![Page 1: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/1.jpg)
Understanding Security Notifications At ScaleFrank Li - University of California BerkeleyZakir Durumeric - University of MichiganMichael Bailey - University of Illinois Urbana-ChampaignVern Paxson - University of California Berkeley
![Page 2: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/2.jpg)
Why study security notifications?
Lots of work in academia and industry on identifying security issues
2
![Page 3: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/3.jpg)
Why study security notifications?
Lots of work in academia and industry on identifying security issues
However, those who find security issues are often not the same party as those who need the information
3
![Page 4: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/4.jpg)
Why study security notifications?
Lots of work in academia and industry on identifying security issues
However, those who find security issues are often not the same party as those who need the information
Security notifications serve as a bridge
4
![Page 5: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/5.jpg)
Why study security notifications?
Lots of work in academia and industry on identifying security issues
However, those who find security issues are often not the same party as those who need the information.
Security notifications serve as a bridge
There has been little academic study of security notifications
5
![Page 6: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/6.jpg)
Our Research Agenda
Better understand the nature of these notifications and the most effective approach to conducting them
6
![Page 7: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/7.jpg)
Our Research Agenda
Better understand the nature of these notifications and the most effective approach to conducting them
Today:
- Share our experiences and analysis from conducting several notification efforts
- Hear from you about your experiences and lessons learned
7
![Page 8: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/8.jpg)
Experiences
We have measured and analyzed notification sent for:
● Heartbleed bug● Security misconfigurations and vulnerabilities● Compromised websites
8
![Page 9: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/9.jpg)
The Heartbleed Bug
![Page 10: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/10.jpg)
10
![Page 11: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/11.jpg)
What is Heartbleed?
● Allows access to sensitive data in memory, such as passwords, secret keys, etc., on OpenSSL servers
● Fix: Update to patched version, or disable TLS “Heartbeats”
11
![Page 12: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/12.jpg)
ACM Internet Measurement Conference 201412
![Page 13: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/13.jpg)
Detecting Vulnerable Hosts
Used the ZMap scanner to scan HTTPS servers
Ethical consideration: probe packet does not exploit Heartbleed or read any data from memory
13
![Page 14: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/14.jpg)
Patch Rates
14
![Page 15: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/15.jpg)
Notification Effort
● April 24: Grabbed 4646 unique contact emails from WHOIS lookups for ~250k still-vulnerable IPs
● Randomly selected half to notify via email on April 28th, the other half notified on May 7th
● Scanned every 8 hours to track behavior
15
![Page 16: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/16.jpg)
Notification Groups Patching Rates
16
![Page 17: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/17.jpg)
Notification Groups Patching Rates
17
Nearly 50% Increase in Patching by
Notified Contacts
![Page 18: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/18.jpg)
First Round Responses
● Received 530 email responses● 11.1% human responses, 40.2% automated, and 48.7%
delivery failures
18
![Page 19: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/19.jpg)
First Round Responses
● Received 530 email responses● 11.1% human responses, 40.2% automated, and 48.7%
delivery failures● Of human contacts:
○ 92% positive○ 5% neutral ○ 3% negative
19
![Page 20: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/20.jpg)
First Round Responses
● Received 530 email responses● 11.1% human responses, 40.2% automated, and 48.7%
delivery failures● Automated messages
○ Confirmations○ Tickets○ Trackers (many incorrectly configured)
20
![Page 21: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/21.jpg)
Lessons Learned
● Notifications can be effective at promoting patching.
● Mass notifications are doable and can be well-received.
21
![Page 22: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/22.jpg)
New Questions...
● How effective are notifications in other scenarios?
● How do we find reliable contacts for more hosts?
● What are best practices for effective notifications?
22
![Page 23: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/23.jpg)
Security Misconfiguration Notifications
23
![Page 24: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/24.jpg)
Security Misconfiguration Notifications
24USENIX Security 2016
![Page 25: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/25.jpg)
Security Misconfiguration Notifications
Notifications for 3 classes of misconfigurations:
● Publicly Accessible Industrial Control Systems (ICS)● DDoS Amplifiers● Misconfigured IPv6 Firewall Policies
25
![Page 26: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/26.jpg)
Security Misconfiguration Notifications
Publicly Accessible Industrial Control Systems (ICS):
● Remotely control physical infrastructure, but lacks important security features
● Detection/tracking: Protocol-specific fingerprints with ZMap
● Fix: Firewall or remove from public Internet
26
![Page 27: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/27.jpg)
Security Misconfiguration Notifications
DDoS Amplifiers
● Protocols abused for DDoS attacks● Detection: Monitoring DDoS attacks against a network● Tracking: Custom protocol specific probing● Fix: Firewall or disable protocols or abused functions
27
![Page 28: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/28.jpg)
Security Misconfiguration Notifications
Misconfigured IPv6 Firewall Policies
● v6-only services may indicate firewall misconfiguration● Detection/tracking: Large-scale probing with CAIDA’s
Scamper tool● Fix: Correct firewall policies, or disabling applications
28
![Page 29: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/29.jpg)
Experiment Variables
● Who to contact?
