiculed. But in answer to the question, a content provider should not be required to disclose infection, only encouraged. The government has too many fingers in my pie already.
is cya.
It sounds like a good idea for a moment, before you think about it. First of all, most web content is offered as free with no warranties or guarantees of anything. You surf at your own risk. Second, a person may go through hundreds of web sites in a day, and tens or hundreds of thousands of people may hit your site. Third, most people with any sense have some form of antivirus on their computers, and those that do not are either asking for it and they know it, or wouldn't know what to do if they did get a virus. In reality, virus protection is the responsibility of the user. True, it is absolutely insane that people have unprotected web sites out there, but since the web is a public forum, there is really no way to say who does what without limiting the "for all people" part of it. The web is a beautiful thing because it is open to everyone, regardless.
...for two reasons. First, an infected website has never killed anyone. Second:
when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected.
There is no such thing as a health department for your computer. There are virus tracking sites, spyware removal programs, sites that offer updates to your protection programs...lots of things to help kill active infections and keep you informed of current ones. But there is no "USDA stamp" for clean websites.
Nor can there be. The internet has bounds beyond a single country. Any office claiming to have jurisdiction over all websites would be ridiculous.
Weaselmancer
rediculous.
Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.
So what he's trying to say is that Infoworld's servers were among the infected, right?
I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.
That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.
It seems like one could create a distributed site monitoring system for this purpose. A simple sandbox web app would periodically reload a list of sites and log a signature of either the contents or attempted actions encoded in the site. Each participant would offer to monitor a few sites in the background. A P2P comparison process would then correlate signature elements across sites -- peers would transmit their findings to other peers looking for something like Download.ject that appears as a new object/behavior across disparate sites. The peers could then alert each other across the mesh of the system when suspicious new objects show up.
Lacking a central authority, the companies would be powerless to shutdown publication of these types of security breaches.
Two wrongs don't make a right, but three lefts do.
Tracing the ancestry of a bacterial strain that affected hundreds of people is relatively easy compared to tracking down the sites that affected millions. Disease outbreaks take hundreds of man-hours to actually track down, and frankly I don't think its possible to get to the root of a computer based problem that affects thousands (if not millions on a worldwide scale).
Maybe someday.. just not now.
Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.
Not that relevant to the article I suppose, but an interesting angle.
"'Yrch!' said Legolas, falling into his own tongue."
What if the website where you got the virus was set up by a kid, or some high school students, or just a hobbiest? You can't sue them, or expect them to do anything... they probably haven't looked at their page in months. And people don't pay for web content in most cases, so how can you expect a guarantee for it? And, would you really want government inspectors coming to your business, going through your personal web pages to see if they are properly protected? Would you want to have to submit them paperwork saying that you had taken proper precautions? Nobody wants that. Keep the web free and available to anyone with a voice, for all. I am against ANY form of government conrol over the web (except for stuff like kiddyporn and other such garbage). But this is just my opinion.
No single security company is willing to do the finger pointing. It doesn't make sense for the reasons explained in the article.
What we need is for the various anti-virus software makers to agree on a protocol.
What this means is that, as soon as the anti-virus software is able to identify the threat, any time it encounters a web-server infected (as the user browses such site) it should send an alert to a centralised web-site. This site would list all the infected sites.
A smarter step would then be for the anti-virus software to regularly cross-check your recent browser history against the infected-listed sites.
This way no one company is doing the finger-pointing. It is rather a distributed effort, based on a common protocol.
The Spanish variant is worse. It turns those funckey upside-down question-marks at the beginnings of the sentence into little Microsoft MSN butterfly-man icons.
Can you imagine that. I know it makes me fearful.
fifth sigma, inc.
The issue is ultimately about the public's lack of concern for computer, and more generally, digital security. My opinion is that this lack of concern stems from a lack of knowledge about the technologies we use.
I think the situation is more dangerous than most professionals realise. The majority of the people in IT shrug off security concerns. "We can always reinstall" or "we'll upgrade later" are common responses to warnings about insecurity and vulnerability. Most businesses and even governments entirely ignore digital security concerns.
We have a modern economy that depends entirely upon computer networks and data flow. All of our communication depends upon it too. So do public utilities and emergency services.
But at the same time, we perpetually neglect to protect these systems that we rely on. OS security is literally a joke; server security may or may not be a concern depending on how anal the operator is; and data encryption is still, for the most part, undiscovered by the masses.
>>If not, there's no reason for you to be informed
Define hurt.
If say some code gets onto my machine and jsut spins processor cycles..even though it's not really 'hurting' anything I still have the right to know.
Granted, I'd see the CPU spike, and I'd kill the process and track down the executable/script. But Joe Sixpack doesn't know how to do this.
wbs.
Huh?
Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.
However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.
Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivilent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.
eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes action prices higher and eBay's revenue mostly come from taking a percentage of the auction result... I don't think that's gonna happen.
Clearly you have never been a victim of identity theft and thus forced to spend years correcting the problem, all the while racking up debt. Certainly no where near as bad as death by food poisoning, but certainly a little more serious than reformatting your computer.
Finkployd
This story reminds me of those inane AOL commercials about computers getting sick. Lets get sensible here. Computers do not "get sick." They do not become "poisoned."
A virus sometimes infects the Windows OS. At best, run a virus checker and stop it before you are infected. At worse, do a reformat and be done with it. You have a backup anyway. Right?
If you don't want to deal with virii in any form then run OS X or Linux. Problem solved.
The thing is that the web has a life of its own and it would be really hard to control it like that. Anyone can open a website anywhere and put almost anything on it. How would you force that random individual to be guilty for the virus they spread? The internet was not originally designed to be a controlled environment where you can hold others responsible if something bad happens to you; its not America. You have to watch your own ass.
