Posted by Jason Remillard on Tue, Mar 09, 2010 @ 12:35 PM
A note about transparency and a Special Offer to ControlScan Customers
By now, many have become aware of the settlement between the Federal Trade Commission and ControlScan.
From companies specifically created to sell seals without doing ANY scanning or verification whatsoever, to individuals and businesses misrepresenting their status at the Better Business Bureau, there is a long and sorry history of this type of deceptive practice. It is refreshing to see the FTC finally catching up to some of these people. The deceptive and fraudulent actions of a few tarnish the hard work and honesty of the rest of us. Rarely does a day go by that I don't have to answer a question in one form or another about whether we're for real, and can we prove that we actually do scans. These are honest inquiries that I cannot fault.
The FTC ruling against ControlScan for their past activities and inactivity will not help us with this.
Adding to the questions about our legitimacy, there will now be lingering doubt in some people's minds about scanning frequencies. To clarify, yes we really do scan for Malware every single day. We really do scan for Web Vulnerabilities at preset schedules. For most of our customers, that's every day too. In your Control Panel, you can see when the last Malware scan was completed and also when your last Web Vulnerability scan was completed.
For those of you reading this that are ControlScan customers who still have some natural lingering doubts about the service you're getting, we'd like to help set your minds at ease. To be clear, we have no reason to doubt that ControlScan is providing you with scans. We do know that they scan only for known vulnerabilities and not for the latest and fastest growing segment of security challenges, Malware.
So to ControlScan customers we'd like to offer you 50% off the package of your choice, with no obligation. Simply contact me either by phone at 717-704-0061 or email and I'll be happy to answer any questions that you might have, to get your sites enrolled immediately and to hopefully restore for you some peace of mind.
Doug McDonald
VP Sales & Business Development
SiteSecurityMonitor.Com
Posted by Jason Remillard on Fri, Feb 05, 2010 @ 04:06 PM
Recently, security and accessibility issues have become an important topic to me. Although I had always considered accessibility and more specifically usability important in my designs, since I'm now down to one active hand due to a surgery on the other hand, I am now much more sensitive to the issue of accessibility. Call it subjective I suppose, but I digress.
Two weeks ago I was speaking to a product manager for a product that most of us use each and every day, and the issue of usability and accessibility came up. We were discussing how usability affects the success or failure of products in general. Something as important as security itself should have a large focus on usability and accessibility.
Lately for me, I've been doing a lot of research in the area of accessibility of tools and I'm happy to say actually that Microsoft has done a very good job with its speech recognition system built into Windows 7. After spending just a few minutes training it, I plugged in my headset and off I went! I would say the speech recognition system has worked at about a 97% effective rate. Although right now I am using it mainly for dictation, to save on my typing efforts, obviously there are a lot of other functions like switching between windows, launching browsers, etc. At this point I'm using it just to save my good hand from too much work.
On the mobile front I found a solution called Vlingo which works on the BlackBerry (of which I am a very heavy user). It performs the same function as the speech recognition system in Windows 7; it essentially translates your voice phrases and commands into BlackBerry lingo and executes them on the platform. Again in this case I'm using it primarily to save my good hand from too much work. I wonder if people are utilizing the platform for true medical conditions like carpal tunnel syndrome or other issues. I would suspect that systems like this allow them to utilize technology in a much easier and more effective fashion.
So what does SiteSecurityMonitor have to do with usability and accessibility, specifically with Windows or BlackBerry? Not much specifically to the platforms. However, I've realized that as a founding mission statement, SSM is providing very specific detailed security information in accessible and usable formats. We've always prided ourselves on our simple to use, and easy to understand reports - specifically the high, medium, low priority issues that come out of our reports by default. We've always heard comments from customers about the reports. Specifically they appreciated the delineation between issues, which obviously helps managers and webmasters to understand where the priority issues are, and which to address right away. More importantly, from my perspective - putting the vulnerabilities into this criterion of issues does a lot more for the business than the customers are actually telling us.
In this case we are actually helping you to prioritize your expenditures, manage resources, and truly focus on what's important. When we added Malware detection scanning services to our offering about six months ago, this also made the reporting more valuable. By combining the reporting, we're able to give the site owner a holistic and whole site overview of their enterprise from a security perspective - perhaps in this case making it more accessible, but definitely more usable.
So, not to detract from any other true research or breakthroughs on the accessibility and usability front, we feel that we have done our own little part in the security side to provide this information to business owners in the format and fashion that one can understand and appreciate - and more importantly action!
Posted by Jason Remillard on Tue, Jan 26, 2010 @ 12:05 PM
Malware… Yes, it's been around for many years. However the attack vector has changed. Long ago the primary distribution method was by sharing dirty data (yes, exchanging floppy disks… remember those days?!).
Then it went onwards into distributing viruses and malware via email (this is the early days of Outlook Express!). Then came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.).
Now however, it is much more sophisticated. As unfortunately some of you have experienced, the hackers are now cracking PCs and websites to inject malware. Hence the term ‘drive-by malware’. By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website. Target any sized website, inject your bad code, and watch the infections grow by the minute!
Consider this scenario… we have a customer who came to us (name not mentioned of course), that had been injected with malware. The alerts went up in Google HQ. His site was dropped from search engine rankings immediately. So, boom – there goes all of his Google traffic (in this case, responsible for about 2,000 unique visitors a day).
Worse yet, now that Google was aware of his site's problems, the browser vendors now pick up on this and start warning ALL people visiting his site with this nice little alert:
Malware Reported Attack Site

So now, he has -0- traffic from Google. ALL of his users are now getting told this is ‘an attack’ site. All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worst of the worst! You are evil! You are spreading the scourge of the earth! How could you!
Now, this guy is in a panic. He’d just started a major campaign (offline and online), and had paid for a lot of advertising that was non-refundable. He was losing 1000’s of dollars a day, and his business was evaporating before his eyes.
Personally, I don’t like to scare monger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true to life stories, and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized any infections he was spreading (because, in reality, he was). After stripping out the hacked code, we scanned all of his site (100’s of pages) and plugged up any holes the web vulnerability scanner found (there was more than one in his shopping cart and forum systems). Turns out, some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.
Anyways, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked please, please, please!
Google, please allow his site to be back in your good graces…
After about 36 hours, Google’s scanners had verified that he was now indeed clean, and reincluded him in the indexes. Luckily, since we caught it quick enough, this did not affect his PR rankings and his SEO work he’d invested so much into was saved.
Now, the browser alerts were another problem. Firefox released their warnings within a few hours of Google. Microsoft IE shortly thereafter. Safari and a few other smaller footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses due to his PPC campaign and offline media buy losses. Of course, now he had a perception problem with his customers (yes you are safe, no I’m not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.
How to protect from these effects? Well, since nothing is 100%, regular scanning is your best defense, since you’ll know before the hackers do that there is a problem with your site. Even more important, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you are getting great coverage and risk mitigation from the standpoint that you know more, on a daily basis, about what the outside knows about your site.
This, all told, allows him to sleep better at night.
Posted by Jason Remillard on Sun, Jan 24, 2010 @ 11:55 AM
Malware Infection, Cleanup and Vulnerability Analysis and Consulting Services…
ALERT: TRUE STORY BELOW..
Want to understand how simple it is to secure your site? Sure, we’ll take a real customer example from this week to document the story.
(Names and Certain Elements removed to protect confidentiality)
Context:
Large financial news information site that was recently infected several times. Running an older (but not so old) version of WordPress. Established site, running for years, great following.
Attacks:
Several different approaches, including a desktop infection, which then infected the site. Infections spread internally from there.
Impacts:
Malware was being distributed to its 2000+ unique viewers a day. Due to the depth of the attack, Google has reindexed the site with all of the pornographic and male-enhancement site links, meta tags, etc. Effectively, the site (and business) is in bad shape, and SEO results are suffering.
The Approach:
Customer signed up for a free scan, which resulted in the 1st metric on the chart below (roughly 1,640 High and Medium Vulnerabilities) – Keep in mind, this is a fairly large site.
The customer took the recommendations and executed some of them (upgrading WordPress being the first). After contacting our support group, we went through the rest of the report, and summarized the findings and recommendations.
Luckily the Malware Alert Attack Site! flags have been removed from most browsers..
Conclusion:
As a result, we’re now down to 2 high severity issues, and about 70 medium severity. Direct Malware injections were removed. Now we’re going through the last steps to remove the last stragglers of the infection, (some things are set to reinfect after removal, etc.), and CLOSE THE DOORS on the site.
We’ll wrap up the work in a day or so, and the customer will be free from the existing hacks, and we will be monitoring his site on a daily scan basis (for both vulnerabilities and Malware) for the next few months.
[Screenshots from the reporting tool at SiteSecurityMonitor.com: a summary of medium and high priority vulnerabilities detected over time, and the total issues detected on the previous scan (2009-11-30) and the latest scan (2009-12-03).]
Posted by Jason Remillard on Thu, Jan 21, 2010 @ 11:32 AM
I came across a great question in LinkedIn a few weeks past, and took the opportunity to document basically what it is, in a simple version: (and it was voted the best answer! :)
Question:
What is an ‘SEO poisoning attack’?
SEO poisoning attacks are primarily attacks on popular websites using XSS or cross server scripting. IFrame viruses also act like this. Iframe are the most dangerous viruses that attack websites online through low server or FTP password leakage. These viruses then target different websites which contain some exploit matters, images and content.
Answer:
This is a sophisticated attack that is being perpetrated on a daily basis. (We just had one of these this week).
Basically, the hacker includes a script (in the Apache config, in your WordPress blog, in .htaccess, etc.) that says: if the incoming user agent = googlebot, etc., SEND THEM here. If it's not, display that site.
So in my customer's example, all of his SEO rankings were showing porn, Viagra, etc. But to end users, the site worked just fine. So when Google crawled his site, Google was redirected to other content. Google indexes it, and moves on. So now, ALL of your SEO for your site is showing indexed data for the porn site. Keep in mind as well, the Google Malware alert was NOT displayed to end users. So they tricked Google twice here - once on the SEO rankings, secondly the Google Malware detection system. Seems they don't test the malware NOT using the googlebot user agent - otherwise it would've been detected. 
Even worse now, the one we dealt with last week, was operating a ‘webring’ of sorts. That is, the sites referred to each other as well. These cracked sites were thus increasing the SEO value of the porn links exponentially as the ring grew (as more infected sites were added). This was growing at approximately 30 sites a day.
The main ‘benefit’ here is that Google indexes this hacker's site, using your backlinks, etc. to your site to grow his SEO value.
Seems like everyone wants a good ranking from Google :-/
Unfortunately, this is a sophisticated attack, and usually has many layers (in this case, the redirects were in 4 different places, and took us hours to find).
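A defender can check for the behaviour described in this answer by requesting the same URL twice, once with a browser User-Agent and once with a Googlebot User-Agent, and comparing what comes back. The sketch below is an added example, not code from the original post or from SiteSecurityMonitor; the function names are hypothetical and the sample responses are constructed.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
LINK_RE = re.compile(r"""(?:href|src)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it


def fetch(url, user_agent, timeout=10):
    """Live request (needs network): return (status, Location, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, "", resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")


def external_hosts(body, site_host):
    """Hosts linked or embedded in the page that are not the site itself."""
    hosts = set()
    for link in LINK_RE.findall(body):
        host = (urlparse(link).hostname or "").lower()
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return hosts


def compare_views(site_host, browser, crawler):
    """Each view is (status, location, body); return what only the crawler sees."""
    findings = []
    if crawler[0] != browser[0]:
        findings.append(f"status differs: browser={browser[0]} crawler={crawler[0]}")
    if crawler[1] and crawler[1] != browser[1]:
        findings.append(f"crawler-only redirect to {crawler[1]}")
    extra = external_hosts(crawler[2], site_host) - external_hosts(browser[2], site_host)
    if extra:
        findings.append("crawler-only external hosts: " + ", ".join(sorted(extra)))
    return findings


def check_site(url):
    """Fetch url as a browser and as Googlebot, then compare the two views."""
    site_host = re.sub(r"^www\.", "", urlparse(url).hostname or "")
    return compare_views(site_host, fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))


# Constructed sample responses (not captured from any real site).
SAMPLE_BROWSER = (200, "", '<a href="http://www.example.test/about">About us</a>')
SAMPLE_CRAWLER = (200, "", '<a href="http://www.example.test/about">About us</a>'
                           '<a href="http://pills.example.invalid/">discount</a>')

if __name__ == "__main__":
    for finding in compare_views("example.test", SAMPLE_BROWSER, SAMPLE_CRAWLER):
        print(finding)
```

A clean result only covers conditions keyed on the User-Agent header, so the server-side review of the Apache config, .htaccess and WordPress files mentioned above is still needed.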
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:21 AM
Whew… After Denis told me about what he found, I was quite concerned. After a little bit of digging, I was surprised, and somewhat thankful I suppose.
You see, in addition to hacking sites, and getting credentials, etc., these dummies made a mistake in their coding and effectively ‘broke themselves’. Which is just fine, since based on today’s quickscan numbers, there seems to be well over 40 or 50,000 sites currently in this state.
I guess we can be thankful they made an oopsie, but you can’t rely on that being your defense of course. Any current customer of 54f3.com is already protected from this sort of attack, and is highly recommended to upgrade WordPress as per our previous notes.
Anyways, we’ll let you read more about the research here. I know, I know… We’ve been trying to hire Denis for a while now, but he’s a tough guy to ‘rope down’. Perhaps that’s a good thing in this case.
Gumblar Breaks WordPress blogs and other complex PHP sites
http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:40 AM
For some light humor!
1) You really enjoy waking up in the morning with your coffee, hitting your homepage, and finding a new page marketing ‘special offers’ for ‘enhancement’ products… You spill your coffee, burn…ouch.
2) You just love getting a hosting bill showing your site had somehow managed to use 4 terabytes of data last month, even though your site is actually just 3 small pages.
3) You appreciate the Friday afternoon calls from 2 of your largest customers, saying that they are switching to your competitor due to some aggressive marketing they’ve received… Hmm, wonder how your competition knew how many kitty trinkets your biggest customer ordered last week?
4) You relish the thought of not being able to send your weekly newsletter to your regular customers, since, for some reason, no emails are getting through and your hosting provider says you sent 1,540,098 emails in the past hour marketing Acai Beans. You sell catnip toys… Interesting.
5) You’ve had approximately 38.56 different people help you with your website, you’ve changed hosters 6 times, and attempted to change the registrar of your domain three times but gave up. You know what they say about too many cooks…
6) That great freeware guestbook system written by a kid in Slovakia with a name you can’t even pronounce you thought was really neat in 2003 is actually still on the site, but you’ve long forgotten about it being there. Google and the scammers didn’t forget though…
7) One of your designers installed a patch for your shopping cart 2 years ago and had problems. After googling for a solution for a few hours with no results they decided to chmod 777 * a few large directories. Voila, it works! And that’s the way it’s been for 2 years now. Lovely.
8) You enjoy explaining to your customers how their private information is now front page news, or worse, with their ex-wife’s lawyer!
9) The thought of having the marketing list you paid $10k for last year available to anyone is something you enjoy. Sharing and collaborating, that’s what the net is all about, right?
10) You enjoy negotiating with a faceless individual from somewhere overseas that speaks like this “u will knot get ur d8a bck ever again unlezz u pay $80.000 dollarz.”. It wasn’t just your corporate data, it was your friends and family as well… Ouch.. Get that wire transfer ready.
11) Finally... The end of the pain. Perhaps not. On top of all of the great ‘side effects’ of not scanning your website – You get sued, your family gets sued, and now the ‘authorities’ are looking into your business activities — because — surprise, surprise, there are laws surrounding data protection. Your business is kaput, your staff is leaving in droves, and everything you’ve worked for for years now is gone. You thought you were diligent in picking a hosting provider, team members for the design and development and other folks for the rest of your business. However, when it came to someone offering you a fresh set of eyes on your site, you said no. No, we’re ok. We check. We’re fine. You thought website security scanning was like insurance. Perhaps it is. But we all miss it when we need it. In this case, you need it before you actually really need it. Because, by then, it’s too late.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:32 AM
One big thing that is missing from this industry is empirical trend data that supports the TRUE risks and costs associated with hacking and malware infections. To date, we’ve written quite a lot about customer-specific impacts when they are infected… The ‘results’ run the gamut of 1000’s of dollars of losses over time, loss of SEO rank, customer reputation, etc. However, one part that has been missing is the true impact around the realm of supporting actors in these instances.
For example, take a site that is infected with a simple malware redirect. Instead of only looking at the impacts directly to the website owner (which are onerous enough!), we’re starting to look at the impacts to the service providers for that customer.
It’s not just the webhoster. It’s the affiliates for that site that may lose sales. It’s the ad network that is presented on that site that receives negative feedback for the ads being present on an infected site. It’s the content readers that also receive the infection, or are impacted by the reduction in traffic. It’s the direct advertisers that are affiliated with the website, that are now also negatively impacted from image, reputation or traffic perspectives.
So we here at SiteSecurityMonitor.com are undertaking a small series of end-user surveys (specifically those that were impacted) about their total ‘experience’ with the solution. Questions like: Who did you call first? How were you told? Did your SEO rankings take a hit? Was your webhoster helpful? Did you switch hosts/designers/products based on the infection? What other steps have you taken, etc.?
Thus far (early in our survey), some interesting facets have already arisen..
Primarily:
1) Clients learned of their defacement primarily through their customers or colleagues. Because they don’t regularly monitor their site, they had no idea that they were infected.
2) Their web host provider was NOT helpful, not beneficial during the resolution process. Surprisingly enough, only a small percentage ‘switched’ providers due to this.
3) Google was their main source of information on this issue, but the information was confusing, not really related, and generally was unhelpful overall.
We will be publishing more results as the data becomes more solid. We are still running the survey, so if you (or someone you know) went through this very personal hell, please forward them this survey link URL: http://surveys.verticalresponse.com/a/show/527087/2a7f185d4a/0
(securely hosted by vertical response – anonymous is ok too!)
-Jason