Request for comments on new best practices

We announced a while back that we were increasing our focus on web hosting providers with an eye to addressing some of the inconsistency within the industry about how to respond to malware reports. For the last several months, we’ve been plugging away at putting together a set of best practices for hosting providers to follow when malware is reported on their networks. We received fantastic insight from our distinguished Web Hosting Working Group and had quite a few spirited and highly productive discussions. After listening to concerns and pondering practicalities, we have a working draft of our document available for review. You can read the full draft of StopBadware's Best Practices for Web Hosting Providers: Responding to Malware Reports here in doc and pdf format.

This draft is the first public iteration of the Practices; it’s not meant to be set in stone. As ever, the thoughts and concerns of our community are of paramount importance to us: it’s our intent to clarify expectations and elevate standards within the hosting industry so as to better protect and empower users. Thus, we gladly welcome thoughtful critique of the Practices in the comments below or via e-mail: contact <at> stopbadware <dot> org.

We’ll accept comments until January 31, 2011. Further draft(s) will also be available for public review as the Practices evolve and near completion. If you’re interested in being kept up to date on our activities with regard to web hosting and other network providers, you can subscribe to our mailing list here.


StopBadware compiles Badware Events Calendar

One of our resolutions this year is to find as many innovative ways as possible to engage users and the industry in the fight against badware. With that goal in mind, we’ve compiled the Badware Events Calendar: our calendar contains upcoming badware events from well-known conferences and international workshops to local luncheon seminars. The Badware Events Calendar allows followers to keep track of annual conference locations, monitor registration deadlines, and find country or state-specific events and networking opportunities.

StopBadware’s Badware Events Calendar (HTML, iCal, and XML/RSS formats) is available at http://stopbadware.org/home/calendar

To keep the calendar as current and comprehensive as possible, we’ll add to it as new information becomes available. We also welcome calendar submissions from users and security experts (no marketing events, please!). You can send events to calendar(at)stopbadware.org.


StopBadware announces an unconventional T-shirt design contest

Attention, graphic designers, wordsmiths, and previously undiscovered doodlers: StopBadware is having a T-shirt design contest!

We’ve been racking our collective badware-busting brain this past week to come up with a great StopBadware T-shirt design. After much arm wrestling, chest beating, and rending of garments (okay, not really), we made an executive decision: we’re opening this up to all of you. After all, we’re working to protect you and yours online, so it’s only fair that you decide how we’re artistically represented. 

Here’s the gist: we’re looking for a T-shirt idea that’s fun, memorable, and communicates to the planet what we’re all about — stopping badware and fighting to keep you safe on the Internet. This idea could be an eye-grabbing design; it could also be a witty badware quote, an unforgettable badware-fighting stick figure, or a haiku about StopBadware’s ability to cripple badware through a lethal combination of lasers and interpretive dance. We’re leaving it open, and we encourage you to send us an idea that sums up what YOU would want on a StopBadware T-shirt. 

The winning idea will nab some free T-shirts, an ultra grateful shout-out from us via our social media feeds (Facebook, Twitter), and the satisfaction of contributing to our fight against badware. If you’re looking for a little extra street credibility (not to mention a great addition to your portfolio/resume/bragging rights), here’s a golden opportunity!

You can send files, ideas, and haikus to contact (at) stopbadware.org. We'll be accepting submissions until Jan. 31, 2011.


Smartphones need better security safeguards

Are smartphone users more susceptible to phishing attacks than computer users? It would appear so, based on this recent case study posted by Trusteer CEO Mickey Boodaei.

Trusteer looked at the log files of several phished sites and found that mobile users were the first to visit the phishing sites and were far more likely than other users to submit private information.

The first of these is easily explained by the “always-on” nature of cell phones. The more interesting analysis is why smartphone users are more likely to be fooled than computer users. The answer, at least according to Trusteer (which, it should be noted, is trying to push its secure mobile browser), is that smartphone browsers don’t have as many safeguards as desktop browsers:

It’s very difficult to tell whether an email is fraudulent since the “From” field doesn’t include the sender’s address, but rather the name of the sender (such as ACME Bank)…In HTML mail (the most common format for fraudulent messages) when a link is embedded as a href such as Click Here to Login hovering over the link will not reveal the actual address.

