Real security researchers disclose responsibly
As I write this column, one of the bigger IT security vendors is recovering from being on the wrong end of a security news story.
Rather than explaining why we should be using its Internet Security Suite, Kaspersky has had to explain how hackers managed to put a link on its own website that led visitors to a rogue antivirus download.
Although this hacked link stayed in place for only around three-and-a-half hours, the security giant chose not to make any announcement on the website to warn customers of the breach.
Kaspersky’s UK managing director Malcolm Tuck told PC Pro’s sister title IT PRO that such a warning would have “caused panic and confusion”, and they didn’t feel the need to go public since it wouldn’t have benefited anyone.
I’m going to have to disagree with him there. The crisis was dealt with relatively quickly: the infected server was taken offline within ten minutes of Kaspersky becoming aware of it, and the company has now contacted everyone known to have been affected with advice and support. However, to suggest that this makes everything okay is nonsense.
Three-and-a-half hours is actually quite a long time for visitors to be exposed to a live threat when we’re talking about a website as busy as Kaspersky’s. Going public with an official statement and warning would have benefited any visitors to the site who may have worried that their security had been compromised.
There’s far more likelihood of panic and confusion if news of such a breach becomes public via the media rather than the company. This “no benefit” excuse for failing to issue an official warning needs to be looked at in reverse: it’s the company that benefits by not issuing a public warning, in the hope that the problem might slip by unnoticed and thus limit damage to its reputation.
I’ve said it before and I’ll say it again: disclosure is a two-way affair, which when executed properly benefits everyone, including the victim.
I’m more likely to trust a security company that’s open about such matters than one that takes the closed, non-disclosure approach. In this case the problem was fixed quickly, so Kaspersky could easily have spun it into a “speedy response” claim, along with a warning that even those in the security business need to remain vigilant at all times.
This attack could have had immediate and dangerous consequences for visitors who clicked the hacked link, and given that the victim of the breach was a trusted security vendor, the only acceptable approach was to be honest and fully transparent.
Anything less, as Kaspersky no doubt learned during the aftermath, risks making you look as though you care more for your brand reputation than your customers’ peace of mind.
Although the full facts of this affair will have to wait for a detailed investigation, it appears that a vulnerability in a third-party application used for website administration was exploited to insert the rogue antivirus link.
That’s interesting because just a day or two before Kaspersky fell victim to the hacking, a contact of mine in the PR business posed me this equally interesting question: “Is there any risk posed by third-party analytics being run on secure pages?”