Posted by Jason Remillard on Tue, Mar 09, 2010 @ 12:35 PM

A note about transparency and a Special Offer to ControlScan Customers
By now, many have become aware of the settlement between the Federal Trade Commission and ControlScan.
From companies specifically created to sell seals without doing ANY scanning or verification whatsoever, to individuals and businesses misrepresenting their status with the Better Business Bureau; there is a long and sorry history of this type of deceptive practice. It is refreshing to see the FTC finally catching up to some of these people. The deceptive and fraudulent actions of a few tarnish the hard work and honesty of the rest of us. Rarely does a day go by that I don't have to answer a question in one form or another about whether we're for real, and whether we can prove that we actually do scans. These are honest inquiries that I cannot fault.
The FTC ruling against ControlScan for their past activities and inactivity will not help us with this.
Adding to the questions about our legitimacy, there will now be lingering doubt in some people's minds about scanning frequencies. To clarify: yes, we really do scan for Malware every single day. We really do scan for Web Vulnerabilities on preset schedules. For most of our customers, that's every day too. In your Control Panel, you can see when the last Malware scan was completed and also when your last Web Vulnerability scan was completed.
For those of you reading this that are ControlScan customers who still have some natural lingering doubts about the service you're getting, we'd like to help set your minds at ease. To be clear, we have no reason to doubt that ControlScan is providing you with scans. We do know that they scan only for known vulnerabilities and not for the latest and fastest growing segment of security challenges: Malware.
So to ControlScan customers we'd like to offer you 50% off the package of your choice, with no obligation. Simply contact me either by phone at 717-704-0061 or email and I'll be happy to answer any questions that you might have, to get your sites enrolled immediately and to hopefully restore for you some peace of mind.
Doug McDonald
VP Sales & Business Development
SiteSecurityMonitor.Com
Posted by Jason Remillard on Mon, Mar 08, 2010 @ 08:07 AM

Much like Mr. Reagan, we need to trust but verify.
Interestingly enough, in the past five or six days we have been detecting ad networks, including Google Adsense, Adultadwords, and Adbrite, allowing malware-laden ads on their networks. We are not the only ones who have identified this issue; check out the following links for more information:
Google Adsense distributes malware - Google blocks own publisher!
AdultAdWorld (AAW) - distributes malware - doesn't answer the phone
This highlights a major issue that we have been discussing for a long time with all of our customers -- that is, the need for ongoing Malware detection scanning. Your site might be nailed down. Your site might be clean from SQL injection, Apache flaws, cross site scripting, and the myriad other issues associated with open source and custom developed software. However, if you run any sort of ad network, widgets, or anything else that inserts code from other sites, you are running a major risk.
In these cases you are a very simple publisher. You trust your ad network since they are your partner. And now those lovely people are inserting Malware into your site.
Looking further, in a case that is humorous but serious, Adsense itself inserted malicious ad code into a customer's website -- and then proceeded to ban them and slap the nasty Malware alert window on this poor bugger's website.
Now, how are you going to react in this sort of scenario? I'd be interested in your comments; however, at the end of the day you have to trust somebody, and I like trusting with verification -- and in this case we use several third parties for our validation services, since I don't trust anyone on their own.

That is our commitment to you as a client of sitesecuritymonitor.com. We bring the best of breed to you, from a solution perspective, from a resource perspective, from a research perspective.
Again, I am interested in any comments regarding this subject -- it is very unfortunate that the Malware purveyors have chosen to attack this vector to distribute their wares, but did you really expect them to stop? We certainly didn't.
Is Google Adsense a Trojan horse itself?
Posted by Jason Remillard on Thu, Mar 04, 2010 @ 12:49 PM

OK, so I suppose we should explain why we were so quiet for the past 2 weeks... As many of you know, we're a little crazy about our winter sports up here - especially our hockey.
Since the Olympics took priority over marketing, we took a break of sorts - and wore out 2 couches (or sofas) and gained more pounds than I'd like to admit cheering on all the athletes of the Games. So kudos to the staff, organizers and our country as a whole for pulling off an incredible Games and party!
So, what does this have to do with web security? Admittedly, not much. What was interesting, however, was that since we 'let things sit' for about two weeks, other things got done :)
In the next week or so we'll be announcing a great new free product that we hope will be well received by the community.
During the past two weeks, we continued to scan and alert - for current and new customers. I am pleased to note that our volumes have jumped significantly - on both the free and paid sides.
With the past weeks' action at RSA, and several large competitors taking the lead from us, it's been a great few weeks.
So stay tuned here, no remote control or weight gain required! :)
Posted by Jason Remillard on Fri, Feb 05, 2010 @ 04:06 PM

Recently, security and accessibility issues have become an important topic to me. Although I had always considered accessibility, and more specifically usability, important in my designs, since I'm now down to one active hand due to surgery on the other, I am now much more sensitive to the issue of accessibility. Call it subjective I suppose, but I digress.
Two weeks ago I was speaking to a product manager for a product that most of us use each and every day, and the issue of usability and accessibility came up. We were discussing how usability affects the success or failure of products in general. Something as important as security itself should have a large focus on usability and accessibility.
Lately I've been doing a lot of research in the area of accessibility of tools, and I'm happy to say that Microsoft has done a very good job with its speech recognition system built into Windows 7. After spending just a few minutes training it, I plugged in my headset and off I went! I would say the speech recognition system has worked at about a 97% effective rate. Although right now I am using it mainly for dictation, to save on my typing efforts, obviously there are a lot of other functions like switching between windows, launching browsers, etc. At this point I'm using it just to save my good hand from too much work.
On the mobile front I found a solution called VLinglo which works on the BlackBerry (of which I am a very heavy user). It performs the same function as the speech recognition system in Windows 7; essentially it translates your voice phrases and commands into BlackBerry lingo and executes them on the platform. Again, in this case I'm using it primarily to save my good hand from too much work. I wonder if people are utilizing the platform for true medical conditions like carpal tunnel syndrome or other issues. I would suspect that systems like this allow them to utilize technology in a much easier and more effective fashion.
So what does SiteSecurityMonitor have to do with usability and accessibility, specifically with Windows or BlackBerry? Not much, specifically to the platforms. However, I've realized that, as a founding mission statement, SSM is providing very specific, detailed security information in accessible and usable formats. We've always prided ourselves on our simple to use, and easy to understand reports - specifically the high, medium and low priority issues that come out of our reports by default. We've always heard comments from customers about the reports. Specifically, they appreciated the delineation between issues, which obviously helps managers and webmasters to understand where the priority issues are, and which to address right away. More importantly, from my perspective, putting the vulnerabilities into this criterion of issues does a lot more for the business than the customers are actually telling us.
In this case we are actually helping you to prioritize your expenditures, manage resources, and truly focus on what's important. When we added Malware detection scanning services to our offering about six months ago, this also made the reporting more valuable. By combining the reporting we are able to give the site owner a holistic, whole-site overview of their enterprise from a security perspective - perhaps in this case making it more accessible, but definitely more usable.
So, not to detract from any other true research or breakthroughs on the accessibility and usability front, we feel that we have done our own little part on the security side to provide this information to business owners in a format and fashion that one can understand and appreciate - and, more importantly, act on!
Posted by Jason Remillard on Fri, Jan 29, 2010 @ 11:23 AM

Perhaps our children will 'get it' now :)
Not a bad track, enjoy!
http://www.youtube.com/watch?v=d0nERTFo-Sk
Posted by Jason Remillard on Tue, Jan 26, 2010 @ 12:05 PM

Malware… Yes, it's been around for many years. However, the attack vector has changed. Long ago the primary distribution method was by sharing dirty data (yes, exchanging floppy disks… remember those days?!).
Then it moved on to distributing viruses and malware via email (this was the early days of Outlook Express!). Then came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.).
Now, however, it is much more sophisticated. As unfortunately some of you have experienced, the hackers are now cracking PCs and websites to inject malware. Hence the term ‘drive-by malware’. By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website. Target any sized website, inject your bad code, and watch the infections grow by the minute!
Consider this scenario… we have a customer who came to us (name not mentioned, of course) that had been injected with malware. The alerts went up in Google HQ. His site was dropped from search engine rankings immediately. So, boom – there goes all of his Google traffic (in this case, responsible for about 2,000 unique visitors a day).
Worse yet, now that Google was aware of his site's problems, the browser vendors picked up on this and started warning ALL people visiting his site with this nice little alert:
Malware Reported Attack Site

So now, he has -0- traffic from Google. ALL of his users are now being told this is ‘an attack’ site. All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worst of the worst! You are evil! You are spreading the scourge of the earth! How could you!
Now, this guy is in a panic. He’d just started a major campaign (offline and online), and had paid for a lot of advertising that was non-refundable. He was losing thousands of dollars a day, and his business was evaporating before his eyes.
Personally, I don’t like to scare-monger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true-to-life stories, and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized any infections he was spreading (because, in reality, he was). After stripping out the hacked code, we scanned all of his site (100’s of pages) and plugged up any holes the web vulnerability scanner found (there was more than one in his shopping cart and forum systems). Turns out, some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.
Anyway, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked, please, please, please!
Google, please allow his site to be back in your good graces…
After about 36 hours, Google’s scanners had verified that he was now indeed clean, and re-included him in the indexes. Luckily, since we caught it quickly enough, this did not affect his PR rankings, and the SEO work he’d invested so much into was saved.
Now, the browser alerts were another problem. Firefox released their warnings within a few hours of Google. Microsoft IE shortly thereafter. Safari and a few other smaller footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses due to his PPC campaign and offline media buy losses. Of course, now he had a perception problem with his customers (yes you are safe, no I’m not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.
How do you protect against these effects? Well, since nothing is 100%, regular scanning is your best defense, since you’ll know before the hackers do that there is a problem with your site. Even more importantly, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you are getting great coverage and risk mitigation, in that you know, on a daily basis, what the outside knows about your site.
This, all told, allows him to sleep better at night.
Posted by Jason Remillard on Sun, Jan 24, 2010 @ 11:55 AM

Malware Infection, Cleanup and Vulnerability Analysis and Consulting Services…
ALERT: TRUE STORY BELOW..
Want to understand how simple it is to secure your site? Sure, we’ll take a real customer example from this week to document the story.
(Names and Certain Elements removed to protect confidentiality)
Context:
Large financial news information site that was recently infected several times. Running an older (but not so old) version of WordPress. Established site, running for years, great following.
Attacks:
Several different approaches, including a desktop infection, which then infected the site. Infections spread internally from there.
Impacts:
Malware was being distributed to its 2000+ unique viewers a day. Due to the depth of the attack, Google had re-indexed the site with all of the pornographic and male-enhancement site links, meta tags, etc. Effectively, the site (and business) is in bad shape, and SEO results are suffering.
The Approach:
Customer signed up for a free scan, which resulted in the 1st metric on the chart below (roughly 1,640 High and Medium Vulnerabilities) – Keep in mind, this is a fairly large site.
The customer took the recommendations and executed some of them (upgrading WordPress being the first). After contacting our support group, we went through the rest of the report and summarized the findings and recommendations.
Luckily the ‘Malware Alert Attack Site!’ flags have been removed from most browsers...
Conclusion:
As a result, we’re now down to 2 high severity issues and about 70 medium severity. Direct Malware injections were removed. Now we’re going through the last steps to remove the last stragglers of the infection (some things are set to reinfect after removal, etc.), and CLOSE THE DOORS on the site.
We’ll wrap up the work in a day or so, and the customer will be free from the existing hacks, and we will be monitoring his site on a daily scan basis (for both vulnerabilities and Malware) for the next few months.
Actual Screenshots from the Reporting Tool @ SiteSecurityMonitor.com
[Screenshot: the report summarizes the vulnerabilities detected over time (medium and high priority issues added together) to give a snapshot of performance over time, and lists the Total Issues detected on the previous scan (2009-11-30) and on the latest scan (2009-12-03).]
Posted by Jason Remillard on Thu, Jan 21, 2010 @ 11:32 AM

I came across a great question on LinkedIn a few weeks ago, and took the opportunity to document basically what it is, in a simple version (and it was voted the best answer! :)
Question:
What is an ‘SEO poisoning attack’?
SEO poisoning attacks are primarily attacks on popular websites using XSS or cross server scripting. IFrame viruses also act like this. IFrames are the most dangerous viruses that attack websites online through low server or FTP password leakage. These viruses then target different websites which contain some exploit matters, images and content.
Answer:
This is a sophisticated attack that is being perpetrated on a daily basis. (We just had one of these this week).
Basically, the hacker includes a script (in the Apache config, in your WordPress blog, in .htaccess, etc.) that says: if the incoming user agent is googlebot (or another crawler), SEND THEM here; if it's not, display the normal site.
So in my customer's example, all of his SEO rankings were showing porn, Viagra, etc., but to end users the site worked just fine. When Google crawled his site, Google was redirected to other content; Google indexed it and moved on. So now ALL of your SEO for your site is showing indexed data for the porn site. Keep in mind as well that the Google Malware alert was NOT displayed to end users. So they tricked Google twice here - once on the SEO rankings, and secondly on the Google Malware detection system. It seems they don't test for the malware without using the googlebot user agent - otherwise it would've been detected.
Even worse, the one we dealt with last week was operating a ‘webring’ of sorts. That is, the sites referred to each other as well. These cracked sites were thus increasing the SEO value of the porn links exponentially as the ring grew (as more infected sites were added). This was growing at approximately 30 sites a day.
The main ‘benefit’ here is that Google indexes this hacker's site, using your backlinks, etc. to your site to grow his SEO value.
Seems like everyone wants a good ranking from Google :-/
Unfortunately, this is a sophisticated attack, and usually has many layers (in this case, the redirects were in 4 different places, and took us hours to find).
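A defender-side check for the user-agent cloaking described in this answer, added here as an example (it is not SiteSecurityMonitor's code): it flags RewriteRules in an .htaccess that are gated on HTTP_USER_AGENT, and compares what a visitor and a crawler receive for the same URL. The .htaccess fragment, the two HTML bodies and the example.* hostnames are constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed .htaccess fragment (hypothetical, not from any real site): a normal
# rule followed by an injected one that sends search-engine crawlers elsewhere.
SAMPLE_HTACCESS = r"""
RewriteEngine On
# legitimate rule: force the www hostname
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
# injected cloaking rule: crawlers never see the real site
RewriteCond %{HTTP_USER_AGENT} (googlebot|msnbot|slurp) [NC]
RewriteRule ^(.*)$ http://pills.example/landing.php [R=302,L]
"""
UA_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_ua_gated_rules(htaccess_text):
    """Return [(ua_pattern, target)] for every RewriteRule whose condition chain
    tests HTTP_USER_AGENT. Only the RewriteConds directly above a rule belong to it."""
    findings, chain = [], []
    for line in htaccess_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ua = UA_COND.match(line)
        if ua:
            chain.append(ua.group(1))
        elif not line.lstrip().lower().startswith("rewritecond"):
            rule = RULE.match(line)
            if rule and chain:
                findings.append((chain[0], rule.group(1)))
            chain = []  # any non-RewriteCond directive ends the chain
    return findings

class PageView(HTMLParser):
    """Collects visible words and outbound link hosts from an HTML body."""
    def __init__(self):
        super().__init__()
        self.words, self.hosts = [], set()
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                host = urlparse(value or "").hostname if name == "href" else None
                if host:
                    self.hosts.add(host)
    def handle_data(self, data):
        self.words.extend(data.split())

def compare_views(visitor_html, crawler_html, site_host):
    """The same URL fetched with a browser UA and with a crawler UA should be
    near-identical. Returns (similarity 0..1, link hosts only the crawler saw)."""
    v, c = PageView(), PageView()
    v.feed(visitor_html)
    c.feed(crawler_html)
    similarity = SequenceMatcher(None, v.words, c.words).ratio()
    foreign_hosts = {h for h in c.hosts - v.hosts if h != site_host}
    return similarity, foreign_hosts

def cloaking_suspected(visitor_html, crawler_html, site_host, threshold=0.6):
    similarity, foreign = compare_views(visitor_html, crawler_html, site_host)
    return similarity < threshold or bool(foreign)

# Constructed responses for one URL: what a visitor sees vs. what a crawler sees.
VISITOR_HTML = """<html><body><h1>Daily Market Brief</h1><p>Stocks edged higher as investors weighed earnings.</p>
<a href="/about">About us</a></body></html>"""
CRAWLER_HTML = """<html><body><h1>Cheap pills online</h1><p>Discount meds shipped worldwide, no prescription needed.</p>
<a href="http://pills.example/buy">buy now</a><a href="http://ring-node.example/">partners</a></body></html>"""
```

Run `compare_views` against live responses by fetching the same URL twice, once with a normal browser User-Agent and once with a crawler User-Agent, and feeding both bodies in; the .htaccess audit is worth repeating on every file Apache reads, since the redirects in the case above sat in four different places.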
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:24 AM

SiteSecurityMonitor.Com Now Scans for Malware
Launched quietly last week, we are now scanning all websites for malware. What does this mean to you? Well, we now test each and every URL on your site for malware. How? Well, we use over 98,950 (count at this point!) malware patterns for our testing. We can test your code, your servers and, even more importantly, your ad networks. As you know, the attack patterns are changing, and now the ‘bad guys’ are injecting malware on ad networks. Google and others have been hit with this in recent weeks. We hope you enjoy the new service (reporting available in your online reports at: SiteSecurityMonitor.com Online Reporting).
Facebook users – Update your Security Settings ASAP!
Funny, but serious… ASAP – Review your Facebook Security Settings: Zuckerberg pictures exposed by Facebook privacy roll-back
- CEO shown ‘plastered’, possibly while devising new policy
- Illuminating pictures of Facebook chief exec Mark Zuckerberg have been exposed by Facebook’s privacy roll back
True Story on Fixing a Customer's Infection – and What It Means to Web Developers and Hosters
Cross-posted to thewhir.com – Hey all… I figured I would re-/cross-post a recent article I did on managing a customer's problems with respect to a recent malware infection. In this case, the add-on to the story that was not published was that the webhost he was on didn’t help much. One of those ‘you’re on your own, buddy’ kind of things.
Amazon EC2 Used as a Safe Harbor for Hackers

Security researchers have intercepted a new variant of the Zeus crimeware, which is using Amazon’s EC2 services for command and control purposes of the botnet. The cybercriminals appear to be using Amazon’s RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would result in the complete loss of access to the compromised financial data obtained from the infected hosts.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:22 AM

One big thing that is missing from this industry is empirical trend data that supports the TRUE risks and costs associated with hacking and malware infections. To date, we’ve written quite a lot about customer-specific impacts when they are infected… The ‘results’ run the gamut of thousands of dollars of losses over time, loss of SEO rank, customer reputation, etc. However, one part that has been missing is the true impact on the supporting actors in these instances.
For example, take a site that is infected with a simple malware redirect. Instead of only looking at the impacts directly to the website owner (which are onerous enough!), we’re starting to look at the impacts to the service providers for that customer.
It's not just the webhoster. It's the affiliates for that site that may lose sales. It's the ad network that is presented on that site that receives negative feedback for its ads being present on an infected site. It's the content readers that also receive the infection, or are impacted by the reduction in traffic. It's the direct advertisers that are affiliated with the website, that are now also negatively impacted from an image, reputation or traffic perspective.
So we here at SSM are undertaking a small series of end-user surveys (specifically of those that were impacted) about their total ‘experience’ with the solution. Questions like: Who did you call first? How were you told? Did your SEO rankings take a hit? Was your webhoster helpful? Did you switch hosts/designers/products based on the infection? What other steps have you taken? etc.
Thus far (early in our survey), some interesting facets have already arisen.
Primarily:
1) Clients learned of their defacement primarily through their customers or colleagues. Because they don’t regularly monitor their site, they had no idea that they were infected.
2) Their web host provider was NOT helpful or beneficial during the resolution process. Surprisingly enough, only a small percentage ‘switched’ providers due to this.
3) Google was their main source of information on this issue, but the information was confusing, not really related, and generally unhelpful overall.
We will be publishing more results as the data becomes more solid. We are still running the survey, so if you (or someone you know) went through this very personal hell, please forward them this survey link: http://surveys.verticalresponse.com/a/show/527087/2a7f185d4a/0
(securely hosted by Vertical Response – anonymous is OK too!)
-Jason