'Legit' website compromises reach epidemic proportions

Once upon a time surfers could stay unmolested by malware by staying away from warez and smut. Those days are well and truly over, as changes in hacking tactics mean that compromised content on legitimate websites has become the main conduit for so-called drive-by download attacks. Web security firm ScanSafe reports that two in …

COMMENTS

This topic is closed for new posts.
  1. Paul

    It's getting to the point where...

    ... you need a completely separate machine to use the Internet with any degree of safety. Even then you'd still have to go through several reinstalls and replacements...

  2. jubtastic1

    Bad news for the web

    So assuming a mass adoption of noscript et al, where does this leave advertisers? And more to the point, where does this leave all those websites that rely on advertising revenue to stay online, like this one for example?

    Computer security is IMHO an oxymoron, and this fight for ownership of the millions of boxes is only going to escalate until someone sits down and writes an OS based upon the principle of extreme paranoia.

  3. Dan Hall
    Paris Hilton

    Not me...

    My two boxes at home run Linux and my two laptops are Macs.

    Could we please stop with the "OMG haxxors are taking over the web!" FUD? The only end users who are affected by this are those who choose to use a crappy plug-in on a browser on a crappy OS. Cry me a river. It's not like it "suddenly" sucks to be an IE on Windows user--that's always sucked. We're just talking about an increase in suckage.

    What we have here is basic Darwinian survival of the fittest. Every twit that clicks a phishing link, gets hacked because of bad choices, or has their bank account emptied because they think they're going to get 60 million dollars from Nigeria's oil minister DESERVES to suffer. I'm hopeful that eventually we can get these drooling idiots off the Web and into group homes where they can be supervised.

    Paris, because of the suckage, of course.

  4. Solomon Grundy

    Good for Everyone

    Maybe this problem will continue to spiral out of control and people will realize that the Internet is a silly thing that has very little impact on the real world. People got obsessed with this thing in the 90's and it hasn't really done much good. Retail on the Internet was largely a waste of time, services on the Internet are a stupid idea since everything is "virtual" - porn is the only industry that has truly risen (haha) to success on the web.

    Threats to your privacy and PC, combined with taxation on Internet purchases are combining to drive people away from the Internet and bring them back to reality.

    Remember the Internet (at least in the U.S.) was made popular because your computer could say "You've got mail". Stupid to begin with and growing more stupid with each passing day.

  5. Gordon Fecyk
    Go

    ScanSafe scare tactics, Symantec ThreatCon 'normal,' and Standardized LART

    First off, it's nice to see Symantec taking ScanSafe as seriously as they deserve to be taken. ScanSafe's "threat meter" reads 'high' right now, while Symantec's "ThreatCon" is 1, or 'normal.'

    That says something about ScanSafe right there.

    Once again John Leyden posts a scare piece that's deserving of a standardized LART. ScanSafe sells web filtering software, and ScanSafe is telling us that, "the web is under attack." That's a direct quote from the site John linked to. Umbrella manufacturers are, once again, predicting bad weather for the Internet.

    As for how to avoid malware on legit sites, well, we already have an OS based on the principle of extreme paranoia, um, least privilege. Actually we have more than one; we have many. It's all a matter of using them in 'extreme paranoia' mode. Yes, this includes Windows. And these all still work with advertising systems that use scripting, like this one.

  6. Anonymous Coward
    Anonymous Coward

    Nothing new

    I have run my own web site(s) for about four years now. I put a lot of effort into them (well, some of them anyway!). As I was developing them, I spent a lot of time researching how to do things, and one thing that struck me time and time again was the complete lack of care displayed by many other web developers and sys admins (I use both terms very loosely) when it came to security. Many people responsible for running many many web sites just don't give a shit about security. It's their own lookout and fair-do's when all it means is that their own hard work gets trashed, but it extends way beyond that; it's a complete lack of social responsibility!

    One of my sites was commercial/retail and I used one of the many e-commerce systems available (in this case oscommerce - I very strongly don't recommend it by the way - try Xen instead). Anyway, while developing this, I came across countless other people who were and are also using it. I'm sure many people would be staggered by the brazen attitude many site admins have to things like dealing safely with credit card numbers, and other personal information. They just don't care!!

    And if you dare to suggest using some of the many tools and techniques that are available to make their sites more robust and keep the bad guys out, you will usually get a response on the lines of "it's too difficult" or "it's too time consuming" or "that would mean I have to think!". Most admins are more interested in the bloody colour of their banner ads than security!

    And Jo Bloggs sitting at home is no help either. It seems that it doesn't matter how often this is pointed out, most people still won't listen - that is "Windows is shite. It's a Swiss-cheese of an OS". Re the post "Bad news for the web", and the comment "...until someone sits down and writes an OS based upon the principle of extreme paranoia", I would say that such systems exist. And they are usually free. I use one every day. You just need to look and make the effort to find and use one! But most people won't - again, they just don't care about security, even if they say they do.

    It comes as no surprise at all that the web is turning into such a mess.

  7. Pete Silver badge

    vested interest

    Since the company that produced this report makes products to guard against the very same threats, it's reasonable to take it all with a very large pinch of salt.

    My own survey of the very same issues (full disclosure: I don't make or sell internet security products), carried out while surfing during a tea-break a few minutes ago, indicates that anyone with a decent firewall, anti-virus, popup-blocker and a modicum of common sense (or a non-windows O/S) has no need to worry and especially doesn't need these products. It's the same old threats that have been around for a decade or more - just coming up through a different vector.

    Panic over, nothing to see here, move along please

  8. Ben

    Extreme paranoia

    could you elaborate on the principles?

  9. Anonymous Coward
    Anonymous Coward

    The best solution...

    The obvious solution to this dilemma is to foster a different software deployment culture than the broken one we currently enjoy.

    Today, when vendors release new versions of their products, we receive a mixture of new features and fixes for recently discovered exploits. The obvious problem is that every new feature introduces new exploits. In the end, every program we have, no matter which version we use, is always somehow exploitable.

    What difference does fixing old exploits make if the fixes are paired with new exploits? They may as well fix nothing! It only takes *one* exploit to pwn.

    Software publishers need to adopt a "paradigm" wherein support for old software versions doesn't cease. Security is too large an issue these days for greed ("screw all you W2K users, buy Vista if you want a 'secure' Windows") to continue taking priority.

    At least for networkable software (as opposed to, say, the Windows calculator), the new view should be that if you put it out there, your responsibility to its security should last at least 25 years. If this sounds burdensome, it is! But tough! If a 1983 Toyota model is discovered to have issues with its gas tank exploding in 2008, Toyota is still compelled to issue a recall, or to at least tell the public about it and how to fix it. Why should software be different?

  10. Ian

    Enermax

    The Enermax.com.tw website was compromised the last time I checked it out..

    check out http://www.google.co.uk/search?q=script46.com for more! ...

    Me? NoScript saved my ass :D fantastic program, probably helps I don't use windows though.

  11. Edward Pearson
    Thumb Up

    No...

    What we need is smarter (not greedier) ISPs with IDS filtering systems, all of which are updated automatically from a central "evil-code" registry.

    Really, it's that simple. Will it ever happen? Of course it won't, the ISPs are too busy making their quick buck and trying resell bad Anti-Vir solutions.

  12. Anonymous Coward
    Boffin

    Separate = a VM Browser Appliance

    Following on from Paul's comment, I suggest (and have done this myself) that 'separate' includes Virtual Machines (VMs), as I was suggesting the other day in comments on a similar article. That is, use a virtual machine as a 'browser appliance' (built without extensions, for added safety) and revert to the original VM image for each session, thus blowing away any changes that occur during use, including malware infections. That way you have a 'clean' browser each time.

    When stripped down and built specifically as a browser appliance, I've found VMs to be reasonably quick and not resource hungry ... suitable for the majority of recent PCs, IMHO. I have scripts that import/export bookmarks and I can manually transfer downloads (after screening) so I have full browsing functionality. For those comfortable with the privacy implications, one could use a VM browser in conjunction with 'online' storage of bookmarks to make things easier.

    Some VM package makers offer a pre-built browser appliance, though I prefer to build my own, and in fact use a different VM package altogether. (I avoid naming names so as not to promote one VM supplier over another).

    In my case I have a Linux host and a WinXP VM (making use of an old license I had lying around). Because I 'reset to original image' on each use, there is no particular need for additional security or monitoring - within the VM, I use only the basic XP firewall - no A/V or security suite - which obviously saves money. (Although it pains me to say it, XP seems to make a good VM 'appliance' .... though I maintain XP is still an insecure OS on its own. As examples of a cost-neutral approach: (a) take an existing XP machine, install a (free) Linux host, free VM package and re-use the XP license in your VM; (b) similarly, re-use an old XP license on a new Vista machine and free VM package, assuming full (not upgrade) versions; (c) use Linux for both host and VM).

    So, in a nutshell, I recommend using a virtual machine 'browser appliance' to maximise security online.

  13. Scott Simpson

    Don't lose your library card ...

    This is hideous! It's like walking into your local bank branch, only to discover that all the tellers have been replaced with members of the Dillinger Gang.

    Since there appears to be no way to stop this (apparently, all the best and brightest have gone over to the dark side), so we may as well disconnect and go back to snail mail, reading books, newspapers and magazines (remember those?), and looking stuff up in our local libraries.

    Disgustedly yours,

    Scott

  14. Colin Wilson
    Linux

    virtual machine images

    Probably the easiest way of getting back to a "clean" virtual machine image would be to set up a machine in VirtualBox with little or no hard drive (because you don't need it for this purpose), and mount a CD image that you use to boot with.

    Job done !

  15. Anonymous Coward
    Linux

    WINDOWS PCs

    and other strains of malware onto compromised <WINDOWS> PCs

    Let's get a bit of accuracy here.

  16. Anonymous Coward
    Anonymous Coward

    Good for Web Developers

    Currently they're a dime a dozen; when this happens more it will make companies think again about hiring someone with no security background or whatever just so they can make a quick buck exploiting the poor programmer who's not very good.

    VMs and separate systems for the internet are all good, but most people aren't going to go up with it. (Same with putting Firefox and its buddies on a separate partition.) I still think the simplest solution would be the ISPs giving a damn and making an effort to stop crap.

  17. Mark

    Bad for the internet?

    Well if this is bad because of noscript being required to be safe and the user stopping ads from getting to the eyeballs, how much worse is Phorm replacing mid-stream the adverts the site is expecting to hand off and replacing them with ones BT and Phorm are selling?

    If you're not going to get the ads the site needs to keep going no matter what you do, why not ban all ads? No loss to the site, after all: the ads were being blocked by BT.

  18. Anonymous Coward
    Boffin

    @Colin Wilson + More on LiveCDs

    Although the LiveCD approach (whether virtual or real) is quite valid*, the quickest way to reset to original image in VirtualBox is "Revert to Snapshot" on closing the VM - takes about a second and can be made the default action. That is, you build your VM whilst offline, take a "snapshot" then use that as the "clean" image thereafter.

    * Previously, in the War on Malware (TM), I've advocated using a LiveCD as a means for the "average" net user to achieve secure browsing from home - typically, for functions such as online banking or paying utility bills. The details of the proposal are that, with Government leadership and sponsorship**, a LiveCD is produced and distributed to home users. The LiveCD would permit regular/secure browsing and be configured with a familiar "look and feel" (although probably it would be Linux-based for cost reasons). It would include bookmarks for just about all "critical" online institutions in the country of origin - it could even include raw IP addresses for critical institutions to avoid rare-but-possible DNS spoofing attacks. To those that can manage VMs, I recommend that approach, and to those that can't, I recommend getting someone you trust to build you a LiveCD (for critical online functions), until such time as the Government (in your country) sponsors one.

    ** Not as crazy as it sounds. The Australian Government spent many millions trying to improve net security, though quite wastefully focussing on a useless content filter that was made free to home users. But there is also Aus-CERT, so there's hope yet.

  19. Anonymous Coward
    Thumb Down

    @Edward Pearson

    >"What we need is smarter (not greedier) ISPs with IDS filtering systems, all of which are updated automatically from a central "evil-code" registry."

    Hell no. You can have some baby-safe filtered internet if you want, but there's no way on earth I want my traffic filtered, any more than I want someone listening into my phonecalls to bleep out any rude words someone might say towards me.

    Plus a fully automated IDS filtering system would be plagued with false positives and negatives and totally break loads of your internet. You ever tried sifting through snort logs for something that actually /means/ anything?

    Plus, of course, once you give them that control, how long before they think to use it for censorship? And just who runs this central registry anyway?

    Nope, not a chance. Give me my full-fat uncensored unfiltered IP internetwork any day. You can stay in your nice cosy safe playground while I explore the world.

  20. Terrance Brennan
    Flame

    Missing the point

    All the comments about how best to protect your computer such as Linux, Firefox, VMs, etc are all fine and good for tech savvy users. However, the only way the Internet survives as a viable commercial enterprise and keeps many of the people who visit this web site employed is by being available to the masses. If only tech savvy users were allowed on the Internet, any site depending on traffic volume to survive, whether through ads, public funding, or whatever, would disappear. Say what you want about M$, they helped make computing accessible to almost everyone in developed countries and as a result you are going to have a wide variety of sophistication amongst users. You don't put the onus for plane safety on the passengers, you put it on the airlines and airplane manufacturers, same with cars and most other consumer products. The Internet is just another consumer product and the people making money on it need to take responsibility for the crap they put up.

  21. Anonymous Coward
    Boffin

    @Terrance - Re: Missing the point

    Good comments, and I agree with what you say in that software vendors need to take more responsibility for their products with respect to security and 'fitness for purpose' ... but I think context is important.

    Modern software products are incredibly complex and no code will be free from defect when developed affordably. Some of the inevitable defects will impact online security. So, regardless of whether software vendors take greater responsibility and improve their products, there will still be security holes that need patching 'in the field' and there will still be a need for users to remain security-aware and take reasonable precautions. Having said that, I'd agree that recommendations above regarding VMs and LiveCDs are in response to (IMHO) unsatisfactory quality of MS products.

    Please note that the LiveCD recommendation would be suitable for average users if made generally available - just put in the CD, re-boot and use as normal for your 'safe' online session. It is less flexible than a VM, though.

    If I could be a bit cheeky: You say that the onus for air safety is on the aircraft manufacturers and airlines. They play a critical role, but I'd say, more than anything else, the onus is on the pilot and air traffic controllers. A better example is driving a car - the onus is predominantly on the driver. The parallel with net use is that users should be better aware of online hazards, though this is just one of several components of improving online 'safety'.

    MS did indeed make computing accessible to millions, but they leveraged a dominant market position to push IE, which has, in the opinion of many, been responsible not only for stifling innovation but also for many severe security problems. (You may already agree with this - it's not clear from your comments).

    To be sure, it's a very complex field and there are several components and alternatives to reaching the goal of 'safe, simple and affordable' online computing.

  22. Dr. E. Amweaver
    Gates Horns

    paranoia for dummies

    1. If you're going to use SQL, attack-test it yourself. At least ensure any prog that interfaces with SQL removes escape characters.

    2. Never leave SQL login visible on a script whose source can be publicly read. (Surprisingly common on dev machines.)

    3. Ideally, lock down which progs can access ftp and/or cpanel to a tightly restricted IP range.

    4. Tinfoil nipple pasties essential.
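Points 1 and 2 above in working Python, as an added example that is not part of this comment or the thread: the string-built query beside the parameterised one (parameter binding is the standard defence, rather than stripping characters from input), and the database credential read from an environment variable instead of the script source. The sqlite3 database is constructed in memory and APP_DB_PASSWORD is an assumed variable name.

```python
# Added example, not from the thread. Shows the vulnerable string-built query
# next to the parameterised form, plus a credential read from the environment.
import os
import sqlite3


def build_db():
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is pasted straight into the SQL text, so a quote
    in the input becomes part of the query rather than part of the value."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, password):
    """Hardened: '?' placeholders bind the input as data; the database driver
    never treats quotes or other characters in it as SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def db_password_from_env(env=os.environ):
    """Point 2: keep the DB credential out of the script. APP_DB_PASSWORD is an
    assumed variable name; a missing value fails loudly instead of silently."""
    pw = env.get("APP_DB_PASSWORD")
    if not pw:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return pw


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # the textbook attack-test string for point 1
    print("concat, bad password accepted:", login_concat(db, "alice", probe))
    print("param,  bad password accepted:", login_param(db, "alice", probe))
```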
