Category: Data security

Beware of fake posts and online scams relating to the Nepal earthquake

Previous coverage

Malaysia Airlines air disaster – another event bringing out the online scams

My Comments

Just lately, a disaster that has affected many people has occurred with many casualties in the form of the Nepal earthquake.

But what follows on the tail of these disasters is an avalanche of spam email and flaky social-media posts that claim to offer extra insight or paths to assistance for people touched by these events, along with scams posing as charity appeals to aid the victims of this earthquake. It is something I have drawn attention to previously when the Malaysia Airlines MH370 air disaster drew out these scams, and am drawing attention to again in relation to the latest earthquake. These links lead you to malware or to pages that harvest your personal or financial details, so in these situations it pays to think before you click on that link so you stay safe on the Net.

Check for legitimate resources that offer information about your relatives’ or friends’ wellbeing and some of these could include Nepalese consulates in your area, the Red Cross or similar services and work with them “from the horse’s mouth”. That means to deal with official websites that are known to the public and are usually published by the media as part of their coverage on the issue.

Facebook does offer a legitimate Safety Check service which comes into play during civil emergencies. It identifies whether a person is in an affected geographical area and lets them mark themselves as safe, and that status then appears in their Facebook Friends’ News Feed, so a concerned relative or friend can check the News Feed for it. But be careful of any “fake friends” that appear around the time of this disaster, and question any post from a friend of yours who isn’t known to be in the area but whose post looks out of order.

As for charity appeals, most of the media provide information about legitimate fundraising efforts that are taking place so you don’t get fleeced easily.

What to do is to be aware and careful with using the Internet to find details about who is affected by a major event and check with trusted resources.

Being careful about online marketplaces

Online marketplaces can be used to sell houses,

Increasingly, the Internet is becoming full of sites where you can advertise items for sale or swap. These range from online-auction sites like eBay, through “online-classifieds” sites like Craigslist, Gumtree or Le Bon Coin, to online car-sales or house-sales directories like Carsales.com.

…cars including classic cars ….

A problem that can easily happen with these sites is where someone uses various forms of fraud or trickery to scam you out of your money or to misrepresent the goods being sold to you. This applies whether you are the buyer or the seller of the goods concerned. A friend whom I go to church with passed on an email about a bad experience that someone he knew had when he sold a vehicle on Carsales.com.

Deal with the site directly

… or boats

As you manage your interactions with these online marketplaces, use the same cautions as would be expected for online banking and broking. Here, you need to be suspicious of phishing approaches and interact with the site using its known Web address. This is a good time to add the online marketplace to your browser’s Favourites or Bookmarks, or to create an operating-system link (available on the Desktop) to the marketplace.

It is also a good habit to monitor the ad on the Website to make sure it hasn’t been modified by anyone but you if you are selling the goods in question. This is important in relationship to the price of the item being sold.

eBay – one of the most common online marketplaces

As well, deal with your email service in a cautious manner. Here, if you use a Webmail service, log in to the Webmail service by starting a Web browser and logging in using its Web address or coming in to the service using an entry point that you preset for it.

Settle the transaction in a traceable manner

As you settle the transaction, make sure you use a payment system like PayPal where the payments can be traced and you can reverse the transaction if there are questions about the goods. This is more important if the goods aren’t being handed over in person.

Craig(s)List – the popular online-classifieds Website

As well, deal with the payment system “at the horse’s mouth” when following up the transaction by using the system’s Web site. This is important when you are dealing with high-value goods.

Beware of transaction values that are way over or under the odds

Transactions that are way “off the beam” should ring alarm bells. This is important whether you are a buyer or seller, because a person who is offering well over the odds for something you sell may be engaging in a fraudulent transaction. Similarly, goods advertised well below their expected value may have many questions about their provenance or condition.

Research the goods you buy

When you are buying goods through an online marketplace, make sure you know about the goods you intend to buy so you can make an informed decision. This may involve researching the Web generally about the item, dealing with online forums specific to the kind of item being sold or simply talking with one or more people who are knowledgeable about the goods.

In the case of vehicles, watercraft and aircraft, find out their fair market value through resources like the Red Book (Australia, New Zealand or Asia Pacific), Kelly Blue Book or NADAGuides in the US, or Parkers Guides in the UK. If you are dealing with a “classic”, it may be worth contacting a club associated with that marque or model, or browsing through a magazine dedicated to those cars like Hemmings to assess the real value of them.

As well, use resources like CarFacts (Australia) or Autocheck to verify if the car has been stolen or written off, or if there are debts outstanding on it. In some cases such as a car that was just privately imported, you may have to use similar resources based in a country other than your own as well as your own country.

Making contact with the other party

Try to make contact with the other party at least through the online marketplace’s enquiry system so you can exchange more details about the goods that are the subject of the transaction. It is also a better idea to make a telephone call with each other so you can be sure you are dealing with a real person. Sometimes making a Skype or Viber videocall can work wonders so you can see whom you are dealing with and you can have them show you the item in question.

For high-value items like vehicles or boats, make sure you can see the item in person. This is to verify the goods are genuine and you can assess its condition properly. This also includes being able to take the vehicle for a test-drive to put it through its paces. In the case of vehicles especially when one is buying their first car, I have always advised bringing one or more friends along when seeing the seller and the vehicle in order to obtain a better opinion about the vehicle.

What is social sign-on?

Spotify login screen with option to login using Facebook

A trend that is being associated with online services or applications is to provide “social sign-on” for new and existing users of these services. This is based around the concept of single sign-on where you use one set of credentials verified by one service to authenticate with one or more other services. This time, the credential pool that is used for authenticating users is your membership with a social network like Facebook or Twitter. The expression is sometimes extended to cover other authentication-data pools like Microsoft’s authentication services associated with Outlook.com/Hotmail, Windows 8 or XBox; or Google’s authentication services used for GMail and YouTube.

TripAdvisor webpage with social sign-on and personalisation from Facebook

In a social sign-on arrangement, your credentials are held and tested at the social-network’s servers and both the online service and the social network create a unique “token” or “key” to link and authenticate your presence on these services. The common methods that these services use are based around the OAuth or OpenID protocols used for single sign-on across multiple services.

Social sign-on concept diagram – relationship between the social network and online service

As well, your social attributes (name, birthdate, etc) that you have stored on the social network’s servers would be copied into your account on the online service when this account is being provisioned. You will know about this when your social network pops up a screen asking you whether to allow the online service to gain access to your details held at the social network.
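The token exchange and consent screen described above, written out as an added example (this is illustrative code, not any social network’s or online service’s real API). It models the OAuth-style authorization-code flow: the social network (“SocialNetwork”) checks the user and shows consent, the online service (“OnlineService”) ties the callback to the browser session with a random state value, exchanges the one-time code for an access token, and provisions a local account holding only the attributes the user consented to. The client id “tripplanner”, the example.test addresses and the user record for “alice” are constructed for the example; treating attribute names directly as scope names is a simplification.

```python
import hashlib
import secrets

# Constructed social-network user record; attribute names double as scope names here
# (a simplification: real providers map scopes such as "email" to sets of claims).
IDP_USERS = {
    "alice": {"name": "Alice Example", "email": "alice@example.test", "birthdate": "1990-01-01"},
}


class SocialNetwork:
    """Identity-provider side: checks credentials, shows consent, issues codes and tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # one-time authorization codes and what they are bound to
        self.tokens = {}   # access_token -> {"sub": ..., "scopes": [...]}

    def register_client(self, client_id, redirect_uri):
        secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (secret, redirect_uri)
        return secret

    def authorize(self, client_id, redirect_uri, scopes, state, user, consented):
        """The consent screen: only scopes the user approved are bound to the code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": user, "client_id": client_id, "redirect_uri": redirect_uri,
                            "scopes": [s for s in scopes if s in consented]}
        return {"code": code, "state": state}  # what the browser carries back to the service

    def token(self, client_id, client_secret, code, redirect_uri):
        secret, _ = self.clients[client_id]
        if not secrets.compare_digest(secret, client_secret):
            raise PermissionError("bad client secret")
        grant = self.codes.pop(code, None)  # single use: a replayed code fails
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid, reused or mis-bound code")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"sub": grant["sub"], "scopes": grant["scopes"]}
        return access

    def userinfo(self, access_token):
        info = self.tokens[access_token]
        profile = IDP_USERS[info["sub"]]
        # A stable subject id plus only the consented attributes
        return {"sub": info["sub"], **{k: v for k, v in profile.items() if k in info["scopes"]}}


class OnlineService:
    """Relying-party side: starts a login, validates the callback, provisions the account."""

    def __init__(self, idp, client_id, redirect_uri):
        self.idp, self.client_id, self.redirect_uri = idp, client_id, redirect_uri
        self.client_secret = idp.register_client(client_id, redirect_uri)
        self.pending_states = set()
        self.accounts = {}  # local account id -> attributes copied at provisioning

    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the callback to this browser session
        self.pending_states.add(state)
        return state

    def callback(self, params):
        if params.get("state") not in self.pending_states:
            raise PermissionError("callback state was not issued by us")
        self.pending_states.discard(params["state"])
        access = self.idp.token(self.client_id, self.client_secret, params["code"], self.redirect_uri)
        attrs = self.idp.userinfo(access)
        # Local id derived from provider + subject, so the token itself is never the account key
        local_id = hashlib.sha256(f"idp:{attrs['sub']}".encode()).hexdigest()[:16]
        self.accounts[local_id] = {k: v for k, v in attrs.items() if k != "sub"}
        return local_id


CLIENT, REDIRECT = "tripplanner", "https://tripplanner.example/callback"


def run_social_login(consented):
    """Whole exchange for user 'alice'; returns the attributes the service ended up holding."""
    idp = SocialNetwork()
    svc = OnlineService(idp, CLIENT, REDIRECT)
    state = svc.start_login()
    redirect = idp.authorize(CLIENT, REDIRECT, ["name", "email", "birthdate"], state, "alice", consented)
    return svc.accounts[svc.callback(redirect)]


def forged_callback_rejected():
    """A callback carrying a state value the service never issued must be refused."""
    idp = SocialNetwork()
    svc = OnlineService(idp, CLIENT, REDIRECT)
    svc.start_login()
    try:
        svc.callback({"code": "anything", "state": "not-ours"})
    except PermissionError:
        return True
    return False


def replayed_code_rejected():
    """An authorization code already exchanged once is refused the second time."""
    idp = SocialNetwork()
    svc = OnlineService(idp, CLIENT, REDIRECT)
    redirect = idp.authorize(CLIENT, REDIRECT, ["name"], svc.start_login(), "alice", ["name"])
    svc.callback(redirect)
    try:
        idp.token(CLIENT, svc.client_secret, redirect["code"], REDIRECT)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_social_login(["name", "email"]))  # birthdate was not consented, so it is not copied
```

The two checks worth noticing from a security standpoint are the state comparison in `callback` (a forged or injected callback fails before any token is requested) and the single-use, client-and-redirect-bound code in `token`. Consent is enforced at the provider: the service only ever sees the attributes the user approved.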

Advantages

There are some key advantages with using a social sign-on setup.

One is a simplified provisioning process for your online service, without the need to key in the same data across multiple services. It also includes use of a pre-authenticated email address, which is considered of high value with forums, commenting facilities and the like because most social networks, especially Facebook, Google and Microsoft, implement strong measures to combat fraudulent identities.

We also benefit because there are fewer sets of credentials to remember. As well, if a social network implements improved user-security measures like multifactor authentication or “trusted-device” operation, this flows on to the online service we use.

Some of the online services also can provide a personalised experience such as granting you birthday wishes on your birthday, including making those “special birthdays” such as the “big zeros” or the 21sts highly special.

Disadvantages

The disadvantages that can occur include weak links in the authentication protocols and a total dependence on access to and the security of a particular social-network account.

This also encompasses situations where a workplace or school may implement measures to shut out access to social networks in the name of productivity or an oppressive regime may shut out access to the popular social networks to curtail free speech. This can limit access to the online service because of its dependence on the social network.

How can it be operated properly

To assure users of their privacy, a social sign-on setup needs to identify any attributes that it is obtaining from a social network and obtain the user’s consent before it collects them. As well, the login procedure should allow one to create a login that is independent of a social network, whether in conjunction with a social-network presence or not.

Similarly, the concept of social sign-on could be exploited by social networks and other authentication services to support simple-but-secure login for living-room applications. This is, from my experience, something that needs to be worked on because such devices require a lot of “pick-and-choose” data entry using a remote control’s D-pad to enter user credentials for online services. As well, many different users are likely to use the same living-room device.

Removing Superfish from your Lenovo computer

Article

Removing Superfish from this Lenovo laptop

Lenovo offers tool to remove hidden adware ‘Superfish’ | BBC News

From the horse’s mouth

Lenovo Support

Advisory page with list of affected laptops

Removal-tool download (Run or copy to “toolbox” USB memory key)

Removal Instructions

My Comments and Instructions

If you bought a Lenovo computer through 2014 that was positioned at consumers like the G50-70 or the Yoga 2 Pro, you may have had Superfish’s Visual Discovery software installed on it. This is part of a common practice especially with consumer and small-business computers where they become loaded with software you most likely don’t really want.

Here, the variant of Visual Discovery, which is meant to be an enhanced “machine+Internet” search tool, has been behaving like adware. It has even been jeopardising the security of your SSL-based secure-browsing sessions by installing its own certificate in your computer’s trusted root store, which is why it has been highlighted as a software-driven client-side “man-in-the-middle” security threat that can intercept data passing through your computer.

But you can remove the software from your G50-70, Yoga 2 Pro or other Lenovo laptop, using a very similar practice to what I have done with a lot of adware that ends up on people’s computers.

Lenovo offers a single-purpose download to remove the Superfish software but if you have the patience to work through Windows to “root it out” or a computer-literate relative or friend can do this for you, here are the instructions which I have paraphrased from their Website.

Remove Superfish software

  1. In Windows 8.1, use the Search Charm in the Modern View to search “remove programs”, then select “Add Or Remove Programs”. Alternatively, right-click on the Windows icon on the Taskbar and select Programs And Features.
  2. Hunt for “Superfish Inc. Visual Discovery” and uninstall it by clicking the Uninstall option. This is a good time to go through all of your software that is on your computer and remove any questionable programs.

Remove Superfish certificates from the Windows Certificate Store

This is to remove the Superfish certificates from the main Certificate Store that Windows uses and is the “go to” certificate location for Internet Explorer, Google Chrome, Opera, Safari and co.

  1. In Windows 8.1, use the Search Charm to search “Certificates”, then select “Manage Computer Certificates”
  2. Accept Microsoft Management Console’s request to change your computer data
  3. Select “Trusted Root Certificate Authorities” in the Certificate Manager then select “Certificates”
  4. Hunt for items with the “Superfish Inc.” name and delete them. When the Certificate Manager asks that you want to delete them, click Yes.

Remove Superfish certificates from Firefox, Thunderbird and other Mozilla software

Mozilla operates a separate certificate store for Website certificates rather than using the Windows Certificate Store. Here, you would have to interact with each Mozilla program separately to remove the certificates.

  1. Open Firefox and, if the address bar and toolbar isn’t visible, click on the orange Firefox button.
  2. Select the Settings drawer with the three lines, then click on the Options gearwheel, then click on the Advanced gearwheel.
  3. Select the Certificates tab and click or touch the View Certificates button.
  4. In the Certificate Manager screen, select Authorities
  5. Hunt for “Superfish Inc” and select that certificate
  6. Click the Delete or Distrust button and click OK to delete the Superfish certificate from Mozilla’s certificate store.

Restart your computer

Then restart your Lenovo computer as you would normally do.
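After the removal steps, it is worth confirming that nothing with the Superfish name is left in the trusted root stores. As an added example that is not part of Lenovo’s tool or instructions, the Python below checks a store listing for unwanted root names. It assumes the listing was produced with PowerShell’s certificate provider, `Get-ChildItem Cert:\LocalMachine\Root | Format-List Subject, Thumbprint` (run again with `Cert:\CurrentUser\Root` for the per-user store), and the sample listing embedded here is constructed: the subjects and thumbprints are placeholders, not the real certificates’ values.

```python
import re

# Constructed listing in the shape of
#   Get-ChildItem Cert:\LocalMachine\Root | Format-List Subject, Thumbprint
# Subjects and thumbprints are placeholders, not real certificate values.
SAMPLE_LISTING = """\
Subject    : CN=Example Root CA, O=Example Trust Services, C=US
Thumbprint : 0000000000000000000000000000000000000001

Subject    : CN=Superfish, Inc., O=Superfish, Inc., L=Palo Alto, S=CA, C=US
Thumbprint : 0000000000000000000000000000000000000002

Subject    : CN=Another Root, O=Another Trust, C=GB
Thumbprint : 0000000000000000000000000000000000000003
"""

# Names that should never appear as a trusted root on a home or small-business PC.
# Extend this tuple with any other unwanted issuer you are checking for.
UNWANTED_NAMES = ("superfish",)

FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def parse_listing(text):
    """Turn Format-List output (blank-line separated 'Name : value' records) into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1).lower()] = match.group(2).strip()
        elif current:           # blank line ends the current record
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def find_unwanted_roots(text, names=UNWANTED_NAMES):
    """Return the records whose Subject mentions any of the unwanted names."""
    hits = []
    for record in parse_listing(text):
        subject = record.get("subject", "").lower()
        if any(name in subject for name in names):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_unwanted_roots(SAMPLE_LISTING):
        print(f"UNWANTED ROOT STILL PRESENT: {hit['subject']} ({hit['thumbprint']})")
```

A clean result is an empty list. If a record is still reported, repeat the Certificate Manager deletion for that thumbprint, and remember that the Mozilla certificate store is separate and needs its own check inside Firefox or Thunderbird.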

This may be a tipping point for manufacturers to be part of a feedback loop when it comes to the software they supply with computers especially those that are sold to home and small-business users. It involves a requirement to test the software for vulnerabilities before packaging it for installation.

It will also become a time to question the practice of supplying third-party-supplied trial software and demoware with computers, especially notebooks, marketed to consumers.

Windows 10 to benefit from the FIDO authentication standards

Article

Microsoft to support Fido biometrics | NFC World

From the horse’s mouth

Microsoft

Windows For Your Business blog post

FIDO (Fast IDentity Online) Alliance

Press Release

My Comments

Microsoft is to enable Windows 10, which is the next version of Windows, to work with the FIDO (Fast Identity Online) Alliance standards for its authentication and authorisation needs.

But what is this about? FIDO is about providing a level playing field where authentication and authorisation technologies like biometrics, electronic keys and the like can work with applications and sites that support these technologies.

The goal with FIDO is to remove the need for drivers, client-side software and certificate-authority setups for 2-factor authentication or password-free authentication. As well, one hardware or software key can be used across compatible services and applications without user parameters being shared between them.

There are two standards that have been defined by FIDO Alliance. One is UAF which supports password-free login using biometrics like fingerprints; USB dongles; MiFare NFC cards; Bluetooth-linked smartphones and the like as the key to your account. The other is U2F which allows these kinds of keys to serve as a “second factor” for a two-factor authentication setup.

But what could this mean? With a UAF setup, I could set things up so I could log in to Facebook using my fingerprint if the computer is equipped with a fingerprint reader but not have to worry about using a password vault that plays nicely with that fingerprint reader. With a U2F setup, I could make sure that I have a tight two-factor login setup for my Website’s management account or my bank account but use a preferred method like a USB key or a smartcard reader that reads my EMV-compliant bank card.

The current implementation tends to ride on client-side software like browser plugins to provide the bridge between a FIDO-enabled site and a FIDO U2F-compliant key, and this can impair the user experience you have during the login. This is because you have to make sure that the client-side software is running properly and that you use a particular browser with it before you can interact with the secure site. There is also the risk that the software may be written poorly, thus being more demanding on processor and memory resources as well as providing an inconsistent user interface.

Microsoft will bake these authentication standards in to Windows 10 for the login experience and authentication with application-based and Web-based services. This will cut down on the client-side software weight needed to enhance your Internet security and allows those who develop the authentication methods to focus on innovating with them, just as Microsoft has done with other functionality that it has baked in to the various Windows versions. It will apply to Azure-based cloud-hosted Active Directory services and on-premises Active Directory services for business users; along with the Microsoft Account which is used for home and small business users with Windows 8 login and Outlook.com (Hotmail).

The question yet to be answered with FIDO UAF and U2F functionality is whether this will be provided for application-based “client-to-server” authentication in situations like word-processors being used to upload blog posts, or native clients for online services like Dropbox and Evernote. Similarly, would this technology allow a device to serve as a temporary or conditional authentication factor, such as a smart lock that has just been used with your electronic key; or allow a card like a SIM card already installed in our smartphone or a MiFARE-compliant transit pass to serve as an electronic key for our Webmail?

Personally, I find that Windows implementing FIDO Alliance standards will allow us to make more use of various authentication technologies on our home or business computers.

BMW delivers a security update to its ConnectedDrive cars

Articles

BMW cars with ConnectedDrive will benefit from an over-the-air software security patch

Your BMW just downloaded a security patch | Engadget

BMW patches in-car software security flaw | IT News

BMW Group ConnectedDrive increases data security | BMW Blog (BMW enthusiasts’ online magazine)

From the horse’s mouth

BMW Group

Press Release

My Comments

BMW ConnectedDrive user interface press picture courtesy of BMW Group

BMW ConnectedDrive user interface – where you can manually draw down that update

An issue that is constantly being raised regarding the Internet Of Everything is data and network security, including making sure the devices work to end-users’ expectations for proper, safe and secure operation. One of the constant mantras associated with this goal is to have a continual software-update cycle for these devices with the ability for customers to place new software in these devices in the field like you can with a regular computer or a smartphone.

BMW had brought about the ConnectedDrive online vehicle management and infotainment system to their newer BMW, MINI and Rolls Royce cars. But they discovered a flaw in the software and wrote a patch to rectify this problem. You would normally think that to have this patch delivered in to the vehicle management system, you would need to bring the car in to the dealership and this would be done as part of its regular preventative-maintenance servicing.

Here, it would typically involve you having to book the car in with the dealership including determining whether you need to use the courtesy car or not, drive it there at the appointed day and time and pick up the courtesy car if you needed it, then make a point of heading back to the dealership before they close to collect your car when it is ready.

But BMW had worked on delivering the software patch to the car via the mobile broadband link that the ConnectedDrive system depends upon for its functionality. Here, you would be advised that the update is taking place and at an appropriate time, the software patch would be applied. If you had garaged the car, you can manually “draw down” the update to your car once you drive it out of your garage.

What I see of this is the proactive way that the BMW Group have been able to use what is taken for granted with most computer operating systems to roll out critical software patches to their vehicles, which is something to be considered of importance when it comes to data security. This has to work not just through the life-cycle of a vehicle but beyond especially in markets where vehicles are likely to benefit from long service lives.

Tech support scams now affecting the Macintosh platform

Article

Mac users: Beware of increased tech support scam pop-ups | MalwareBytes Unpacked blog

My Comments

The Apple Macintosh has been seen by its users as a safe regular-computer (desktop / laptop) platform mainly because it didn’t have as much of a foothold as the MS-DOS / Windows platform. Now this platform is starting to appeal to malware authors due to the fact that more people are heading towards it as a regular-computer option along with the fact that Microsoft has been continually hardening the Windows platform.

Windows users have suffered the bane of various unsolicited “tech-support” scams ranging from Website popups through to phone calls. Now the Mac platform is under attack because these scams use JavaScript to lock up the browser with nag dialogs in a similar way to what happens with Windows. The same scam also targets iOS devices, because Safari there shares the same codebase and JavaScript implementation.

Of course, don’t follow through with the prompts to call these numbers or download the software because this involves activities like malware downloads or paying exorbitant fees to dodgy overseas-based businesses. But what do you do to close these nag screens?

On the Macintosh, you would have to kill the browser session by using the Force Quit routine. The best way IMHO to do this is to press Command+Option+Shift+ESC together if the browser has the foreground. You can also press Command+Option+ESC to bring up the Force Quit menu and use the mouse or trackpad to select the application to stop. The reason I suggest using the keyboard shortcuts is because some of the nuisance dialog boxes can effectively “take over” the pointing device.

iOS users can stop the browser by double-clicking the Home button and swiping the window representing the troublesome app to kill that app.

On both platforms, you clear out the browser cache and history to stop the fake tech-support Website cropping up. This is more important for the iOS platform because if you open up Safari, it will come up with the last-opened Website. For the OS X implementation, you click the “Clear History” option in the “History” menu, which also clears the cache. For the iOS implementation, you go to the Safari option in the Settings app and then tap the Clear History button to stop it from reopening.

A timely reminder to beware of suspicious emails in your inbox

Slow down when you check those emails so you are safe

Increasingly people are receiving emails that are becoming very dangerous to their personal or business security.

This happens during November and December, especially between when the American community celebrates Thanksgiving (last Thursday in November) and Epiphany / Twelfth Night (January 5), when there is a lot of Christmas-driven communication and most, if not all, of us are thinking about Christmas. This includes responding to the shopping offers that are being made available through this time. Here, these emails are sent in a manner designed to “get at” the user and take control of their computing equipment or data.

Over this past weekend, some friends of mine from church had approached me about email issues and I had found out that the husband fell victim to a phishing attack against his Outlook.com Webmail account with it ending up being used to send spam messages. Here, I visited these friends on Monday night for dinner and to help him change his account’s password and report it as being compromised. Then a close friend of his rang him about receiving the Australia Post phishing emails and I suggested to that friend to delete that email immediately.

One example is to supply malware as an attachment, typically obfuscated as a compressed “file of files” or a malformed document file, or to direct users to pick up the questionable software at a Web link. The idea is to get users to install this software of questionable provenance on their computer so that it becomes part of a large botnet intended to wreak havoc on other computer users, steal your personal or business information, or extort money from you.

Another example is a link that sends users to a forged login or other customer-interaction page for a Webmail, banking, Social Web or similar online service to steal their personal details. This is typically to steal the user’s money or identity, create a bank account or similar financial account for laundering ill-gotten gains, or use an email mailbox and contact list to send further spam to computer users.

The email is suspicious if

It is out-of-character with the sender

This may reflect a situation that you know the sender is not in, such as them or their business being in financial dire straits. It may also simply be an email of a kind they don’t normally send.

Contains nothing but enticing “click-bait” text

You may find some enticing text written in the Subject line or in the body of the message that gets you to either open the attachment or click on that link.

Implores on you to open it or click on the link under pain of losing service continuity or something similar

Looks very official and has copy that threatens you that you will lose access to your funds or continuity of a service you use, or something similar; and requires you to click on a link in that message to take action to remedy the situation. This may also be about the pending arrival of a parcel or some funds and you have to click on a link or open an attachment to print out a “claim form”.

What to do?

Do not click on the links in that email or open the attachment

Under no circumstances should you click on any links in the suspicious email or open any attachment that is part of that email.

Check the email out

In the case of a personal email, check the email address that purports to be in the name of your contact to see if it is one that you and your contact regularly use. Here, some people may operate a business email address alongside a personal email address and you need to confirm these addresses through conversation, business collateral that they supply, amongst other things.

In the case of a business email, check to see if the email looks as though it genuinely represents that organisation. If the email is requiring you to do something to assure “continuity of service”, access to funds, etc. contact that business directly using their customer-service number or email.

One obvious red flag would be if you receive a contact from a bank or other business you don’t do any business with. Another red flag is an email that isn’t addressed to you personally, rather it uses a generic “all-call” salutation like “Dear Customer”. Yet another red flag is the quality of the document. Here, you look out for whether the email represents the company’s current “trade dress” such as current logos, colour schemes and the like. As well, you look for the quality of the document to see that it reflects what is expected for a business document coming from the company’s location of business, such as spelling, grammar, punctuation, etc.

Sometimes, what appears in the “To” list may be contacts, including “virtual contacts” which represent a cluster of email addresses, whom you don’t have anything to do with. This is also a sign of a suspicious email.
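The signs listed in this section can be turned into a checklist that runs over a message before anyone clicks anything. The Python below is an added example, not part of the original post or of any mail provider’s filtering: it parses a raw email with the standard library and reports which of the signs it finds (a known contact writing from an address you don’t have for them, an organisation named in the mail whose domain doesn’t match the sender, links pointing to a different host, a generic salutation, pressure to act now, archive or executable attachments, and a “To” list that doesn’t include you). The two sample messages, the addresses ending in `.test`, the contact list and the organisation list are all constructed for the example.

```python
import email
import re
from email.utils import getaddresses, parseaddr

URL_RE = re.compile(r"https?://([^\s/<>\"']+)", re.I)
URGENCY_RE = re.compile(r"action required|within 24 hours|immediately|suspend|verify your account|claim form", re.I)
SALUTATION_RE = re.compile(r"^\s*dear\s+(valued\s+)?(customer|user|member|client)\b", re.I | re.M)
RISKY_NAME_RE = re.compile(r"\.(zip|rar|7z|exe|scr|js|jar|vbs)$", re.I)

# Constructed phishing sample: parcel "claim form" with an archive attachment and an off-domain link
PHISHING_SAMPLE = """\
From: Example Post <deliveries@exmpl-post-notice.test>
To: bulk@mailer.test
Subject: Action required: parcel awaiting collection
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,
Your parcel could not be delivered. Print the claim form within 24 hours
or the item will be returned: http://parcel-claim-centre.test/form
--b1
Content-Type: application/zip; name="claim_form.pdf.zip"
Content-Disposition: attachment; filename="claim_form.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed legitimate sample from a known contact
LEGIT_SAMPLE = """\
From: Bob Friend <bob@friend.test>
To: Carol <carol@home.test>
Subject: Sunday lunch

Hi Carol, are we still on for lunch on Sunday? Bob
"""

ME = "carol@home.test"
KNOWN_CONTACTS = {"Bob Friend": {"bob@friend.test"}}          # display name -> addresses they use
CLAIMED_ORGS = {"example post": "example-post.test"}           # organisation -> its real domain


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _text_body(msg):
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            chunks.append((part.get_payload(decode=True) or b"").decode("utf-8", "replace"))
    return "\n".join(chunks)


def check_email(raw, me=ME, known_contacts=KNOWN_CONTACTS, claimed_orgs=CLAIMED_ORGS):
    """Return the list of suspicious signs found in the raw message (empty means none found)."""
    msg = email.message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    text = msg.get("Subject", "") + "\n" + _text_body(msg)

    # Out of character: a known contact writing from an address you do not have for them
    if display in known_contacts and addr.lower() not in known_contacts[display]:
        reasons.append("sender-address-unknown-for-contact")
    # Names an organisation but does not come from that organisation's domain
    for org, domain in claimed_orgs.items():
        if org in (display + " " + text).lower() and not sender_domain.endswith(domain):
            reasons.append("org-domain-mismatch")
            break
    # Links lead somewhere other than the sender's or the claimed organisation's domain
    trusted = {d for d in (sender_domain, *claimed_orgs.values()) if d}
    for host in URL_RE.findall(text):
        host = host.split(":")[0].lower()
        if not any(host == d or host.endswith("." + d) for d in trusted):
            reasons.append("link-host-mismatch")
            break
    if SALUTATION_RE.search(text):
        reasons.append("generic-salutation")
    if URGENCY_RE.search(text):
        reasons.append("urgency")
    # Archive or executable attachments, including double extensions like .pdf.zip
    if any(RISKY_NAME_RE.search(p.get_filename() or "") for p in msg.walk()):
        reasons.append("risky-attachment")
    # Not addressed to you personally
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if me.lower() not in recipients:
        reasons.append("not-addressed-to-you")
    return reasons


if __name__ == "__main__":
    print("phishing sample:", check_email(PHISHING_SAMPLE))
    print("legitimate sample:", check_email(LEGIT_SAMPLE))
```

None of these signs is proof on its own; the point is that several together are what the section above tells you to look for, and the checks say nothing about the message being safe when the list comes back empty.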

Check with the sender

If you receive an email from a contact of yours which appears to be out-of-character with them, contact them about that email. You must do this not by replying to that email but by either calling them on the phone, sending an SMS or instant-messaging message to them or sending a separate email to them.

If it is business-related like correspondence from your bank or other organisation, log in to the business’s Website yourself using its commonly published or commonly known Web address. Here, you type the address into your Web browser’s address bar or, if you do regular business with the site, go to the bookmark or favourite link you have created for it. As well, it may be of value to contact the organisation on their published phone number to check the veracity of that email. You may find this number in the regular business correspondence that you have from them, in the common telephone directory or on the organisation’s Web page.

Report the email then delete it

If you are using your Webmail provider’s Web-based user interface, you may have an option to report that email as spam, hacking, fraud or something similar. If you are using a client-based email setup, forward the email as an attachment to your ISP’s or email provider’s email address that has been set up for reporting email abuse or fraud.

Business users who work for a company that has an in-house or contracted IT team should let that IT team know about the suspicious email. This will also apply to those of us who study at a school or university which has its own IT team.

As well, if the email appeared to be in the name of the bank or other organisation, look on the organisation’s Website for a “report fraud” link or email and use that to report the fraudulent emails that you received. Here, they can engage local or national law enforcement to take further action especially if the behaviour is consistent.

Then delete the fraudulent email immediately.

Security tips

  • Keep the computer’s operating system and application software up-to-date with the latest patches
  • Make sure you are running a good anti-malware utility and that it is updated frequently and regularly. It may also be a good practice to run a full scan with this software
  • Make sure that you have strong and preferably unique passwords on your online services
  • Make sure that your home network hardware is on the latest firmware and has strong non-default passwords.
  • Consider using a password manager program or service. As well, it may be worth it to implement a two-factor authentication setup on your online services with your smartphone showing a key number as a “second factor”.
  • As well, you may find that if you have an account with a major online service like a Microsoft service or one of the popular social networks, you may have the opportunity to implement a single sign-on. This may be worth using especially with games, forums, comment functionality, online music or similar services so you don’t have to work out extra passwords.
  • Back up the data you created yourself using your computer to a NAS and/or USB hard disk and preferably make a separate copy of this backup in a separate location
  • Only visit Websites and online services that are known to be reputable

Web-page advertising needs to adopt a secure-ads strategy

Article

Beware of Risky Ads on Tumblr | MalwareBytes Unpacked

My Comments

Online ad - to be respected like advertising in printed media

Ads on sites like here need to be secure to obtain the same respect as magazine ads

Most of us who use the Web are making increased use of ad-sponsored Web sites for news, blogs, social media and the like.

In most cases, the banner advertising that appears on these Websites or on advertising-funded mobile-platform apps, when delivered in a tasteful manner, provides a similar experience to the display advertising we see, accept and take for granted in newspapers, magazines and other printed media. That is, where pop-up or pop-under advertising isn’t used and you don’t hear noisy video commercials playing; it could be enough to see an animated or slide-show ad appear within the confines of the banner. Here, the advertising doesn’t interrupt the reading experience, unlike TV advertising or online-video advertising, which interrupts the viewing experience.

Such advertising, like the Google AdSense ads you see on this site, is sold on a contract that is based on cost-per-click, which the advertiser pays when you click on the ad to follow through with it, or cost-per-impression, which is based simply on the ad being loaded and appearing on the site.

The malvertisement threat

But there is a security problem cropping up here in the form of “malvertisements”. These are online advertisements that are delivered to lead users to Websites that host malware. Typically they use enticing copy and graphics in the advertisements to attract users to view content on these sites and download software of questionable provenance.

Security vendors promote a line that encourages us Web users to use ad-blocking software to keep our computers secure by masking all online advertising. But this can get in the way of honest advertisers and the publications that depend on them for revenue because the software works on an “all or nothing” approach.

But what can the online advertising industry do about this?

If a Website author has control over all of the advertising they admit, they can easily “fence out” malvertisements and distasteful advertising by examining what their potential advertiser is tendering at the start of and through the life of their advertising contract.

But this is not the case for most Websites where they will rely on one or more ad networks like Google AdSense to supply all or the remainder of their ad inventory. These ad networks typically source the advertising themselves and pay publishers a cut for each advertisement that appears or when someone clicks on an advertisement.

Ad networks

Malware sites advertise through these networks on a “pay-per-click-only” contract because it is a “low-risk high-return” option. But the networks could make life harder for them by, for example, vetting the creatives (advertising text, graphics, scripts and links) offered for an ad campaign before accepting them for display and again through the life of the campaign. Similarly, they could make it harder for “fly-by-night” operations like malware distribution to establish or sustain advertising contracts, such as by reserving the ability to break off an ad contract if the advertiser engages in deceptive conduct, or by not offering “very-low-risk” advertising options such as “pay-per-click-only” text ads. One way would be to require all ad contracts to be based on paying for a particular length of time or a minimum number of impressions.

Ad networks can also exchange details about advertisers that engage in deceptive business practices so that the advertisers don’t go “shopping around” different ad networks to hawk their wares at the lowest risk. This is similar to a lot of proper business practices where companies are able to exchange details about known credit risks for example.

This could be part of an online advertising code of conduct to protect the validity and legitimacy of the online display advertisement as part of an advertiser’s campaign mix and as a way for Web publishers to raise some income.

Webmasters

Webmasters can work with the ad network’s control panel to reduce the kind of advertising that gets through to their ad spaces. For example, they could opt to keep the advertising that appears to tightly reflect the content and tone of their Website. The Webmaster can also exercise a tight level of control over any advertising they directly sell for their Website such as offering contracts with a minimum level of risk to the advertiser or vetting the creative material tendered by the advertisers.

As well, they can implement security measures on the Website to stop undesirable activity from occurring with it. This could include hardened login procedures such as brute-force lockout or two-factor authentication on the critical admin and editor accounts.

Conclusion

As with other online-security issues such as Wi-Fi security, it isn’t just up to end-users to do the “heavy lifting” to keep their Web experience secure. Other stakeholders like advertising networks need to join in to keep the Web secure with respected online advertising and to avoid exposure to liability.

Business-grade data security could approach the home network

Article

Startup builds intrusion prevention system for home networks | PC World

My Comments

A device that is being used mainly in enterprise networks is the “intrusion prevention system” which is another form of firewall installed at the network’s edge. This device is typically set up between a modem and the router that serves normally as the network’s edge to protect the network from outbound and inbound Internet-based attacks.

Increasingly, as most home networks acquire more devices and more of these devices are programmed with firmware that isn’t “written for security”, these devices are being seen as necessary for home and small-business networks.

Itus Networks are working on one of these devices and optimising it for the home network, so it is as secure as a similar device used in Enterprise America but is more cost-effective and can be managed by most householders. The iGuardian product is intended to go between the router and the modem to analyse outgoing and incoming traffic for malicious activity and block such activity based on community or commercial “Snort-form” rulesets.
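To make the idea of a “Snort-form” ruleset concrete, here is an added toy example (my own illustration, not code from the article or from Itus Networks, and far narrower than real Snort) that parses simplified rules and decides whether an inline device would drop or merely alert on a packet; the $HOME_NET prefix, the packets and the rules are all constructed.

```python
import re
from dataclasses import dataclass
@dataclass
class Packet:  # constructed packet metadata; a real IPS decodes this from the wire
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
# Rule header: action proto src sport -> dst dport (option; option; ...)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

def parse_rule(text, home_net="192.168.1."):
    """Parse one simplified Snort-style rule (header plus msg/content/sid options)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax")
    rule = m.groupdict()
    for k in ("src", "dst"):  # $HOME_NET expands to a constructed prefix (assumption)
        rule[k] = home_net if rule[k] == "$HOME_NET" else rule[k]
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def _header_ok(r, pkt):
    """Protocol, address (prefix match, toy only) and port checks from the rule header."""
    return (r["proto"] in ("ip", pkt.proto)
            and all(s == "any" or a.startswith(s)
                    for s, a in ((r["src"], pkt.src), (r["dst"], pkt.dst)))
            and all(s == "any" or int(s) == p
                    for s, p in ((r["sport"], pkt.sport), (r["dport"], pkt.dport))))

def evaluate(rules, pkt):
    """Return (action, msg) of the first rule matching the packet; ("pass", None) otherwise."""
    for r in rules:
        content = r["opts"].get("content")
        if _header_ok(r, pkt) and (not content or content.encode() in pkt.payload):
            return r["action"], r["opts"].get("msg")
    return "pass", None

# Constructed sample rules (not from any real ruleset): block a known-bad download name inbound, alert on outbound DNS.
SAMPLE_RULES = [parse_rule(
    'drop tcp any any -> $HOME_NET 80 (msg:"toy: suspicious download"; content:"malware.exe"; sid:1000001;)'),
    parse_rule('alert udp $HOME_NET any -> any 53 (msg:"toy: outbound dns"; sid:1000002;)')]
```

The difference between the “drop” and “alert” actions is exactly the line between an intrusion prevention system, which sits inline and can discard traffic, and a passive intrusion detection sensor that only reports.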

But this form factor wouldn’t work well with the modem-router which is the way to go for most DSL services, where the modem and router are in one box. Personally, I could see the “intrusion prevention system” become an included feature with high-end routers that are pitched at “enthusiast” consumers, SOHO users or small businesses rather than the low-tier routers sold to most consumers.

Similarly, a functionality gap exists where other network devices could be at risk of intrusion from one network device on the same network without any Internet involvement.

As well, I find that they may not be accepted for most home networks because they may be difficult to operate unless you have a lot of competence with business-grade computing. This may be due to issues like lack of “task-based” or “simple-language” design.

At the moment, this device shows that the concept of business-grade Internet security for the home network in the form of an “intrusion prevention system” is at an early stage, and a lot more work needs to be done to make a mature product for this class of network and the kind of operator it will face.