Friday, 9 February 2018

Online advertising.. The continuing cat and mouse game..

The online advertising industry needs to tackle security, and tackle it fast!


So, shortly after the advent of online advertising, came ways to block it.

Adblock Plus and friends block the ads, the advertising networks update their code, the blockers update their filters and the back and forth continues.

Besides advertising, websites also often employ third party metrics tools, and, with those.. you guessed it, came ways to block them.

Ghostery (though it has its issues), Disconnect, Privacy Badger etc have popped up.

Load up any website, particularly advertising supported news sites such as newspapers, technology news, entertainment and meme distribution sites, and with the right plugins loaded, you'll see them light up with 10, 20, 30 plus different external systems for advertising and user behaviour tracking monitoring everything from what ads you see, to where you hover your mouse on the page, to where you scroll to on the page. Sometimes it's obvious what a remote system's about, sometimes it'll be hard to ascertain because the resource is hosted on some obscurely named Amazon AWS instance.

Now, the reality is that sites hosting ads, and the ad networks, have little knowledge or control over the ads they're serving up to the visitors of sites, with Yahoo, The Weather Channel, The New York Times and other sites hit with bad ads.

The malvertising problem comes from the ability for people purchasing advertising inventory to be able to inject whatever they want into that inventory based upon multiple factors such as time, location and browser type. This means what might be initially reviewed (if a review happens at all) may be different to what end users are eventually served.

Advertising inventory on a given website may be offered to several different ad networks, those ad networks will then sell that inventory on to their customers, and then their customers may have networks of their own, such that there might easily be five or more degrees of separation between the site owner and the actual advertiser.

In the past, I've worked with a business that acted as an intermediary between advertisers and inventory holders, and not all the inventory holders were the site holders. Sometimes the advertising provided by the advertisers would be directly supplied "creative" (not just an adjective in the advertising world, but also a noun!) but other times we'd be issued with code that would pull the creative from other content distribution systems.

Subsequently, blocking advertising in my mind, is now no longer just a question of convenience, irritation or privacy concerns, but also one of security as unchecked advertising creative is now a valid malware vector.

Myself, in Firefox I run:
  • Ublock Origin
  • NoScript (all sites and plugins are blocked until I explicitly whitelist them)
In Chrome, I'm currently running:
  • Ublock Origin
  • HTTPS Everywhere (a recent addition when I found a hotel I visited was doing MITM that disabled redirections to HTTPS in some cases)
Cryptocurrency mining may be one way viewers can pay for content, if it's done with the viewer's consent. Otherwise, sites need to consider ways they can encourage people to pay for content (indeed, I have an annual contribution set up to one of the newspapers I frequently read online).

Otherwise, because there's so very little interaction between site owners, and the actual advertisers, the truth is that for security reasons, you have to block ads online these days.

References:
http://krebsonsecurity.com/2012/02/crimevertising-selling-into-the-malware-channel/
https://en.wikipedia.org/wiki/Malvertising
http://www.theregister.co.uk/2015/08/14/malvertising_expands_drudge/
http://www.theregister.co.uk/2015/08/04/yahoo_malware_ads/
http://lifehacker.com/the-best-browser-extensions-that-protect-your-privacy-479408034

No comments:

Post a Comment