Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, January 13, 2011

High Profile Websites Hacked and Serving Up Dangerous Links

Zscaler reported that they discovered some high profile sites including Harvard, MIT, and Stanford University's websites were redirecting visitors to fake shopping sites containing malware. From the threatpost article describing the attack:

A subdomain of Harvard University's Website that belongs to the Chandra X-Ray Observatory was among the domains identified by zScaler as having been compromised. Also, various pages hosted on the domain of MIT belonging to academics, as well as a page belonging to the High-Low Tech group that "integrates high and low technological materials, processes and cultures." At Stanford University, Web sites operated by the Associated Students of Stanford University were compromised, including a Web portal for information about mental and sexual health. There was no clear pattern discernible among the sites compromised, though at least one of the subdomains was hosting the Wordpress blogging software.

zScaler also discovered commercial and governmental sites that were redirecting users to the bogus online stores. Among them, a subdomain of the Fandango.com movie information site was found to be redirecting users, as was part of the Web site used to promote the Webby Awards, which honor excellence in online media.


Zscaler's finding is just another datapoint showing a website's reputation has nothing to do with whether it can get hacked and redirect you to something malicious, or even just contain something malicious on its own website. Controls that let you bypass scanning for websites with good reputation are dangerous. The only safe way to surf the web is to scan everything and to do it efficiently. That means using URL filtering to block out the majority of known bad links, and using AV and malware scanning for anything that still remains. In addition the savvy IT administrator needs to make sure their secure web gateway or proxy blocks embedded links like the ones used in this attack rather than block the parts of the site that still contain useful information. In this case Harvard, MIT and Stanford's sites didn't have the malicious content, rather embedded links and redirection on their sites did. The proxy or secure web gateway protecting your environment should be smart enough to recognize that and only block the embedded links and redirection.
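To make the distinction concrete, here is an added example of the two proxy policies being contrasted (it is not code from the original post, from Zscaler, or from any gateway product, and it also illustrates the "reputation used to skip AV scanning" concern raised in the comments). The hostnames, blocklist entries and page bodies are constructed placeholders, and `content_scan` is a deliberately simple stand-in for a real malware scanner: it only looks for an HTTP redirect or an embedded link pointing at a known-bad host. The point it shows is that a reputation-bypass policy lets a compromised page on a "trusted" host through unscanned, while a scan-everything policy blocks just the page carrying the injected link and leaves the rest of the site reachable.

```python
"""Proxy policy comparison: reputation-based scan bypass vs. scan-everything.

Constructed example. Hosts, URLs and page bodies are made-up placeholders;
nothing here is a real blocklist or a real scanner.
"""
from dataclasses import dataclass
from enum import Enum
import re
from urllib.parse import urlparse


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK_URL = "block: known-bad URL"
    BLOCK_CONTENT = "block: malicious content found by scan"


@dataclass
class Response:
    url: str
    status: int
    headers: dict
    body: str


# Constructed URL blocklist of known-bad links (the "bogus store" hosts).
KNOWN_BAD_URLS = {
    "http://cheap-deals.example.net/store",
    "http://cheap-deals.example.net/landing",
}
KNOWN_BAD_HOSTS = {urlparse(u).hostname for u in KNOWN_BAD_URLS}

# Constructed reputation table: hosts an administrator would consider trusted.
GOOD_REPUTATION_HOSTS = {"astro.university.example.edu", "blog.university.example.edu"}


def url_filter(url: str) -> bool:
    """Return True if the exact URL or its host is on the known-bad list."""
    return url in KNOWN_BAD_URLS or urlparse(url).hostname in KNOWN_BAD_HOSTS


# Stand-in for a content scanner: finds absolute URLs in src/href/url attributes
# (iframes, scripts, links, meta refresh) and checks them against the blocklist.
_EMBED_RE = re.compile(r'(?:src|href|url)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def content_scan(resp: Response) -> bool:
    """Return True if the response redirects to, or embeds, a known-bad URL."""
    if resp.status in (301, 302, 303, 307, 308):
        if url_filter(resp.headers.get("Location", "")):
            return True
    return any(url_filter(link) for link in _EMBED_RE.findall(resp.body))


def reputation_bypass_policy(resp: Response) -> Verdict:
    """The weak policy: a good-reputation host skips the content scan entirely."""
    if url_filter(resp.url):
        return Verdict.BLOCK_URL
    if urlparse(resp.url).hostname in GOOD_REPUTATION_HOSTS:
        return Verdict.ALLOW  # never scanned, so an injected link passes through
    return Verdict.BLOCK_CONTENT if content_scan(resp) else Verdict.ALLOW


def scan_everything_policy(resp: Response) -> Verdict:
    """The recommended policy: URL filter first, then scan regardless of reputation."""
    if url_filter(resp.url):
        return Verdict.BLOCK_URL
    return Verdict.BLOCK_CONTENT if content_scan(resp) else Verdict.ALLOW


# Constructed traffic: one compromised page and one clean page on the same
# trusted host, a redirect from another trusted host, and a direct hit on a
# known-bad URL.
SAMPLE = [
    Response("http://astro.university.example.edu/news.html", 200, {},
             '<html><body><h1>Observatory news</h1>'
             '<iframe style="display:none" src="http://cheap-deals.example.net/landing"></iframe>'
             '</body></html>'),
    Response("http://astro.university.example.edu/about.html", 200, {},
             '<html><body><h1>About the observatory</h1></body></html>'),
    Response("http://blog.university.example.edu/go", 302,
             {"Location": "http://cheap-deals.example.net/store"}, ""),
    Response("http://cheap-deals.example.net/store", 200, {}, "<html>buy now</html>"),
]


def evaluate(policy, responses=SAMPLE) -> dict:
    """Map each URL to the verdict the given policy produces for it."""
    return {r.url: policy(r) for r in responses}


if __name__ == "__main__":
    for name, policy in (("reputation-bypass", reputation_bypass_policy),
                         ("scan-everything", scan_everything_policy)):
        print(f"== {name} ==")
        for url, verdict in evaluate(policy).items():
            print(f"  {verdict.value:42} {url}")
```

Running the script prints both verdict tables side by side: under the reputation-bypass policy the compromised news page and the redirecting page are both allowed because their hosts are trusted, whereas the scan-everything policy blocks exactly those two responses and still allows the clean about page on the same host. A real gateway would of course use a proper URL categorization feed and an AV/malware engine in place of the blocklist and regex here, but the ordering of the checks is the point.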

2 comments:

A Family Guy said...

Your premise that because some good sites can be compromised and serve up bad data, therefore reputation is worthless is shallow and inept. That's like saying somebody's criminal history should not be used as a factor when determining whether or not that person is a viable candidate for a job as a school teacher. Good people can do bad things, just like good sites can do bad things, but it is not a bad idea to minimize risk by keeping the known bad guys at bay.

Timothy C. said...

The problem isn't reputation. The problem is when reputation is used to bypass other security mechanisms. If you take a look at Ironport for example, they use reputation as a way to skip AV scanning. That's a bad idea. You shouldn't skip a layer in your network security just based on reputation. That's my concern with reputation.