Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting

Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. Shared hosting offers a unique perspective, since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices among shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting -- containing 1,259 providers -- by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10% and 19% of the variance in abuse at providers, after controlling for size. For web-application security, for instance, we found that a provider moving from the bottom 10% to the best-performing 10% would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels--even higher in the stack, where CMSes can run as client-side software--and that this influence is tied to a substantial reduction in abuse levels.
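The abstract's final step, regressing abuse counts on a security factor while controlling for provider size and then reading off the incident ratio between the worst and best 10% of providers, can be reproduced on constructed data. The block below is an added illustration, not code or data from the paper: it assumes a Poisson GLM with a log link (the abstract does not name the GLM family), uses a standard-normal stand-in for the factor score that the paper derives by exploratory factor analysis, generates a hypothetical market of 400 providers from an assumed true model, and fits the model by Newton-Raphson in plain Python so it runs without any statistics library. The deviance-based pseudo R² is one of the measures the reference list's Poisson pseudo R² paper discusses; the specific formula here is an assumption, not the paper's choice.

```python
import math
import random

# Constructed sample data: hypothetical providers, not the paper's dataset.
# Assumed generating model: log E[incidents] = -4 + 1.0*log(size) - 0.6*score
TRUE_INTERCEPT, TRUE_SIZE, TRUE_SCORE = -4.0, 1.0, -0.6

def poisson_draw(rng, mu):
    """Draw a Poisson(mu) count (Knuth's method; normal approximation above 500)."""
    if mu > 500:
        return max(0, int(round(rng.gauss(mu, math.sqrt(mu)))))
    limit, k, p = math.exp(-mu), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def make_providers(n=400, seed=7):
    """Rows of (domains hosted, web-application security factor score, phishing incidents)."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        size = rng.lognormvariate(6.0, 1.0)      # hosted domains, heavy-tailed like real markets
        score = rng.gauss(0.0, 1.0)              # stand-in for a standardised factor score
        mu = math.exp(TRUE_INTERCEPT + TRUE_SIZE * math.log(size) + TRUE_SCORE * score)
        rows.append((size, score, poisson_draw(rng, mu)))
    return rows

def design(rows, with_score):
    """Design matrix [1, log(size)] (+ [score]) and the response vector of incident counts."""
    X = [[1.0, math.log(size)] + ([score] if with_score else []) for size, score, _ in rows]
    return X, [count for _, _, count in rows]

def linear_predictor(X, beta):
    return [min(sum(b * x for b, x in zip(beta, row)), 700.0) for row in X]  # clamp: no exp overflow

def loglik(X, y, beta):
    """Poisson log-likelihood up to a constant: sum(y*eta - exp(eta))."""
    return sum(yi * eta - math.exp(eta) for yi, eta in zip(y, linear_predictor(X, beta)))

def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting (tiny systems only)."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * m for a, m in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def fit_poisson(X, y, iters=50, tol=1e-8):
    """Poisson regression with log link via Newton-Raphson, with step halving for safety."""
    k = len(X[0])
    beta = [math.log(max(sum(y) / len(y), 1e-9))] + [0.0] * (k - 1)  # start at the mean rate
    ll = loglik(X, y, beta)
    for _ in range(iters):
        mu = [math.exp(eta) for eta in linear_predictor(X, beta)]
        grad = [sum((yi - mi) * row[j] for yi, mi, row in zip(y, mu, X)) for j in range(k)]
        hess = [[sum(mi * row[j] * row[l] for mi, row in zip(mu, X)) for l in range(k)] for j in range(k)]
        step = solve(hess, grad)
        while True:  # halve the Newton step until the likelihood does not decrease
            cand = [b + s for b, s in zip(beta, step)]
            ll_cand = loglik(X, y, cand)
            if ll_cand >= ll or max(abs(s) for s in step) < tol:
                break
            step = [s / 2 for s in step]
        beta, ll = cand, ll_cand
        if max(abs(s) for s in step) < tol:
            break
    return beta

def deviance(X, y, beta):
    """Poisson deviance 2*sum(y*log(y/mu) - (y - mu)), with 0*log(0) taken as 0."""
    d = 0.0
    for yi, eta in zip(y, linear_predictor(X, beta)):
        mu = math.exp(eta)
        d += 2.0 * ((yi * math.log(yi / mu) if yi > 0 else 0.0) - (yi - mu))
    return d

def analyze(rows):
    """Return (full-model coefficients, pseudo R^2 of the score beyond size,
    expected incident ratio of a bottom-10% versus a top-10% scored provider of equal size)."""
    X_size, y = design(rows, with_score=False)
    X_full, _ = design(rows, with_score=True)
    b_size, b_full = fit_poisson(X_size, y), fit_poisson(X_full, y)
    pseudo_r2 = 1.0 - deviance(X_full, y, b_full) / deviance(X_size, y, b_size)
    scores = sorted(s for _, s, _ in rows)
    p10, p90 = scores[len(scores) // 10], scores[9 * len(scores) // 10]
    ratio = math.exp(b_full[2] * (p10 - p90))   # score at the 10th vs the 90th percentile
    return b_full, pseudo_r2, ratio

if __name__ == "__main__":
    beta, r2, ratio = analyze(make_providers())
    print("intercept=%.2f log(size)=%.2f score=%.2f  pseudo R^2=%.3f" % (beta[0], beta[1], beta[2], r2))
    print("bottom-10%% vs top-10%% scored provider: %.1fx more phishing incidents" % ratio)
```

Running the script recovers coefficients close to the assumed true model and reports a ratio of roughly four to five, which is the same shape of claim as the abstract's "4 times fewer phishing incidents". The pseudo R² here is computed against a size-only baseline rather than an intercept-only one, so it measures only what the factor score explains beyond provider size, mirroring the abstract's "after controlling for size"; on real data the factor scores would come from the exploratory factor analysis and the abuse counts from the phishing and malware feeds, not from the generator above.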
