Tuesday, April 19, 2016

Ad Where?

   The first website debuted on Dec. 20, 1990 at CERN in Switzerland.  And less than four years later, the first banner ad.  The idea was simple... if people are reading information on a website, why not hit them with an ad?  Media has traditionally been either for-pay or ad-supported and the model for the web included that.  Of course, back then people had no idea the extent to which other screens like laptops, tablets and smartphones, and binge-watching would displace traditional TV watching.

   And shortly after website ads arrived, so did the malware. Ad-ware, also called "malvertising", was born.

   There are a few different ways website ads can cause problems:
  • virus code in the ad itself - so clicking on the ad downloads or executes the malware
  • malicious code that executes based on a mouse action - such as clicking on a Flash animation or even just moving your mouse over an ad (called a "drive-by download")
  • a link in the ad brings you to a different page that can have malware, asks for personal information or exploits your browser to grab information from another tab (kind of like phishing)

   You may ask... why would someone allow a virus in an ad on their site?  That's a great question.  The issue is that most sites don't have a direct relationship with the people creating the ads.  The way it typically works is that sites sell space on their pages to ad brokers, who resell that space either to someone wanting to place an ad, or even to other ad brokers.  And often the ads rotate.  It becomes pretty easy for crooks to insert malware into these ad spaces without detection.

   This led to the creation of ad blockers.  These are programs that work in your browser to block content from the 3rd party ad brokers.  There was a big controversy about this in 2015.  On one hand, websites that offer free content need to have a way to monetize.  On the other hand, web and banner ads are annoying, collect our information, and can contain malware.  Some businesses block ads on corporate systems as a way to cut down on malware... and it works.
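
   How a blocker of this kind decides what to load, as an added example (not code from this blog or from any real ad blocker): a request is blocked when it goes to a third-party host that appears on a blocklist.  The domain names, the function names and the two-label `siteOf` shortcut are assumptions made for the illustration.

```javascript
// Constructed blocklist using reserved .example names (not real ad brokers).
const BLOCKED_AD_DOMAINS = new Set(["adbroker.example", "resold-ads.example"]);

// Crude "site" of a host: its last two DNS labels. This is an assumption for
// the example; real blockers consult the Public Suffix List (co.uk etc.).
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// True when hostname is a listed domain or a subdomain of one. Matching is
// done on whole labels, so "notadbroker.example" does not match
// "adbroker.example" the way a plain substring test would.
function onBlocklist(hostname, blocklist) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (blocklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Decide what to do with one request made while rendering pageUrl.
function decide(pageUrl, requestUrl, blocklist = BLOCKED_AD_DOMAINS) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl, pageUrl); // relative URLs resolve against the page
  } catch {
    return "block"; // unparseable URL: fail closed
  }
  // First-party content (the site's own images, scripts) always loads.
  if (siteOf(req.hostname) === siteOf(page.hostname)) return "allow";
  // Third-party content loads unless its host is on the blocklist.
  return onBlocklist(req.hostname, blocklist) ? "block" : "allow";
}

// Constructed requests for a page on a fictional news site.
const PAGE = "https://www.news.example/story";
for (const url of [
  "/img/logo.png",
  "https://static.news.example/app.js",
  "https://cdn.adbroker.example/banner.js",
  "https://notadbroker.example/widget.js",
]) {
  console.log(decide(PAGE, url), url);
}
```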

   To fight back, some sites block people who block ads!

   And that's where things get interesting.

   Let's look at Forbes.com, for example.  Many websites simply show their ads along with each page.  If the ads are blocked, then those parts of the pages just don't load, or show a broken image icon.  But when you go to the Forbes website, you first see a welcome page that counts down until you can click to the main page.  While that is happening, the page loads hundreds of those 3rd party ad sites.

   And earlier this year, the Forbes site was serving malware through ads!

   So there's the bind... allow sites to display their ads, including those full sites that only display if ads are allowed; or open the enterprise to malware!

   But shouldn't the responsibility for this malware be with the website that displays the ads?  Shouldn't they test to make sure there isn't executable code in those ads?  I think so.

   I also understand that sites display content that is worth something and they deserve to be compensated.

   There are some compromises.  Some sites ask you to register to see additional content.  You are "paying" by providing information about yourself that they can sell.  Some sites charge nominal subscription fees (some sites charge high subscription fees!).

   There is perhaps some middle ground with Google Contributor.  With this consumer service you pay a nominal monthly fee.  Then Google distributes that to sites based upon your usage patterns.

   What are your thoughts?  Is there a middle ground?  Should consumers have to pay for content?  Do we need to be bombarded with ads?  And who should be responsible when sites serve up malware or malicious links?

Tuesday, April 5, 2016

It's Not If, but When

   Have you heard???  2015 was the "Year of the Breach".  Of course, 2014 was the year of the breach.  And, 2013 was the year of the breach.

   2016 is shaping up to be quite a year as well.

   Of course, when we talk about breaches, we're usually talking about someone "stealing" data.  It's not actually "stolen" because you still have it.  It's more accurate to say that in a breach the data is exfiltrated.  This is also called an attack on the confidentiality of the data.

   In security, we talk about the C-I-A triangle, Confidentiality, Integrity and Availability.  Confidentiality is about the secrecy of data.  Integrity is about the accuracy of data.  Availability is about being able to properly access data when it's needed.  A well-rounded security program needs to consider all these aspects.

   What is somewhat different this year is the crypto-/ransom-ware attacks.  In these cases, the attack is a virus that typically gets in as an email attachment.  Someone opens the attachment and the virus executes.  It finds files in network shared directories and encrypts them.  Now, encryption is often a good thing, but that's when you (or your organization) have the decryption key.  In a crypto-ware attack, only the attacker has the key.  That's a problem.  It becomes ransom-ware when the attacker offers to provide the key for a "small" consulting fee, usually paid via the anonymous crypto-currency, bitcoin.

   These are basically attacks on the availability of data.  We've seen instances of hospitals or other organizations temporarily shutting down as a result.  These could also be considered attacks on the integrity of the data - though I think we have not yet seen the real integrity attacks... and they are coming.