Boodaei goes on to point out that mobile browsers, and their “are you sure you want to visit [URL]” warnings, display only the beginning of the URL, which can be easily engineered to deceive.

It’s reasonable to assume that the same lack of attention to security safeguards in mobile browsers puts smartphone users at risk of malware, as well. Yes, I know that mobile platforms are more likely to use sandboxing and other anti-malware measures, but exploits will be discovered eventually. In the meantime, users are at risk of being tricked by fake AV sites and other scam sites tailored to mobile phones.

Trusteer uses this discovery to recommend greater adoption of its own secure mobile browser. To me, the better recommendation is for all web browser and e-mail app creators to increase their attention on security safeguards, much like major desktop app creators have been doing in recent years.


StopBadware to update Software Guidelines

When StopBadware started several years ago, we collaborated with the community and our Applications Working Group to formulate a set of badware guidelines for applications. For the past few years, our Software Guidelines have served us well: they have acted as a practical framework for software developers and a reference point for users making decisions about which applications to use. Still, we at StopBadware feel the time has come for an update to these guidelines. Over the last several months we’ve worked with various groups to get a sense of how we can improve the guidelines and keep them current. After listening to feedback from our community, several major software companies, and our Applications Working Group, we have a release candidate ready.

You can view the proposed updates to StopBadware’s Software Guidelines here (PDF). Thoughts and comments, as usual, are both welcome and strongly encouraged. Your input is crucial to us as we continue to revise these guidelines in order to improve the way we uphold your rights online.


StopBadware’s 2010 Checklist

As the end of 2010 approaches, we at StopBadware are taking stock of what we’ve accomplished during our first year as a standalone organization. Here are a few of the ways we’ve worked with our partners and the community to protect and support Internet users this year:

  • We spun off from Harvard University’s Berkman Center for Internet & Society in January of 2010.
  • We’ve assembled a distinguished and eminently knowledgeable Board of Directors and an energetic, dedicated staff.
  • We established collaborative partnerships with four industry leaders: Google, Mozilla, PayPal, and our newest partner, Nominum.
  • We provided over 8.5 million users with badware education and objective advice via our website.
  • Over 350,000 webmasters read our Tips for Cleaning & Securing Your Site.
  • Volunteers from our community forum, BadwareBusters.org, answered more than 2,500 questions from users and webmasters; we also started StopBadware Stories to illustrate the human impact of badware.
  • We processed more than 30,000 requests from webmasters for independent review of URLs on our data providers’ blacklists.
  • We provided insight into current badware issues and how they affect end users via our blog, public comments, and speaking engagements.
  • We took a crucial step in strengthening the Internet’s chain of trust by increasing our focus on web hosting providers and their role in protecting users. With the collaborative input of our awesome working group, we’ve made significant progress developing a set of best practices for hosting providers responding to malware reports.
  • We held several events to encourage discussion about how the industry and public policy can take steps to better protect users: our joint event with The Commonwealth Club (featuring Vint Cerf, Paul Mockapetris, and Esther Dyson) discussed the health of the Internet and the future of network security, and we hosted a web chat with Brad Arkin (Adobe) and Johnathan Nightingale (Mozilla) on the role applications play in protecting users from badware.

As you can see, 2010 has been a busy and happily productive year for us. We’re looking forward to new projects in 2011, and we’re excited about the opportunities the coming year offers for greater collaboration and engagement with the community. To make the most of these engagement opportunities, we now accept individual donations in addition to corporate sponsorship. Should you want to contribute to our fight for your safety online, please consider donating to StopBadware this holiday season!

As always, we’re grateful for your support, and we wish you a happy, healthy, badware free new year!


Great report on DDoS attacks

A group at the Berkman Center—led by StopBadware's co-founder and Board member emeritus, John Palfrey—just released a great report about the impact of distributed denial of service (DDoS) attacks on the websites of independent media and human rights organizations.

From a badware standpoint, there were several interesting bits. For example:

[A sysadmin for a human rights site] reported that attackers hacked into his site to insert malicious code with the intent of triggering anti-virus warnings for the site and thereby scaring users from accessing the site and slowing their Internet connections by causing them to download large packages of Trojan horse software.

