Koby Menachemi's Instablog

Koby Menachemi
Koby Menachemi is Seeking Alpha's CTO and VP R&D. He is responsible for the smooth functioning of Seeking Alpha's website as its audience grows, and development of Seeking Alpha's Web 2.0 functionality, such as StockTalk and Instablogs. He joined Seeking Alpha in December 2006 as CTO, before...
  • SA Site Status Update, 8/23/09 13 comments
    Aug 23, 2009 12:04 PM
    UPDATE 3:15PM EDT: We're quite confident we've located the ad that is the source of the malware. We don't anticipate any further problems, but please alert us immediately at support@seekingalpha.com if you see anything suspicious. Thank you for your patience, and for helping us locate this problem.

    About 10 days ago, we received a few alerts from Seeking Alpha users expressing concern about a pop-up box they experienced on SA, alerting them to "harmful and malicious software" on their computers. We immediately asked security experts we work with to investigate the source of the popup and to assess the potential danger to our users. It became clear that this is a type of "scareware" that is essentially a false alarm designed to entice users to click on it, download an unwanted program that produces more false alarms, and eventually purchase anti-virus software. A similar (if not identical) piece of scareware is described by McAfee as "low risk" for both home and corporate users, but as we take the security of our site and our users extremely seriously, we immediately began investigating its source.

    Our initial search of our servers, databases and network showed no sign of hacking or malicious code. This led us to believe, as we continue to believe, that the source is outside our server base and connected to the ads we display.

    After receiving additional alerts from our users, therefore, last Wednesday (8/19) we removed all Google AdSense ads, as AdSense has less direct oversight than other ads we serve. When the alerts continued, we today decided to take the more radical step of removing all ads from our site. We're closely monitoring the site and user feedback to see if we can zero in on the source and remove it as quickly as possible.

    If you experience this malicious popup, please email us at support@seekingalpha.com with, ideally, a screenshot of the page from which the popup emerged.

    As we progress on diagnosing the source of the scareware, I'll update this blog.


Instablogs are blogs which are instantly set up and networked within the Seeking Alpha community. Instablog posts are not selected, edited or screened by Seeking Alpha editors, in contrast to contributors' articles.

Comments (13)
  • H. T. Love
    , contributor
    Comments (19437) | Send Message
     
    Thanks for the update. Although I'm not "expert", have you checked out the possibility of DNS cache poisoning or "man in the middle"?

     

    Both can be extremely difficult to spot because of the number of remote nodes that make up the path from any user to the server. All it takes is one of them to be corrupted to see what I've observed.

     

    IOW, you can't presume that it's the servers of the facilities which you contract. Although I can't state how likely what I mention above is, get your security consultants to think outside of the current box.

     

    One more possible clue: after I successfully get out of that malware loop and click the same link again, all operates normally. This implies that some type of "cookie" may be involved.

     

    I'll be glad to e-mail mine if you think it might help.

     

    HardToLove
    23 Aug 2009, 05:03 PM Reply Like
  • H. T. Love
    , contributor
    Comments (19437) | Send Message
     
    By the way, regardless of the "risk" assigned by the big software, when my wife's got infected, it made her computer unusable as the number of pop-ups overwhelmed all other processes.

     

    It took me several hours working on an O.S. I seldom touch (Windows) to get rid of it and make all good again.

     

    Thank you-know-who for *IX so we have a good alternative.

     

    HardToLove
    23 Aug 2009, 05:05 PM Reply Like
  • Koby Menachemi
    , contributor
    Comments (10) | Send Message
     
    Author’s reply » We are investing a lot of resources in securing our site. Together with that, the first things we've checked to be on the safe side were the security of the site and DNS cache poisoning (maybe you are not an expert but you sure talk like one ;-) and everything was clean (we used local DNS servers for this testing and we were able to reproduce this bad behavior)

     

    We are almost certain it's an ad issue as once we took all ads down we didn't get any more complaints... Then we've identified the bad ad and got confirmation from Google about it as well. I truly believe this will solve the issue but we will be smarter tomorrow after we bring all the ads back to the site ;-)

     

    On Aug 23 05:03 PM H. T. Love wrote:

     

