DOI: 10.1145/3133956.3133971
Research article

Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting

Published: 30 October 2017

ABSTRACT

Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. Shared hosting offers a unique perspective, since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10% and 19% of the variance in abuse at providers, after controlling for size. For web-application security, for instance, we found that when a provider moves from the bottom 10% to the best-performing 10%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels -- even higher in the stack, where CMSes can run as client-side software -- and that this influence is tied to a substantial reduction in abuse levels.
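The abstract's final step, a GLM of provider-level abuse counts on a security factor after controlling for size, and the translation of its coefficient into a "bottom 10% versus top 10%" comparison, as an added illustration that is not the paper's code or data: a Poisson regression with log(size) as an offset, fitted with Newton's method on a constructed set of 20 providers whose counts are generated from a known model so the recovered slope can be checked.

```python
import math

# Constructed provider-level data (not the paper's dataset). Each provider has
# a size (number of hosted domains), a standardised web-application-security
# factor score, and a phishing count. The counts are generated from a known
# log-linear model, mu = size * exp(A_TRUE + B_TRUE * score), and rounded, so
# the fit below should recover A_TRUE and B_TRUE and the right answer is known.
A_TRUE, B_TRUE = -4.0, -0.45
SIZES = [1200, 3500, 800, 15000, 2200, 41000, 6100, 950, 27000, 4800,
         12000, 1800, 33000, 7500, 2600, 19000, 1100, 9800, 52000, 3100]
SCORES = [round(-1.9 + 0.2 * i, 1) for i in range(20)]  # -1.9 .. 1.9
COUNTS = [round(n * math.exp(A_TRUE + B_TRUE * s)) for n, s in zip(SIZES, SCORES)]


def fit_poisson_offset(sizes, scores, counts, tol=1e-10, max_iter=100):
    """Poisson GLM  log E[count] = log(size) + a + b*score, fitted by Newton's
    method. log(size) enters as an offset, so a and b describe abuse per
    hosted domain: this is what 'after controlling for size' means here."""
    a = math.log(sum(counts) / sum(sizes))  # null model: one rate everywhere
    b = 0.0
    for _ in range(max_iter):
        mu = [n * math.exp(a + b * s) for n, s in zip(sizes, scores)]
        # Score vector (gradient of the Poisson log-likelihood) ...
        g_a = sum(y - m for y, m in zip(counts, mu))
        g_b = sum((y - m) * s for y, m, s in zip(counts, mu, scores))
        # ... and observed information (negative Hessian), a 2x2 matrix.
        h_aa = sum(mu)
        h_ab = sum(m * s for m, s in zip(mu, scores))
        h_bb = sum(m * s * s for m, s in zip(mu, scores))
        det = h_aa * h_bb - h_ab * h_ab
        da = (h_bb * g_a - h_ab * g_b) / det
        db = (h_aa * g_b - h_ab * g_a) / det
        a, b = a + da, b + db
        if max(abs(da), abs(db)) < tol:
            break
    return a, b


def percentile(values, p):
    """Nearest-rank percentile for p in (0, 1]."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def abuse_ratio_top_vs_bottom(scores, b):
    """Expected abuse of a provider at the 90th percentile of the factor
    relative to one at the 10th, holding size fixed: exp(b * (x90 - x10)).
    A value of 0.25 means the best decile sees 4 times fewer incidents."""
    return math.exp(b * (percentile(scores, 0.9) - percentile(scores, 0.1)))


if __name__ == "__main__":
    a_hat, b_hat = fit_poisson_offset(SIZES, SCORES, COUNTS)
    print(f"intercept {a_hat:.3f} (true {A_TRUE}), slope {b_hat:.3f} (true {B_TRUE})")
    r = abuse_ratio_top_vs_bottom(SCORES, b_hat)
    print(f"top/bottom decile abuse ratio: {r:.3f} (about {1 / r:.1f}x fewer)")
```

The paper also reports malware abuse and uses several factors at once; the same offset model extends to more predictors by growing the gradient and information matrix accordingly.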



Published in

CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security
October 2017
2682 pages
ISBN: 9781450349468
DOI: 10.1145/3133956

Copyright © 2017 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '17 paper acceptance rate: 151 of 836 submissions (18%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)
