Bridging the awareness gap: the need for better communications in the anti-malware space (Part 2)

This is the second half of a two-part blog post. For exposition, see “Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1).”

One person who read The New York Times’ first piece on Dr. Epstein’s battle with Google’s security warnings remarked on the Times’ follow-up piece that “The day is fast approaching (or may have already passed) when the problem surmounts any attempt to solve it…when the utility of the Net is overwhelmed by ubiquitous evil.” The despair is understandable, but I don’t believe in throwing in towels—and neither does StopBadware. Technology will continue to evolve on both sides of the malware battle, but the real hard part here isn’t technological—it’s creating a fundamental shift in social behavior. Thus, we come to the crux of the issue as I see it. To create awareness and effect behavioral change that mitigates the malware problem, better communication isn’t just desirable; it’s absolutely and undeniably essential.

So, what to do? A by-no-means-complete list of suggestions:

  • Better branding and clearer explanations on interstitial malware warnings. I take it for granted that malware warnings exist for a good reason and that highly experienced blacklist operators like Google have false positive rates so low they’re basically negligible. If I see a warning, I run the other way. I know at least three different places to look for warnings before I navigate to a site directly. I’m a product of my work environment (and, harkening back to yesterday’s whole “litigious society” bit, I’m liable for what I, as an employee of a security organization, expose my work computer to—and like many others employed by nonprofits, my work computer also happens to be my personal computer, so this liability is round-the-clock). That said, even I get confused by the various warnings. It’s inordinately difficult to figure out who’s issuing a warning, where to go for more information about the source of that company’s warnings, and perhaps most importantly, why a malware warning looks so little like anything else that particular company produces. When I explain to people who’s issuing various warnings, my explanations are frequently met with suspicion: “This doesn’t have the same colors or look like anything else (insert company) makes.” No kidding. If I were a webmaster unfamiliar with malware warnings and I encountered one of these ambiguous interstitial pages whilst navigating to my own site, I’d suspect foul play, too. Yes, claiming clear and decisive ownership of blacklists and/or malware warnings is unsavory; so was the need to maintain/issue them in the first place, but far-sighted companies like Google, Mozilla, and others did it for the good of their customers anyway.  Anti-malware technology continues to evolve; malware warnings need to evolve, too.
  • Clearer differentiation between PC security and website security. When I explain to family and friends what I do, I’m perplexed when almost nobody understands the difference between protecting a website and safeguarding a computer. StopBadware employees see this lack of understanding frequently: owners of compromised sites don’t understand that their desktop anti-virus does nothing to protect (or detect malware on) their websites. Within the security community, the differentiation is often simply assumed. Clarification costs a measly extra sentence or two, if only we could program ourselves to consistently ask whether it might be beneficial.
  • Better information, in more places, more often. On a recent Partners Forum call, someone in our partner community had the inspired idea of coordinating a website security awareness day, on which participating security (or non-security) organizations would post on their blogs about the pervasiveness of site compromise and how to both prevent and deal with it. The security community can do a lot to bridge the understanding gap merely by talking about how and why site compromise occurs. That said, “teachable moment” information for webmasters might prove much more effective. For instance: highlighted “Security” sections of control panels and other site management applications; security tutorials for new customers who sign up for blogging platforms, web hosting, and other website services; clear, easy-to-understand information about malware websites on social media sites where users are frequently sharing links and creating trends.
  • Reiterate, reiterate, reiterate. Also, reiterate. We’re as guilty of this omission as anyone else. An occasional blog post or compelling mainstream media article on the unfortunate prevalence of hacked sites isn’t enough to make a real dent in the awareness problem. If those in the security space want to see a collective light bulb start to flicker, whether it hangs over the heads of webmasters or resellers or end users, then the most important strategy is repetition, pure and simple.
  • Man up, and own up. 2011 was widely hailed as the Year of the Data Breach. Smart companies caught on eventually that silence was anything but golden as PR strategies went; those who immediately acknowledged security breaches and provided quick support to customers were lauded as upstanding organizations who valued honesty and put the welfare of their customers above their own fear of losing face. Fair enough—so why should admitting to a site compromise be any different? Over the past year and a half, we’ve seen warnings issued about major university websites, the London Stock Exchange, the photography section of National Geographic, and even The New York Times website. This is definitively not a phenomenon limited to small-time websites with feckless owners who bask in their own ignorance. We encounter some brave people from time to time, and many of them are consumer webmasters; they acknowledge what happened, advise their visitors to heed the warnings until the problem is resolved, and then post their stories afterward. If every webmaster with a compromised site posted a short narrative about his or her experience—heck, if even a small fraction of them did—the amount of time spent explaining malware warnings and what they mean would probably be cut in half.

On that last point, it’s worthwhile to mention that high-traffic sites in particular have a golden opportunity to promote some real understanding after they’re compromised.  Big-name sites that are warned about, however transiently, can make lemonade by turning their misfortunes into social change leadership. Can you imagine the results if high-traffic websites, like The New York Times or Comcast (whose corporate page was briefly blacklisted by Google last week), posted a short explanation and linked to information about website compromise after the fact? As StopBadware friend and BadwareBusters moderator Redleg says, “Your silence is a hacker’s best friend.” That goes for the big guys, too. Disclosure isn’t a strategy for survival in this case; it’s a strategy for transcendence.

In the security world, aphorisms to the effect of “You can’t secure the end user” (or, as it were, the consumer webmaster) are commonplace.  As the sole non-techie in an office full of computer security fanatics, this frequent and largely impractical dichotomization of IT consumer vs. IT expert annoys me more than it does my colleagues. In the current climate, essentially everyone is at risk. Sites belonging to or run by the experts are as liable to be hit with a malvertising campaign or other compromise as a novice blog. At StopBadware, we consider webmasters to be an underserved constituency. Many of them are grappling in the dark when it comes to security, not because they’re inept but because website security is a space with so little consistent illumination. Expecting site owners like Dr. Epstein to know how to respond when suddenly faced with a malware warning is a bit like peering through a tiny peephole in a mile-long fence. What you can see is not all there is, but it can seem like it if you never knew there was another side of the fence to begin with.

In the wake of his ordeal, the single most courageous and far-reaching action Dr. Epstein could choose to take is to tell his visitors—or The New York Times—how he cleaned up his site and why his first instinct was to blame (and then sue) instead of to believe there was really a problem. A reasonable explanation of the factors that led him to believe he was being wronged by Google could go a long way toward illuminating which parts of the awareness problem need to be tackled first. From where I sit, his reaction wasn’t without logical foundation, even if the legal foundation was absent.
