In the era of large-scale internet scanning, misconfigured websites are a frequent cause of data leaks and security incidents. Previous research has investigated sending automated email notifications to operators of insecure or compromised websites, but has often met with limited success due to challenges in address data quality, spam filtering, and operator distrust and disinterest. While several studies have investigated the design and phrasing of notification emails in a bid to increase their effectiveness, the use of other contact channels has remained almost completely unexplored due to the required effort and cost. In this paper, we investigate two methods to increase notification success: the use of letters as an alternative delivery medium, and the description of attack scenarios to incentivize remediation. We evaluate these factors as part of a notification campaign utilizing manually-collected address information from 1359 German website operators and focusing on unintentional information leaks from web servers. We find that manually collected addresses lead to large increases in delivery rates compared to previous work, and letters were markedly more effective than emails, increasing remediation rates by up to 25 percentage points. Counterintuitively, providing detailed descriptions of possible attacks can actually *decrease* remediation rates, highlighting the need for more research into how notifications are perceived by recipients.