Identifying Compromised Websites
linuxwrangler writes "'An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.' Thus begins an interesting column in InfoWorld's Gripe Line in which Ed Foster discusses the astonishing secrecy surrounding the identity of the sites that were compromised by Scob/Download.ject and spreading malicious code to their visitors. As Foster notes, when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
The following web sites were infected: http://www.a=20 ]} } } }&..}=3Dr}'}"}[NO CARRIER]
They're probably too scared of being sued, or seeing the share price fall through the floor.
Unlike the food example, where bad food could kill you, a computer virus in your home machine won't, so they think it's best to cover it up and not admit to anything, by which time the user is more concerned with getting rid of the virus than working out where it came from.
-- Soruk
I suppose there's a lot to be said for open security policy, but people don't die from compromised serveritus.
If a site I ran was hacked, I sure wouldn't go out telling everyone about it, nor would I want anyone else to either. I'd want to handle things as quietly as possible, yet the article implies there's something wrong with that.
What's up with that?
-- d'arcy poirot
The question is, what is the most effective way to do so? Legislation? I prefer to keep as much power away from politicians as possible, and since companies have deeper pockets than I do it doesn't often work. Customer protest is effective, but you have to find out who caused the problem. The same with email campaigns.
Posts on Slashdot with links to the offending site might be the most effective because they can take down the infected server directly under the bombardment of thousands of page requests all at once.
Although this is not true of Scob/Download.ject, most malicious code is found on sites of ill repute (p0rn and w4r3z). Obviously most people don't admit to visiting these sites and thus the problems go unmentioned.
I, personally, feel that is a more problematic situation in terms of ultimately halting the spread of malicious code, not necessarily the unwillingness of reputable sites to go public about their (relatively few) malware/trojan/virus problems.
Here in the UK to serve people hot food you must have a certificate to show you know basic hygiene.
Should we force web administrators to prove they know how to keep their boxes clean?
If it can hurt/damage you or your property, then you should be informed.
If not, there's no reason for you to be informed.
Yes, the organizations should disclose the info, and for them, they have nothing to lose, since they are just a third-party security organization. But you can bet they then would be the target of lawsuits. Blame America's litigation-happy society for this paranoia.
There's 10 types of people in this world, those who understand binary and those who don't.
...for two reasons. First, an infected website has never killed anyone. Second:
when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected.
There is no such thing as a health department for your computer. There are virus tracking sites, spyware removal programs, sites that offer updates to your protection programs...lots of things to help kill active infections and keep you informed of current ones. But there is no "USDA stamp" for clean websites.
Nor can there be. The internet has bounds beyond a single country. Any office claiming to have jurisdiction over all websites would be ridiculous.
Weaselmancer
rediculous.
Yes, if a trojan silently installed itself as I innocently browse a web page from an infected web server, and if as a result of that my banking details are compromised and my bank account is emptied, it would be rather annoying.
I say, let them be identified, and let the lawsuits come. The article is wrong in implying that negligence to patch Windows is an innocent mistake. IT pros should either know to run a different OS or patch their Windows -- or they should be fired. Anything else is complete idiocy and they deserve to get the s**t sued out of them.
That being said, if this is found to be a vulnerability that MS never patched or patched improperly, the blame rests solely on them.
It seems like one could create a distributed site monitoring system for this purpose. A simple sandbox web app would periodically reload a list of sites and log a signature of either the contents or attempted actions encoded in the site. Each participant would offer to monitor a few sites in the background. A P2P comparison process would then correlate signature elements across sites -- peers would transmit their findings to other peers looking for something like Download.ject that appears as a new object/behavior across disparate sites. The peers could then alert each other across the mesh of the system when suspicious new objects show up.
Lacking a central authority, the companies would be powerless to shutdown publication of these types of security breaches.
Two wrongs don't make a right, but three lefts do.
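The peer-to-peer monitor sketched in the post above, written out as an added example (this is not code from the original thread or from any existing project). Each peer keeps the first snapshot of a site it watches as a baseline, extracts the externally loaded objects (script, iframe, object, embed and img sources) from later snapshots, and reports only the objects that were not there before. A correlator standing in for the gossip mesh flags any object that is reported as new on several distinct sites at once, which is the Download.ject pattern: one attacker-hosted script suddenly referenced from unrelated servers. Relative URLs are resolved against each site's own origin, so an identical relative path such as /logo.png on three sites stays three different objects and cannot cluster by coincidence. The site names, page snapshots and the injected URL are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urljoin

# Matches the src/data attribute of tags that make the browser fetch and
# execute or render remote content.
REF_RE = re.compile(
    r'<(script|iframe|object|embed|img)\b[^>]*?\b(?:src|data)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def extract_refs(site, html):
    """Return the set of (tag, absolute_url) pairs for externally loaded objects.

    Relative URLs are resolved against the site's own origin so that the same
    relative path on two sites is two distinct objects.
    """
    base = f"https://{site}/"
    return {(tag.lower(), urljoin(base, url)) for tag, url in REF_RE.findall(html)}


class Peer:
    """One participant: keeps the first snapshot of each watched site as the
    baseline and reports only objects that were not in it."""

    def __init__(self, name):
        self.name = name
        self.baseline = {}

    def observe(self, site, html):
        refs = extract_refs(site, html)
        if site not in self.baseline:
            self.baseline[site] = refs
            return set()
        return refs - self.baseline[site]


class Correlator:
    """Stand-in for the gossip mesh: aggregates 'new object' reports from peers
    and flags any object reported as new on at least min_sites distinct sites."""

    def __init__(self, min_sites=3):
        self.min_sites = min_sites
        self.sightings = defaultdict(set)  # (tag, url) -> sites reporting it as new

    def ingest(self, site, new_refs):
        for ref in new_refs:
            self.sightings[ref].add(site)

    def suspicious(self):
        return {ref: sorted(sites) for ref, sites in self.sightings.items()
                if len(sites) >= self.min_sites}


# Constructed sample data: four sites, two peers, one injected script that
# shows up on three unrelated sites; the fourth site only adds a new image
# from its own CDN, which must not be flagged.
INJECT = '<script src="http://injected.example/loader.js"></script>'
BASELINE = {
    "shop.example": '<html><img src="/logo.png"><script src="/app.js"></script></html>',
    "news.example": '<html><img src="/logo.png"><script src="https://cdn.news.example/a.js"></script></html>',
    "forum.example": '<html><img src="/logo.png"></html>',
    "blog.example": '<html><img src="/header.png"></html>',
}
LATER = {
    "shop.example": BASELINE["shop.example"] + INJECT,
    "news.example": BASELINE["news.example"] + INJECT,
    "forum.example": BASELINE["forum.example"] + INJECT,
    "blog.example": '<html><img src="/header.png"><img src="https://cdn.blog.example/promo.png"></html>',
}
PEERS = {"peerA": ["shop.example", "news.example"],
         "peerB": ["forum.example", "blog.example"]}


def run_demo(min_sites=3):
    """Two monitoring rounds: baseline, then a later snapshot whose new objects
    are gossiped to the correlator. Returns the flagged objects."""
    correlator = Correlator(min_sites)
    peers = {name: Peer(name) for name in PEERS}
    for name, sites in PEERS.items():
        for site in sites:
            peers[name].observe(site, BASELINE[site])
    for name, sites in PEERS.items():
        for site in sites:
            correlator.ingest(site, peers[name].observe(site, LATER[site]))
    return correlator.suspicious()


if __name__ == "__main__":
    for ref, sites in run_demo().items():
        print(f"NEW {ref[0]} {ref[1]} appeared on {', '.join(sites)}")
```

The threshold is the whole trade-off: one site adding a tracking script is routine, three unrelated sites adding the same third-party script in the same round is not. A real deployment would also need peers to pull the same site from different networks, since Download.ject-style injections can be served selectively, and would key the baseline on the object's content hash rather than its URL so that a changed script at an old URL is also caught.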
Watch, as the internet becomes more and more part of the infrastructure of the worldwide information systems, companies in the future will lobby for a similar bogus-security rationalization for keeping internet-infrastructure compromises secret.
Not that relevant to the article I suppose, but an interesting angle.
"'Yrch!' said Legolas, falling into his own tongue."
The Spanish variant is worse. It turns those funky upside-down question-marks at the beginnings of the sentence into little Microsoft MSN butterfly-man icons.
Can you imagine that. I know it makes me fearful.
fifth sigma, inc.
Slashdot was not one of the infected communities because we're not allowed to link to offsite graphics in HTML code on this site.
However, any community that does allow this, which is a factory-equipment feature in all of the major webboard packages, was at risk and most likely got hit. All it takes is one user posting an image on an infected server in a popular thread and that site would be spreading the virus to any reader who isn't running a properly protected computer.
Bottom line, the restaurant analogy is flawed... it wasn't anything done wrong in the kitchen, but rather it was a virus that was brought in and spread around by the customers. The solution to that would be a web equivalent of "No shirt, no shoes, no service" being that web boards shouldn't be allowing remote linking because of this possible threat vector... but, uh, try stuffing this genie back into the bottle.
eBay was among the notable victims because they allow remote image hosting. On the other hand, if they didn't they'd either be on the hook for all of the bandwidth or have to take the picture features out or at least scale it back. Since pictures are a key thing that makes auction prices higher and eBay's revenue mostly comes from taking a percentage of the auction result... I don't think that's gonna happen.
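What the "no remote linking" rule from the post above looks like when enforced on a web board, as an added example (not code from the thread or from any board package). Post HTML is rebuilt with the standard library's HTMLParser and any img tag whose src is not relative or on the board's own image hosts is dropped and recorded. Protocol-relative (//host/...) and javascript: sources fall through the same check and are dropped too, since both fetch from somewhere the board does not control. The allowed host and the sample post are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OffsiteImageFilter(HTMLParser):
    """Rebuilds post HTML, dropping <img> tags that point off the board's own hosts."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=False)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.out = []
        self.dropped = []

    def _allowed(self, src):
        p = urlparse(src)
        if not p.scheme and not p.netloc:
            return True  # relative path: served by the board itself
        # Anything else must be plain http(s) to a listed host; this rejects
        # protocol-relative //host/ URLs and javascript:/data: sources as well.
        return p.scheme in ("http", "https") and p.hostname in self.allowed

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if not self._allowed(src):
                self.dropped.append(src)
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def filter_post(html, allowed_hosts):
    """Return (cleaned_html, list_of_dropped_src_values)."""
    f = OffsiteImageFilter(allowed_hosts)
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped


# Constructed sample post: two legitimate images (one relative, one on the
# board's own image host) and two remote ones that must be removed.
BOARD_IMAGE_HOSTS = {"img.board.example"}
SAMPLE_POST = (
    '<p>Look at this &amp; that:</p>'
    '<img src="/uploads/42.png">'
    '<img src="https://img.board.example/43.png" alt="ok">'
    '<img src="http://evil.example/lure.gif">'
    '<img src="//evil.example/lure2.gif">'
)

if __name__ == "__main__":
    cleaned, dropped = filter_post(SAMPLE_POST, BOARD_IMAGE_HOSTS)
    print(cleaned)
    print("dropped:", dropped)
```

The eBay objection in the post stands: this only works if the board is willing to host (or proxy and re-encode) every image itself, which is where the bandwidth bill lands.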
Clearly you have never been a victim of identity theft and thus forced to spend years correcting the problem, all the while racking up debt. Certainly nowhere near as bad as death by food poisoning, but certainly a little more serious than reformatting your computer.
Finkployd
Disclosure of sites that were infected isn't the same thing as the owners being liable for damage done.
That is the troubling information that comes from this type of misreporting and nondisclosure when it comes to security issues involving computers. Other posters have compared this to food poisoning incidents at a restaurant. While not completely accurate, the real comparison would be if a newspaper stated that some restaurants had bad meat but they wouldn't report it due to the bad image this may give those businesses.
News organizations should not be concerned with the impact on a business's image!
Excellent timing of this; the Spokesman Review had an article a few days ago about how grocery store names in Washington state who got shipped potentially bad meat from the Mad Cow epidemic are being withheld, and the newspapers were denied their information requests on some obscure grounds. I'd say the website attacks are being treated like any similar situation.
"...when food-poisoning is traced to a store or restaurant the health-department makes every effort to inform those who may be affected. Shouldn't we demand the same when a business's server poisons our computer?"
Here's the key difference... when a food poisoning outbreak is detected, it's traced and made public because it has been investigated by a government agency, usually the health department, and that department has regulations and rules in place that tell them they have to publish said information.
When a website is compromised, the owner is not legally bound to tell the visitors anything, even if the visitors are suddenly susceptible to an attack. (I suppose they could conceivably sue for damages done to their computers, but that's a different avenue.) They are not bound by this, because they are not regulated by any government agency.
So, what's the solution? Have the gov regulate the interweb? Perhaps you have to have your site approved by a governing body before it can be made public? Do you have to get said body's approval every time you update a page? Where's it end?
Sure, in a perfect world, the owner of a site should make news of an attack public, but one of the great things about the internet is that it's left to the owner's discretion, not mandated by a government body. I think it's a fair tradeoff, IMHO.
...in Tijuana and don't wear a condom, you deserve what you get. Surfing the Internet with Internet Explorer is no less risky than unprotected sex in a cheap Tijuana whorehouse.
Serial Meta Moderator
"On the flip side, you could also be blamed for not keeping your computer patched, so it's your own fault for not securing your bank info."
If you're walking down the street, and someone beats you up and steals your money, does that mean that it's your fault for not taking karate?