Posted by Jason Remillard on Fri, Jan 29, 2010 @ 11:23 AM
Perhaps our children will 'get it' now :)
Not a bad track, enjoy!
http://www.youtube.com/watch?v=d0nERTFo-Sk
Posted by Jason Remillard on Tue, Jan 26, 2010 @ 12:05 PM
Malware… Yes, it's been around for many years. However, the attack vector has changed. Long ago the primary distribution method was sharing dirty data (yes, exchanging floppy disks… remember those days?!).
Then it moved on to distributing viruses and malware via email (the early days of Outlook Express!). Then came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.).
Now, however, it is much more sophisticated. As some of you have unfortunately experienced, the hackers are now cracking PCs and websites to inject malware, hence the term 'drive-by malware'. By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website. Target any sized website, inject your bad code, and watch the infections grow by the minute!
Consider this scenario… we have a customer who came to us (name not mentioned, of course) whose site had been injected with malware. The alerts went up at Google HQ. His site was dropped from the search engine rankings immediately. So, boom – there goes all of his Google traffic (in this case, responsible for about 2,000 unique visitors a day).
Worse yet, now that Google was aware of his site's problems, the browser vendors picked up on this and started warning ALL people visiting his site with this nice little alert:
Malware Reported Attack Site

So now, he has -0- traffic from Google. ALL of his users are now being told this is 'an attack site'. All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worst of the worst! You are evil! You are spreading the scourge of the earth! How could you!
Now, this guy is in a panic. He'd just started a major campaign (offline and online), and had paid for a lot of advertising that was non-refundable. He was losing thousands of dollars a day, and his business was evaporating before his eyes.
Personally, I don't like to scaremonger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true-to-life stories and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized the infections he was spreading (because, in reality, he was). After stripping out the hacked code, we scanned all of his site (hundreds of pages) and plugged the holes the web vulnerability scanner found (there was more than one in his shopping cart and forum systems). It turns out some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.
Anyway, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked please, please, please!
Google, please allow his site to be back in your good graces…
After about 36 hours, Google's scanners had verified that he was now indeed clean, and re-included him in the indexes. Luckily, since we caught it quickly enough, this did not affect his PR rankings, and the SEO work he'd invested so much into was saved.
Now, the browser alerts were another problem. Firefox released its warnings within a few hours of Google; Microsoft IE shortly thereafter. Safari and a few other smaller-footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses from his PPC campaign and offline media buy. Of course, he now had a perception problem with his customers (yes you are safe, no I'm not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.
How do you protect against these effects? Well, since nothing is 100%, regular scanning is your best defense, because you'll know before the hackers do that there is a problem with your site. Even more important, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you get great coverage and risk mitigation: you know more, on a daily basis, about what the outside world knows about your site.
This, all told, allows him to sleep better at night.
Posted by Jason Remillard on Sun, Jan 24, 2010 @ 11:55 AM
Malware Infection, Cleanup and Vulnerability Analysis and Consulting Services…
ALERT: TRUE STORY BELOW..
Want to understand how simple it is to secure your site? Sure, we’ll take a real customer example from this week to document the story.
(Names and Certain Elements removed to protect confidentiality)
Context:
Large financial news information site that was recently infected several times. Running an older (but not so old) version of WordPress. Established site, running for years, great following.
Attacks:
Several different approaches, including a desktop infection, which then infected the site. Infections spread internally from there.
Impacts:
Malware was being distributed to its 2000+ unique viewers a day. Due to the depth of the attack, Google has re-indexed the site with all of the pornographic and male-enhancement site links, meta tags, etc. Effectively, the site (and business) is in bad shape and SEO results are suffering.
The Approach:
The customer signed up for a free scan, which resulted in the first metric on the chart below (roughly 1,640 high and medium vulnerabilities) – keep in mind, this is a fairly large site.
The customer took the recommendations and executed some of them (upgrading WordPress being the first). After contacting our support group, we went through the rest of the report and summarized the findings and recommendations.
Luckily the "Malware Alert Attack Site!" flags have been removed from most browsers.
Conclusion:
As a result, we’re now down to 2 high severity issues, and about 70 medium severity. Direct Malware injections were removed. Now we’re going through the last steps to remove the last stragglers of the infection, (some things are set to reinfect after removal, etc.), and CLOSE THE DOORS on the site.
We’ll wrap up the work in a day or so, and the customer will be free from the existing hacks, and we will be monitoring his site on a daily scan basis (for both vulnerabilities and Malware) for the next few months.
Actual Screenshots from the Reporting Tool @ SiteSecurityMonitor.com

We have summarized the vulnerabilities detected over time (medium and high priority issues added together) in order to give you a snapshot of your performance over time.
Total Issues: Below are the issues detected on this scan and the last scan.
Previous scan (2009-11-30 xxxxxx AM) | Latest scan (2009-12-03 xxxxxx AM)
Posted by Jason Remillard on Thu, Jan 21, 2010 @ 11:32 AM
I came across a great question on LinkedIn a few weeks ago, and took the opportunity to document basically what it is, in a simple version (and it was voted the best answer! :)
Question:
What is an ‘SEO poisoning attack’?
SEO poisoning attacks are primarily attacks on popular websites using XSS or cross server scripting. IFrame viruses also act like this. Iframes are the most dangerous viruses that attack websites online through low server or FTP password leakage. These viruses then target different websites which contain some exploit matters, images and content.
Answer:
This is a sophisticated attack that is being perpetrated on a daily basis (we just had one of these this week).
Basically, the hacker includes a script (in the Apache config, in your WordPress blog, in .htaccess, etc.) that says: if the incoming user agent is Googlebot (or another crawler), SEND THEM here; if it's not, display the normal site.
So in my customer's example, all of his SEO rankings were showing porn, Viagra, etc., but to end users the site worked just fine. When Google crawled his site, Google was redirected to other content; Google indexed it and moved on. So now ALL of the SEO for your site is showing indexed data for the porn site. Keep in mind as well that the Google malware alert was NOT displayed to end users. So they tricked Google twice here: once on the SEO rankings, and secondly on the Google malware detection system. It seems they don't test for malware without the Googlebot user agent, otherwise it would have been detected.
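Two defender-side checks for the user-agent cloaking just described, as an added example that is not code from the original post or from SiteSecurityMonitor: one scans an .htaccess file for RewriteRules that are guarded by a crawler user-agent condition, the other compares the page served to a normal browser with the page served to a crawler and reports link hosts only the crawler sees. The .htaccess sample, the two HTML responses and the crawler-name list are constructed here for illustration and are assumptions, not data from the post.

```python
"""Detect user-agent cloaking: (1) in Apache rewrite rules, (2) by diffing
what a browser and what a crawler are served. Added example; the sample
.htaccess, the HTML snippets and CRAWLER_TOKENS are constructed assumptions."""
import re
import urllib.request
from html.parser import HTMLParser

# Crawler identifiers a cloaking rule typically keys on (assumption).
CRAWLER_TOKENS = ("googlebot", "bingbot", "slurp", "msnbot", "yandex")

# Constructed sample: a legitimate front-controller rewrite followed by a
# cloaking rule that sends only search-engine crawlers somewhere else.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]

RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://pharmacy.example/landing.php?ref=$1 [R=302,L]
"""


def find_cloaking_rules(htaccess_text):
    """Return (RewriteCond, RewriteRule) pairs where the rule is guarded by a
    condition on HTTP_USER_AGENT that names a known crawler. In mod_rewrite,
    RewriteCond lines apply to the next RewriteRule, so we collect them and
    evaluate when the rule arrives."""
    findings, pending = [], []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            for cond in pending:
                if "HTTP_USER_AGENT" in cond and any(t in cond.lower() for t in CRAWLER_TOKENS):
                    findings.append((cond, line))
            pending = []
    return findings


class _TitleAndHosts(HTMLParser):
    """Collect the <title> text and the hosts of absolute links on a page."""

    def __init__(self):
        super().__init__()
        self.title, self.hosts, self._in_title = "", set(), False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            m = re.match(r"https?://([^/]+)", dict(attrs).get("href", ""))
            if m:
                self.hosts.add(m.group(1).lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def summarize(html):
    p = _TitleAndHosts()
    p.feed(html)
    return {"title": p.title, "hosts": p.hosts}


def cloaking_diff(visitor_html, crawler_html):
    """Compare the browser view with the crawler view. Hosts linked only in the
    crawler view are the classic sign of SEO-poisoning cloaking."""
    v, c = summarize(visitor_html), summarize(crawler_html)
    return {"title_changed": v["title"] != c["title"],
            "crawler_only_hosts": c["hosts"] - v["hosts"]}


def fetch_as(url, user_agent, timeout=10):
    """Fetch a URL presenting the given User-Agent (for live checks of your own site)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed responses: what a browser gets versus what "Googlebot" gets.
VISITOR_HTML = ('<html><head><title>Acme Financial News</title></head><body>'
                '<a href="http://www.example.com/about">About</a></body></html>')
CRAWLER_HTML = ('<html><head><title>Cheap pills</title></head><body>'
                '<a href="http://pharmacy.example/buy">buy</a>'
                '<a href="http://www.example.com/about">About</a></body></html>')

if __name__ == "__main__":
    for cond, rule in find_cloaking_rules(SAMPLE_HTACCESS):
        print("cloaking rule:", cond, "->", rule)
    print(cloaking_diff(VISITOR_HTML, CRAWLER_HTML))
```

For a live check of your own site, call `fetch_as(url, "Mozilla/5.0 ...")` and `fetch_as(url, "Googlebot/2.1")` and pass both bodies to `cloaking_diff`; a non-empty `crawler_only_hosts` is worth a look even when the browser view is clean, which is exactly the case the post describes. The .htaccess check only catches one of the "many layers" mentioned below, so it complements rather than replaces a response diff.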
Even worse, the one we dealt with last week was operating a 'webring' of sorts. That is, the sites referred to each other as well. These cracked sites were thus increasing the SEO value of the porn links exponentially as the ring grew (as more infected sites were added). It was growing at approximately 30 sites a day.
The main 'benefit' here is that Google indexes the hacker's site, using your backlinks, etc. to your site to grow his SEO value.
Seems like everyone wants a good ranking from Google :-/
Unfortunately, this is a sophisticated attack, and usually has many layers (in this case, the redirects were in 4 different places, and took us hours to find).
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:24 AM
SiteSecurityMonitor.Com Now Scans for Malware
Launched quietly last week, we are now scanning all websites for malware. What does this mean to you? Well, we now test each and every URL on your site for malware. How? Well, we use over 98,950 (count at this point!) malware patterns for our testing. We can test your code, your servers and even more importantly, your ad networks. As you know, the attack patterns are changing, and now the ‘bad guys’ are injecting malware on adnetworks. Google and others have been hit with this in recent weeks. We hope you enjoy the new service (reporting available in your online reports at: SiteSecurityMonitor.com Online Reporting).
Facebook users – Update your Security Settings ASAP!
Funny, but serious… ASAP – Review your Facebook Security Settings: Zuckerberg pictures exposed by Facebook privacy roll-back
- CEO shown ‘plastered’, possibly while devising new policy
- Illuminating pictures of Facebook chief exec Mark Zuckerberg have been exposed by Facebook’s privacy roll back
Full Story Here
True Story on Fixing a Customer's Infection – and What It Means to Web Developers and Hosters
Cross posted to thewhir.com – Hey all…I figured I would re/cross post a recent article I did on managing a customer's problems with respect to a recent malware infection. In this case, the add-on to the story that was not published was that the webhost he was on, didn’t help much. One of those ‘you’re on your own buddy’ kind of things.
Full Story Here
Amazon EC2 Used as a Safe Harbor for Hackers

Security researchers have intercepted a new variant of the Zeus crimeware, which is using Amazon’s EC2 services for command and control purposes of the botnet. The cybercriminals appear to be using Amazon’s RDS managed database hosting service as a backend alternative in case they lose access to the original domain, which would result in the complete loss of access to the compromised financial data obtained from the infected hosts.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:22 AM
One big thing that is missing from this industry is empirical trend data that supports the TRUE risks and costs associated with hacking and malware infections. To date, we've written quite a lot about customer-specific impacts when they are infected… The 'results' run the gamut: thousands of dollars of losses over time, loss of SEO rank, customer reputation, etc. However, one part that has been missing is the true impact on the supporting actors in these instances.
For example, take a site that is infected with a simple malware redirect. Instead of only looking at the impacts directly to the website owner (which are onerous enough!), we're starting to look at the impacts to the service providers for that customer.
It's not just the web host. It's the affiliates for that site that may lose sales. It's the ad network presented on that site that receives negative feedback for its ads appearing on an infected site. It's the content readers who also receive the infection, or are impacted by the reduction in traffic. It's the direct advertisers affiliated with the website, who are now also negatively impacted from an image, reputation or traffic perspective.
So we here at SSM are undertaking a small series of end-user surveys (specifically of those who were impacted) about their total 'experience' with the solution. Questions like: Who did you call first? How were you told? Did your SEO rankings take a hit? Was your web host helpful? Did you switch hosts/designers/products because of the infection? What other steps have you taken, etc.?
Thus far (early in our survey), some interesting facets have already arisen.
Primarily:
1) Clients learned of their defacement primarily through their customers or colleagues. Because they don't regularly monitor their site, they had no idea that they were infected.
2) Their web host provider was NOT helpful and not beneficial during the resolution process. Surprisingly, only a small percentage 'switched' providers because of this.
3) Google was their main source of information on this issue, but the information was confusing, not really related, and generally unhelpful overall.
We will be publishing more results as the data becomes more solid. We are still running the survey, so if you (or someone you know) went through this very personal hell, please forward them this survey link URL: http://surveys.verticalresponse.com/a/show/527087/2a7f185d4a/0
(securely hosted by vertical response – anonymous is ok too!)
-Jason
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 08:21 AM
Whew… After Denis told me about what he found, I was quite concerned. After a little bit of digging, I was surprised, and somewhat thankful I suppose.
You see, in addition to hacking sites and getting credentials, etc., these dummies made a mistake in their coding and effectively 'broke themselves'. Which is just fine, since based on today's quickscan numbers there seem to be well over 40 or 50,000 sites currently in this state.
I guess we can be thankful they made an oopsie, but you can't rely on that as your defense, of course. Any current customer of 54f3.com is already protected from this sort of attack, and is highly recommended to upgrade WordPress as per our previous notes.
Anyway, we'll let you read more about the research here. I know, I know… We've been trying to hire Denis for a while now, but he's a tough guy to 'rope down'. Perhaps that's a good thing in this case.
Gumblar Breaks WordPress blogs and other complex PHP sites
http://blog.unmaskparasites.com/2009/11/04/gumblar-breaks-wordpress-blogs-and-other-complex-php-sites/
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:40 AM
For some light humor!
1) You really enjoy waking up in the morning with your coffee, hitting your homepage, and finding a new page marketing ‘special offers’ for ‘enhancement’ products… You spill your coffee, burn…ouch.
2) You just love getting a hosting bill showing your site had somehow managed to use 4 terabytes of data last month, even though your site is actually just 3 small pages.
3) You appreciate the Friday afternoon calls from 2 of your largest customers, saying that they are switching to your competitor due to some aggressive marketing they’ve received… Hmm, wonder how your competition knew how many kitty trinkets your biggest customer ordered last week?
4) You relish the thought of not being able to send your weekly newsletter to your regular customers, since, for some reason, no emails are getting through and your hosting provider says you sent 1,540,098 emails in the past hour marketing Acai Beans. You sell catnip toys… Interesting.
5) You’ve had approximately 38.56 different people help you with your website, you’ve changed hosters 6 times, and attempted to change the registrar of your domain three times but gave up. You know what they say about too many cooks…
6) That great freeware guestbook system written by a kid in Slovakia with a name you can't even pronounce, which you thought was really neat in 2003, is actually still on the site, but you've long forgotten about it being there. Google and the scammers didn't forget though…
7) One of your designers installed a patch for your shopping cart 2 years ago and had problems. After googling for a solution for a few hours with no results, they decided to chmod 777 * a few large directories. Voila, it works! And that's the way it's been for 2 years now. Lovely.
8) You enjoy explaining to your customers how their private information is now front page news, or worse, with their ex-wife's lawyer!
9) The thought of having the marketing list you paid $10k for last year available to anyone is something you enjoy. Sharing and collaborating, that’s what the net is all about, right?
10) You enjoy negotiating with a faceless individual from somewhere overseas that speaks like this “u will knot get ur d8a bck ever again unlezz u pay $80.000 dollarz.”. It wasn’t just your corporate data, it was your friends and family as well… Ouch.. Get that wire transfer ready.
11) Finally... The end of the pain. Perhaps not. On top of all of the great ‘side effects’ of not scanning your website – You get sued, your family gets sued, and now the ‘authorities’ are looking into your business activities — because — surprise, surprise, there are laws surrounding data protection. Your business is kaput, your staff is leaving in droves, and everything you’ve worked for for years now is gone. You thought you were diligent in picking a hosting provider, team members for the design and development and other folks for the rest of your business. However, when it came to someone offering you a fresh set of eyes on your site, you said no. No, we’re ok. We check. We’re fine. You thought website security scanning was like insurance. Perhaps it is. But we all miss it when we need it. In this case, you need it before you actually really need it. Because, by then, it’s too late.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:39 AM
Just about every single entity involved in a computer has updates. Whether it’s the newest software version of Firefox or the newest graphics driver for your computer. We all know this can get annoying… every few minutes another application is telling me I should update it and sometimes you can just forget to, or decide not to… but then there are often downsides of that.
WordPress recently announced that if you do not have the newest version (or second newest version) you could be vulnerable to the latest worm. This one actually has the ability to register a new user which hides itself and later edits permalinks in order to hide spam and malware inside your old posts.
So make sure that you have the latest version of WordPress, you can check by going to “Tools” and then “Upgrade” and it will tell you whether it’s the latest or not. If you don’t have the latest version, update and check all of your old links immediately.
Updating can be a hassle and keeping up with all those applications can be an annoyance. At least you always know that you don’t have to worry about updating your security services here with us — here at SSM we are updating our scanners and pattern matchers every day to ensure that you have the best protection.
SOURCE: http://www.net-security.org/malware_news.php?id=1103
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:38 AM
As reported previously on my thewhir.com blog posting there seems to be a growing debate about the true ‘value’ of the PCI/DSS standard.
Indeed, I’ve been following a rather large thread on linkedin.com as well that is discussing the value of PCI in regards to the recent Network Solutions, Inc. disclosure that they were malwared for several months!
As we continue, it seems that the Heartland CEO feels the same way: we were certified, we thought we were fine, until we learned that being certified doesn't mean much… Read the full article here: http://www.cso.com.au/article/314712/heartland_ceo_data_breach_qsas_let_us_down
To me, Heartland's response to its issues has been much more responsible than others'. In this case, they weren't happy with things, 'took it on the road', spun up trade groups, etc., as compared to others who just hid under the certified stamp.
Post your responses here, or email me directly. If you are interested, I will support/sponsor a more public and open forum on this topic.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:37 AM
This is a sales pitch, I am not going to deny that. A lot of web sites out there have an array of vulnerabilities and your site could easily be one of them. A recent study based on the first six months of this year found that every 3.6 seconds a new web site is infected (http://www.itbusiness.ca/it/client/en/home/news.asp?id=54476). That is ridiculous and more importantly, it’s faster than it was last year. This epidemic is getting worse.
Now of course, we want you to try our service, that’s what I’m writing about here, but we want to make you aware of the facts first. We help to make sure your website is secure so that you are not one of those statistics listed above. We’re not trying to offer this service to people who won’t be helped by it — if your site is flawless, good for you! Unfortunately though, most sites are not perfect. We come across a lot of infected sites — some much, much worse than the owner could ever have anticipated.
Now again, don’t do business with us if you feel your website has absolutely nothing that can be gained by our services. However, before you worry, get a free scan from us and make sure that at least for now you are still safe — and hopefully your site will still be safe 3.6 seconds from now…
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:36 AM
You have a lot of things you try to keep secure, and some of them you simply have to put in other people's hands because you can't do it on your own (like your website *hint hint*). However, there are some things you do have control over, and a big one is passwords. We all get to decide our unique words (or numbers or made-up gibberish) to protect our accounts. But how good is your password?
I read an interesting analysis recently that took the data from three hacked websites where passwords were revealed and constructed charts specifying which were most common; you can find that here and a bit more analysis here. The main thing I learned is that if your password is "123456", change it immediately. Other common ones were "jesus", "qwerty", "password" and other very basic passwords.
A personal password is an important thing and yet many of us just pick something that first day of signing up for an e-mail or whatever else and stick with it forever without re-examining whether it’s even a good password or not. However, for most of us that is good enough. Most people won’t have their accounts hacked or broken into and it’s possible that if you do, there really wasn’t much you could do in the first place (like here). So what’s the point of even thinking about it? Well, it still happens — usually not in a “I’m a hacker going to steal your credit card info” but more of a “I’m a jealous (ex-)partner and want to make sure you’re not cheating on me” type of way. And whether you are cheating or not, I doubt you want anyone going through your e-mails or anything else without your permission. (However, if you have a website you should make sure your password is secure or else spam could be the only thing your customers see — if you’re not using our services that is.)
So now if you’re wondering what constitutes a good password, well as a previous link mentioned, the more characters you have, the harder it is to break into, with each additional character making it quite a bit harder. Using an 11-character password might seem like a lot, but once you start using it you learn to type it pretty fast (or you’re letting your browser save it for you, in which case why not have a 20-character password). Additionally, don’t just pick the first object you see or the first thing someone says to use as a password, make it something completely random — and then throw a capital and a number in there just to be sure.
Despite all of this though, even all of those common passwords combined made up about 4-5% of the total so it seems that most people are using something more original than “123123″. You just want to be sure that, at the very least, your password can’t be broken into by someone simply looking at a “most used passwords” list and then trying them out. That would be stupid.
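A small password-quality check that puts the two points above into code: a password on a "most used passwords" list fails outright, and otherwise the guessing effort grows with the length and the character classes used (log2 of the number of equally likely strings). This is an added example, not code from the original post; the common-password set is constructed from the entries the post names plus a few obvious variants, and a real deployment would load a full breach-derived list instead.

```python
"""Password-quality assessment: common-list check plus an entropy upper bound.
Added example; COMMON_PASSWORDS is a constructed list, not a real breach dataset."""
import math
import string

# Constructed: the passwords named in the post plus a few obvious variants.
COMMON_PASSWORDS = {
    "123456", "123456789", "123123", "password", "qwerty", "jesus",
    "12345678", "iloveyou", "abc123", "letmein",
}


def charset_size(pw):
    """Size of the alphabet implied by the character classes present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def entropy_bits(pw):
    """Upper bound on guessing entropy: log2(charset ** length), i.e. the
    password is treated as uniformly random over its classes. Each extra
    character adds log2(charset) bits, which is why length dominates."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def is_common(pw):
    """True if the password, compared case-insensitively, is on the common list."""
    return pw.lower() in COMMON_PASSWORDS


def assess(pw, min_bits=60.0):
    """Verdict for one password. A common password is rejected no matter how
    many bits the formula credits it with, because a list lookup beats any
    entropy estimate; min_bits is an assumed policy threshold."""
    bits = entropy_bits(pw)
    common = is_common(pw)
    return {
        "common": common,
        "entropy_bits": round(bits, 1),
        "acceptable": (not common) and bits >= min_bits,
    }


if __name__ == "__main__":
    for candidate in ("123456", "Password1", "xK9#pL2@qRw", "correcthorsebatterystaple"):
        print(f"{candidate!r:30} {assess(candidate)}")
```

Two things the output makes visible that the prose only states: a 25-character all-lowercase password scores far more bits than a 9-character mixed one, and "Password" is still rejected despite its capital letter because the list check is case-insensitive. The entropy figure is an upper bound; a dictionary word with a capital and a digit bolted on is guessed much faster than the formula suggests, which is why the list check comes first.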
*UPDATE* October 6, 2009
With the recent leak of around 10,000 e-mail accounts and passwords, new statistics are already popping up about them. Rather than make a new blog post about this, I figured I might as well just add them to this one. It's no surprise that the most common password found was "123456", although it is a bit odd that the next highest is "123456789"; I guess these users just decided it's better to go across the entire row of numbers than stop somewhere randomly in between.
The most interesting thing these statistics seem to reveal is 1) that the phishing scam was targeting a particular ethnic group, and 2) that you can tell that just from seeing the passwords! Frankly, if your password is good enough, no one should have the slightest clue about you: not race, ethnicity, gender, and perhaps not even what language you speak.
I understand that a lot of people never want to change their password once they’ve created it, but if that’s the case you should make sure it’s a high quality password. I also know that the first moment you create a password is a critical moment, because you begin using it more and then before you know it, it’s ingrained and you’re afraid to change it because you might forget the new one. If that’s the case, I hope it works out for you and for most of you it probably will. But there will always be a few that will wish they had updated their password so don’t become one of them.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:35 AM
While not particularly new anymore, online social networking is still an exciting medium. Compulsively, I check my Facebook every day, make several posts on Twitter and contribute what I can to LinkedIn and I know I’m not alone with these things. Well, now unsurprisingly a study has found that “social network users [are] more vulnerable to risks”, discovered here.
The study has its issues, but it has some important points too. Let’s start with the issues.
- “Changing passwords (64 percent infrequently or never)
- Adjusting privacy settings (57 percent infrequently or never)
- Informing their social network administrator (90 percent infrequently or never)”
While changing passwords can certainly help maintain a certain level of security, I think the quality of the password (how long it is, whether it includes capitals/numbers, and how original it is) is more valuable than the number of times the password is changed in most circumstances (for more information on passwords, check out my last blog post).
Adjusting the privacy settings really depends on what sort of privacy you need. If you don’t put up anything private, then obviously you don’t need strict privacy settings.
Then finally, “Informing their social network administrator.” It’s not surprising that this is 90% because I have no idea what this is even referring to. Who is the social network administrator and what do they need to be informed of? Most people are probably their own social network administrator making this question invalid.
After that the article goes on to note things like "21 percent accept contact offerings from members they don't recognize", which is actually exceptionally low in my opinion. I would think more people would accept to see if perhaps they know the person but didn't realize it, and then, if they don't, delete them. Easy.
If you're paranoid and feel that you'll easily fall victim to some sort of phishing scam, then by all means don't accept them. However, the article states that 55% of people have seen phishing scams, but it doesn't state how many have really been scammed by one, so I'm guessing that number is actually much lower.
When it comes to social networking, the best thing you can do is use common sense. If someone you don't know is asking for money or asking for your password, it's a scam (in all my years of having online passwords, I have never once been asked for one by a legitimate official for any purpose, so if someone is asking you, 99% of the time it's a scam). Also, if someone posts a link, make sure it's from a source you trust, or else you can always highlight it and Google it. If it's a shortened link, like a couple I posted here, there are a few things you can do. There are sites that will tell you where the link leads, but if the link is from bit.ly or j.mp you can paste the link in your browser and add a "+" at the end of it and it will give you interesting details, including where the link leads (go ahead, try it out on one of the links here).
Of course, sometimes it can be difficult to realize what a scam is, as it was for Jayne Scherrman, who as I posted on Twitter a couple of weeks ago, was scammed out of almost $4,000 on Facebook: http://bit.ly/4mqZQv. However, with a single call to her friend, it could’ve been saved.
So watch out for these types of things and if a friend is asking you for money, especially large amounts of money, why not give them a call, or at least an e-mail to verify it. And if you’re not willing to give them a call, well then you’re probably not close enough to them to be giving them money anyway.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:34 AM
It's becoming quite clear that this is an age of increased malware and security threats. The news is becoming more and more flooded with these kinds of reports, and many of them are about reputable companies that end up looking stupid because of a vulnerability on their website. Of course, we already know many good reasons to get added security for your website: keeping your site safe and reliable, putting your customers at ease, and all of these kinds of things that I've said many times before. The important thing right now is that the U.S. Federal Trade Commission is offering you a new reason… you could end up being fined.
An article today (which can be found at the end) announced that ChoicePoint, a data broker, is being fined $275,000 because their data was breached a second time. Now many of you may not be in a situation where your site being exploited would actually result in you being fined, but for any company that holds other people's information, any information, a breach could result in serious losses.
Of course, these are already on top of other losses, like ones noted in an ITworld article:
“The latest versions of Microsoft's Internet Explorer browser and Google's search engine detect sites infected with malware, issue a warning and block access to the site. ‘To me, this is serious online brand damage,’ says Gartner analyst John Pescatore, and it can be disastrous for small and midsize businesses that totally depend on search engine traffic. The next frontier, says Dye, may be attackers who use these types of exploits against the Web sites of high-profile brands and then publicize — or threaten to publicize — what happened.”
Don't take risks with your website. It may run flawlessly today and it may run flawlessly tomorrow, but if your site is insecure, it could cost you. And sadly, more and more companies are discovering this right now.
Don't be one of them.
Via: http://www.cso.com.au/article/322712/choicepoint_pay_fine_second_data_breach?fp=2&fpid=1&rid=1 and http://www.itworld.com/security/81482/hijacked-web-sites-attack-visitors
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:33 AM
Malware… Yes, it’s been around for many years. However, the attack vector has changed. Long ago the primary distribution method was by sharing dirty data (yes, exchanging floppy disks… remember those days?!).
Then it moved on to distributing viruses and malware via email (the early days of Outlook Express!). Then came the solutions to block this (antivirus on your email, desktop solutions that block installs on your PC, etc.).
Now, however, it is much more sophisticated. As some of you have unfortunately experienced, the hackers are now cracking PCs and websites to inject malware. Hence the term ‘drive-by malware’. By infecting your website the hackers are now able to enjoy a free distribution method for their wares – your website. Target any sized website, inject your bad code, and watch the infections grow by the minute!
Consider this scenario… we have a customer who came to us (name not mentioned, of course) whose site had been injected with malware. The alerts went up in Google HQ. His site was dropped from search engine rankings immediately. So, boom – there goes all of his Google traffic (in this case, responsible for about 2,000 unique visitors a day).
Worse yet, now that Google was aware of his site’s problems, the browser vendors picked up on this and started warning ALL people visiting his site with this nice little alert:
Malware Reported Attack Site

So now, he has -0- traffic from Google. ALL of his users are now being told this is ‘an attack’ site. All bookmarked entries, links from other sites, etc. ALL reflect that this site is now worse than the worst of the worst! You are evil! You are spreading the scourge of the earth! How could you!
Now, this guy is in a panic. He’d just started a major campaign (offline and online), and had paid for a lot of advertising that was non-refundable. He was losing thousands of dollars a day, and his business was evaporating before his eyes.
Personally, I don’t like to scaremonger my customers into solutions. I think it is a disservice that many of our competitors do. However, I do like to highlight true-to-life stories, and their true impacts.
In this case, we were able to quickly shut down his site to stop the spread. Taking the site offline also minimized any infections he was spreading (because, in reality, he was). After stripping out the hacked code, we scanned all of his site (hundreds of pages) and plugged up any holes the web vulnerability scanner found (there was more than one in his shopping cart and forum systems). Turns out, some of the lovely little hit counters and subscriber forms he had on his site were wide open as well.
Anyway, after the cleanup, and a few runs through our malware scanner to ensure we were clean, we stood the site back up and asked: please, please, please, Google, allow his site to be back in your good graces…
After about 36 hours, Google’s scanners had verified that he was now indeed clean, and re-included him in the indexes. Luckily, since we caught it quickly enough, this did not affect his PR rankings, and the SEO work he’d invested so much into was saved.
Now, the browser alerts were another problem. Firefox released their warnings within a few hours of Google. Microsoft IE shortly thereafter. Safari and a few other smaller-footprint browsers took a few days.
All in all, this attack cost him well over $10,000 in immediate losses due to his PPC campaign and offline media buy losses. Of course, now he had a perception problem with his customers (yes you are safe, no I’m not a hacker, etc.), and on top of that, one very long, long weekend on the phone with customers.
How do you protect against these effects? Well, since nothing is 100%, regular scanning is your best defense, since you’ll know before the hackers do that there is a problem with your site. Even more important, since we now test each and every URL on your site with over 120,000 attack patterns (yes, that many!), you are getting great coverage and risk mitigation from the standpoint that you know more, on a daily basis, about what the outside knows about your site.
This, all told, allows him to sleep better at night.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:32 AM
One big thing that is missing from this industry is empirical trend data that supports the TRUE risks and costs associated with hacking and malware infections. To date, we’ve written quite a lot about customer-specific impacts when they are infected… The ‘results’ run the gamut of thousands of dollars of losses over time, loss of SEO rank, customer reputation, etc. However, one part that has been missing is the true impact on the supporting actors in these instances.
For example, take a site that is infected with a simple malware redirect. Instead of only looking at the impacts directly to the website owner (which are onerous enough!), we’re starting to look at the impacts to the service providers for that customer.
It’s not just the web host. It’s the affiliates for that site that may lose sales. It’s the ad network that is presented on that site that receives negative feedback for the ads being present on an infected site. It’s the content readers that also receive the infection, or are impacted by the reduction in traffic. It’s the direct advertisers that are affiliated with the website, who are now also negatively impacted from an image, reputation or traffic perspective.
So we here at SiteSecurityMonitor.com are undertaking a small series of end-user surveys (specifically of those that were impacted) about their total ‘experience’ with the solution. Questions like: Who did you call first? How were you told? Did your SEO rankings take a hit? Was your web host helpful? Did you switch hosts/designers/products based on the infection? What other steps have you taken, etc.?
Thus far (early in our survey), some interesting facets have already arisen.
Primarily:
1) Clients learned of their defacement primarily through their customers or colleagues. Because they don’t regularly monitor their site, they had no idea that they were infected.
2) Their web host provider was NOT helpful, not beneficial during the resolution process. Surprisingly enough, only a small percentage ‘switched’ providers due to this.
3) Google was their main source of information on this issue, but the information was confusing, not really related, and generally was unhelpful overall.
We will be publishing more results as the data becomes more solid. We are still running the survey, so if you (or someone you know) went through this very personal hell, please forward them this survey link URL: http://surveys.verticalresponse.com/a/show/527087/2a7f185d4a/0
(securely hosted by vertical response – anonymous is ok too!)
-Jason
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:30 AM
Well folks, it’s been a crazy week online. Is it part of the holidays, or simply that more vulnerabilities are going ‘unfixed’ and the hackers are finding more? You be the judge. We definitely think that there is a ‘retribution’ slant to most of the major issues this week, specifically with RockYou!
Rockyou.com Falls Victim to simple hack, Major exposure!
One of the more interesting facets of the story is RockYou’s failure to appropriately protect users’ login credentials. The hacker showed us an image containing the last few lines of a 32,603,388-line, seven-column dataset weighing in at 276 MB. All the data we saw was in plain text; any grade schooler could have used this information to log in to users’ accounts.
Link to Original Story
If you are interested, the most easterly point of North America
Long a fan of the ‘virtual Google traveler’, I have found an interesting article using Google Maps to ‘visit’ locales. In this case, it’s the most easterly point of North America!
Link to Story
SEO Poisoning – 54f3.com responds
I came across an interesting question on LinkedIn that asked what SEO poisoning was. We recently had a customer that came to us with this nasty, nasty infection. It’s ugly, and it hurts. Read all about it here.
US and Russia begin cyber-SALT talks
This reminds me of the good old days of the SALT talks. Remember those? When we had nukes pointing at each other for MAD (Mutually Assured Destruction) needs? Well, now we’re in the Web 2.0 world, and the conversation has changed.
Full Story here
SiteSecurityMonitor.com Malware Survey Continues
Our survey for the results and true impacts of malware on the general consumer, the hoster, and the other parties associated with a hacked site continues. To date, we’ve received an incredible response with some interesting results. Be a part of the feedback and please take a few seconds to respond to our survey HERE
All in all, a very busy week! I hope your preparations for the holidays are not too crazy for you, and wish you and yours a safe and joyous holiday (however you may celebrate it!)
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:29 AM
Back for the last entry of 2009, here are the latest updates in the security world:
AWeber announces an intrusion into its site; an unspecified number of email addresses pilfered.
AWeber was recently the victim of an intentional
attack to mine email addresses. We’d like to take this opportunity to
share what happened, what was (and was not) affected and what we’re
doing as a result of this attack.
PCI Security Council updates its site:
Today, the PCI Security Standards Council (PCI SSC), a global, open
industry standards body providing management of the Payment Card
Industry Data Security Standard (PCI DSS), PIN Transaction Security
(PTS) Security Requirements and the Payment Application Data Security
Standard (PA-DSS), announced the launch of a new PCI SSC micro site,
providing resources to secure payment card data in eight languages.
Adobe named this year’s most hacked software
Taking the first place from Internet Explorer, Adobe has had its
fair share of issues this year, including numerous ‘zero-day’ exploits.
Kits that go by names like “T-IFramer,” “Liberty Exploit
Systems” and “Elenore” all turned up on underground markets selling for
$300 to US$500, Kandek says, and allow the attacker to install a Trojan
program ready to download whatever malicious software a cybercriminal
wishes, from spyware to click-fraud software. All three of those kits
exploit three unique Adobe Reader bugs, along with a smaller number of
bugs in Internet Explorer, Microsoft Office, Firefox and even Quicktime.
Ever think of what happens to your Facebook account when you die?
This new service allows you to send posthumous notices, shut down
accounts, store passwords, etc. An important new entry in your last
will and testament?
“Practically everyone knows someone that has died and
whose blog just stays up there, or whose Facebook profile keeps on
sending friendship suggestions,” said Lisa Granberg, 29, a co-founder
of My Webwill.
“Those surviving that person, have a very difficult time (doing) something about it.”
For the ‘home hacker’, a nice little Christmas break project
Book scanners, like the ones Google is using in its
Google Books project, run into thousands of dollars, putting them out
of the reach of a graduate student like Reetz. But in January, when
textbook prices for the semester were listed, Reetz decided he would
make a book scanner that would cost a fraction of commercially
available products.
Posted by Jason Remillard on Wed, Jan 20, 2010 @ 07:28 AM
While I try not to be so graphic with my comments, I can’t help but feel CSI-esque lately with all of these hack attacks.
So here we go again. This time, it’s Citi. Just reported today by marketwatch.com, Citigroup’s stock sank significantly based on the rumor that Citigroup suffered a hack attack that led to millions of dollars of client losses.
Now for the record, at this point, Citigroup denies the allegations. However, the Wall Street Journal broke the story themselves earlier today.
Anyway, no matter who did what, when, to whom, let’s look at the splatter here:
1) Stock drops
2) Customers start to call in
3) Customers who smell anything out of the ordinary will call in
4) Customer worry and risk rise, and confidence in the internet and banking as a whole suffers
I’m sure the community will come up with more than my simple list above, but it is safe to say there is SOME impact, material or not, to Citigroup and the industry as a whole.
UPDATE: Now CNET reports it as well, but with denials from Citigroup
Posted by Jason Remillard on Mon, Jan 11, 2010 @ 11:07 AM
Well, it’s happened. This time, the users themselves have taken action against
rockyou.com for their inadvertent disclosure of customer information.
As we previously reported, RockYou was hacked and disclosed what looks like
over 32,000,000 accounts. Yes, 32 million!
What is interesting about this case, for me anyway, isn’t the large
disclosure number (1 million, 30 shmillion), it’s the fact that the lead
plaintiff is accusing Rockyou.com of disclosing PII (Personally Identifiable
Information) as part of the exposure. This will open up RockYou to a lot more
litigation than a simple information disclosure — now we’re dealing
with users’ personal information. As noted, RockYou is a launchpad type of
service that holds credentials for other services (MySpace, Facebook, etc.) as
part of its service.
The suit alleges that “RockYou recklessly and knowingly failed to take even
the most basic steps to protect its users’ PII (personally identifiable
information) by leaving the data entirely unencrypted and available for any
person with a basic set of hacking skills to take the PII of at least 32 million
customers.”
Read more:
http://www.consumeraffairs.com/news04/2010/01/rockyou.html#ixzz0bU0uS2cv
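As an added illustration (not code from this post or from RockYou), here is the plaintext credential storage the lawsuit describes beside a salted, slow-hashed alternative in Python; the user table, the email address and the password are constructed sample data, and the record format and round count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample credential store, modelled on the failure the post describes:
# the password itself sits in the table, so anyone who reads the table (an
# attacker, a copied backup, a dump posted online) can log in as the user.
PLAINTEXT_TABLE = {
    "alice@example.com": "Sunshine1",  # constructed sample record, not real data
}


def plaintext_login(table, email, password):
    """The insecure pattern: the stored value IS the password."""
    return table.get(email) == password


# Hardened alternative: store a per-user random salt plus a slow PBKDF2 digest.
# A leaked table then yields salts and digests, not the passwords themselves.
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password, salt=None):
    """Return an encoded record of the assumed form 'pbkdf2_sha256$rounds$salt$digest'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ROUNDS), salt.hex(), digest.hex()])


def verify_password(stored, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or unknown record: never fall back to plain equality
    _, rounds, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_hashed_table(plaintext_table):
    """Migrate a plaintext table so that only hashed records are kept."""
    return {email: hash_password(pw) for email, pw in plaintext_table.items()}


def record_reveals_password(stored_value, password):
    """True if reading the stored value alone hands a reader the password."""
    return password in stored_value


if __name__ == "__main__":
    hashed = build_hashed_table(PLAINTEXT_TABLE)
    for email, pw in PLAINTEXT_TABLE.items():
        print(email, "plaintext record leaks password:", record_reveals_password(PLAINTEXT_TABLE[email], pw))
        print(email, "hashed record leaks password:", record_reveals_password(hashed[email], pw))
        print(email, "login still verifies:", verify_password(hashed[email], pw))
```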
So now, RockYou is being held responsible for exposures across the
OTHER platforms as well. As part of our risk mitigation service, we’ve been
warning site owners about the risks associated with holding consumers’ PII.
It’s not just the email addresses alone that are risky (like the AWeber
hack reported last week - I expect the impact of the AWeber hack to be less
litigious). The AWeber attack was ‘just email addresses’ that were exposed –
fairly low on the PII scale.
On the Rockyou.com side, the PII exposure seems to be much larger since the
PII information included not just names and addresses, but now account
information for other services. So, from a ‘customer’ perspective, the
rockyou.com information could be the cinch point in targeting people who are
otherwise trying to be anonymous.
Consider this: A user has a Facebook account, a blog service, and a MySpace
account. Consider this person has a private profile on Facebook, an open blog,
and an open MySpace account. Consider that the MySpace account has some, er,
risqué content on it (pick your genre). To date, this person was afforded
privacy since he/she could operate these services independently of each other.
Now, with the rockyou.com exposure, you have account information for everyone,
on each service. Anyone looking through the data could stitch the services
together and paint a pretty complete picture of this person’s activities.
THAT is what makes this exposure large and frightful.
RockYou was entrusted with the information and really did little to protect it (as
evidenced by clear-text passwords, etc.). As well, the exposure was documented
‘nicely’ by the hacker. That is, he posted enough information to document the
hack. He didn’t expose the information to the masses. However, if this hole was
there for xxx time (weeks, months, years!?!?), who knows who else has
this information, and what it’s being used for.
As business owners, we should be greatly concerned and watch this case with
interest. Other than big names (like Verisign, Heartland, etc.) who
simply swept it under the carpet and bought out the exposed people, this is one
of the first ‘small’ companies being hit with this exposure and the lawsuit.
Reading the language of the lawsuit, you’ll see many joining this class
action suit, and the damages will probably rock rockyou.com quite hard. They
are small, don’t have the teams and reams of lawyers the big guys have, and,
if they lose the case, would probably have to shutter the service.
So, a greatly valuable and popular service is now at risk (business-wise and
otherwise), because they didn’t invest in simple ongoing security scanning. Like
insurance, you only need it when you need it. I suspect the management in
hindsight would’ve invested a small amount in a regular scanning service like
ours. It’s ‘cheap’ insurance, and our solution would’ve reported the exposure the
second they got a scan.
Knowledge is power, and protection is imperative in this day and age. Not
investing in simple security measures like this really is criminal.