Hi propheticus,
Sometimes I see these postings come up later in search results for webmasters with similar website issues. So there might be a purpose, how limited this may seem. Preaching to the choir, mainly. Maybe it is for a few aware readers and to keep an eye on weak and strong avast! detection patterns. Yes avast also has weak blind spots, especially in the Brazilian malcode theater. So my intention is to keep feeling avast"s detection pulse mainly and gain insight while doing so.
The big question remains how to reach the unknown ignorant webmaster? How to wake up the Rip van Winkles.
If only they would update and patch their CMS and saw to it/demanded that the servers that their websites ran on had the right configuration and were decently hardened to withstand instantaneous infestation, we would have gained so much. Reality teaches another story!
Secondly if we could convince software coders to code better with security in mind, this would help. This awareness has started but too little and too late!
Why webmasters for instance still go for free themes and plug-ins with vulnerabilities galore?
When we look at the overall security situation on the Internet a large part of it should rather be closed down as being unfit for secure surfing. That is a hard thing to say, but it is the truth! A lot of users are “happy go click” folks without any awareness to pre-scan unknown links.
Only a small educated faction click inside browser with decent protection like a script blocking extension, adblocking extension (essential along common av protection now), and with a lesser chance on infections because they have their software fully patched and updated and uninstalled Java for instance when they do not need that. I guess the safehex community to stand at a mere 10% of the Internet population now.
For website security the situation is likewise abominable. Most websites spread excessive header info to the globe and malicious attackers/bots to such an extent that attackers only have to look up an exploit to grant them a successful attack and turn the decent webmaster into a malcode spreading villain. Loads of sites are vulnerable to click-jacking, SEO Spam etc. etc. See my postings .
And then we haven’t discussed javascript obfuscated injections, conditional redirects etc, etc, Furthermore the situation was not helped by the constant downgrading of website security and encryption standards by the forces behind the ongoing total surveillance grid as we learned through recent revelations, where governments and big corporations played hand in foot for whatever reasons they should have.
I am an adept of folks like the late f.ravia (reverse engineer and later into “searchlores”), Richard Stallman and security developer and ex-hacker Giorgio Maone, the developer of NoScript extension.
The question is how to reach the security ignorants. Go with the flow and only preach to the choir.
The only places where I read about website security is on Google documentation, via snort messages also going round in a particularly small circle centered around an expert like GMane and a few more distant corners of the web.
There are a few people out there that are “propheticus in the desert”, but what has it brought for the ignorant online masses - not a mere wrinkle on the endless World Wide Interwebs. ;D .
Damian