Being a good internet neighbour
March 2011 was a busy month with a number of very public announcements on systems being breached. These had different effects on each of us.
The one that had an odd side effect for me was the Lizamoon.com SQL injection attack. My day job has me attempting to protect a large number of staff from themselves and the evils of the internet, which isn't that different to many that read the Diary.
After seeing the alarm about this SQL injection attack, I implemented the standard block list for the identified malware hosting sites [2] and reviewed my firewall logs. Solid security and operational practices meant our systems were safe, but I did find three external websites that had been successfully compromised just from reviewing the proxy web logs. Just to be clear, my company has no anti-disclosure constraints, I was given permission to talk with the attacked sites, this attack is pretty public, I haven't tweaked, fiddled or done stuff* to find this information, and they are, unwittingly, attacking my systems and staff. I, as the security guy, need to stop this one way or another.
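As an added example (not code from the diary), this is the kind of proxy log review described above, in Python: it reads proxy log lines, picks out requests to the known-bad script hosts, and groups them by the referring page, since the referer is the legitimate but injected site that needs a phone call. The log format, client addresses, site names and the second block-list host are constructed placeholders; only lizamoon.com comes from the diary.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Known malicious script hosts. lizamoon.com is named in the diary; the other
# entry is a placeholder standing in for the rest of the published block list [2].
BLOCKED_HOSTS = {"lizamoon.com", "blocklist-host-placeholder.example"}

# Constructed sample lines in a simplified proxy log format:
#   timestamp client method url status referer   ("-" means no referer)
SAMPLE_LOG = """\
1301600001 10.0.0.12 GET http://www.legit-shop.example/products.asp 200 -
1301600002 10.0.0.12 GET http://lizamoon.com/ur.php 200 http://www.legit-shop.example/products.asp
1301600003 10.0.0.15 GET http://news.example/story?id=9 200 -
1301600004 10.0.0.15 GET http://static.cdn.example/jquery.js 200 http://news.example/story?id=9
1301600005 10.0.0.21 GET http://www.big-corp.example/about 200 -
1301600006 10.0.0.21 GET http://LIZAMOON.com/ur.php 403 http://www.big-corp.example/about
1301600007 10.0.0.33 GET http://lizamoon.com/ur.php 200 -
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, referer = m.groups()
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "status": int(status), "referer": None if referer == "-" else referer}

def host_of(url):
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()

def find_compromised_referers(log_text, blocked_hosts=BLOCKED_HOSTS):
    """Map each referring site that sent a client to a blocked host -> sorted client list.

    A 403 from the proxy still counts: the block protects our staff, but the
    referring site is just as compromised and still needs to be told.
    Direct requests with no referer give us nobody to notify, so they are skipped.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or host_of(rec["url"]) not in blocked_hosts:
            continue
        if rec["referer"] is None:
            continue
        hits[host_of(rec["referer"])].add(rec["client"])
    return {site: sorted(clients) for site, clients in hits.items()}
```

The result is the short list of sites worth looking up contact details for; anything that only appears as a direct request (no referer) needs a different line of investigation.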
This leads to my First Question**: Should I tell them they have a problem or just block 'em too?
The SQL-injected web site is a legitimate web site, staff from my company are allowed to access it, and their being redirected to an Evil Web Site without either party knowing means action has to be taken.
This seems like a no-brainer. If you see someone's house is on fire, you let them know.
Second Question: How do I let them know?
The easy way was to get contact details from the infected web site by visiting the site and clicking on contact info. This identified them as a large company and two small businesses, all in my time zone and relatively local to me. I was able to get the helpdesk for the large company, the owner and a shop assistant for the other two.
Third Question: What do I tell them?***
The fun part of talking to non-IT people (most of humanity, or so I'm informed) is that glibly pointing out "their 'base has been 0wnzed by sqli" might not convey a clear and detailed picture of the issue. Most people know being hacked is a bad thing, so the simple opener of “Your web site has been hacked and as a customer I’d like you to fix it please” was a reasonable start and got their attention. I told them where to get more information on how their website was hacked (Google these terms or go to web site X) and that their IT people need to fix it. I offered them the best of luck with fixing their site and that was it. All in all, a pretty easy ten minutes on the phone.
The outcome of a few minutes of advice
Two quickly fixed the damage done and seemed pleased someone had taken the time to let them know they had a problem.
Only the small company with the startled shop assistant hasn’t fixed their Lizamoon problem. Despite a couple of follow-up emails to the company they are still compromised, so I’ve been forced to block that site at our borders. That’s sadly a loss of income for them, but a necessity for us.
Worthwhile being a good internet neighbour?
That’s up to you but the hope is that everyone can take a few minutes to help out a digital stranger in need every once in a while when you can. Many of you reading this help others in your physical lives, in one way or another, and I’m guessing that takes up a lot more time than a phone call or couple of emails to a digital victim.
Kevin Liston’s “Let’s clean up SQL Slammer” diaries [3] really show that if problems aren’t fixed and are left alone they never really go away, but with effort a difference can be made [4].
As always, if you have any better suggestions, insights or tips please feel free to comment.
* e.g. things that could get me fired, arrested, dragged off to a dark room then forced to listen to pan pipes or anything mum wouldn't approve of
** Capitalisation is intentional; it’s there to denote my deep pondering on the topic at hand
*** With so many well publicised social engineering phone scams in Oz [5], I was somewhat nervous about what response I might receive. Fortunately it was all good (as they say here Down Under)
[1] http://isc.sans.edu/diary.html?storyid=10642
[2] http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
[3] http://isc.sans.edu/diary.html?storyid=9637
[4] http://isc.sans.edu/diary.html?storyid=9871
[5] http://isc.sans.edu/diary.html?storyid=10135
Chris Mohan --- Internet Storm Center Handler on Duty