March 2011 was a busy month with a number of very public announcements on systems being breached. These had different effects on each of us. This seems like a no-brainer. If you see someone's house is on fire, you let them know. Only the small company with the startled shop assistant haven’t fixed their Lizamoon problem. Despite a couple of follow-up emails to the company they are still compromised so I’ve been forced to block that site at our borders. That’s sadly a loss of income for them, but a necessity for us.
* e.g. things that could get me fired, arrested, dragged off to a dark room then forced to listen to pan pipes or anything mum wouldn't approve of
Chris Mohan --- Internet Storm Center Handler on Duty
Apr 7th 2011
- http://blog.sucuri.net/2011/04/lizamoon-mass-sql-injection-ur-php-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..." * http://sitecheck.sucuri.net/scanner/
Jack, Apr 7th 2011
This is something I do a few times a year: call about malware on their site, bugs on their site, etc. Often I have to tell even large companies how to fix things, as they have no troubleshooting skills in-house.
Most are happy, but there are the usual few "I don't care" people out there. They only care when their site is all the way down. And it is illegal to help them.
Povl H., Apr 7th 2011
I've had to do this in the past as well. I see it is part of the golden rule of treating others how you'd like to be treated. Hopefully if my company has an issue someone will have the decency to notify us in the case that we haven't caught it.
I've also located contact numbers and emails based on the whois lookup record though. I contact whoever is in there as the technical contact. That has always given me pretty good luck at contacting someone who knows what they're doing.
Povl H., Apr 7th 2011
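A small added example (not from the thread or from any poster) of the contact-lookup the comment above describes: parse a WHOIS record and pick notification contacts, technical contact first, skipping privacy-proxy placeholders. The record below is constructed; the "Key: Value" layout and field names are an assumption about the registrar's output format.

```python
import re

# Constructed sample WHOIS record: not a real domain, registrar or person.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Admin Name: J. Owner
Admin Email: owner@example-shop.test
Tech Name: Web Hosting NOC
Tech Email: noc@hosting.example
Tech Phone: +1.5555550100
Name Server: NS1.HOSTING.EXAMPLE
"""

# Assumed "Key: Value" line layout; keys are normalised to lower case.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$")
# Values that are privacy-proxy placeholders rather than real contacts.
PRIVACY = re.compile(r"redacted|privacy|proxy|whoisguard", re.I)
# Order in which to try roles: the tech contact is most likely to act.
ROLE_ORDER = ("tech", "admin", "registrant")

def parse_whois(text):
    """Return {field_name_lower: value} for every 'Key: Value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    return fields

def notification_contacts(text):
    """List (role, email, phone) tuples, tech first, then registrar abuse."""
    fields = parse_whois(text)
    contacts = []
    for role in ROLE_ORDER:
        email = fields.get(f"{role} email")
        if email and not PRIVACY.search(email):
            contacts.append((role, email, fields.get(f"{role} phone")))
    abuse = fields.get("registrar abuse contact email")
    if abuse:
        contacts.append(("registrar abuse", abuse, None))
    return contacts

def fallback_mailboxes(fields):
    """RFC 2142 role mailboxes to try when WHOIS yields nothing usable."""
    domain = fields.get("domain name", "").lower()
    return [f"{box}@{domain}" for box in ("abuse", "webmaster", "security")] if domain else []
```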
At StopBadware, we do a lot of work with website owners and hosting providers that have fallen victim to website compromise. For exactly the reasons you've described, we're doing a few things to try to make this process easier for both you, as a reporter, and for the site owner and hosting provider, as victims.
First, we're working to develop best practices for reporting of compromised or otherwise malware-infected websites. We'll be advised by a volunteer working group. Chris, if you're interested in participating (and I hope you are), please send us a note at contact<at>stopbadware<dot>org.
Second, we're trying to build a system that will allow someone who discovers infected URLs to report to a central location. The system will then parse the URL and whatever information we can collect (or have collected in the past) and attempt to notify the appropriate people and organizations, in accordance with the best practices.
Third, we offer educational content (http://www.stopbadware.org/home/security) and a volunteer online community (http://www.badwarebusters.org) that can help site owners or small hosting providers figure out how to clean up their sites (and remove their sites from blacklists, if applicable).
I think it's great that you went to the effort to identify and notify the site owners and provide them some guidance on your own. If more security professionals did this, compromised sites would get cleaned up far more quickly. Hopefully, some of the work we're doing—with the support of the security community—will help make this easier for you and others in the future.
Povl H., Apr 7th 2011
I'm not sure of the answer.
If I wake up one morning and find a strange looking tube with some big round tanks mounted on the roof of my car, I'm free to ignore it and drive to work per normal. However, when I later drive back home and discover that every house along my route has burned to the ground, and when a neighbor asks me why I put a flame-thrower on the roof of my car and burned down their house... ...well, what *should* happen when I deny that my car is related to those fires, and when I continue to drive it to work the next day? Am I free to napalm your house again and again, simply because I'm either incompetent, or because it'd be inconvenient for me to stop? At what point should I be prosecuted as being complicit?
Steven, Apr 7th 2011
> we're doing a few things to try to make this process easier for both you, as a reporter, and for the site owner and hosting provider, as victims.

I, for one, would love to see that happen. I come across many malware infected sites on a daily basis as part of my job as a Security Lead Analyst and, unlike Chris, my company does have an anti-disclosure policy. I therefore, being the good netizen that I am, inform the infected sites of the problem and mitigation without disclosing the company I work for. 99.999% of the time I am ignored - probably brushed off as spam/phishing/nut-case/extortionist - so I have to end up going down the public disclosure avenue. That is a minefield, reporting to - Malwaredomainlists, VirusTotal, McAfee GFI, Bluecoat, BadwareBusters, Sophos, F-Secure, Kaspersky, ad nauseam - while blocking and updating my own defences. I know some communication between these organizations exists - but the time to mitigate can be a while. And when you have major websites - like one here, I found in the UK, taking 3 weeks to mitigate a Zeus/ZBot drive-by from their site - thousands could have been infected. A one-stop shop of reporters and the infected would be a godsend.
Steven, Apr 8th 2011
Seems to me that this (as with most things) falls under the purview of "The Golden Rule" i.e. What would you want someone to do if the situation were reversed? Keep in mind also that you (in the reversed role) aren't the tech guru in some cases. It seems as though Chris acted appropriately.
Anonymous, Apr 8th 2011
I also see an ethical issue here, especially for those of us who subscribe to a particular code of ethics because of a membership in a security organization or holding a certification (ISC2, ISACA, SANS, etc.)
I'm not saying that I think we are ethically bound to contact every hacked site we encounter. There are just too many of them, and we would not be living up to our commitments to our own employers. What I am saying is that I would find it to be ethically questionable for a security professional to have a policy of never contacting such sites.
John, Apr 8th 2011
I have mostly given up with notification - it appears to be ignored 99% of the time (no "thank-you" responses, no fixes)
Big companies don't seem to care, and small ones... "I don't understand this hacked thing, so instead of contacting my webmaster [brother in law] who hasn't a clue either we will just ignore it. And 'sploits only affect other people." So the luggage website continues to hawk boner pills, warez, and malware. And yet these websites want to be "trusted". They NEED to be trusted due to their idiotic, and mostly unnecessary, use of js, ajax, flash, silverlight, java, 3rd party cookies, and other "ooo! shiny keys" which requires me to turn off multiple layers of defense to even view their homepage.
lurk, Apr 9th 2011