WHOIS contact, our local US-CERT, host’s local CERT
29
![Page 30: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/30.jpg)
Experiment Variables
● Who to contact?
WHOIS contact, our local US-CERT, host’s local CERT
● What to say to server admins (WHOIS contacts)?
Terse message
Terse message with a link to detailed info site
Verbose message with details30
![Page 31: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/31.jpg)
Notification Methodology
● Found abuse contacts via WHOIS
● Grouped hosts by their abuse contacts
● Randomly assigned contacts to control vs CERT vs WHOIS groups
31
![Page 32: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/32.jpg)
Experiment Groups
32
![Page 33: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/33.jpg)
Results
33
![Page 34: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/34.jpg)
Results
Our notifications had no effect on DDoS Amplifiers…
● Prior notification efforts● Population bias
34
![Page 35: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/35.jpg)
Remediation Rates
IPv6 ICS
35
![Page 36: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/36.jpg)
Remediation Rates
IPv6 ICS
36
WHOIS Verbose messages performed
best
![Page 37: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/37.jpg)
Remediation Rates
IPv6 ICS
37
![Page 38: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/38.jpg)
Remediation Rates
IPv6 ICS
38
Majority of contacts did not
react
![Page 39: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/39.jpg)
Remediation Rates
IPv6 ICS
39
![Page 40: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/40.jpg)
Remediation Rates
IPv6 ICS
40
![Page 41: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/41.jpg)
Remediation Rates
IPv6 ICS
41
Notification’s effect is
short-lived
![Page 42: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/42.jpg)
Staying Power of Notification’s Effect
IPv6 ICS
42
![Page 43: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/43.jpg)
Notification Response
● Received 685 emails● 13.6% were human, 77.4% were automated responses,
and 9.1% were bounces
43
![Page 44: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/44.jpg)
Notification Response
● Received 685 emails● 13.6% were human, 77.4% were automated responses,
and 9.1% were bounces● Of human responses:
○ 77% were positive○ 19% neutral○ 4% negative
44
![Page 45: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/45.jpg)
Insights
● Verbose messages to WHOIS contacts can be relatively effective.
● However, overall effectiveness is limited.
● Notification’s effect is short-lived, partly due to lack of reliable points of contact.
45
![Page 46: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/46.jpg)
Another context: Hijacked Websites
46
![Page 47: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/47.jpg)
Another context: Hijacked Websites
World Wide Web Conference (WWW) 2016
47
![Page 48: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/48.jpg)
Websites are constantly hijacked...sanfranciscobaycoffee.com
48
![Page 49: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/49.jpg)
Websites are constantly hijacked...
Google Safe Browsing Transparency Report 49
![Page 50: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/50.jpg)
Compromised sites lead to...
● Drive-by downloads● Cloaked redirections● Scams● Phishing● Defacements
50
![Page 51: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/51.jpg)
This Study: Analysis of ~1 Year of Google Webmaster Notifications
51
![Page 52: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/52.jpg)
This Study: Analysis of ~1 Year of Google Webmaster Notifications What works effectively for notifying webmasters?
52
![Page 53: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/53.jpg)
This Study: Analysis of ~1 Year of Google Webmaster Notifications What works effectively for notifying webmasters?
What factors affect remediation behavior?
53
![Page 54: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/54.jpg)
This Study: Analysis of ~1 Year of Google Webmaster Notifications What works effectively for notifying webmasters?
What factors affect remediation behavior?
How well are webmasters able to comprehend the remediation process?
