Our conversation with Commtouch resulted in our designing a joint survey aimed at site owners; from November 2011 to the end of January 2012, we offered the survey, through a variety of outlets, to webmasters whose sites had been compromised. At the end of the survey period, we had collected responses from more than 600 webmasters who provided us with stories about their experiences. Today, StopBadware and Commtouch published a new report based on this survey data: Compromised Websites: An Owner’s Perspective highlights webmasters’ struggles with hacked sites and presents statistics and opinions from site owners.

A few highlights from the survey:

• About half of the site owners surveyed discovered the hack when they attempted to visit their own site(s) and saw a browser or search engine warning.
• 26% of the respondents had not figured out how to resolve the problem at the time they completed the survey.
• 40% of site owners changed their opinion of their web hosting provider following a compromise.

Author: Anirban Banerjee, Co-founder at StopTheHacker
Contributor: Oliver Bock, Marketing Director at StopTheHacker

Thousands of websites are blacklisted on a daily basis. Many of these blacklisted websites are legitimate businesses, online portals, academic sites, entertainment outlets and more. the blacklisting often occurs as a result of the sites getting hacked and having malicious code injected without the permission of the websites’ owners. In this article we provide some best practices to help website owners stay safe and stay off blacklists—like Google’s Safe Browsing blacklist.

Why do sites end up on blacklists?
Malicious hackers and automated bots infect websites with malicious computer code (i.e., web malware). Security companies, search engines, browser manufacturers, and others will prevent or deter users from visiting these compromised sites in order to protect those sites’ visitors. Hacked websites may also be used to launch spam and phishing campaigns. For example, a compromised site might try to convince Internet users to visit a fake banking page, buy pharmaceuticals, or something similar. This can cause sites to be blacklisted, too.

How do sites get hacked?
Websites can get hacked and compromised in many ways. Below are some of the primary methods.

1. Poor choice of passwords. A lot of website owners use simple passwords. In a 2011 large-scale password analysis study, “123456″ was found to be one of the most common passwords used. Choosing weak passwords leaves webmasters vulnerable to brute force attacks, where criminals try to log in using tools that try every easy-to-guess password.
2. Insecure FTP connections. Many sites are infected after the FTP password and username are sniffed by a silent Trojan/rootkit that has been installed on the computer of a website administrator. Once a username and password are obtained, they’re automatically passed on to a master controller (e.g., through an IRC chat room). This malicious actor accesses the website and infects the site with malware.
3. Web application vulnerabilities. A lot of websites use Web 2.0 functionality in order to create a rich experience for users. This functionality takes many forms: posting comments (on blogs or Facebook, for example), signing up for newsletters, filling out support forms, and live chatting with others, to name a few. The applications that make these rich functionalities possible can all be avenues for malicious code injection, especially if they are not kept up to date.
4. Third party add-ons. Third party add-ons for websites have become extremely popular for their ability to provide more interesting site functionality. Add-ons can offer functions like dynamic IP geolocation, image resizing, and much more. These third party pieces of code may harbor vulnerabilities that the original website owner may not even be aware of. Many webmasters might not realize that third party add-ons need to be updated in addition to software like WordPress or Joomla.
5. Server level vulnerabilities. A large number of web servers on the Internet run vulnerable software, such as easily hackable FTP software. Sometimes, even though website and server administrators know about vulnerabilities in the server software, they forget to patch these security holes—leaving them vulnerable to hacks. These issues are primarily related to server setup and configuration. Improper permissions settings can give malicious hackers access to files they shouldn’t be able to get to.

StopTheHacker, a leading provider of website security services, will be joining our partner community as a Sponsoring Partner. The dedicated StopTheHacker team has been in our orbit for quite some time already: they’ve been active and valued participants in our online community forum for several years already and were also part of our expert web host working group. In addition to financial support, StopTheHacker will offer StopBadware access to their proprietary web malware scanning technology; this will help us detect malware more quickly and accurately during our independent review process. Given our shared interests in preventing and remediating badware websites and supporting webmasters, we’re thrilled to welcome StopTheHacker to our official list of partners.

