Article 72K48 How Do We Hold Companies Accountable for "Do as I Say, Not as I Do" Security Practices?


by janrinok from SoylentNews on (#72K48)

An Anonymous Coward writes:

When an associate of mine accessed their personal email account on their work computer, they opened an email from a friend purporting to be an invitation to a holiday party, and it contained a link that it claimed was to RSVP. In fact, the link was to a malicious MSI file hosted on Cloudflare's r2.dev service. Not knowing what an MSI file was, the associate ran the file and installed an instance of ConnectWise's ScreenConnect software operated by an attacker. The attacker promptly took control of the associate's computer for a couple of minutes before the associate wisely powered the computer off. Sure, the obvious answers are that people shouldn't click on suspicious links in emails they weren't expecting, even if they come from a friend or trusted colleague, and that they really shouldn't use work computers for personal tasks and vice versa. But this incident also revealed troubling concerns about how some large companies like Cloudflare have double standards about security.

The neighbor's computer was compromised by the same attacker, who accessed their Gmail account and apparently sent a single phishing email with the entire contact list as Bcc recipients. This was probably a large number of contacts, and it really should have been automatically flagged by Google as a potential spam email. A reasonable approach might be to delay sending the email until the sender confirms they really intended to Bcc a large number of people on a potentially suspicious email. The sender would then get a notification on their phone asking to confirm whether they really intended to send a mass email, which they could either confirm or reject. Google is keen to push multi-factor authentication and require that users associate phone numbers with their accounts, so it seems like this might be a rational approach for outbound emails that ought to be flagged as suspicious.

But I'm more frustrated with Cloudflare, who seems to act as a gatekeeper for many websites, arbitrarily blocking browsers and locking people out of websites, especially for the dastardly crime of using a non-Chromium browser like Palemoon. The malicious file was hosted on r2.dev, which is a cloud-based object storage system. Although the actual file might not trip malware scanners because ScreenConnect has legitimate purposes, R2 storage buckets and Cloudflare's other hosting services are also often used to host malware and phishing content. This is probably because Cloudflare has a free tier and is easy to use, making them a good tool for attackers to abuse. One of the logical actions I took was to try to report the malicious content to Cloudflare so they would take it down. They encourage reporting of abuse through an online reporting form. The first time I accessed the abuse reporting form, it was blank. I reloaded the page, and Cloudflare informed me that I had been blocked from accessing their abuse reporting page. The irony here is that Cloudflare has arbitrarily blocked me for no apparent reason, as if I am malicious, preventing me from reporting actual malicious content being hosted on their platform.

The problem here is that large companies like Google and Cloudflare have positioned themselves as gatekeepers of the internet, demanding that users conform to their security standards while themselves not taking reasonable steps to prevent attacks originating from their own platforms. In the case of Google, reCaptcha is mostly security theatre, making users jump through hoops to prove they're not malicious while harvesting data that can be used for tracking users through browser fingerprinting. As for Cloudflare, they use methods like blocking browsers with low market share, supposedly in the name of blocking malicious traffic. The hypocrisy is very blatant when Cloudflare's arbitrary and opaque blocking prevents users from reporting actual malicious content hosted by Cloudflare itself. Unfortunately, this doesn't seem particularly uncommon.

It's becoming increasingly difficult not to see companies like Google and Cloudflare as bad actors. In the case of Cloudflare, I finally sent complaints to their abuse@ and noc@ email addresses, but I expect little will be done to actually address the problem. How do we demand accountability from companies that act as gatekeepers of the internet and treat ordinary users like potential criminals while doing little to prevent their own platforms from being vectors for abuse? In this case, is the best solution to complain to a government agency like the state attorney general, state that the malware may have caused harm, and that Cloudflare has made it next to impossible to get the content taken down?
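Editor's note: the submitter proposes that an outbound mail provider should hold a message for sender confirmation when a compromised account suddenly Bccs its whole contact list with a suspicious lure. The following is an added example of what such an outbound gate could look like; it is not the submitter's code and not Google's or anyone else's actual policy. The thresholds, the executable-extension list, the sample addresses and the `pub-...r2.dev` bucket name are all assumptions chosen for the example. It uses the one fact the incident gives us, that the payload was a .msi staged on Cloudflare's r2.dev, and the fact that Bcc recipients exist only in the SMTP envelope, never in the relayed headers, so the hidden recipient count is envelope minus To/Cc.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Thresholds and lists are assumptions for this example, not any provider's real policy.
MASS_BCC_THRESHOLD = 25   # hold when this many recipients are hidden AND the content is risky
HARD_BCC_LIMIT = 200      # hold regardless of content above this many hidden recipients
EXECUTABLE_EXTENSIONS = {".msi", ".exe", ".scr", ".js", ".vbs", ".bat", ".ps1", ".hta"}
# Public object-storage hosts that are trivially abusable for payload staging.
# r2.dev is the one named in the incident; extend for your own environment.
STAGING_DOMAINS = {"r2.dev"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def message_text(msg) -> str:
    """Concatenate the text/plain and text/html bodies, handling multipart mail."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def header_recipients(msg) -> set[str]:
    """Addresses visible in To/Cc; Bcc is never present in the relayed headers."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in addrs if addr}


def host_matches(host: str, domains) -> bool:
    """True if host equals or is a subdomain of any listed domain (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def link_risks(url: str) -> list[str]:
    p = urlparse(url)
    risks = []
    if any(p.path.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        risks.append(f"links directly to an executable: {url}")
    if host_matches(p.hostname or "", STAGING_DOMAINS):
        risks.append(f"payload staged on public object storage: {p.hostname}")
    return risks


def assess_outbound(raw_message: str, envelope_recipients: list[str]) -> dict:
    """Decide whether to deliver, or hold for sender confirmation, an outbound message.

    Hidden (Bcc) recipients = envelope RCPT TO set minus the To/Cc header set.
    """
    msg = message_from_string(raw_message)
    hidden = {r.lower() for r in envelope_recipients} - header_recipients(msg)
    reasons = []
    for url in URL_RE.findall(message_text(msg)):
        reasons.extend(link_risks(url))
    if len(hidden) >= HARD_BCC_LIMIT:
        reasons.append(f"{len(hidden)} hidden recipients exceeds hard limit")
        decision = "hold"
    elif len(hidden) >= MASS_BCC_THRESHOLD and reasons:
        reasons.append(f"{len(hidden)} hidden recipients on a message with risky links")
        decision = "hold"
    else:
        decision = "deliver"
    return {"decision": decision, "hidden_recipients": len(hidden), "reasons": reasons}


# Constructed sample resembling the incident: a compromised account sends one
# "holiday party" lure to its whole contact list via Bcc. Bucket name and
# addresses are made up for this example.
LURE = """From: friend@example.com
To: friend@example.com
Subject: Holiday party - please RSVP!
Content-Type: text/plain; charset=utf-8

Hope you can make it! RSVP here:
https://pub-0123456789abcdef.r2.dev/Holiday_Party_RSVP.msi
"""
LURE_ENVELOPE = ["friend@example.com"] + [f"contact{i}@example.org" for i in range(40)]

# Constructed benign message: few recipients, ordinary link.
BENIGN = """From: friend@example.com
To: alice@example.org, bob@example.org
Subject: Photos from Saturday
Content-Type: text/plain; charset=utf-8

Album is here: https://photos.example.com/album/2024-12
"""
BENIGN_ENVELOPE = ["alice@example.org", "bob@example.org"]

if __name__ == "__main__":
    for name, raw, env in (("lure", LURE, LURE_ENVELOPE), ("benign", BENIGN, BENIGN_ENVELOPE)):
        print(name, assess_outbound(raw, env))
```

The gate only holds on the combination of a mass hidden send and risky content (or an absurd recipient count), which keeps false positives on legitimate newsletters low while still catching the "one lure to every contact" pattern described above; a held message is what would trigger the phone confirmation the submitter suggests.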
