StopBadware Blog

A successful web chat

Fri, 27 Aug 2010 15:45:00 -0400

We'd like to express a heartfelt thanks to Adobe's Brad Arkin, Mozilla's Johnathan Nightingale, and the many people who observed and contributed to yesterday's web chat. The topic, applications' role in protecting users from badware, proved interesting and engaging. You can read the transcript of the chat here.

We hope to do more of these web chats in the future. What topics would you like to see covered?

Web chat: Applications' role in protecting users from badware

Thu, 19 Aug 2010 11:48:00 -0400

Badware often installs itself by taking advantage of bugs or exploits in software on the user's computer. While some of these exploits are in the operating system or default web browser, badware increasingly is targeting other applications and browser plug-ins.

What role can and should these applications—and their developers—play in protecting users from badware? Join Brad Arkin, Adobe's director of privacy and security, and Johnathan Nightingale, Mozilla's head of Firefox development, for a free moderated web chat next Thursday.

Title: Applications' role in protecting users from badware
Date/time: Thursday, August 26, 1-2 pm EDT
URL: http://www.stopbadware.org/events/apps-web-chat
Cost: Free! No preregistration required.

We hope you'll join us on the 26th for what promises to be an informative and interesting discussion!

The continuing evolution of StopBadware

Fri, 13 Aug 2010 08:17:00 -0400

As StopBadware and the environment in which we operate evolve, we continually evaluate where to focus our resources and attention. Over the next couple of months, we'll be making a few changes that reflect our current priorities. Hiring a "raconteur," or communication specialist, is one such change. This will allow us to work more closely with the community, our industry partners, and our other constituents to ensure that effective techniques for protecting users from badware reach the greatest possible audience.

Another change is that we'll reduce—for now—our emphasis on technical research and "deep-dive" analysis of badware sites. In place of a dedicated research function, we'll create a new, broader role that includes a bit of data sifting, along with hands-on systems work, testing, documentation, and more. (Job posting coming soon.)

Finally, we'll be introducing more events, like our upcoming web chat, that bring people together to discuss and share ideas about how best to protect users from badware.

With these changes, along with our continued work assisting webmasters and our data providers, we believe that StopBadware will be in a great position to expand our impact and make the Internet safer for all of us.

Save the date: Upcoming web chat

Thu, 12 Aug 2010 16:18:00 -0400

Save the date! On Thursday, August 26, from 1-2 pm EDT, StopBadware will host a web chat on the topic "The role of third-party applications in protecting users from badware." The featured "speakers" will be Brad Arkin, director of privacy and security at Adobe, and Johnathan Nightingale, head of Firefox development at Mozilla.

More information will follow soon. Meanwhile, if your company is interested in sponsoring this event, please let us know!

Now hiring a professional raconteur!

Wed, 11 Aug 2010 11:10:00 -0400

StopBadware is hiring! If you know someone looking for a full-time communications job here in Harvard Square, be sure to refer him/her to the job description.

Americans want security, don't know how to get it

Tue, 10 Aug 2010 09:39:00 -0400

A study released today by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group (APWG) indicates that most Americans are genuinely concerned about online safety and security. Furthermore, according to the study, they recognize their responsibility to contribute to the Internet's overall security and are willing to take steps in that direction.

The biggest obstacle, perhaps unsurprisingly, is the lack of clear, concise instructions on what users should do to protect themselves. This is an area in which we, as an industry, have to improve. When you combine the complexity and diversity of available technologies with a lack of consistency around messaging, terminology, and visual symbols, it's no wonder that consumers are feeling confused.

The upcoming National Cybersecurity Awareness Campaign, which the NCSA and APWG are spearheading, should be a step in the right direction. It promises a unified messaging campaign to increase awareness nationwide, and perhaps even internationally. Of course, if this survey is any indication, this will be a challenge, as the issue isn't so much awareness of the problem, but rather awareness of the solution.

Over the coming months, StopBadware will be working with industry partners to help them do their part to protect consumers from badware. Part of this, undoubtedly, will be consumer education. Just as we (and, by extension, our partners like Google and Firefox) now offer webmasters specific tips on finding, removing, and preventing badware on their websites, we need to work together to present clear guidance for users on how to protect their computers, their handheld devices, and their online information.

Hijacked subdomains still serving malware

Mon, 26 Jul 2010 16:43:00 -0400

Last month the Unmask Parasites blog wrote about attacks using hijacked sudomains of legitimate websites to serve badware. At the time of that articles publication the attacks had been going on for a month already. We are still seeing a lot of infected websites pointing back to solk.seamscreative.info (on port 8080) and other sites like it.

The standard attack used in Driveby Downloads required the injection of iframes into normally benign sites however the landing or intermediary sites those iframes pointed to weren't normally registered to benign users. This represents an interesting evolution of tactics by creating another layer of innocent victim into the network of infections. The attack has been fairly successful if in the last two months the infected subdomains haven't been taken down yet.

Considering our own methods of alerting the public to infections it is easy to see why. The subdomains aren't something the owners will be on the look out for and the DNS registrar likely has no idea that attacks are occurring on their customer base. According to the blog post at Unmask Parasites the most affected DNS registrar seems to be GoDaddy. I don't know if this means there is some flaw in their DNS management panel or if legit customers have had their credentials stolen. Either way this trend warrants more investigation.

UPDATE 7/28: The GoDaddy abuse team has been notified.

NSFOCUS, our newest data provider

Fri, 23 Jul 2010 15:35:00 -0400

We are pleased to welcome Chinese security firm NSFOCUS as a new data provider! NSFOCUS joins Google and Sunbelt Software in feeding our Badware Website Clearinghouse with updated information about URLs they have discovered to be bad. Like all of our data providers, NSFOCUS will participate in our independent review process.

We are particularly excited to work with NSFOCUS because their team's extensive knowledge will give us insight into the often opaque world of Chinese networks and hosting providers.

NSFOCUS's press release about the data provider arrangement can be found here.

StopBadware welcomes new developer

Wed, 14 Jul 2010 16:18:00 -0400

StopBadware is pleased to welcome Matthew Shanley, our new lead developer! As we mentioned previously, our current lead developer, Brandon, will be heading off soon to tortue himself for three years as a law student.

Matt joins us from Constant Contact, where he worked on their web development team. He holds a Master’s of Fine Arts in Interrelated Media from Massachusetts College of Art and Design, a Bachelor’s of Science in Electronic Media, Art, and Communication from Rensselaer Polytechnic Institute, and also attended Cornell University. He's also an all-around cool guy, and we're glad to have him on the team!

Establishing expectations for AV vendors

Wed, 07 Jul 2010 11:02:00 -0400

At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.

It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?

Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?

Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search. This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)

This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.

So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies? Or is it reasonable to expect that users either know or wouldn't care that their security comes at the price of a company having access to some private data? Is it dependent on the trustworthiness of the vendor or the stated use of the data once it's been received? What should we expect as a minimum bar from AV vendors whose products behave in this way?

Please let us know your thoughts in the comments!