54
![Page 55: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/55.jpg)
Compromise Life Cycle
55
![Page 56: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/56.jpg)
Compromise Life Cycle
56
![Page 57: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/57.jpg)
Compromise Life Cycle
57
![Page 58: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/58.jpg)
Compromise Life Cycle
58
![Page 59: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/59.jpg)
Compromise Life Cycle
59
![Page 60: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/60.jpg)
Compromise Life Cycle
60
![Page 61: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/61.jpg)
Compromise Life Cycle
61
![Page 62: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/62.jpg)
Compromise Life Cycle
62
![Page 63: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/63.jpg)
Data Sources
1. Compromised incidents detected by Safe Browsing (drive-bys) and Search Quality (blackhat SEO)
2. Search Console + WHOIS alerts sent for hijacked sites3. Webmaster appeals (requests for re-check)
63
![Page 64: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/64.jpg)
Notification Effectiveness: Remediation Likelihood
64
![Page 65: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/65.jpg)
Notification Effectiveness: Remediation Likelihood
Search Warning Only (Search Quality sites):
43.4%65
![Page 66: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/66.jpg)
Notification Effectiveness: Remediation Likelihood
Browser Warning + WHOIS alert (Safe Browsing sites):
54.6%66
![Page 67: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/67.jpg)
Notification Effectiveness: Remediation Likelihood
Search Console Alert:
82.4% - Safe Browsing76.8% - Search Quality
67
![Page 68: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/68.jpg)
Notification Effectiveness: Remediation Speed
68
0 Days
Time for 50% of sites to remediate
![Page 69: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/69.jpg)
Notification Effectiveness: Remediation Speed
69
0 Days
Time for 50% of sites to remediate Search Warning Only(Search Quality sites)
18 Days
![Page 70: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/70.jpg)
Notification Effectiveness: Remediation Speed
70
0 Days
Time for 50% of sites to remediate Search Warning Only(Search Quality sites)
18 Days
8 Days
Browser Warning + WHOIS Alert
(Safe Browsing sites)
![Page 71: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/71.jpg)
Notification Effectiveness: Remediation Speed
71
0 Days
Time for 50% of sites to remediate Search Warning Only(Search Quality sites)
18 Days
8 Days
Browser Warning + WHOIS Alert
(Safe Browsing sites)
Search Console AlertsSafe Search
Browsing Quality
3 Days 7 Days
![Page 72: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/72.jpg)
Notification Effectiveness: Remediation Speed
72
0 Days
Time for 50% of sites to remediate Search Warning Only(Search Quality sites)
18 Days
8 Days
Browser Warning + WHOIS Alert
(Safe Browsing sites)
Search Console AlertsSafe Search
Browsing Quality
3 Days 7 Days
Direct notification increases remediation likelihood and speed
![Page 73: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/73.jpg)
Appeals Performance before Success
73
![Page 74: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/74.jpg)
Appeals Performance before Success
74
30.7% of Safe Browsing, 11.3% of Search Quality webmasters appeal
Number of Appeals Needed
![Page 75: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/75.jpg)
Appeals Performance before Success
75
30.7% of Safe Browsing, 11.3% of Search Quality webmasters appeal
Number of Appeals Needed
![Page 76: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/76.jpg)
Appeals Performance before Success
76
30.7% of Safe Browsing, 11.3% of Search Quality webmasters appeal
Number of Appeals Needed
Webmasters often do possess capability to address symptoms
![Page 77: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/77.jpg)
Reinfections
77
![Page 78: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/78.jpg)
Reinfections
12% of remediated sites are reinfected within 30 days
78
![Page 79: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/79.jpg)
Reinfections
12% of remediated sites are reinfected within 30 days
79
![Page 80: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/80.jpg)
Reinfections
12% of remediated sites are reinfected within 30 days
80
![Page 81: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/81.jpg)
Reinfections
12% of remediated sites are reinfected within 30 days
81
Often root cause of infection or vulnerability unaddressed
![Page 82: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/82.jpg)
Insights
● Direct notifications help improve remediation.
● Webmasters can remedy hijacking symptoms.
● However, root causes are often unaddressed.
82
![Page 83: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/83.jpg)
Next Steps:
● Increased direct communication coverage
83
![Page 84: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/84.jpg)
Next Steps:
● Increased direct communication coverage● Further investigation of notification factors
84
![Page 85: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/85.jpg)
Next Steps:
● Increased direct communication coverage● Further investigation of notification factors● Better community coordination and organization
85
![Page 86: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/86.jpg)
Next Steps:
● Increased direct communication coverage● Further investigation of notification factors● Better community coordination and organization● Outreach + education
86
![Page 87: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/87.jpg)
Next Steps:
● Increased direct communication coverage● Further investigation of notification factors● Better community coordination and organization● Outreach + education● Develop more automated or usable remediation tools
87
![Page 88: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/88.jpg)
Next Steps:
● Increased direct communication coverage● Further investigation of notification factors● Better community coordination and organization● Outreach + education● Develop more automated or usable remediation tools
88
Thanks! [email protected]
![Page 89: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/89.jpg)
Extra Slides
![Page 90: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/90.jpg)
Notification Responses + Reactions
90
% of Responses:2.6%8.5%77.7%11.2%
![Page 91: Notifications At Scale Vern Paxson - University of ... · Scams Phishing Defacements 50. This Study: Analysis of ~1 Year of Google Webmaster Notifications 51. ... Quality (blackhat](https://reader034.vdocuments.us/reader034/viewer/2022043004/5f85626e800c4a1ade10eae2/html5/thumbnails/91.jpg)
Remediation Rates for CERTs
IPv6
ICS
91