Arbor Networks, a well-known and highly respected name in security, has also joined our roster as a Sponsoring Partner. We’ve worked with representatives in a (mostly) unofficial capacity before; needless to say (we’ll say it anyway!), we’re quite pleased to formalize the relationship by welcoming them as a partner. Arbor Networks has a history of experience and excellence in the security industry; their entry to our partner discussions, and particularly our Partners Forum, will undoubtedly be invaluable.

If you’ve been paying attention to our blog or other outlets, you may have noticed that the past several months have yielded a windfall of new partners and enhanced engagement opportunities. This is fantastic news for StopBadware and, we believe, for our constituencies at large. To keep an eye on our growth, see http://www.stopbadware.org/partners.

StopTheHacker has a press release mentioning the partnership available here.

This is the second half of a two-part blog post. For exposition, see “Bridging the awareness gap: the need for better communications in the anti-malware space (Part 1).”

One person who read The New York Times’ first piece on Dr. Epstein’s battle with Google’s security warnings remarked on the Times’ follow up piece that “The day is fast approaching (or may have already passed) when the problem surmounts any attempt to solve it…when the utility of the Net is overwhelmed by ubiquitous evil.” The despair is understandable, but I don’t believe in throwing in towels—and neither does StopBadware.  Technology will continue to evolve on both sides of the malware battle, but the real hard part here isn’t technological—it’s creating a fundamental shift in social behavior. Thus, we come to the crux of the issue as I see it. To create awareness and effect behavioral change that mitigates the malware problem, better communication isn’t just desirable; it’s absolutely and undeniably essential.

So, what to do? A by-no-means-complete list of suggestions:

• Better branding and clearer explanations on interstitial malware warnings. I take it for granted that malware warnings exist for a good reason and that highly experienced blacklist operators like Google have false positive rates so low they’re basically negligible. If I see a warning, I run the other way. I know at least three different places to look for warnings before I navigate to a site directly. I’m a product of my work environment (and, harkening back to yesterday’s whole “litigious society” bit, I’m liable for what I, as an employee of a security organization, expose my work computer to—and like many others employed by nonprofits, my work computer also happens to be my personal computer, so this liability is round-the-clock). That said, even I get confused by the various warnings. It’s inordinately difficult to figure out who’s issuing a warning, where to go for more information about the source of that company’s warnings, and perhaps most importantly, why a malware warning looks so little like anything else that particular company produces. When I explain to people who’s issuing various warnings, my explanations are frequently met with suspicion: “This doesn’t have the same colors or look like anything else (insert company) makes.” No kidding. If I were a webmaster unfamiliar with malware warnings and I encountered one of these ambiguous interstitial pages whilst navigating to my own site, I’d suspect foul play, too. Yes, claiming clear and decisive ownership of blacklists and/or malware warnings is unsavory; so was the need to maintain/issue them in the first place, but far-sighted companies like Google, Mozilla, and others did it for the good of their customers anyway.  Anti-malware technology continues to evolve; malware warnings need to evolve, too.

• Clearer differentiation between PC security and website security. When I explain to family and friends what I do, I’m perplexed when almost nobody understands the difference between protecting a website and safeguarding a computer. StopBadware employees see this lack of understanding frequently: owners of compromised sites don’t understand that their desktop anti-virus does nothing to protect (or detect malware on) their websites. Within the security community, the differentiation is often simply assumed. Clarification costs a measly extra sentence or two, if only we could program ourselves to consistently ask whether it might be beneficial.

• Better information, in more places, more often. On a recent Partners Forum call, someone in our partner community had the inspired idea of coordinating a website security awareness day, on which participating security (or non-security) organizations would post on their blogs about the pervasiveness of site compromise and how to both prevent and deal with it. The security community can do a lot to bridge the understanding gap merely by talking about how and why site compromise occurs. That said, “teachable moment” information for webmasters might prove much more effective. For instance: highlighted “Security” sections of control panels and other site management applications; security tutorials for new customers who sign up for blogging platforms, web hosting, and other website services; clear, easy-to-understand information about malware websites on social media sites where users are frequently sharing links and creating trends.

• Reiterate, reiterate, reiterate. Also, reiterate. We’re as guilty of this omission as anyone else. An occasional blog post or compelling mainstream media article on the unfortunate prevalence of hacked sites isn’t enough to make a real dent in the awareness problem. If those in the security space want to see a collective light bulb start to flicker, whether it hangs over the heads of webmasters or resellers or end users, then the most important strategy is repetition, pure and simple.

