PROTECT-IP, SOPA, and the real threat to national security

A substantial portion of the broader technology policy community has stepped up its efforts to raise awareness of the current debate surrounding the PROTECT-IP Act, pending in the Senate, and the Stop Online Piracy Act (SOPA), pending in the House. Our friends over at the Center for Democracy and Technology have produced an excellent summary of opposition views from a broad range of interested parties, including public-interest advocates like the EFF and ACLU, law professors, and the Global Network Initiative. We at StopBadware are squarely opposed to both bills.

Others have identified the manifold ways in which the bills violate traditional norms of notice, disregard procedural and substantive due process, seriously undermine hosting provider immunity under the CDA and DMCA, and threaten the health of the global Domain Name System. The House bill's co-sponsors, Reps. Lamar Smith (R-TX) and John Conyers (D-MI), seem oblivious to the threat it poses, claiming it addresses "critical intellectual property issues that relate to national security, public health and safety, and the expansion of respect for intellectual property abroad".

To claim that the bill will meaningfully improve America's national security posture is preposterous on its face — one must conflate risks to U.S. copyright holders with the national interest writ large — and, with the exception of rogue pharmacies, very few infringing websites facilitate threats to public health. But let's take SOPA’s sponsors at their word for a minute and consider it a given that they want to make a serious attempt to address these important issues. Why wouldn't they target websites distributing badware instead?

Let me be clear: even if, ceteris paribus, PROTECT-IP and SOPA targeted malware distributors rather than copyright infringers, they'd still be lousy bills. In all of its work, StopBadware strives to encourage private industry and regulators to respect the free speech and due process rights of Internet users, including web masters.

That said, Congress could do much more than it has to give the security community the power to take action (under strict judicial supervision) against operators of badware websites. Malware is indisputably a national security and public health issue. As we've mentioned before in The State of Badware, criminals can set up, co-opt, and maintain badware websites because control of the infrastructure that sustains them is split among webmasters, web hosting providers, ISPs, registrars, registries, and national governments. While security researchers can collect evidence of badware behavior on websites and inform appropriate parties (see our Best Practices for Badware Reporting for more on that), they have little power to compel these parties to take these reports seriously.

Imagine if Congress were to empower security researchers with civil causes of action like the ones PROTECT-IP and SOPA grant to copyright holders. For example, Congress might attempt any or all of the following:

  • require web hosting providers to disable access to malicious content they host;
  • require DNS providers to suspend nameserver services for domain names used primarily to spread badware;
  • require US-based registrars to suspend registrations of such domain names;
  • require US-based registries to revoke registrations of such domain names.

Drafting a statute like the above — one that respects issues of standing, free speech, and due process — would definitely pose a major challenge. (I suspect that's why PROTECT-IP and SOPA's sponsors made no attempt to do so.) Practically speaking, bringing successful challenges against recalcitrant infrastructure operators could be an expensive, time-consuming endeavor. But it might produce better results than the status quo.

Why? A primary effect of the Computer Fraud and Abuse Act (18 U.S.C. 1030) is to make it a crime to infect computers with malware. From this we can infer that computer owners have a right to be free of malware. In practice, as we know, pursuing responsible parties, or even determining with certainty who they are, exceeds prosecutors' technical and logistical resources. It brings to mind an ancient and well-loved principle of equity — that there can be no right without a remedy. Congress should seriously consider creating remedies that support this right and enforce it against entities who are otherwise complicit.

An approach like the one I've sketched out isn't without its pitfalls. U.S. courts have very little experience with the malware threat landscape, and judicially sanctioned interventions against malware distributors have been chiefly limited to large botnet takedowns, frequently with the assistance of security researchers and large corporations. (See our write-up on the role of government and private parties in the Coreflood takedown here.) Most day-to-day badware website takedowns occur through private persuasion, not judicial compulsion.

Yet given the growth and persistence of badware websites, the security community should take a long, hard look at the existing system of badware report handling and ask itself if private self-regulation has been effective at stemming the tide of the malware onslaught. Consider the global WHOIS system, which was theoretically intended to link domain names and IP addresses to the people responsible for their use (or abuse). Any badware website reporter will tell you that WHOIS results are rarely the end of an inquiry, and frequently contain outdated or outright fraudulent information. This makes investigation much harder, and is still no guarantee that a complaint will receive an airing from any party, much less an appropriate resolution. In short, we have an accountability problem: one can cry 'malware' all one likes, and no one has to listen.

Not so in the courts. If fraud, deception, negligence, and organized crime are properly the province of the judiciary in meatspace, why not in cyberspace?

I present this image of government regulation to the cybersecurity community as an invitation to prove to the U.S. government, and to the world, that it can bridge this trust and accountability gap itself. StopBadware has always sought to help embody the change we seek in the Internet through voluntary, collaborative efforts with industry experts (as in our badware reporting and web hosting best practices work). But bills like PROTECT-IP and SOPA should remind us that when the Internet community fails to act, intrusive and ill-informed legislation may seek to ‘solve’ our problems for us.

In short, we agree with others in our community who have come out forcefully against PROTECT-IP and SOPA. Not only do the bills fail to solve the problems they identify (and create massive new ones), but they also reflect completely misguided thinking on the root causes of those problems and ignore approaches that might solve them. SOPA’s sponsors want to improve cybersecurity by giving copyright holders a license to 'kill' infringers with no notice. We'd have them do it by giving malware victims their day in court.

StopBadware gains two new Partners: Sophos and Tucows

It’s December already! We’re not really sure how that happened, but we have good news to share, so we’ll postpone our calendar confusion. Over the past year and change, we’ve had the pleasure of working with a number of distinguished security experts and respected companies. Today we’re happy to report that two of those respected companies have decided to officially join the StopBadware Partner community: we happily welcome Sophos, a well-known leader in IT security, and Tucows, wholesale domain name registrar and a recognized leader in the Internet industry since 1994.

Both companies have long been active in the security space, and recently they’ve contributed knowledgeable members to our Malware Reporting Working Group, which advised us in the development of our Best Practices for Reporting Badware URLs. It’s part of our culture at StopBadware to seek out organizations and individuals who are committed to sharing knowledge and taking a community approach to security. Tucows and Sophos definitely fit that bill: we’ve benefited from working with both companies in the past, and we’re excited to further our collaboration with each of them as we prepare to ring in 2012. 

Collaborative survey on compromised websites

If you've been following us this past week, you may have seen a few blips about a survey we're conducting together with Commtouch on compromised websites. It's fairly common knowledge at this point that legitimate websites are frequently compromised by malicious actors and used to host malware. Infosecurity Magazine yesterday talked with Commtouch about a recent scam that used spam email campaigns and social engineering to convince users that their "Delta airlines booking was rejected." The emails used compromised sites as destination URLs to complete the scam and infect end users' computers.

It would be a great Thanksgiving present for us to go even a day without seeing dozens of legitimate sites that have been compromised without their owners' knowledge. Unfortunately, we're not there yet, but one of the best defenses the Web ecosystem has is information—and the sharing of that information. As one of our community forum moderators says, "Silence is a hacker's best friend," and shared knowledge is one weapon we'll brandish readily.

With that, we'll get to the point: if you're a site owner whose site has been compromised, please take a minute or so to answer a few quick questions about what happened, how you found out, and how your site was used. We're not collecting any identifying information (e.g., your name, email, or IP address), just the answers you provide and the date. A few fast answers about your experience can make a difference in the way we and others help defend the Internet ecosystem from badware and its distributors. 

Take the survey here!

A very happy and safe Thanksgiving to all of you in the U.S., and an equally happy and safe non-Thanksgiving to everyone outside the U.S. We're grateful for a lot of things this holiday, and the outstanding participation, collaboration, and feedback we receive from our community is at the top of our list.

Supporting a voluntary code for ISPs

Earlier this week, we submitted comments in response to a request for information from the U.S. Departments of Commerce and Homeland Security. The topic was development of a voluntary code of conduct for industry, particularly ISPs, to help address botnets. The RFI follows similar national efforts in Australia, Germany, and Japan.

StopBadware, of course, already helps to reduce the threat of botnets by helping to prevent and clean up websites that deliver malware to end users. That said, there’s much still to be done, and we support the approach broadly proposed by the government’s RFI. Here’s a brief summary of our comments:

  • Prevention of malware infection is multi-faceted, including everything from cleaning up badware websites to educating end users. We detail several of these facets, highlighting examples of effective tools and approaches within each.
  • When discussing industry-driven initiatives, it is critical to look to users’ needs. We use our experience working with owners of compromised websites to suggest how industry can effectively meet the needs of users whose devices have been infected.
  • A voluntary code of conduct for ISPs is a good step, but there are several opportunities where pooled resources could do more than each industry player working independently. We suggest three such cases and argue that independent non-profit organizations are better suited than for-profit companies or government to offer such resources.

Here’s the full set of comments. Please let us know if you have any additional thoughts on this topic!

20 providers. 10 countries. 5 continents. 1 goal.

Two months after its launch in August, our We Stop Badware™ Web Host program has garnered 20 hosting providers from around the world who have pledged to protect their networks and their customers by responding decisively to badware reports. We’re impressed and encouraged by the diversity of the providers who have voluntarily pledged to implement policies and procedures consistent with our best practices. We Stop Badware™ now boasts participating providers from 10 countries on 5 continents, and participants include everyone from small providers who pride themselves on uncompromising security to several of the largest web hosting companies in the world. We at StopBadware know what a crucial role web hosting providers play in both badware prevention and remediation; in fact, we’ve submitted badware reports to several of these companies ourselves, so in some cases we can vouch firsthand for their responsiveness. We commend these providers for their commitment to security and collaboration.

We Stop Badware™ Web Host participants:

  • 13StudioHost (Portugal)
  • Blacknight (Ireland)
  • Coolhandle Hosting (United States)
  • Daycohost (Venezuela)
  • DiscountASP.Net (United States)
  • Host TugaTech (Portugal)
  • InlandHost.NET (India)
  • InNucleo, Alojamento Web (Portugal)
  • Serverminds (Netherlands)
  • SoftLayer* (United States)
  • SpeedPartner GmbH (Germany)
  • tetoOnline (Portugal)
  • Texo Web Hosting (South Africa)
  • TVCNet (United States)
  • VEXXHOST (Canada)
  • WebTuga Hosting (Portugal)
  • WinHost (United States)
  • WiredTree** (United States)
  • World4You.com (Austria)
  • ZoneGS (Portugal)

*StopBadware Sponsoring Partner

**Previously recognized for exemplary responses to badware reports

A few points we’ll reinforce, at (acceptable) risk of sounding like a broken record: 

Websites are prime attack vectors. Hosting providers who address malware on websites within their zones of control protect countless users and additional website owners from infection. Self-evident? Perhaps. Still, we’ve been aware from the beginning that web hosting providers operate within an extraordinarily competitive market and are often subject to diverse legal constraints. We also recognize that hosting providers are frequently the first to feel the ire of site owners whose domains have been infected, blacklisted, or taken down. In a competitive market, taking responsible action shouldn’t ever mean losing business. For this reason, we publicly acknowledge and commend web hosting providers who commit to doing their part to stop badware, and we work hard to educate site owners about badware prevention and remediation. 

On that note, this one’s for the site owners (and future site owners): your web hosting provider matters, and not just to you. Hosting providers who take action to limit malicious content on their networks benefit you individually—whether your site is currently infected or not—and the Internet as a whole. Security isn’t just a consideration; it’s a necessity. Is your hosting provider on this list? If not, why? 

StopBadware’s Best Practices for Web Hosting Providers, on which the We Stop Badware™ Web Host program is based, are designed to be implementable by hosting providers of every size and type. To address concerns about legal liability for malicious content on providers’ networks, we commissioned a legal whitepaper from the renowned Berkman Center for Internet & Society at Harvard University. The white paper, the best practices, and additional resources for web hosting providers are available at http://www.stopbadware.org/best-practices/web-hosting-providers. Learn how to sign up for the We Stop Badware™ Web Host program here. Free resources for site owners who want to prevent or remove badware on their websites are available here.

New best practices for reporting badware URLs

We’re happy to announce today the public release of our second best practices document: Best Practices for Reporting Badware URLs. These best practices lay out steps that individuals and organizations can follow to effectively report badware URLs to the parties best able to address them. 

The seeds for our new set of best practices were sown during the development of our Best Practices for Web Hosting Providers earlier this year. A common question during our Web Hosting Working Group’s tenure was, “What about best practices for reporting?” The reasoning behind the question was simple: after spending several months determining the most responsible and effective ways for web hosting providers to respond to badware reports, it seemed eminently sensible to develop a complementary set of best practices for reporters so as to shape a clear path all the way from badware detection to resolution. 

After a summer full of discussion with another brilliant and distinguished cross-industry working group, we have a new set of Practices that we feel we can confidently say are “best” when it comes to reporting badware URLs. Our best practices divide the reporting process into four main stages: determining report targets, identifying contact information, assembling contents, and delivering the report. Best practices are laid out for each stage, along with specific steps for report escalation should initial reports fail to receive a satisfactory response. It’s our intention and our hope that the final document will promote reporting in a way that’s useful to hosting providers and other report recipients while offering reporters both clear instruction and flexibility.

Last month, we wrote that “a full 67% of the URLs we reported [in accordance with the reporting best practices] were cleaned up, many within a short time.” Happily, that statistic is holding steady as our sample size (and our reporting experience) increases; moreover, when the report recipient acknowledged receipt of the report, the badware URL cleanup rate jumped to 75%. Our Best Practices for Reporting Badware URLs take a different approach than the Best Practices for Web Hosting Providers, but the goal, of course, is the same: to get badware URLs noticed, acknowledged, and either cleaned up or taken down—quickly and responsibly.

You can download a copy of StopBadware’s Best Practices for Reporting Badware URLs here. Today’s press release is available here.

Why Finland has so little malware

Tim Rains from Microsoft’s Trustworthy Computing group recently posted an excellent series of short blog posts titled Lessons from Some of the Least Malware Infected Countries in the World. Tim asked local security experts in each of these countries why they believed their nations were consistently lower than most on Microsoft’s “Computers Cleaned per Mille (CCM)” measure. A brief summary of the findings can be found here, but I encourage you to read the six-part series. (None of the individual parts is more than a couple of pages of text.)

One interesting tidbit is that there is not necessarily a correlation between low PC infection rates (as measured by CCM) and low rates of badware websites (as measured by either malware hosting sites per thousand hosts or drive-by download sites per thousand hosts). This isn’t terribly surprising, I suppose. Although the basic goals of prevention, mitigation, and remediation are the same for PCs and websites, the practical implementations are quite different. Germany, for example, has a national center for providing remediation of bot-related malware detected on consumer PCs. No such national resource exists for addressing compromised websites. (It’s a good thing StopBadware and BadwareBusters.org are here, isn’t it?)

Perhaps the most important lesson, though, is that strongly coordinated efforts to educate the public, notify victims, engage providers, and coordinate response seem to be highly correlated with low infection rates. We can all draw inspiration from that as we work to strengthen these efforts within and across our own areas of focus.

What’s in a name?

One of the most interesting aspects of yesterday’s announcement of another botnet takedown engineered by Microsoft was the naming of the owners of the .cz.cc domain in their lawsuit.

…this case highlights an industry-wide problem pertaining to the use of subdomains. Under U.S. law, even pawn brokers are more effectively regulated to prevent the resale of stolen property than domain owners are to prevent the use of their digital properties for cybercrime. For example, pawn shop operators must require a name, address and proper identification from customers, while by contrast there are currently no requirements necessitating domain hosts to know anything about the people using their subdomains – making it easy for domain owners to look the other way.

Through this case, we hope to demonstrate that if domain owners don’t hold themselves accountable for knowing their customers, they will be held accountable for what is happening on their infrastructure. Our goal is for this case to spur an industry-wide discussion for more public and accountable subdomain registration practices to enable a safer, more secure Internet for all users.

Microsoft should be applauded for its effort, as well as for raising awareness of intermediary service providers’ roles in perpetuating badware. I don’t understand, though, their heavy-handed focus on customer identification. True domain registrars, at least those accredited by ICANN, are already required to collect and publish valid contact information for domain registrants, yet this hasn’t seemed to help a lot in preventing malicious registrations or tracking down the criminals. There are lots of reasons for that, such as privacy proxies that shield the identities of the registrants, weak enforcement by ICANN, use of stolen credentials, and the difficulty of verifying the validity of customer information.

I also wonder about dotFREE, the operator of the .cz.cc subdomain service. After the entire .cz.cc domain was pulled from Google Search results due to the high malware and low quality rates of cz.cc subdomains, dotFREE claimed to be implementing a number of reasonable security precautions, from hiring more abuse staff to suspending accounts that appeared on popular badware blacklists. All talk, no action? Could be. Too little, too late? Maybe. But what if they were doing all these things and making a good faith effort to prevent continued abuse of their domain? Was the fact that they didn’t verify and publish contact information for their customers enough to make them liable for the malicious use of their subdomains? Perhaps the fact that they were marketing their service like a registrar, but not behaving like an accredited registrar, is enough to do them in?

It will be up to the courts to decide on whether dotFREE is liable under U.S. law. I’d push back against Microsoft, though, and say the industry discussion shouldn’t be about “public and accountable subdomain registration practices,” but rather about identifying more broadly the philosophical and perhaps legal expectations for how such providers should contribute to the safety of the Internet.

Last chance to submit feedback on new best practices for reporting badware URLs

Several weeks ago, we put out a request for comments to anyone who might have feedback on our newly developed best practices for reporting badware URLs. As a reminder, we’ll be accepting comments on the new best practices until this Friday, September 16.

As we mentioned previously, one of the catalysts for our developing these best practices for reporting was feedback we received while creating the first installment of our Best Practices for Web Hosting Providers. We’re extremely interested in any comments web hosting providers may have on these new best practices. Please see our previous blog post on this topic for a list of specific questions about which we’d like feedback.

You can see for yourself the results of our first shot at reporting badware URLs according to these best practices. Given the success of these initial attempts, we’re excited to hear comments on the reporting best practices and integrate them so as to make the final document as complete and effective as possible. Comments can be submitted here or sent to contact/at/stopbadware/dot/org.

Download the draft as a Word doc (.docx) or as a PDF.

Observations from StopBadware’s first foray into reporting

As we mentioned last week, we have a full and public draft of a new best practices document for reporting badware URLs. You may also be aware that StopBadware receives a feed of badware URLs reported by members of our BadwareBusters community, via this form. The community feed is represented in our Clearinghouse, but it’s discrete from any data we receive from our data providers (Google, GFI-Sunbelt, and NSFocus).

For the past six weeks, our testing team has been reporting the URLs from our community feed in accordance with the current draft of our Best Practices for Badware Reporting. This inaugural effort at reporting is only a pilot project, and we have not yet decided whether to continue or expand the work. That said, the reporting we’ve done these past couple of months has given us a much better feel for the reporting landscape and the needs of both hosting providers and reporters endeavoring to take down badware and protect users.

Naturally, our immediate goal when we started reporting URLs from our community feed was to put our new best practices to a practical test. A side effect of this test, however, was that we have begun to witness firsthand the variation in hosting provider responses to reports of badware on their networks. We’ve made some intriguing discoveries in the course of our reporting efforts; in the spirit of our commitment to transparency and improving the Internet ecosystem’s collective resiliency to badware, we’d like to share some of our results.

Our team’s reporting steps were as follows:

  1. They manually investigated the reported badware URL to determine whether badware was, in fact, present.
  2. If badware was observed, our testers used their considerable experience to determine (as much as possible) whether the URL was inherently malicious or a compromised, legitimate site.
  3. They contacted the appropriate entities as laid out by our Best Practices for Badware Reporting. In most—though not all—cases, our team simultaneously contacted the site owner and the hosting provider; please see the current draft of StopBadware’s Best Practices for Badware Reporting for an explanation of appropriate points of contact for various reporting scenarios.

Notable observations:

  • A full 67% of the URLs we reported were cleaned up, many within a short time.
  • Dropbox, who qualifies as a web hosting provider by the definitions set out in our Best Practices for Web Hosting Providers, was particularly responsive to badware reports. Every report sent their way was acknowledged and addressed quickly, many reports were met with personal responses, and some badware URLs on their network were taken down in as little as 45 minutes.
  • Dreamhost, Bluehost, Brazil’s Universo Online S.A., German host Hetzner Online, and Chicago-based WiredTree were also among the most responsive: frequently our team received personal responses from these hosting providers, and badware URLs we reported to them were, without exception, cleaned up or taken down.
  • Though two thirds of the URLs we reported were cleaned up, only 26% of the reports were acknowledged. (Note: Our Best Practices for Web Hosting Providers specify that providers should acknowledge receipt of badware reports within one business day and should follow up with information about action taken.)
  • Of the reports that did receive acknowledgments, 81% were cleaned up. When the acknowledgment was a personal response, that number rose to 95%.
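As an added illustration of the reporting workflow and the figures above (this is example code, not StopBadware's own tooling or anything from its best practices documents), the following Python tracker records each report's delivery, acknowledgment and cleanup, computes the same kind of outcome rates (overall cleanup, acknowledgment, and cleanup conditioned on an acknowledgment), and flags unacknowledged reports for escalation once the one-business-day acknowledgment window from the Best Practices for Web Hosting Providers has passed. The record fields, the exact form of the escalation rule, and all sample reports and recipient names are constructed assumptions.

```python
"""Tracker for badware URL reports and their outcomes.

Added example, not StopBadware's own tooling: it models the report lifecycle
described in the post (report sent -> acknowledged, personally or by an
auto-responder -> cleaned up or taken down) and computes the figures the post
quotes: overall cleanup rate, acknowledgment rate, and the cleanup rate
conditioned on an acknowledgment. It also flags reports that have gone
unacknowledged for more than one business day, the response window the
Best Practices for Web Hosting Providers set, as candidates for escalation.
The record fields and all sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Report:
    url: str                                 # badware URL that was reported
    recipient: str                           # hosting provider or site owner contacted
    sent: datetime                           # when the report was delivered
    acknowledged: Optional[datetime] = None  # when (if ever) receipt was acknowledged
    personal_ack: bool = False               # True for a human reply, False for an auto-responder
    resolved: Optional[datetime] = None      # when the URL was cleaned up or taken down


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days (Mon-Fri); holidays are not modelled."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0 = Monday ... 4 = Friday
            days -= 1
    return current


def overdue_acknowledgments(reports: List[Report], now: datetime) -> List[Report]:
    """Unresolved reports still unacknowledged one business day after delivery.

    These are the reports a reporter would escalate; a URL that was already
    cleaned up is not escalated even if the report was never acknowledged.
    """
    return [
        r for r in reports
        if r.acknowledged is None
        and r.resolved is None
        and now > add_business_days(r.sent, 1)
    ]


def _percent(numer: int, denom: int) -> int:
    """Whole-number percentage; 0 when there is nothing to measure."""
    return round(100 * numer / denom) if denom else 0


def summarize(reports: List[Report]) -> Dict[str, int]:
    """Outcome figures in the shape the post reports them (whole percentages)."""
    def resolved_count(rs: List[Report]) -> int:
        return sum(1 for r in rs if r.resolved is not None)

    acked = [r for r in reports if r.acknowledged is not None]
    personal = [r for r in acked if r.personal_ack]
    return {
        "cleanup_rate": _percent(resolved_count(reports), len(reports)),
        "ack_rate": _percent(len(acked), len(reports)),
        "cleanup_rate_if_acked": _percent(resolved_count(acked), len(acked)),
        "cleanup_rate_if_personal_ack": _percent(resolved_count(personal), len(personal)),
    }


# Constructed sample: six reports sent in the first week of September 2011.
SAMPLE_REPORTS = [
    Report("http://example.com/a", "host-a (constructed)", datetime(2011, 9, 5, 9, 0),
           acknowledged=datetime(2011, 9, 5, 9, 45), personal_ack=True,
           resolved=datetime(2011, 9, 5, 10, 30)),
    Report("http://example.com/b", "host-b (constructed)", datetime(2011, 9, 5, 11, 0),
           acknowledged=datetime(2011, 9, 5, 11, 1)),    # auto-responder only, never fixed
    Report("http://example.com/c", "host-c (constructed)", datetime(2011, 9, 2, 16, 0),
           resolved=datetime(2011, 9, 3, 8, 0)),         # cleaned up silently, no acknowledgment
    Report("http://example.com/d", "host-d (constructed)", datetime(2011, 9, 6, 10, 0)),  # no reply at all
    Report("http://example.com/e", "host-e (constructed)", datetime(2011, 9, 7, 9, 0)),   # still inside the window
    Report("http://example.com/f", "host-f (constructed)", datetime(2011, 9, 1, 8, 0),
           acknowledged=datetime(2011, 9, 1, 17, 0), personal_ack=True,
           resolved=datetime(2011, 9, 1, 17, 30)),
]
NOW = datetime(2011, 9, 7, 12, 0)  # Wednesday noon, the moment the tracker is run

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORTS).items():
        print(f"{key}: {value}%")
    for r in overdue_acknowledgments(SAMPLE_REPORTS, NOW):
        print(f"escalate: {r.url} (sent to {r.recipient} at {r.sent:%Y-%m-%d %H:%M}, no acknowledgment)")
```

Keeping acknowledgment and cleanup as separate fields is what makes the conditional rates possible: the sample deliberately includes a URL cleaned up without any acknowledgment and one acknowledged by an auto-responder but never fixed, the two cases that pull the overall figures apart in the observations above.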

Several conclusions seem clear to us from our experience thus far. Open communication channels are key to both reporting and responding to reports. The framework provided by our reporting best practices held up, though implementation inevitably varied based on proactive replies from individual hosting providers; unsurprisingly, open communication was instrumental in those minute changes, too—for instance, when a hosting provider preferred the reporter to submit abuse complaints via a web form. Finally, size is not an impediment to responsible communication and follow-up, as evidenced by the varying sizes of the providers listed above.

Of course, the list of hosting providers we’re recognizing for exemplary responses is preliminary and not meant to be exhaustive. Undoubtedly, there are a great many responsive and proactive hosting providers to whom we haven’t yet reported badware URLs. (If you’re a hosting provider whose policies and procedures are in compliance with our Best Practices for Web Hosting Providers, you can sign up for our We Stop Badware™ Web Host program to show potential customers your commitment to fighting badware.)

We’re actively soliciting comments on our Best Practices for Badware Reporting until September 16, 2011. We welcome feedback from hosting providers, reporters, and other members of the security community, as well as from concerned users and members of our community. Feedback can be posted to our blog or sent to contact<at>stopbadware.org.