Monday, November 23, 2015

ABC sponsored story from Norton raises an iceberg: drive-by website infection, maybe steganography

Monday, ABC News offered a sponsored story from Norton, about the risk of getting malware from “drive-by” sites, where merely opening the page can load malware (or “scareware”).  Some of these may be misspellings of well-known commercial sites, especially news sites (like when “news” is mistyped as “bews”).  Commercial anti-virus vendors don’t always catch all of them (especially the “scareware”, which doesn’t load an executable).

One possibility is for sites to be hacked, as has happened even with news sites.  Recently, a major church had its site hacked and replaced by Viagra ads, with the attacker traced to Russia.

Unfortunately, the church had not backed up everything offline, and apparently was running its own server rather than using a professional hosting company.  It has changed that practice, and now will use FourSquare (which is pretty good about warning about unusual volume or possible DDoS).  Webroot has written about this possibility, mostly in the area of SQL injection attacks.  There is the imagined possibility that illegal content could be loaded this way, posing legal risks to owners perhaps.

Shortly after 9/11, security experts expressed a concern that enemies might hack sites (even small amateur sites) to send “steganographic” instructions to other operatives.  Discussion of that possibility in the media had pretty much stopped by the end of 2002.  But in April 2002, two pages on an older legacy site of mine were hacked with material related oddly to nuclear terror and Finland.  This was reported to the FBI.  But the incident has not recurred, and no real-world attack related to the contents of the hack has ever happened.

The possibility of steganographic attacks could lead to the idea that websites with low volumes or infrequent updates by the owner should not be allowed to stay up.  On the other hand, such an attacker risks being discovered if the owner regularly and randomly checks the site even if it isn’t updated a lot (including checking directories for unlinked files).  It’s at least conceivable that an attack could be detected in advance any time a public web page is involved.  So that’s a natural deterrent.
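One way a site owner can do that regular check, as an added example that is not part of the original post: snapshot every file under the web root (whether or not a page links to it), keep the snapshot, and on the next check report anything added, removed or changed. The sample site, file names and tampering below are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Added example, not from the original post. It snapshots every regular file
# under a web root (linked from pages or not) and reports what changed since
# the last snapshot. The sample site and file names below are constructed.

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large assets don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every file under root, unlinked ones included."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap

def compare(baseline, current):
    """Report files added, removed or modified relative to the saved baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Build a constructed site, take a baseline, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "old"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>\n")
        with open(os.path.join(root, "old", "about.html"), "w") as f:
            f.write("<p>About this site</p>\n")
        baseline = snapshot(root)  # what the owner saved at the last check
        # Simulated tampering: the front page is altered and an unlinked file appears.
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<!-- injected -->\n")
        with open(os.path.join(root, "old", "unlinked.html"), "w") as f:
            f.write("<p>not linked from any page</p>\n")
        return compare(baseline, snapshot(root))
```

In practice the baseline from `snapshot()` would be stored off the server (the same offline copy the church lacked) so an intruder cannot update it along with the site.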

The recent events in Europe seem to have been coordinated with off-the-shelf encryption products installed on the mobile devices themselves – private conversation that is pretty much the cultural opposite of publishing and steganography. The main debate now seems to be whether tech companies should be required to keep copies of encryption keys (the “back door”) so that law enforcement could intercept terror attack plans, with court supervision and proper warrants or subpoenas.  Still, there’s a chance that the old 2002 debate will return.