Some things might be "morally" right, but could never happen in reality.
Disclosure of sites that were infected isn't the same thing as the owners being liable for damage done.
Makes me wonder about your diet.
Unlike the food example, where bad food could kill you, a computer virus in your home machine won't.
Explain that to the sailors on the USS Yorktown.
Yes, I know it wasn't a virus. It was bad SQL Server-based code. Sadly, Microsoft is equally vulnerable to both.
I think the focus on Ject's infection of web browsers visiting the IIS servers is incorrect--if having an infected IIS server is a crime and must be acknowledged publically, then having possessing infected normal desktop should also have a mandatory public acknowledgement--I want to see a list of every American who had a Blaster infected computer. If you want biology analogies, this is equivalent to insisting on mandatory publications of the names of HIV positive individuals.
No, on the internet everyone is responsible for making themselves secure--if people without malicious intent are imprisoned for secuirty violations, we would never have enough room in all the prisons in our country.
But if a security break in reveals information that I have entrusted on the remote cite--there should DEFINITELY be required publication of that, at least privately to the victimized individuals. This is something the marketplace cannot selfregulate--how can I choose a secure business to cooperate with when I don't when the security of my information is being violated?
"So which is more serious? Death of body or death of personality" Are you serious? DEATH is more serious moron. God damn man, "death of personality" isn't even a real problem. You write a few letters, make a few calls, maybe at the worst get a lawyer and spend some money. DEATH is non-fucking-negotiable. You're dead? Good luck getting that undone. How about this, I'll let you have all my personal details if I can chop your head off afterward. What, you're not interested?
I knew that recent "downtime" wasn't just for "upgrades". It's an imposter! It's a Phisher site! Its of the body! One of the pod people! :)
That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.
News organizations should not be concerned with the impact on a business's image!
Ibsen wrote a play about it, that's how old it is. It was made into a movie with Steve McQueen. The plot seemed scarily current, like it was taking place today, not almost a century ago.
Excellent timing of this; the Spokesman Review had an article a few days ago about how grocery store names in Washington state who got shipped potentially bad meat from the Mad Cow epidemic are being withheld, and the newspapers were denied their information requests on some obscure grounds. I'd say the website attacks are being treated like any similar situation.
"...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer.
Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.
When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly succeptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue) They are not bound by this, because they are not regulated by any government agency.
So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?
Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.
...in Tijuana and don't wear a condom, you deserve what you get. Surfing the Internet with Internet Explorer is no less risky than unprotected sex in a cheap Tijuana whorehouse.
Serial Meta Moderator
As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a businesses server poisons our computer."
Maybe in the US it's like this, but not elsewhere.... In Italy, for a long time some nut would inject bleach and other similar liquids in water bottles... Quite a few people ended up in the hospital, but fortunately nobody died... Well, there was no way to find out the brands of the water bottles that where poisoned.... The media kept it all hush-hush, and it does the same for lots of other things...
"On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."
If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?
Recently a virus called Scob/Download.ject infected various high profile websites running Windows based webservers. This virus also infected visitors to the sites through a bug in the Windows operating system. The virus was able to keylog your computer and transmit information such as passwords, web addresses you typed in the browser. This information was being redirected to a website in Russia. However the US-Cert department refused to publish a list of infected sites citing damages to the business.
My complaint is if a resturant down the street came down with E. Coli and people became sick or died the US FDA would of notified the public about this resturant and we would be aware of that resturant's name and location. It happens at IHOP's and Taco Bells and many other types of ressturants. I have yet to see either of those two chains shut down due to people avoiding them due to one E Coli outbreak. I would expect the same notification about a Website also.
Those websites that were infected were run by American businesses and not operated by foreign countries. US-CERT is just one portion of the Department of Homeland Security. And it calls into question if one department is afraid to release the truth becuase it may hurt someone's bottom line then maybe another group would decide to skip out on notifing people of a biohazard at some posh vacation spot in fear that they would ruin business there.
Thanks for your time Mr Senator.
I can see a scenario where somebody announces thier web site was hacked. Then a greedy ambulance chaser threatens to sue for neglegence. In order to "prove" negligence, he'll supoena all you computer systems, drown you in bad press, and lock you in expensive legal battle. It'll be easier to pay him off, and thus a new industry is born.
"Your superior intellect is no match for our puny weapons!"
IF you are referring to the McDonalds Hot Coffee lawsuit, perhaps you need to read up on the facts of the case, the coffee wasn't merely hot, but was scalding.
From the link: The sweatpants Liebeck was wearing absorbed the coffee and held it next to her skin. A vascular surgeon determined that Liebeck suffered full thickness burns (or third-degree burns) over 6 percent of her body, including her inner thighs, perineum, buttocks, and genital and groin areas. She was hospitalized for eight days, during which time she underwent skin grafting. Liebeck, who also underwent debridement treatments, sought to settle her claim for 20,000, but McDonalds refused.
Sara
Designer, Gamer, Macgrrl in an XP World
Just don't conceal it.
How would you go about concealing a katana?
No, that's a bad analogy. A better one is if your car has a recall on its brakes, you don't get it fixed, and then get in an accident, Who is at fault?
Actually, the best analogy would be if you saw a news report saying "An automobile manufacturer warns that one of it's late-model vehicles might have a defect." It specifies neither which manufacturer, which vehicle, or even which part is affected. Now, when an Explorer blows a tire and kills a little league team, who's at fault?
The fault lies squarely with people still using MSIE and with OEMs for not bundling a proper web browser.
However, in a different context, Ed Foster does have a good point ... as he often does. In the case were sites have been compromised or used to spread malware, it is essential that the public be informed.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
You don't need to conceal a katana. I saw in this film once, they'll just let you take it right onto the plane with you.
Real Daleks don't climb stairs - they level the building.