This is the first we've heard of Google's or others' badware detection and warning systems being used deliberately for a de facto denial of service attack. Of course, because such attacks may often go unreported, it's likely there have been others. It's worth noting that this doesn't invalidate the use of such warning systems—the targeted site's visitors really were at risk once the site had been compromised. The core problem is the set of conditions that allow the site to become compromised in the first place. This is often due in part to a lack of technical/security expertise at the organization:

A main theme that we have heard from respondents [to a survey of organizations likely to be targeted] was the need to bridge the divide between technology organizations capable of protecting against attacks and the independent media who need protection.

The report also touches on a number of other themes of interest to the StopBadware community, such as the importance of disrupting botnets, the threat of targeted malware attacks, and the challenges of identifying the perpetrators of attacks. If you are interested in understanding more about DDoS attacks—how they work, how organizations can help protect themselves against them, or what the security community can do to help the targeted organizations—I urge you to read the whole report. (PDF)


A Novel Legal Tool in the Fight Against Botnets

The following is a guest blog post by David Kleban, a Fall 2010 Cyberlaw Clinic Student at the Berkman Center for Internet & Society at Harvard University.

Significant amounts of spam, malware, and phishing scams are propagated via botnets—networks of hundreds or thousands of computers infected with code that, unbeknownst to their owners, causes them to respond to the instructions of a “herder.”  The herder can use the network—or sell the capacity to other malfeasants—to infect computers, capture personal data, initiate distributed denial of service (DDoS) attacks, or, commonly, to send vast amounts of spam to recipients all over the internet.  The Waledac botnet was a particularly prolific network, composed of up to 90,000 compromised computers across the globe and capable of sending 1.5 billion spam messages per day.

Microsoft effectively shut down Waledac this year through a legal tactic pursued in the federal district court for the Eastern District of Virginia.  The court issued an ex parte temporary restraining order (“TRO”), which gave Microsoft control of nearly 300 Internet domains that the company argued were being used in the command and control structure of the botnet.  An ex parte order is issued without giving the defendants (here, the owners of the domains) notice or an opportunity to respond or to argue before the court.  By acquiring access to the domains, Microsoft was able to sever the infected “zombies” from their herder, making the network unusable for continued criminal activity.  Last month, the court granted permanent ownership of the domains to Microsoft after the defendants failed to appear in subsequent proceedings.

The legal procedure used in the case is a novel one in combating botnets.  Microsoft argued that the rarely granted ex parte relief was necessary to prevent Waledac’s herders from reorganizing Waledac’s control structure and destroying evidence before it could be shut down.  Because those responsible for a botnet can be hard to identify (Microsoft’s action was directed against 27 so-called “John Does”), one can imagine how difficult it would be to take one down without access to such relief.

Nevertheless, the approach presents some interesting questions.  For instance, courts as a rule are reluctant to deprive people of their property—or transfer control of property to another private entity—without a hearing.  The court did so here in light of the risks mentioned above (i.e., that evidence might be destroyed or the botnet control structure reorganized).  And, defendants appear to have waived their rights by failing to appear not just initially but in later stages of the legal process as well.  But, at least one observer has noted the peculiarity and secrecy of the procedures followed in this case and the due process issues they raise.  A particular concern with ordering the transfer of control of domains without notice is that parties that may not be intentionally responsible for the underlying bad conduct (e.g., those whose domains have been hacked) will nevertheless be affected until they can respond and resolve the problem.  Indeed, although Microsoft alleged in seeking the TRO that “Doe Defendants have registered [the] domains at issue in this motion solely to control and grow the Waledac botnet” and that “[t]here is no legitimate activity of these domains,” one domain owner told the Wall Street Journal that he was doing nothing wrong from the domain.  (In a posting on its site, Microsoft notes that it “worked with” that defendant and another entity “to successfully address the problems with their respective domains.”  It describes those efforts in more detail in a later court filing.)

Another question raised by this case is the nature of the injury that a plaintiff must allege to demonstrate that it has “standing” to pursue a case like the one Microsoft brought against Waledac.  The most apparent victims of a botnet may be spam recipients, owners of stolen personal data, and users of computers infected with code that dramatically slows performance.  In its complaint and supporting documentation, Microsoft asserted that it too was a victim of Waledac, because Waledac represented an unauthorized intrusion into its software; because many recipients of spam messages were Hotmail users; because many spam messages were made to appear to originate from Hotmail; because it cost Microsoft a lot of money to filter spam from Hotmail; because spam caused a major burden on Microsoft’s servers; and because consumers of Microsoft’s software products would incorrectly think that Waledac-related problems were Microsoft’s fault.  Microsoft said that it had to expend resources to assist customers and correct such misperceptions.  The sufficiency of these interests to establish standing for Microsoft was not fully explored in this case; no parties came forward to challenge Microsoft’s standing, and—in the absence of any opposition—the judge did not view it as an impediment to granting relief. 