• Man up, and own up. 2011 was widely hailed as the Year of the Data Breach. Smart companies caught on eventually that silence was anything but golden as PR strategies went; those who immediately acknowledged security breaches and provided quick support to customers were lauded as upstanding organizations who valued honesty and put the welfare of their customers above their own fear of losing face. Fair enough—so why should admitting to a site compromise be any different? Over the past year and a half, we’ve seen warnings issued about major university websites, the London Stock Exchange, the photography section of National Geographic, and even The New York Times website. This is definitively not a phenomenon limited to small-time websites with feckless owners who bask in their own ignorance. We encounter some brave people from time to time, and many of them are consumer webmasters; they acknowledge what happened, advise their visitors to heed the warnings until the problem is resolved, and then post their stories afterward. If every webmaster with a compromised site posted a short narrative about his or her experience—heck, if even a small fraction of them did—the amount of time spent explaining malware warnings and what they mean would probably be cut in half.

On that last point, it’s worthwhile to mention that high-traffic sites in particular have a golden opportunity to promote some real understanding after they’re compromised.  Big-name sites that are warned about, however transiently, can make lemonade by turning their misfortunes into social change leadership. Can you imagine the results if high-traffic websites, like The New York Times or Comcast (whose corporate page was briefly blacklisted by Google last week), posted a short explanation and linked to information about website compromise after the fact? As StopBadware friend and BadwareBusters moderator Redleg says, “Your silence is a hacker’s best friend.” That goes for the big guys, too. Disclosure isn’t a strategy for survival in this case; it’s a strategy for transcendence.

In the security world, aphorisms to the effect of “You can’t secure the end user” (or, as it were, the consumer webmaster) are commonplace.  As the sole non-techie in an office full of computer security fanatics, this frequent and largely impractical dichotomization of IT consumer vs. IT expert annoys me more than it does my colleagues. In the current climate, essentially everyone is at risk. Sites belonging to or run by the experts are as liable to be hit with a malvertising campaign or other compromise as a novice blog. At StopBadware, we consider webmasters to be an underserved constituency. Many of them are grappling in the dark when it comes to security, not because they’re inept but because website security is a space with so little consistent illumination. Expecting site owners like Dr. Epstein to know how to respond when suddenly faced with a malware warning is a bit like peering through a tiny peephole in a mile-long fence. What you can see is not all there is, but it can seem like it if you never knew there was another side of the fence to begin with.

In the wake of his ordeal, the single most courageous and far-reaching action Dr. Epstein could choose to take is to tell his visitors—or The New York Times—how he cleaned up his site and why his first instinct was to blame (and then sue) instead of to believe there was really a problem. A reasonable explanation of the factors that led him to believe he was being wronged by Google could go a long way toward illuminating which parts of the awareness problem need to be tackled first. From where I sit, his reaction wasn’t without logical foundation, even if the legal foundation was absent.

Recently, The New York Times published a story chronicling a webmaster’s fight with Google over a security warning Google had issued about his website. The main character in this story, Dr. Robert Epstein, woke up one day to a slew of emails from Google informing him that his site had been compromised, and that Google had begun showing a warning page to users who attempted to visit the site. Dr. Epstein, like so many website owners before him, became enraged at Google, convinced that the company had blacklisted his site in error. Unlike most webmasters in his situation, Dr. Epstein “responded to Google’s e-mail, this time copying Larry Page, Google’s chief executive; David Drummond, Google’s legal counsel; Dr. Epstein’s congressman; and journalists from The New York Times, The Washington Post, Wired and Newsweek.” He maintained that his site was harmless, accused Google of incompetence, and demanded that the warning be removed. Google informed him that his site was still infected and, of course, refused to remove the warning.

At StopBadware, stories like this are familiar—particularly to me, the resident communications specialist. I spend the first hour of most mornings clearing out our contact email inbox, responding to webmasters just like Dr. Epstein—logical, irrational, and everything in between—whose sites have been compromised by badware and blacklisted by Google (or our other data providers). They get to us by clicking a “for more information” link in the warnings; this is how I end up with pages of emails threatening to sue StopBadware, threatening to sue Google, and/or desperate for help understanding what happened and how to fix it. As misguided as the threats are, I can sympathize; they are not entirely unreasonable responses, for reasons I’ll explain a bit later on.

