Reinterpreting the Disclosure Debate for Web Infections

Chapter in: Managing Information Risk and the Economics of Security

Abstract

Internet end users increasingly face threats of compromise by visiting seemingly innocuous websites that are themselves compromised by malicious actors. These compromised machines are then incorporated into bot networks that perpetuate further attacks on the Internet. Google attempts to protect users of its search products from these hidden threats by publicly disclosing these infections in interstitial warning pages behind the results. This chapter seeks to explore the effects of this policy on the economic ecosystem of webmasters, web hosts, and attackers by analyzing the experiences and data of the StopBadware project. The StopBadware project manages the appeals process whereby websites whose infections have been disclosed by Google get fixed and unquarantined. Our results show that, in the absence of disclosure and quarantine, certain classes of webmasters and hosting providers are not incentivized to secure their platforms and websites and that the malware industry is sophisticated and adapts to this reality. A delayed disclosure policy may be appropriate for traditional software products. However, in the web infection space, silence during this period leads to further infection since the attack is already in progress. We relate specific examples where disclosure has had beneficial effects, and further support this conclusion by comparing infection rates in the U.S. where Google has high penetration to China where its market penetration rate is much lower.


Notes

  1. Google does attempt to contact webmasters when their sites are initially added to Google’s blacklist, but there is no reliable system to ensure that webmasters receive these communications.

  2. Some have cited the increased investment in fraud-prevention technology resulting from placing the burden of liability for ATM fraud on banks, rather than on account holders, as an example of how civil liability could be used to promote greater investment in Internet security (Anderson 2001).

References

  • Akerlof, G. A. “The Market for ‘Lemons’: Quality Uncertainty and the Market Mechanism,” The Quarterly Journal of Economics (84:3), 1970, pp. 488–500.

  • Anderson, R. “Why Information Security is Hard—An Economic Perspective,” in 17th Annual Computer Security Applications Conference (ACSAC), 2001.

  • Anderson, R. “Open and Closed Systems are Equivalent (That Is, in an Ideal World),” in Perspectives on Free and Open Source Software, The MIT Press, 2005, pp. 127–142.

  • Arora, A., Krishnan, R., Nandkumar, A., Telang, R., and Yang, Y. “Impact of Vulnerability Disclosure and Patch Availability: An Empirical Analysis,” in Workshop on Economics and Information Security, 2004.

  • Arora, A., Telang, R., and Xu, H. “Optimal Policy for Software Vulnerability Disclosure,” in Workshop on Economics and Information Security, 2004.

  • Camp, L. J., and Wolfram, C. D. “Pricing Security: Vulnerabilities as Externalities,” Economics of Information Security (12), 2004.

  • Cavusoglu, H., Cavusoglu, H., and Zhang, J. “Economics of Security Patch Management,” in Workshop on Economics and Information Security, 2006.

  • Choi, J.-P., Ferstman, C., and Gandal, N. “Network Security: Vulnerabilities and Disclosure Policy,” in Workshop on Economics and Information Security, 2007.

  • Fallows, J. “The Connection Has Been Reset,” The Atlantic Monthly, 2008. http://www.theatlantic.com/doc/200803/chinese-firewall

  • Finjan. “Finjan Web Security Trends Report Q2-2007,” 2007. http://www.finjan.com

  • Geer, D., Bace, R., Gutmann, P., Metzger, P., Pfleeger, C. P., Quarterman, J. S., and Schneier, B. “CyberInsecurity: The Cost of Monopoly,” Computer and Communications Industry Association (CCIA), 2003.

  • Granick, J. S. “The Price of Restricting Vulnerability Publications,” International Journal of Communications Law and Policy (9), 2005.

  • OMurchu, L. “Honor among Thieves?” Symantec, 2007. http://www.symantec.com/enterprise/security_response/ weblog/%2007/11/honour_among_thieves.html

  • Provos, N., McNamee, D., Mavrommatis, P., Wang, K., and Modadugu, N. “The Ghost in the Browser: Analysis of Web-based Malware,” in Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots ’07), USENIX Association, 2007.

  • Rescorla, E. “Is Finding Security Holes a Good Idea?” IEEE Security and Privacy (3:1), 2005, pp. 14–19.

  • Schechter, S. E. “How to Buy Better Testing: Using Competition to Get the Most Security and Robustness for Your Dollar,” in Infrastructure Security Conference, 2002.

  • StopBadware. Berkman Center for Internet and Society, 2008. http://www.stopbadware.org

  • StopBadware. “Stopbadware.org Identifies Companies Hosting Large Numbers of Websites that Can Infect Internet Users with Badware,” 2007. http://www.stopbadware.org/home/pr 050307

  • Swire, P. P. “Security Market: Incentives for Disclosure of Vulnerabilities,” in Proceedings of the 12th ACM Conference on Computer and Communications Security (CCS ’05), 2005, p. 405.

Copyright information

© 2009 Springer Science+Business Media, LLC

Cite this chapter

Day, O., Palmen, B., Greenstadt, R. (2009). Reinterpreting the Disclosure Debate for Web Infections. In: Johnson, M.E. (eds) Managing Information Risk and the Economics of Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09762-6_9

  • DOI: https://doi.org/10.1007/978-0-387-09762-6_9

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-09761-9

  • Online ISBN: 978-0-387-09762-6

  • eBook Packages: Computer Science (R0)