Saturday, November 18, 2017

(Responsible) victim notification?

For three years we've been briefing anyone who'd listen about a widespread campaign that we identified. The information isn't showing up on the haveibeenpwned site, or in many of the other sources. We've talked to everyone from our customers to other information-sharing groups, law enforcement, and national CERTs, and we've briefed it at FIRST technical conferences on two occasions. We've passed on thousands of victim notifications to folks we thought might help let people know they'd been compromised, but we continue to see victims exploited.

About a month ago we began testing a service called RiskWatch. The idea is that we monitor this campaign and other sources of victim information, and if we see a compromised email account, we send out a standardized notification. The notification was built to be polite and informative, yet readable. It starts out with who we are and links to places where they can verify who we are. It has a 2-minute cartoon explainer video, a few things they can do, and, if they choose, a link to RiskWatch. At no charge, the recipient can click through, register, and come into their own session where they see the email addresses, a timeline, and other information: enough to be able to get help, or fix things themselves.

At the same time, if they want to come back and view the findings regularly, or receive weekly or monthly notifications, they can purchase a subscription starting at $9 per month. This is in no way required, but it's available.

Why?

Early last year, in an attempt to notify, we sent over 200,000 notifications to the abuse email addresses listed in domain registrations. We used a text-based format similar to the one Carnegie Mellon/CERT-CC used back in the early days of victim notification. We received mixed feedback. Some were appreciative of the notification; others, well, not so much. Today, however, many registrations use privacy proxies, so those abuse contacts no longer reach anyone. So... we sent what we thought was a polite email, with that explainer video, short instructions, and a link. We tried this for about a month, retiring that email as part of A/B testing against a new format currently in the works.

We struggled with the idea of email. As security folks, we teach people not to click. We've tried direct personalized notifications, and we've talked with scores of folks we thought might be of assistance in getting the word out; yet the problem keeps growing exponentially.

We've seen a few clean-ups as a result of the notifications, even without the recipients coming to our site. But the others? They continue to be exploited.

So here's the question: if we know about all of these victims, many with exposed passwords, others hitting sinkholes, most having no idea what to do about it, why not let them know? If their Social Security numbers are lost, or their private information ends up on the web, are they notified? Yes.

Is email the best way? No. We knew that going in. This is a hard question, and we're not sure what the right answer is. We're not a big company. We share information and we try our best to always do the right thing, but in this case there are SO many victims.

We're open to suggestions. How do we get the word out without looking like spammers? If others have thoughts on how this might be accomplished, we'd love to hear them.

For those of you who've received the notifications and thought they were spam: we apologize. That, however, does not make the notification any less real. We might have done it better (and we will in the future), but we would urge you to take it seriously.