A follow up New York Times piece, titled “Readers and Experts Weigh In on a Site Owner vs. Google,” boiled commenters’ reactions down to two basic opinions on the issue: the first is that webmasters alone are responsible for the security of their sites; the second is that Google (and by extension other entities who own and operate blacklists) somehow “owes” its users help, or at least some two-way mechanism for dialogue, where blacklists are concerned.

For the record, we’ve always maintained that site owners are responsible for the security of their sites. And we’re squarely on the side of Google in this particular case: our executive director investigated Dr. Epstein’s site himself, as documented in the Times’ follow up post. The site was compromised. Visitors who ignored the warning (and visitors are able to ignore warnings, whether they’re from Google, Firefox, or several other browser makers who use Google’s blacklist to warn users of potentially harmful sites) would have been automatically redirected to a malicious Indian site. Moreover, while Dr. Epstein’s site is no longer on Google’s Safe Browsing blacklist, Google diagnostics indicate that Dr. Epstein’s site functioned as an intermediary for the infection of several other sites—two of which are presumably still infected and remain on Google’s blacklist.* And one further point: Google is a private company, and the warnings they issue themselves are, I believe, native only to their products (Chrome, Google Search, etc.). Other browsers that issue warnings do so because their makers have decided independently that protective measures are desirable and necessary. This is a conclusion that has been reached time and again by disparate companies because malware became a widespread enough problem that it couldn’t be ignored.

Okay, so what’s the problem here? Dr. Epstein was wrong, Google was right, site owners are responsible for their own site security, end of story. Right? Not quite.

The problem is that Dr. Epstein, like the webmasters filling the contact inbox I empty every day, probably had no idea malware infection was something he even needed to prevent on his website. He might never have heard of a “harmful site” before a strange screen and a shower of emails informed him that he was operating one. That lack of awareness is more than just his problem; it’s a collective problem, whether you own a website or not.

In a wired, fluid, and (let us admit) highly litigious society, the assumption of responsibility is a tricky and often risky thing. Individuals and organizations can register and set up a blog or website in a matter of minutes, and rarely in those minutes does anyone or anything freeze the process and give those unsuspecting people a lecture about website security. When end users visit a compromised site, malware frequently installs instantaneously and with few (if any) visible signs; in most cases, site owners certainly don’t want their visitors put at risk, but we’re visual creatures, and it’s hard to believe in the legitimacy of something we can’t see and whose damage we can’t accurately assess. And finally, there’s a pervasive stigma around assuming responsibility for website hacks, even after infections have already been verified and addressed. Denial upon notification, silence upon resolution: this, it seems, is the norm.

Over the past year and change, I’ve populated a list of ways communications can improve in the anti-malware space and, in doing so, reduce the awareness gap that poses such a problem. Tomorrow, part two of this article will enumerate some key ways industry and the public sector (for starters) can evolve their communications approaches.

*At time of writing

]]> http://blog.stopbadware.org/2012/01/23/bridging-the-awareness-gap-the-need-for-better-communications-in-the-anti-malware-space-part-1/feed/ 6 http://blog.stopbadware.org/2012/01/19/sotn-2012-not-just-sopa/ http://blog.stopbadware.org/2012/01/19/sotn-2012-not-just-sopa/#comments Thu, 19 Jan 2012 17:14:34 +0000 imeister http://blog.stopbadware.org/?p=491 Continue reading →]]> It was my privilege to spend Tuesday in Washington, DC for the Congressional Internet Caucus Advisory Committee‘s State of the Net Conference 2012, which definitely reflected the degree to which PROTECT-IP and SOPA loom large over the American Internet policy landscape, and to which many policy-shapers from across the political spectrum have woken up to how critical sound Net policy really is. There was a lot to love: the debates were full-throated, civil, and constructive; both panelists and attendees were clearly engaged and happy to be there; and if Paul Brigner of the MPAA is to be believed, the superlaser on the SOPA Death Star, pointed squarely at the integrity of the global DNS, is going offline as soon as the bill hits the Senate floor.