The nature and immediacy of Microsoft’s injury in this case, along with the due process concerns discussed above, may lead some to question the appropriateness of enforcement actions like this one being brought by private entities rather than being reserved for government and law enforcement agencies.  It appears that the only previous issuance of an ex parte TRO to combat a botnet was at the request of the Federal Trade Commission.  On the other hand, given significantly limited law enforcement resources and the serious harm that major botnets can cause, private actions such as this one could represent an important new weapon in the fight against malware and spam.

The continued viability of strategies like the one Microsoft pursued will depend on the willingness of courts to grant the extraordinary form of relief that was granted in the Waledac case.  Parties going down this road will have to convince judges:

  • that the continued functioning of a botnet (a concept with which many judges may be totally unfamiliar) will cause irreparable harm to the party seeking relief if not halted immediately;
  • that it is necessary to immediately seize control over the assets of defendants without giving them advance notice or an opportunity to have a day in court; and
  • that the party seeking the TRO will likely succeed on the merits of its argument in a longer-term legal action.

Although the limits of the legal strategy employed in this case remain untested, there is no doubt that Microsoft and its lawyers have successfully employed a new tool in the continued fight against bot herders.


Proposed bill would slam pirates, ignore malware

Ars Technica reported yesterday on proposed U.S. legislation, called the Combating Online Infringement and Counterfeits Act (COICA). One of the primary purposes of this bill is to provide a legal mechanism for interfering with the operation of a website that is "dedicated to infringing activities." With a court order, U.S.-based registrars may be ordered to suspend a domain name, and domestic DNS operators may be ordered to stop resolving the domain name. Financial transactions through domestic services (e.g., Visa card processing) can also be suspended.

There are some interesting technical and legal questions in this bill, but the part that interests me is how narrowly focused it is. If Congress is going to establish a mechanism for fighting websites dedicated to illegal activity, why not broaden it beyond copyright infringement (which, by the way, is a civil offense, not a criminal one) and include distribution of malware, phishing, or other criminal activities?

The answer to my rhetorical question can likely be found by following the money. Lobbying by copyright holders and their representatives (e.g., the Recording Industry Association of America and the Motion Picture Association of America) is big business, while we in the malware world have relatively sparse resources dedicated to influencing policy. The reality, though, is that e-crime is a substantial drain on the U.S. economy, and the prescriptive measures in COICA could apply just as easily to e-crime sites as to piracy sites. (Again, I'm leaving aside potential critiques of these prescriptive mechanisms or other aspects of the legislation.)

It would be great to see some broader legislation that draws on the expertise of the law enforcement and tech communities, as well as past judicial precedent, to create a standard framework for taking legal action against any website that is dedicated to illegal activity.


StopBadware increases focus on web hosting providers

StopBadware’s activities have long been focused, in large part, on badware websites, their owners, and the companies—such as our partners Google and Mozilla—who warn users away from these sites. And we’ve recognized from an early stage that web hosting providers also play an important role in protecting users from badware.  We’re pleased to announce today that we’ve decided to increase our focus on the role of web hosting providers in protecting users. Our first major project in this realm will be to develop a set of best practices for web hosts to follow when they receive reports of malware URLs on their networks.

We’ve noticed that there’s quite a bit of inconsistency within the industry about how to respond to malware reports. The aim in developing our best practices document is to create a clear, useful set of common practices for hosting providers to follow upon receiving a malware report. We want this best practices document to be as complete and sensible as possible, so we’ve assembled an advisory working group to assist in its development. The members of this working group represent a diverse set of perspectives, and come from top hosting companies, security companies, and policy organizations. We’ll be working with them and taking their insights into consideration over the next few months as we develop the document. More information about the working group can be found at http://stopbadware.org/home/webhost.

We’re very excited about the level of enthusiasm and interest this project has engendered. The final document will be publicly available in early spring of 2011. You can read the full press release at http://stopbadware.org/home/pr_11162010
