TeMerc Warrior Obsessed

Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Sun Dec 18, 2005 11:19 pm Post subject: From Ben Edelman: Who To Trust
Ben wrote:
Much of the spyware problem results from users visiting sites that turn out to be untrustworthy or simply malevolent. I'm certainly not inclined to blame the victimized users -- it's hardly their fault that sites run security exploits, offer undisclosed advertising software, or show tricky EULAs that are dozens of pages long. But the resulting software ultimately ends up on users' computers because users browsed to sites that didn't pan out.
How to fix this problem? In theory, it seems easy enough. First, someone needs to examine popular web sites, to figure out which are untrustworthy. Then users' computers need to automatically notify them -- warn them! -- before users reach untrustworthy sites. These aren't new ideas. Indeed, half a dozen vendors have tried such strategies in the past. But for various reasons, their efforts never solved the problem. (Details below).
This month, a new company is announcing a system to protect users from untrustworthy web sites: SiteAdvisor. They've designed a set of robots -- automated web crawlers, virtual machines, and databases -- that have browsed hundreds of thousands of web sites. They've tracked which sites install spyware -- what files installed, what registry changes, what network traffic. And they've built a browser plug-in that provides automated notification of worrisome sites -- handy red balloons when users stray into risky areas, along with annotations on search result pages at leading search engines.
Full Read @ Ben Edelman
_________________
Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
TeMerc Warrior Obsessed

Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 25 May 2013 Posts: 10271 Location: sunny California
Posted: Mon Dec 19, 2005 5:51 pm
Thanks for posting this. Great screenshots, too.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn.
Recon Man Warrior

Joined: 21 Mar 2005 Last Visit: 02 Dec 2008 Posts: 95 Location: Miami
Posted: Tue Dec 20, 2005 5:44 am
Hello Suzi and TeMerc,
Indeed, SiteAdvisor does seem to be a quantum leap in internet security and a sign of great things to come with regards to preventing users from hurting themselves by accessing dubious sites. A most exciting and promising innovation to say the least. I look forward to its release in the future.
In the meantime, however, it is a matter of carrying the right amount of security hardware/software onboard and avoiding going to those shady websites so prevalent on the internet these days.
Best Regards,
Recon Man
_________________
Helping make Cyberspace a safer place.
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Tue Dec 20, 2005 6:13 am
I'm about as skeptical as anyone when it comes to sites that collect user profiles as this one does. (They claim to aggregate & discard.) However, I find this outfit and concept very intriguing. The data transferred is NOT personally identifiable, as demo'ed here with the capture of a normal transfer made with every request to any site visited (noted no GUIDs or identifying cookies):
Code:
GET /DSS/Query?Type=Domain&Name=www.spywarewarrior.com/index.php&IPAddr=204.14.90.22&version=2&language=en HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: dss1.siteadvisor.com

HTTP/1.1 200 OK
Date: Tue, 20 Dec 2005 13:18:24 GMT
Server: Apache/1.3.34 (Unix) mod_jk/1.2.15
Cache-Control: no-cache
Content-Length: 1528
Content-Type: text/xml;charset=ISO-8859-1

<DomainQueryResponse><DomainInfo name="spywarewarrior.com" expires="1136589457">
<DomainMetaData baseDomain="spywarewarrior.com" dateCreated="1077771600"
isDynamicIP="false" isUserContent="false"
domainSpecRegExs="^{[^/\\]*\.}?(spywarewarrior.com){[:/\\?].*}$">
<Location country="us" state="" city=""/>
</DomainMetaData>
<Classification code="OK" color="green">
<description>We tested this site and didn't find any significant problems to report.</description>
</Classification><FacetInfos>
<CommerceInfo code="UNKNOWN">
<description></description><short_desc>
</short_desc></CommerceInfo><DownloadsInfo code="UNKNOWN">
<description>We found 2 downloads here, which we are still testing.</description>
<short_desc>Testing 2 downloads</short_desc>
</DownloadsInfo><PersonalInformationInfo code="UNKNOWN">
<description>We have not found any e-mail sign-up forms on this site.</description>
<short_desc>0 sign-up forms found</short_desc>
</PersonalInformationInfo>
<AnnoyanceInfo code="OK">
<description>When we browsed to this site we didn't receive any pop-ups.</description>
<short_desc>0 popups</short_desc>
</AnnoyanceInfo><LinksInfo code="OK">
<description>This site links mostly to sites which our tests show to be safe.</description>
<short_desc>Links to green sites</short_desc>
</LinksInfo><RogueInfo code="UNKNOWN">
<description>
</description>
<short_desc>
</short_desc>
</RogueInfo>
</FacetInfos>
</DomainInfo>
<IPAddrInfo>
<ipAddress>204.14.90.22</ipAddress>
<country>-</country>
<blacklists>unknown</blacklists>
</IPAddrInfo>
</DomainQueryResponse>
I am though a little bugged by the fact that the connections don't close until the session with the page requested ends... constant pings... makes a mess of netstat.
I'm also wondering if this won't be abused like the spam filter sites have been... bogus reports made by ignorant or malicious individuals designed to taint the reputation of sites and/or cause chaos. The user feedback forms appear to suggest such a possibility. The feedback forms can be seen on pages such as this one: http://www.siteadvisor.com/sites/carmainc.org
BTW I have the install & event snapshots too in case anyone is interested, but there isn't anything notable enough to cause me to publish them.
I have concerns about this concept but will continue to use/look at it for some time because it does seem to solve many of the probs found by its predecessors... some of which have just been plain corrupt.
All in all, it looks very interesting and could be very useful to an average user. I'll reserve my opinion until they have made it fully available and I've had a more extensive look at it.
_________________
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE
Spyware/Adware is NOT freeware, it costs all of us dearly.
Mikey's Stuff
Fiddler and friends... essential web diagnostic, forensic, & development tools.
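An added example, not SiteAdvisor's own code, that works with the DSS exchange captured in mikey's post above. It rebuilds the request line (which makes plain that the host and path of every page visited, plus the site's IP, are sent to the DSS server), parses the XML into a verdict with the per-facet codes, and caches the verdict until the expires timestamp carried in DomainInfo, which is one way a plug-in could avoid the per-request round trip mikey describes. The sample response is constructed from the capture and trimmed to a few facets; Verdict, VerdictCache and build_query_path are my own names, and the decision to drop query strings from the reported Name is an assumption, since the capture only shows a bare path.

```python
"""Client-side handling of a SiteAdvisor DSS DomainQueryResponse.

Added example (not SiteAdvisor's code): parses the XML shape seen in the
capture, turns it into a verdict, and caches that verdict until the
'expires' timestamp so a plug-in need not re-query on every request.
"""
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: the captured response, trimmed to three facets.
SAMPLE_RESPONSE = """<DomainQueryResponse>
<DomainInfo name="spywarewarrior.com" expires="1136589457">
<DomainMetaData baseDomain="spywarewarrior.com" isDynamicIP="false" isUserContent="false">
<Location country="us" state="" city=""/>
</DomainMetaData>
<Classification code="OK" color="green">
<description>We tested this site and didn't find any significant problems to report.</description>
</Classification>
<FacetInfos>
<DownloadsInfo code="UNKNOWN">
<description>We found 2 downloads here, which we are still testing.</description>
<short_desc>Testing 2 downloads</short_desc>
</DownloadsInfo>
<AnnoyanceInfo code="OK">
<description>When we browsed to this site we didn't receive any pop-ups.</description>
<short_desc>0 popups</short_desc>
</AnnoyanceInfo>
<RogueInfo code="UNKNOWN"><description></description><short_desc></short_desc></RogueInfo>
</FacetInfos>
</DomainInfo>
<IPAddrInfo>
<ipAddress>204.14.90.22</ipAddress>
<country>-</country>
<blacklists>unknown</blacklists>
</IPAddrInfo>
</DomainQueryResponse>"""


def build_query_path(page_url: str, site_ip: str) -> str:
    """Rebuild the request line from the capture: host plus path of the page
    being visited, and the site's IP, go to the DSS server. Whether the real
    plug-in also sent query strings is not visible in the capture, so this
    (an assumption) drops them."""
    parts = urlsplit(page_url)
    return (f"/DSS/Query?Type=Domain&Name={parts.hostname}{parts.path}"
            f"&IPAddr={site_ip}&version=2&language=en")


@dataclass
class Verdict:
    domain: str
    expires: int        # Unix time after which the answer must be refetched
    code: str           # Classification code, e.g. OK
    color: str          # balloon colour, e.g. green
    description: str
    facets: dict = field(default_factory=dict)   # facet tag -> (code, short_desc)
    ip: str = ""
    blacklists: str = ""

    def warn(self) -> bool:
        """Only a green, OK classification is treated as safe; anything
        else (other colour, other code) should raise the balloon."""
        return not (self.code == "OK" and self.color == "green")


def parse_response(xml_text: str) -> Verdict:
    root = ET.fromstring(xml_text)
    info = root.find("DomainInfo")
    cls = info.find("Classification")
    facets = {}
    for facet in info.find("FacetInfos"):          # CommerceInfo, DownloadsInfo, ...
        facets[facet.tag] = (facet.get("code", "UNKNOWN"),
                             (facet.findtext("short_desc") or "").strip())
    return Verdict(
        domain=info.get("name"),
        expires=int(info.get("expires")),
        code=cls.get("code"),
        color=cls.get("color"),
        description=(cls.findtext("description") or "").strip(),
        facets=facets,
        ip=root.findtext("IPAddrInfo/ipAddress", default=""),
        blacklists=root.findtext("IPAddrInfo/blacklists", default=""),
    )


class VerdictCache:
    """Honours the body's expires value so repeated hits on the same domain
    during a session are answered locally instead of re-querying the DSS."""

    def __init__(self):
        self._entries = {}

    def store(self, verdict: Verdict) -> None:
        self._entries[verdict.domain] = verdict

    def lookup(self, domain: str, now: float = None):
        now = time.time() if now is None else now
        v = self._entries.get(domain)
        if v is None or now >= v.expires:   # expired entries are evicted
            self._entries.pop(domain, None)
            return None
        return v


if __name__ == "__main__":
    v = parse_response(SAMPLE_RESPONSE)
    print(build_query_path("http://www.spywarewarrior.com/index.php", v.ip))
    print(v.domain, v.code, v.color, "warn" if v.warn() else "no warning")
    for name, (code, short) in v.facets.items():
        print(f"  {name}: {code} {short}")
```

Note that the captured HTTP headers say Cache-Control: no-cache while the body carries an expires attribute; the example trusts the body's expiry, which is an assumption about how the service intended the value to be used, not something the capture settles.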
TeMerc Warrior Obsessed

Joined: 12 Feb 2004 Last Visit: 23 Dec 2009 Posts: 4953 Location: Phx. AZ.
Posted: Tue Dec 20, 2005 7:28 am
No, this is certainly not a cure-all by any stretch, but I think in a general sense, users will be immediately re-directed when they see the red flag. And while it will take a rather long time to get a really useful amount of sites covered, they are just beginning.
Yes, there is bound to be some abuse, but for this type of app, or for any app for that matter, there is potential for that. The proof of the pudding will be in how they deal with the abuse to fix it.
There is good commentary going on over at this DSLR thread. The guy from SiteAdvisor even dropped in, as did Ben.
jlowell Warrior

Joined: 06 Nov 2004 Last Visit: 13 Feb 2006 Posts: 128
Posted: Tue Dec 20, 2005 7:49 am
All of these new approaches are interesting, but I still think that our Repentance Forum represents the best defense against malware. To see the turnaround in a person like fcukdat is truly spellbinding:
http://www.spywarewarrior.com/viewtopic.php?t=16370
Just joshin.
jlowell
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Tue Dec 20, 2005 8:07 am
I would also note that their server(s) have been very slow to respond this morning. This makes using this tool incompatible with fast surfing. For this to work, their responses must be fast. Users won't tolerate slow responses in their browsers that are caused by a browser add-on tool timing out.
Nick Site Admin

Joined: 27 Feb 2004 Last Visit: 28 Aug 2012 Posts: 3913 Location: California
Posted: Tue Dec 20, 2005 8:58 am
This could be good, but as mikey already said, regular folks aren't going to use it and be inconvenienced. If that one screenshot above is what a page looks like, then that's too much information for most people to deal with. Maybe it is a composite picture.
Also, what are these people getting for doing this? Who's paying for all of the bandwidth the bots are using? Do these bots follow a robots.txt? If they do, then what if the bad people just block it with it? If it ignores the robots.txt, then isn't that a no-no? What happens if the bots are blocked by .htaccess? Does the site automatically get a red flag? How much bandwidth does the bot use when looking around the site? If it uses a lot and visits frequently, then webmasters are likely to block it.
_________________
Nick's Security Ticker

Last edited by Nick on Mon Feb 13, 2006 5:54 am; edited 1 time in total
Oldfrog Site Admin

Joined: 08 Aug 2004 Last Visit: 09 Feb 2013 Posts: 1161 Location: Hewitt, TX
Posted: Tue Dec 20, 2005 9:14 am
Excellent points, Nick. This site, for example, does some very aggressive robot control, as do most of the ones that I am familiar with on the backside.
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Tue Dec 20, 2005 10:07 am
Yes Nick, very good points.
TeMerc wrote:
And while it will take a rather long time to get a really useful amount of sites covered, they are just beginning.
Considering all the timeouts I'm seeing, this brings to mind another concern;
We all know how slow things get when large dbs are parsed. I wonder how they intend to handle that prob. None of the other search engines have really solved the prob incl Google and while some do have browser add ons, they don't depend on that parsing for each and every new request.
Kinda reminds me of the probs experienced with the poor 'you know what kind of' toolbars that are prevalent today.
chris_dixon Newbie
Joined: 20 Dec 2005 Last Visit: 30 Jan 2006 Posts: 1 Location: Boston
Posted: Tue Dec 20, 2005 12:54 pm Post subject: Some responses to issues raised
Hi everyone
This is Chris Dixon from SiteAdvisor.
I thought I'd take a moment to answer some of the issues raised here.
1. Our hosting facility actually appeared to get DoS'd this morning, severely limiting upstream traffic. They seem to have tracked down the source of the attack and stopped it. In the near future, we will have a full backup web cluster set up at another data center in case this happens again. We are really sorry about this inconvenience.
Our systems right now (while they aren't getting DoS'd!) should be able to handle a very large number of simultaneous users. We actually wrote our own data serving system that prepackages the analyzed data and serves it directly from a memory-resident database. Of course we are in early Beta so problems could very well arise. If you experience any performance problems, please feel free to submit feedback directly to us via http://www.siteadvisor.com/feedback.html and we'll try our best to diagnose the issue (we have been personally responding to almost all feedback so far and have already started working on a number of issues people have raised).
2. As to the issue of people potentially using the user feedback mechanism to corrupt the site ratings, we are thinking hard about introducing a full-blown "reputation system" for users in the near future, similar to how it is done on sites like eBay. In the short term, we are very likely going to start a "moderator program" where interested users who sign up will have more impact on the site ratings and get greater access to the detailed data. We will also be releasing an API so users can use the data in their own (non-commercial) applications.
Thanks for all your comments and please keep them coming!
-Chris
_________________
SiteAdvisor
www.siteadvisor.com
mikey Malware Expert

Joined: 12 Feb 2004 Last Visit: 03 Sep 2012 Posts: 1061 Location: CenTex
Posted: Tue Dec 20, 2005 3:37 pm
Hey Chris, very nice to see ya. I've been in contact with one of your mates... Paul. Seems like a nice sort. I'll quote myself here from my email to him: "I appreciate folks (devs) taking the time to solve user probs and address concerns. It speaks volumes about their character."
Well, it seems you are suffering some growing pains. Many of us in this pri/sec community have had the uncomfortable experience of dealing with severe DDoS attacks. Let's hope your experience is a mild one.
Anyway, again I thank you for taking the time to address our concerns. I would also say that I look fwd to continued exchanging of ideas and concerns. As well, I look fwd to hearing back from Paul(edited). Thx much.
Mike
============
EDIT: BTW, while I have your attention: do you think it could be a good idea to add an on/off toggle (bypass) to the context menu? I was thinking it might be of some use to some users, especially when they are first trying out the concept.
Ref; {089FD14D-132B-48FC-8861-0048AE113215} ()
BHO name:
CLSID name:
Path: D:\Program Files\SiteAdvisor\
Long name: saIE.dll__BHODemonDisabled