There was also a surprising and very welcome amount of attention paid to section 230 of the Communications Decency Act. StopBadware has spilled some ink in the past over the degree to which the CDA at once protects Net infrastructure intermediaries in a valuable way, but, as drafted, does much to discourage self-policing when dealing with malware reports. In particular, Brian Cute (late of ICANN and now head honcho of Public Interest Registry, the stewards of .org) and John Morris (late of the StopBadware board and now at NTIA, the legal stewards of the root zone) spoke eloquently of the urgent need for infrastructure stakeholders to take good netizenship seriously, notwithstanding the current statutory status quo. For StopBadware, there was a lot to love.

My one big wish coming out of the conference, though, is that policymakers display somewhat more willingness to reframe the debates around SOPA, DNSSEC, CDA 230 (and various other wonky acronyms) in terms of service abuse. The problem that undergirds “rogue sites” (a term I have never heard used more times than in the opening plenary), whether they be fake pharmaceuticals, malware distribution, or “dedication to copyright infringement” (whatever that really means) is one of accountability. I believe, unreservedly, that when domain names or hardware under US jurisdiction is used to abuse the laws of the United States, the legal personality responsible for that abuse, or part of the problem, should be held to account in an Article III court. We need the real deal, with every due process protection imaginable, and with hefty, easily collectible default penalties if they ignore the court. In my view, holding intermediaries like domain name registrars, web hosting providers, and other infrastructure operators responsible for obfuscating or evading this bedrock principle of Western law is an important element of achieving this state of affairs. SOPA’s liberal construction of U.S. jurisdiction is, in this very limited sense, the right idea. It’s also important to maintain an accurate and universal directory of domain name owners and IP address lessees, with protections for owner anonymity but the ability to pierce its veil for good cause shown. (No more paper airplanes, please! We believe in anonymity too!)

So why doesn’t SOPA, or whatever alternative DC policymakers are considering, address the issue of domain name accountability head on? Why has Congress not laid out a statutory structure to govern disputes over Internet “land” when disputes over real property are some of the best understood legal frameworks anywhere? The solution could be deceptively simple. (As I’ll explain in a subsequent post, we’ve had the tools to fix this since the heyday of Anglo-Norman law.) Not that government intervention is necessarily required – yet.

This is where my question to Dr. Crocker, the chairman of ICANN, about WHOIS comes into play (as tweeted here). ICANN has the (bureaucratic and necessarily glacially-paced) tools to fix the accountability problem, as their own WHOIS Review Team has elegantly pointed out. But WHOIS records continue to list fake addresses or junk data, many registrars can’t be bothered to do anything about it (since they’re effectively on the take), and ICANN itself seems insufficiently motivated to use the tools at its disposal to force the issue. I hope to attend ICANN’s next public meeting in Toronto in October to observe and, if so permitted, to make the case for real WHOIS reform.

All told, however, it is an unambiguously positive development that the US government has made cybersecurity a legislative and executive priority, and StopBadware very much looks forward to working with everyone at the policy table to secure a safer Internet in 2012.

As many of you know, one of our core programs here at StopBadware is our independent review process, whereby website owners whose sites have been blacklisted by our data providers can request a review from us. Our team manually tests blacklisted sites, checking for false positives and other mistakes. this process promotes fairness and transparency for both blacklist operators and the webmasters whose sites are affected, and it’s extremely important to us to maintain the quality of our reviews. The website testing process for independent reviews is necessarily rigorous and time-consuming; happily, as part of the new partnership, SiteLock is providing StopBadware with highly customized malware scanning technology that will help us more quickly and accurately detect malware and streamline our independent reviews. This is great news for us, for our data providers, and for website owners.

We’ll doubtless work together in many different ways over the coming months, and we can’t wait to let you all know how we’re combining forces to make the Internet safer. Welcome, SiteLock!

SiteLock has a press release about the new partnership available at http://www.prweb.com/releases/malware/scanning/prweb9112336.htm

• Congress should revisit PROTECT-IP and CISPA with an eye towards addressing the problem of badware websites, and creating civil causes of action that allow motivated cybersecurity researchers to seek the suspension or revocation of domain names being used for malicious purposes.
• The FCC should use its statutory authority to promote greater data sharing among firms with cybersecurity data and an interest in maintaining the integrity of their networks, and should consider imposing sanctions on ISPs and hosting providers who act with reckless disregard for the health and safety of their networks.
• The Department of Commerce, as the legal guardian of the global DNS, should strongly encourage ICANN to adopt the recommendations of the WHOIS policy review team and act with all deliberate speed to improve the accuracy of the WHOIS system and the accountability of those who disregard it.

