Malicious Data From Trusted Companies

Last night, I received one of the typical malicious “you have a package waiting” spam messages at an email address that I have only used in one place, in this case at DynDNS.com. It included a link inviting me to print a shipping label, which of course leads to malware.

I logged into my DynDNS account with the intention of notifying support that they may have been breached, when I happened to stumble on some community forum posts indicating that others were experiencing the same thing. This in turn linked to an acknowledgement by the company that they were at least aware of the issue.

In this case, DynDNS believes that a business partner was responsible. Although we can never really know for sure, it does point out that your security depends on an entire ecosystem of trust. You trust the companies you do business with not to send you malicious data, and they extend the same trust to the companies they do business with. When a company hands customer data to a partner in exchange for some quantifiable business benefit, it also takes on liability for what that partner does with it, including the risk that the partner, or whoever compromises the partner, ends up sending malicious data to the company's own customers.

Tony Perez of Sucuri Security does a decent job explaining how external services can compromise the integrity of your web site. It’s not uncommon these days for major sites to deliver malicious data to their users by way of ad networks.

The one thing I see missing with DynDNS and others like them is an acknowledgement of responsibility. When a company chooses to place trust in a business partner, that doesn’t mean they are off the hook for security. The company needs to hold that partner accountable, as the customer should hold the business they are interacting with accountable. The responsibility and accountability have to end with someone, and in this case, it is DynDNS that is responsible for the breach of trust.

No one does security perfectly, but remember to vet your partners carefully. Think about what customer data you share with each business partner, and extend your incident response plan to cover the scenario where that partner is compromised, because ultimately you are the one accountable to your customers.
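The trick that made this incident attributable, an address used in exactly one place, is something a company can do deliberately for every partner it shares customer data with: seed each partner's feed with a unique canary mailbox, so that when a lure like the one above arrives you know whose data leaked. The following is an added example, not code from the original post or from DynDNS; the partner names, secret, domain and sample message are all constructed for illustration. The addresses are derived with an HMAC so that they are reproducible for you but not guessable or linkable by whoever ends up holding the leaked list.

```python
"""Per-partner canary addresses for attributing a data leak to the partner that lost it."""
import email
import hashlib
import hmac
from email import policy
from email.utils import getaddresses

# Constructed values for this example (hypothetical partners, not from the post).
# The secret must never travel with the data you hand to partners.
CANARY_SECRET = b"rotate-me-and-keep-me-out-of-the-partner-feed"
CANARY_DOMAIN = "canary.example.com"
PARTNERS = ("shipping-partner", "marketing-partner", "analytics-partner")


def canary_address(partner: str, secret: bytes = CANARY_SECRET, domain: str = CANARY_DOMAIN) -> str:
    """Derive a unique, unguessable mailbox for one partner.

    HMAC keeps the mapping reproducible for us and opaque to anyone who only
    sees the address: a leaked canary cannot be turned back into the partner
    name, and knowing one canary reveals nothing about the others.
    """
    tag = hmac.new(secret, partner.encode(), hashlib.sha256).hexdigest()[:16]
    return f"cust-{tag}@{domain}"


def build_registry(partners=PARTNERS) -> dict:
    """Map each canary address back to the partner whose feed it was seeded into."""
    return {canary_address(p): p for p in partners}


def recipients_of(raw: bytes) -> list:
    """Return every recipient address (lowercased) from the headers a spammer
    or a mail server is likely to have filled in."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    values = []
    for hdr in ("to", "cc", "delivered-to", "envelope-to", "x-original-to"):
        values.extend(str(v) for v in msg.get_all(hdr, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def attribute_message(raw: bytes, registry: dict):
    """Return the partner whose canary received this message, or None if no
    canary is among the recipients (the leak came from somewhere else)."""
    for addr in recipients_of(raw):
        if addr in registry:
            return registry[addr]
    return None


REGISTRY = build_registry()

# Constructed sample message modelled on the "package waiting" lure in the post;
# it was sent to the canary seeded into the shipping partner's data.
SAMPLE_SPAM = (
    b"From: Parcel Service <notice@example.invalid>\r\n"
    b"To: " + canary_address("shipping-partner").encode() + b"\r\n"
    b"Subject: You have a package waiting\r\n"
    b"\r\n"
    b"Print your shipping label: http://example.invalid/label\r\n"
)

if __name__ == "__main__":
    print(attribute_message(SAMPLE_SPAM, REGISTRY))  # shipping-partner
```

In practice the canary mailboxes are real, monitored inboxes, and a hit is what should trigger the partner-compromise branch of the incident response plan: notify the partner, pull or rotate the data you shared, and warn the affected customers before the first of them prints the "shipping label".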

Posted in Incident Response, Risk Management