

NBC.com hacked, serving up Citadel malware - anateus
http://hitmanpro.wordpress.com/2013/02/21/nbc-com-hacked-serving-up-citadel-malware/

======
rdl
I think Google Chrome goes into the top-10 list of "software/systems/services
which have improved real world Internet security the most" -- wide reach,
moderate impact. Probably in the top 3.

(I still think ssh tops the list -- pretty narrowly focused, but SO MUCH
BETTER than telnet, rlogin, etc., even kerberized telnet which didn't encrypt
contents, only auth. And, like Chrome, it's not just the most secure, it's
_better_ than the alternatives in every other way, so it got wide adoption for
non-security reasons too.)

I guess https falls in there too, but probably the move to "SSL all traffic by
default, at least if the user opts-in" is the reason, not the "https just the
final form for credit card processing."

SSL also IMO deserves a 9 or 10 place for START-TLS in mail protocols like
SMTP and IMAP.

~~~
dfc
Doesn't Firefox provide the same protection? I am not dismissing Chrome; I am
just curious if the malware/phishing protection is the same. I thought they
both used the same API.

~~~
rdl
Not sure about their malware/phishing blocking. (IIRC it wasn't on by default
in firefox in the last version I used.)

Firefox has many security issues Chrome doesn't have (tab isolation by process
is #1, but "devotes a lot more effort/resources to security" is generally
true, too -- Chrome just has vastly more resources than Firefox, and spends
them on a smaller number of platforms).

Chrome = HSTS. Cert pinning. Dealing with bad SSL cert failures correctly
(i.e. not letting users simply click to accept...)

Also, Chrome led the way on auto-update of browsers, which is one of the
biggest improvements in the real world. Chrome also got good security wins
through their own PDF handler and Flash, vs. the Adobe stuff. I think Chrome
also did "click to run" by default on more other plugins (Java) earlier,
although I haven't paid as much attention to that (client-side Java is
basically an abomination now, generally.)

~~~
dfc
Firefox's malware/phishing system was added in 3.0,[1] which was released June
17, 2008[2].

[1] <https://www.mozilla.org/en-US/firefox/phishing-protection/>

[2]
[https://en.wikipedia.org/wiki/Firefox_release_history#Releas...](https://en.wikipedia.org/wiki/Firefox_release_history#Release_history)

------
sucuri2
Still infected after more than 2 hours of reporting to them.

Not only nbc .com, but also latenightwithjimmyfallon .com and other major NBC
sites.

We posted some details here too:

[http://blog.sucuri.net/2013/02/nbc-website-hacked-be-careful...](http://blog.sucuri.net/2013/02/nbc-website-hacked-be-careful-surfing.html)

thanks,

------
diminoten
It's cool that we have Google capable of on-the-fly warning users when malware
is detected on a popular website.

You can complain a lot about Google's business model, but that's a damn
valuable service. Probably saved a lot of computers today.

~~~
dmix
> You can complain a lot about Google's business model

Why would we do that? Gmail and Google are essentially free, with the
addition of tasteful ad designs.

~~~
de90
Because their business model benefits from knowing everything it can about
you.

~~~
grumps
But you willingly allow them to, and in return they give you value back.

~~~
hackinthebochs
That's the thing, I highly doubt the majority of users are even aware of how
much information Google has on its users. Even I as a knowledgeable programmer
would probably be surprised at the depth of profiling they have done. And this
isn't even considering any sort of machine learning analysis of the data to
extrapolate information not explicitly given. So no, "willingly allow them"
is not an accurate description of the relationship.

~~~
dmix
There are Chrome plugins to opt out of ad tracking, and you can delete your
search history.

Everything is optional. You don't have to be signed in or using cookies to
search using Google.

That's how I like my information privacy. My only issue is the lack of
encryption in gmail (and email in general).

Personal privacy is the user's responsibility. There's a technology knowledge
gap regardless of whether the user is using Google or any other site. That isn't one
website's responsibility.

------
sp332
How do you "sinkhole" an IP address?

~~~
ChuckMcM
You create a route, in a router you control, that sends packets to that
address into the bit bucket. Ideally it's an edge router that everyone in an
organization shares, or at an ISP, which will protect anyone using that ISP.

~~~
sp332
Oh, so this only works for a subset of the internet? That makes more sense.
Are there blacklists for IPs like there are for spam domains?

~~~
ChuckMcM
Various companies will sell you a list of currently known malware domains
(like spammer lists) which you can feed into a router to create blocks for
them. Is that what you are asking?
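The null-route idea from the two ChuckMcM comments above, as an added example that is none of the commenters' code: it parses a constructed blocklist (RFC 5737 documentation addresses stand in for real indicators), refuses to blackhole your own private space, renders Linux `ip route add blackhole` commands for an edge router, and checks whether a given destination would be dropped. The feed format, the `NEVER_SINKHOLE` list and the function names are assumptions.

```python
import ipaddress

# Constructed sample feed, the kind of "known malware" list a vendor sells.
# Addresses are RFC 5737 documentation ranges, not real indicators.
SAMPLE_FEED = """\
# constructed blocklist, one IP or CIDR per line
192.0.2.10
198.51.100.0/24
203.0.113.7    # trailing comment
not-an-address
10.0.0.0/8
"""

# Assumed safety list: null-routing any of these would cut off our own network
# (or the loopback), so a feed entry overlapping them is rejected.
NEVER_SINKHOLE = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_feed(text: str) -> list:
    """Turn a feed into network objects, dropping comments, junk and unsafe entries."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP becomes /32
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole feed
        if any(net.overlaps(safe) for safe in NEVER_SINKHOLE):
            continue  # never blackhole private or loopback space
        nets.append(net)
    return nets


def blackhole_routes(nets) -> list:
    """Render Linux 'ip route' blackhole (bit-bucket) commands for an edge router."""
    return [f"ip route add blackhole {n.with_prefixlen}" for n in nets]


def is_sinkholed(addr: str, nets) -> bool:
    """Would a packet to addr be dropped by these routes?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


if __name__ == "__main__":
    routes = parse_feed(SAMPLE_FEED)
    print("\n".join(blackhole_routes(routes)))
```

The commands are printed rather than executed so the script can be reviewed before it is applied on the router with the necessary privileges.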

------
thursley
Writeup of the network monitoring service that discovered the infection:
[http://blog.fox-it.com/2013/02/21/writeup-on-nbc-com-distrib...](http://blog.fox-it.com/2013/02/21/writeup-on-nbc-com-distributing-citadel-malware/)

------
smokestack
Chrome's malware warning stopped appearing in the last 5 minutes. Looks like
it's fixed.

~~~
anateus
Just for nbc.com or for all infected properties like Jay Leno's site?

~~~
untog
Depends if you consider Jay Leno to be a form of malware that NBC can't
remove.

(sorry)

~~~
jabagonuts
Well, if you prefer Conan O'Brien as the host, it may seem that way.

------
some1else
NBC shut down EveryBlock. I don't follow them anymore.

------
jonaldomo
I better run my antivirus! Oh wait, I am on Mac...

------
aranjedeath
Nice ad.

~~~
aranjedeath
I see now why I'm being downvoted. See, now there is substance to the article.
10 hours ago, it was 2 paragraphs on citadel malware and cnc servers and 3
more on their anti-malware app, with gratuitous screenshots of such. It /was/
an ad.