In cybersecurity practice, 2011 also saw a number of high-profile botnet takedowns: Rustock in March, Coreflood in April, and DNSchanger in November, among others. The FBI has successfully modeled a public-private partnership that places the government in the driver’s seat, draws on private sector expertise, and submits disputes about the legality of malware distribution to the appropriate judicial authorities. This is cause for celebration and substantial hope. In 2012, I hope that other companies well placed to assist the DoJ and FBI will go out of their way to do so, following Microsoft’s lead.

• By the numbers: Nearly 5 million people searching for information on preventing, identifying, and getting rid of badware found that information on our website. Those millions of people came from 211 countries and territories and spoke 204 different languages. Over 900 webmasters on our community forum, BadwareBusters.org, asked for and received help getting rid of bad code that had compromised their websites. Our blog flourished, and our social media following grew by an average of 55%. And if that weren’t enough, we also processed over 16,000 independent review requests from webmasters whose sites ended up on our data providers’ blacklists.
• We gained eight new partner companies this year, and all of them are fantastic, responsible, forward-thinking organizations dedicated to making the Web more open and secure: thanks for the great year, Verizon, Qualys, SoftLayer, Sophos, and Tucows! The other three we can’t yet tell you about yet (though you’re welcome to guess!), but look for announcements very soon. We also completely revamped our Partner Program so as to better engage and recognize our Partners. Have a look.
• We published our inaugural State of Badware report, which analyzed badware trends, identified systemic weaknesses in the security ecosystem, and discussed key ways industry and policymakers could evolve to make the Internet more resilient to badware. It also leapt tall buildings in a single bound.
• With advice from our cross-industry working groups, we developed and released two sets of industry best practices. Yep, count ‘em. Two: Best Practices for Web Hosting Providers: Responding to Badware Reports, and Best Practices for Reporting Badware URLs. These best practices were a big first step for us in creating a collaborative, realistic industry standard that helps both reporters and report recipients streamline the badware reporting process, from detection to cleanup.
• We commissioned a legal white paper on web hosting provider liability for malicious content from Harvard’s Berkman Center for Internet & Society; this helps allay hosting provider concerns about taking good faith steps to address badware on their networks.
• We launched the We Stop Badware™ Web Host program to recognize web hosting providers who are committed to security and to drive adoption of our web hosting best practices among the responsible hosts of the world. The program now has 28 participating providers from 13 countries across five continents. It’s a big step, both for us and for the hosting industry.
• We started a pilot reporting project, in which we reported URLs from our community feed in accordance with our Best Practices for Reporting Badware URLs. A research publication on the statistical results of this project will be forthcoming in 2012, but even preliminary results indicated that our initial foray into reporting was yielding a positive outcome.
• We made appearances! Our executive director graced multiple panels and conferences with his badware-busting wisdom, a few of us rocked out and raised badware-awareness (badwareness?!) at HostingCon in San Diego, and we hosted our first-ever dinner in the Bay Area to get an in-depth discussion going on the badware threat and what industry players can do to combat it.
• We got an award! Thanks to the ever-obliging Online Trust Alliance for bestowing us with the Online Trust Leadership Award for excellence in collaboration. We’re digitally blushing.

We also physically moved this year: we left our beloved shared office in Harvard Square and hustled on over to the Cambridge Innovation Center, where espresso flows freely and start-ups of all stages huddle in iPad-controlled conference rooms. Staff Technologist Isaac regularly abuses snack privileges and our raconteur Caitlin still can’t figure out how to use the office phones, but we have an office of our very own and two white boards on which we’ve already reinvented the Follow Friday Twitter hashtag. It’s from here that we’ll continue to build StopBadware and expand our badware karate chopping capabilities; with our amazing StopBadware Partners, hard working staff and intern, and lofty Board of Directors, the future is looking bright! 2011 has clearly been a big year for us (yeah yeah, we know—we said that last year, too). We’re feeling like 2012 will be even better.

We’re entering the New Year with our strongest group of StopBadware Partners yet. There’s still much to be done; if you’re interested in joining the discussion and the action in our partner community, let us know. We also welcome individual donations to help us continue and expand our existing programs.