Following the recent, and now fixed false positive blocking sans.org due to the already considered malicious dshield.org and giac.org it's also interesting to note that n.runs AG (nruns.com), whose research into vulnerabilities in antivirus products received a lot of attention lately, is also flagged as a dangerous site.
Excluding the conspiracy theories, a false positive when your solution is integrated in the second most popular search engine is bad, especially when other automated crawling approaches are successfully detecting the site as a non-malicious one. How come? It's all a matter of how you define malicious activity, and what exactly are you trying to protect your users from.
In this case, Site Advisor seems to be trying to protect the end user from herself, but flagging sites hosting some sort of hacking/pen-testing tool in a clear directory structure, since SiteAdvisor isn't capable of automatically flagging a SQL injected site as a malicious one, the approach it takes for assessing whether or not a specific site is malicious is flawed, namely integrating McAfee's signatures based malware database and flagging a site hosting anything detected as malware as a badware site itself. McAfee's comments:
"Our tests are very accurate," Dowling said. "The frequency of false positives is fewer than one a month. Changes in classifications we make are almost always because sites have changed their behaviour. "The email tests are the ones than have the most false positives. Users can have confidence in our ratings."
There are even more surprising false positives, such as, Hack in the Box security conference, Defcon.org, Zone-H France, Invisiblethings.org, AME Info - Middle East business and financial news and more :
ameinfo.com
Take for instance the Hack in the Box security conference, which is considered as the download publisher of a file hosted at packetstormsecurity.org. What's interesting to point out is that just like a huge percentage of already flagged as potentially harmful sites that haven't been re-checked in months, with Hack in the Box's case the link was last checked in February, 2008. And since hitb.org is now distributing spyware, any site that it links to is also flagged as badware, like hackinthebox.org itself :
"When we tested this site we found links to hitb.org, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs.'
These sites aren't SQL injected, IFRAME-ed or embedded with malware whatsoever, so it's like flagging a gun store as a malicious store because of the inventory there - wrong generalization aiming to bring order into the underground chaos at the first place is prone to result in lots of false positives, a wrong mentality that certain countries are starting to embrace.
Take for instance the Hack in the Box security conference, which is considered as the download publisher of a file hosted at packetstormsecurity.org. What's interesting to point out is that just like a huge percentage of already flagged as potentially harmful sites that haven't been re-checked in months, with Hack in the Box's case the link was last checked in February, 2008. And since hitb.org is now distributing spyware, any site that it links to is also flagged as badware, like hackinthebox.org itself :
"When we tested this site we found links to hitb.org, which we found to be a distributor of downloads some people consider adware, spyware or other potentially unwanted programs.'
These sites aren't SQL injected, IFRAME-ed or embedded with malware whatsoever, so it's like flagging a gun store as a malicious store because of the inventory there - wrong generalization aiming to bring order into the underground chaos at the first place is prone to result in lots of false positives, a wrong mentality that certain countries are starting to embrace.
The bottom line - is the "do not visit unknown or potentially harmful sites" security tip on the verge of extinction? Probably, as these days, exploited legitimate sites are hosting or redirecting to more malware than potentially harmful sites are.
No comments:
Post a Comment