Honeypot analysis – Full disclosure works

When all else fails, full disclosure* (the process) seems to work.

Early in January, we sent a bunch of emails to the people at the Georgia government after we detected that they were hosting malware. We asked for contacts on Twitter. Nobody replied. Nothing got fixed.

Early in January, we did the same thing with the guys at the Colombian government, and nobody replied and nothing got fixed.

The good news is that after we posted on our blog, people from both governments contacted us and fixed their sites, removed the malware, etc. Awesome! They just needed a bit of attention to look at their security issues.

However, we only go the full-disclosure route when all else fails. Early in February we detected that one of the UNDP (United Nations Development Programme) sites was hosting malware. We asked for contacts on Twitter, got a reply, and everything got fixed within a day.

Same thing with the University of Rhode Island (uri.edu). Their main site was hosting malware, and after we contacted them using the WHOIS information (and abuse email), everything got fixed within a day.

What to take from that? If you are a site owner, please configure your abuse@ email address and have clear contact instructions on your site. If you are a security researcher who found something wrong and nobody listened to you, try full disclosure: blog about it and they might notice.
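The contact-hunting step described above (WHOIS record first, abuse@ mailbox as the fallback) is easy to get wrong when registrant fields are privacy-redacted or the only abuse address belongs to the registrar rather than the site. The following is an added example, not code from Sucuri or from this post: it ranks the addresses found in a WHOIS record for reporting a compromised site, preferring a dedicated abuse mailbox at the site's own domain, then the registrar's abuse contact, then any other address in the record, and finally the RFC 2142 role mailboxes (abuse@, security@, webmaster@, postmaster@) that every domain is expected to run. The WHOIS text and domain names are constructed for the example and are not real records.

```python
import re

# Constructed sample, not a real WHOIS record. It mimics the "Key: value"
# layout returned by most registries, including a privacy-redacted field and
# an abuse contact that belongs to the registrar rather than the site.
SAMPLE_WHOIS = """\
Domain Name: example-university.edu
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Email: REDACTED FOR PRIVACY
Admin Email: hostmaster@example-university.edu
Tech Email: noc@example-university.edu
Abuse-mailbox: abuse@example-university.edu
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Role mailboxes every domain is expected to run (RFC 2142); tried last,
# since nothing guarantees the site owner actually reads them.
ROLE_MAILBOXES = ("abuse", "security", "webmaster", "postmaster")


def extract_contacts(whois_text, domain):
    """Return an ordered, de-duplicated list of addresses to try when
    reporting malware hosted on `domain`.

    Order: abuse mailboxes at the site's own domain, other abuse mailboxes
    (typically the registrar's), any remaining address in the record
    (admin/tech/registrant), then RFC 2142 role addresses at the domain.
    Privacy-redacted fields contain no address and are skipped.
    """
    domain = domain.lower()
    abuse, other = [], []
    for line in whois_text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        match = EMAIL_RE.search(value)
        if not match:
            continue  # phone numbers, "REDACTED FOR PRIVACY", plain names, etc.
        email = match.group(0).lower()
        bucket = abuse if "abuse" in key.lower() else other
        if email not in bucket:
            bucket.append(email)

    # The site's own abuse mailbox beats the registrar's: the operator is the
    # one who can actually clean the server. Stable sort keeps record order
    # for the rest.
    abuse.sort(key=lambda e: not e.endswith("@" + domain))

    fallback = [f"{role}@{domain}" for role in ROLE_MAILBOXES]
    ordered = []
    for email in abuse + other + fallback:
        if email not in ordered:
            ordered.append(email)
    return ordered


if __name__ == "__main__":
    for address in extract_contacts(SAMPLE_WHOIS, "example-university.edu"):
        print(address)
```

On the constructed record this yields abuse@example-university.edu first and abuse@registrar.example second, with the redacted registrant field contributing nothing; a domain with no WHOIS data at all still gets the four role addresses. In practice you would feed it the raw output of `whois <domain>` and work down the list until someone answers.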

Plus, if you want this kind of monitoring for your own Internet presence, check out http://sucuri.net. At Sucuri Security we have two main goals: to monitor your visible Internet presence (via DNS, site content changes, WHOIS, blacklisting status, etc.), and to also monitor what is not visible (or not easily accessible). So we run multiple honeypots, we monitor IRC channels used by botnets and attackers, multiple forums, etc., all with the goal of protecting our clients and notifying them if we see any issue in the "underground".

*Notice: I am talking about full disclosure, the process, not the mailing list.
