Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Identifying Compromised Websites

 
wawadave

Posted: Thu Jul 15, 2004 10:21 am    Post subject: Identifying Compromised Websites

Identifying Compromised Websites

Thursday, July 15, 2004
By Ed Foster

An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.

In the wake of the Scob/Download.ject attack a few weeks ago, a reader wrote with an interesting observation. "The successful compromise of IIS 5.0 servers worldwide, leading to infection of many client machines visiting them that used IE web browser, has been covered massively," the reader noted. "It has also been widely reported that many popular and well known sites were infected, thus infecting their users. OK: WHO WERE THEY? … There appears to be a concerted cover-up. What this tells me is some heavy hitters were probably hit, they infected a whole lot of visitors, and they are now afraid of lawsuit city."

After some diligent searching, neither I nor the reader could find published reports with anything more than vague rumors about which sites were compromised and may therefore have deposited some serious malware on the computers of unsuspecting visitors. And no amount of Googling turned up even one website that had chosen to post a warning that it might have been compromised around June 24th. Was a code of silence in effect? If so, who was enforcing it?

So I made it my business to ask everyone who ought to know why the compromised websites were not identified during or after the outbreak. The one common theme in the answers I got, from both public and private sectors, was that those who deal with security threats like this have to keep the victims' identity confidential. Otherwise, they may not get the cooperation and the information they need the next time to warn others.

OK, I can certainly buy that when it comes to the early warning organizations like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT). "Our policy would be not to comment on a specific site, as the organizations we work with need to know we will maintain their confidentiality or we might not be able to provide this information in the future," said a US-CERT spokesperson.

I can even understand Microsoft saying they could only recommend I point enterprise and client customers to their webpage on the attack (http://www.microsoft.com/downloadject) for information on how to protect themselves. We can talk all we want about Microsoft's level of responsibility for our security woes, but one thing Microsoft can't be responsible for is publicly identifying which of their IIS customers were compromised.

But what about the websites themselves? If their only sin was not to be running the latest Microsoft software with the latest Microsoft patches (hey, let he who is certain he has every patch for every Microsoft product cast the first stone), I would think they'd feel some sense of responsibility to those who visited while they were compromised. Once they've fixed their site, why not issue a warning?

"I think it's a very good question, but it's kind of complicated," says Paul Kurtz, Executive Director of the Cyber Security Industry Alliance (CSIA), a public policy advocacy group for security products vendors. "It certainly seems like something a company might want to do, but what are the legal and the liability issues? And it brings up the issue of awareness, and whether you can wait to update."

"From a consumer perspective, you'd like to see a Better Business Bureau of the Internet where you can go find who has the best security, but we're just not there yet," says Marcus Sachs, Director of the Internet Storm Center of the SANS Institute. The compromised websites -- which he says included a number of well known sites but not, as rumored, biggies like eBay -- really aren't in a position to identify themselves. "Culturally that's just not acceptable behavior right now, and it would put the website at a great competitive disadvantage. And it could expose the Internet to something akin to the malpractice lawsuits you see in the medical field, and that could derail everything."

There's something missing here, though. Several observers pointed to a different analogy with the medical field, that of public health. If an outbreak of food poisoning is traced to a particular store or restaurant, for example, public health officials post notices on the establishment's door and make announcements through the news media. Yes, it's bad for business, but the public health has to come first.

The security health of the Internet should come first, too. If a website faces liability for inadvertently exposing visitors to a Trojan, shouldn't it face even more liability for keeping quiet when a warning might save some previous visitors from having their bank accounts drained?

Nobody wants to hear this, but I'm going to say it anyway. Those compromised but unidentified websites are sending a very clear warning about Internet security: industry self-regulation is always going to translate into industry self-protection. The Internet right now is a very sick place, and it's going to take some distasteful medicine to make it well.

========================================

Read this column on-line and post your own comments at http://www.gripe2ed.com/scoop/section/Columns, or write me directly at Foster@gripe2ed.com.

In my weblog this week:

Is Copyright Protection Constitutional?
Does DRM on software violate constitutional prohibitions against unreasonable searches and seizures and/or the deprivation of life, liberty, or property without due process of law?
http://www.gripe2ed.com/scoop/story/2004/7/13/0301/68024

Reduced Runtimes
Are free runtimes in danger of extinction? One Crystal Reports thinks so.
http://www.gripe2ed.com/scoop/story/2004/7/12/84442/9333

GripeLog Poll: Which Anti-Virus Vendor Do You Trust?
Computer Associates, F-Prot, Grisoft, Kaspersky, McAfee, Panda, Sophos, Symantec, or Trend Micro? Cast your vote and see the poll results at
http://www.gripe2ed.com/scoop/story/2004/7/10/163331/710

In the UnFairUse section:

Used News: Constitutional Protections, Hooked on Phonics Can't Spell Privacy
Jeff ponders why people use Internet Explorer.
http://www.gripe2ed.com/scoop/story/2004/7/12/44259/3146

========================================
Moore

Posted: Sat Jul 17, 2004 11:39 pm

Good post, nice to know no one's looking out for the internet users as usual, all we really are in their eyes are cash cows.




*****Locked By TeMerc*****