An infectious disease broke out recently in a number of communities. We'd like to tell which communities they were, just in case you were visiting one at the time, but we can't. It would be bad for business, after all.
In the wake of the Scob/Download.ject attack a few weeks ago, a reader wrote with an interesting observation. "The successful compromise of IIS 5.0 servers worldwide, leading to infection of many client machines visiting them that used IE web browser, has been covered massively," the reader noted. "It has also been widely reported that many popular and well known sites were infected, thus infecting their users.
OK: WHO WERE THEY? ... There appears to be a concerted cover-up. What this tells me is some heavy hitters were probably hit, they infected a whole lot of visitors, and they are now afraid of lawsuit city."
After some diligent searching, neither I nor the reader could find published reports with anything more than vague rumours about which sites were compromised and may therefore have deposited some serious malware on the computers of unsuspecting visitors. And no amount of Googling turned up even one website that had chosen to post a warning that it might have been compromised around June 24th. Was a code of silence in effect? If so, who was enforcing it?
So I made it my business to ask everyone who ought to know why the compromised websites were not identified during or after the outbreak. The one common theme in the answers I got, from both public and private sectors, was that those who deal with security threats like this have to keep the victims' identity confidential. Otherwise, they may not get the cooperation and the information they need the next time to warn others.
OK, I can certainly buy that when it comes to the early warning organizations like the Internet Storm Center or the United States Computer Emergency Readiness Team (US-CERT). "Our policy would be not to comment on a specific site, as the organisations we work with need to know we will maintain their confidentiality or we might not be able to provide this information in the future," said a US-CERT spokesperson.
I can even understand Microsoft saying it could only recommend, and point enterprise and client customers to its webpage on the attack for information on how to protect themselves. We can talk all we want about Microsoft's level of responsibility for our security woes, but one thing Microsoft can't be responsible for is publicly identifying which of its IIS customers were compromised.
But what about the websites themselves? If their only sin was not to be running the latest Microsoft software with the latest Microsoft patches (hey, let he who is certain he has every patch for every Microsoft product cast the first stone), I would think they'd feel some sense of responsibility to those who visited while they were compromised. Once they've fixed their site, why not issue a warning?
"I think it's a very good question, but it's kind of complicated," says Paul Kurtz, Executive Director of the Cyber Security Industry Alliance (CSIA), a public policy advocacy group for security products vendors. "It certainly seems like something a company might want to do, but what are the legal and the liability issues? And it brings up the issue of awareness, and whether you can wait to update."
"From a consumer perspective, you'd like to see a Better Business Bureau of the Internet where you can go find who has the best security, but we're just not there yet," says Marcus Sachs, Director of the Internet Storm Center of the SANS Institute. The compromised websites - which he says included a number of well known sites but not, as rumored, biggies like eBay - really aren't in a position to identify themselves.
"Culturally that's just not acceptable behavior right now, and it would put the website at a great competitive disadvantage. And it could expose the Internet to something akin to the malpractice lawsuits you see in the medical field, and that could derail everything."
There's something missing here, though. Several observers pointed to a different analogy with the medical field, that of public health. If an outbreak of food poisoning is traced to a particular store or restaurant, for example, public health officials post notices on the establishment's door and make announcements through the news media. Yes, it's bad for business, but the public health has to come first.
The security health of the Internet should come first, too. If a website faces liability for inadvertently exposing visitors to a Trojan, shouldn't it face even more liability for keeping quiet when a warning might save some previous visitors from having their bank accounts drained?
Nobody wants to hear this, but I'm going to say it anyway. Those compromised but unidentified websites are sending a very clear warning about Internet security: industry self-regulation is always going to translate into industry self-protection.
The Internet right now is a very sick place and it's going to take some distasteful medicine to make it well.