    > Thanks for the update. Although I'm not "expert", have you checked
    > out the possibility of DNS cache poisoning or "man in the middle"?
    >
    >
    > Both can be extremely difficult to spot because of the number of
    > remote nodes that make up the path from any user to the server. All
    > it takes is one of them to be corrupted to see what I've observed.
    >
    >
    > IOW, you can't presume that it's the servers of the facilities which
    > you contract. Although I can't state how likely what I mention above
    > is, get your security consultants to think outside of the current
    > box.
    >
    > One more possible clue: after I successfully get out of that malware
    > loop and click the same link again, all operates normally. This implies
    > that some type of "cookie" may be involved.
    >
    > I'll be glad to e-mail mine if you think it might help.
    >
    > HardToLove
    23 Aug 2009, 06:22 PM Reply Like
  • H. T. Love
    , contributor
    Comments (19437) | Send Message
     
    On Aug 23 06:22 PM Koby Menachemi, CTO Seeking Alpha wrote:

     

    > We are investing a lot of resources in securing our site. Together
    > with that, the first things we've checked to be on the safe side
    > were the security of the site and DNS cache poisoning (maybe you
    > are not an expert but you sure talk like one ;-)

     

    In a past life I was in many areas of computer technology for decades. Eventually I lost the enthusiasm for the "profession", but not the technology. Result is I now consider myself "ex"+"spurt" (an old joke: "ex"=has been, "spurt"=drip under pressure :-))

     

    I don't try to keep up any longer with the details, but I do try to keep a good "overview".

     

    > and everything was
    > clean (we used local DNS servers for this testing and we were able
    > to reproduce this bad behavior)

     

    Outstanding! I had no doubt that SA was investing in security, but I also know that it is a never-ending battle and can sometimes be underfunded - bean counters run so many outfits these days and they don't always understand the hidden costs of *not* spending adequately on these issues.

     

    >
    > We are almost certain it's an ad issue as once we took all ads down we
    > didn't get any more complaints... Then we've identified the bad ad
    > and got confirmation from Google about it as well. I truly believe
    > this will solve the issue but we will be smarter tomorrow after we
    > bring all the ads back to the site ;-)

     

    Good work and thanks to you and your cohorts!

     

    By the way, in case the contributor coordinators didn't pass it on, I offer what limited assistance I can to help you beta test or whatever. Since I have the background I do, I am particularly understanding of the difficulty of supporting multiple platforms remotely.

     

    I run Linux (RHEL 4.8/5.3 and FF browser).

     

    HardToLove
    23 Aug 2009, 07:16 PM Reply Like
  • SA_Member_158117
    , contributor
    Comment (1) | Send Message
     
    Good work, Seeking Alpha Tech team!
    24 Aug 2009, 12:29 AM Reply Like
  • grin bakel
    , contributor
    Comments (6) | Send Message
     
    As one who contacted you, thanx for your quick responses and your sense of responsibility to your users. I cannot afford membership, but I will work to make up for that by constantly recommending your site, actually, by continuing to.....

     

    Grin Bakel
    25 Aug 2009, 03:13 PM Reply Like
  • Neil459
    , contributor
    Comments (2636) | Send Message
     
    Also, as one contacting you regarding this issue, thank you for the email followup. It's good to see SA out in the open and not running and hiding along with insisting there is no problem.
    25 Aug 2009, 03:21 PM Reply Like
  • tivoboy
    , contributor
    Comments (38) | Send Message
     
    Thanks for keeping us informed. I was one who sent this in, it was indeed "scareware", and nobody should have been infected, unless of course they clicked YES and let the installer run. Too bad it appears that some did just that.
    25 Aug 2009, 03:30 PM Reply Like
  • Barb
    , contributor
    Comments (9) | Send Message
     
    Thanks Seeking Alpha. It's good to be back.
    25 Aug 2009, 05:07 PM Reply Like
  • doubleguns
    , contributor
    Comments (9651) | Send Message
     
    Once you find those responsible for infecting the site please take them out and cane them.
    26 Aug 2009, 08:56 AM Reply Like
  • yellowhoard
    , contributor
    Comments (1500) | Send Message
     
    Second that Guns.

     

    I bet they don't have a problem with this crap in Singapore.
    26 Aug 2009, 09:08 AM Reply Like
  • Mayascribe
    , contributor
    Comments (11197) | Send Message
     
    I champion this website!

     

    Thanks for beating that scumbag.
    26 Aug 2009, 10:13 AM Reply Like
  • Ricard
    , contributor
    Comments (3814) | Send Message
     
    Thanks for taking care of this problem. I hope SA continues to provide a wide perspective on investing.
    1 Sep 2009, 12:45 AM Reply Like