Ad Networks are Great for Malware Distribution

Last week, several major news sites unwittingly served as malware mules.

When you visit a website, the publisher doesn't choose the ads you see; its ad networks do. As the page loads, the ad slot is auctioned on an exchange and goes to the highest bidder, all in the time it takes the page to render. Sometimes the highest bidder for a slot on the New York Times just happens to be a crook serving ransomware, and the publisher never sees the creative before it runs.

They were using the Angler Exploit Kit, which is actually quite clever. Angler hides encrypted code in an innocuous-looking advertising image, so the ad itself scans clean. The attackers send down the decryption key only if they decide you are a worthwhile target; until then the payload is just noise inside a picture.

A GIF can contain embedded code.

Remember how ad trackers create a digital fingerprint from your browser version and installed plugins? The fingerprinting script used here does the same job for the attackers, and also tells them whether you have security software installed. They only want to attack vulnerable systems on residential networks, and they avoid anything that looks like a security researcher's sandbox, which might blow their cover.

So if the fingerprinting script decides you're a good mark, it fetches the key, decrypts the embedded code and runs it. That code exploits some Java, Flash or IE vulnerability, and suddenly your files are encrypted and a pop-up is demanding Bitcoin.
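The trick described above, a blob appended to an otherwise valid image, is easy to check for if you actually parse the image instead of just looking at the file extension. The Python below is an added example, not code from the original post or from Angler: it builds a constructed 1x1 GIF, appends a payload encrypted with a toy SHA-256 keystream (a stand-in for whatever the real kit used), then walks the GIF block structure to find the real trailer and reports how much data sits after it and how random it looks. The recovery function shows why the conditional key delivery matters: without the key the tail is indistinguishable from noise.

```python
import hashlib
import math

# --- constructed sample: a minimal 1x1 GIF, then the same GIF with a blob appended ---
CLEAN_GIF = (
    b"GIF89a"                                      # header
    + b"\x01\x00\x01\x00\x80\x00\x00"              # logical screen descriptor, 2-entry global colour table
    + b"\x00\x00\x00\xff\xff\xff"                  # global colour table
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor, no local colour table
    + b"\x02\x02\x44\x01\x00"                      # LZW min code size, one data sub-block, terminator
    + b"\x3b"                                      # trailer: a well-formed GIF ends here
)
SECOND_STAGE = b"constructed stand-in for the encrypted second-stage script " * 4
KEY = b"key-delivered-only-after-fingerprinting"  # hypothetical; Angler's real scheme is not reproduced


def xor_keystream(data, key):
    """Toy stream cipher (SHA-256 in counter mode). Encrypts and decrypts with the same call."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


MALVERT_GIF = CLEAN_GIF + xor_keystream(SECOND_STAGE, KEY)


def _skip_sub_blocks(data, pos):
    """Walk a chain of length-prefixed sub-blocks until the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_trailer_offset(data):
    """Offset just past the 0x3B trailer, found by parsing blocks rather than searching for
    a 0x3B byte, which can legitimately occur inside compressed image data."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 6
    packed = data[pos + 4]
    pos += 7                                   # logical screen descriptor
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 0x07))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        tag = data[pos]
        pos += 1
        if tag == 0x3B:
            return pos
        if tag == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C:                      # image descriptor
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:                  # local colour table
                pos += 3 * (2 << (packed & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError("unknown block tag 0x%02x at offset %d" % (tag, pos - 1))


def shannon_entropy(blob):
    """Bits per byte; ~8.0 means encrypted or compressed, ~4-5 means text or script."""
    if not blob:
        return 0.0
    counts = {}
    for b in blob:
        counts[b] = counts.get(b, 0) + 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_gif(data):
    """Report anything appended after the trailer; the detection check for this trick."""
    end = gif_trailer_offset(data)
    tail = data[end:]
    return {"trailer_at": end, "appended_bytes": len(tail),
            "tail_entropy": round(shannon_entropy(tail), 2)}


def recover_second_stage(data, key):
    """What the fingerprinting script does once the key has been delivered."""
    return xor_keystream(data[gif_trailer_offset(data):], key)


if __name__ == "__main__":
    print("clean:   ", scan_gif(CLEAN_GIF))
    print("malvert: ", scan_gif(MALVERT_GIF))
    print("decrypted:", recover_second_stage(MALVERT_GIF, KEY)[:40])
```

Run against a real ad creative, a non-zero `appended_bytes` with a high `tail_entropy` is the signal worth alerting on; legitimate image tools do not leave a quarter kilobyte of random bytes after the trailer.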

(image: cryptolocker)

The ransomware is designed to hit only once per IP address. This is to make it harder for security researchers to reproduce the attack, but it also makes the ransomware similar to a tax. I wonder if ransomware will become the tax obligation that gives Bitcoin the price support it needs.

Block me if you can

Good thing we use Adblock Plus, right? Nope!

Google, Amazon, Microsoft, and Taboola paid the makers of Adblock Plus to let their ads through. And Google's DoubleClick was one of the ad networks delivering this exact exploit kit.

According to Adblock Plus, it whitelists "acceptable ads" that meet certain criteria. If you visit a lot of sketchy warez sites, you will recognize Taboola as the purveyor of pornographic popups. Apparently the acceptability criterion is money. Adblock Plus: It's like ransomware for advertisers.

A security hole doesn't disappear just because you outsource the problem to Adblock Plus. You can better protect yourself by installing those stupid Java and Flash updates that pop up every few days, or better yet by removing the browser plugins you don't use, since they are what the exploit kit targets. If that's too annoying, you can always go back to using Lynx.

See Also:
1. Operation Fingerprint: A look into several Angler Exploit Kit malvertising campaigns (Malwarebytes)
2. Don’t Hate the Ad, Hate the Ad-Tracker

It’s Good to be Google

Last night, I was innocently building a tracking script for my website when I noticed that I had some visitors that looked like Google but who were not, in fact, Google.

One was the Wayback Machine. Another was archive.is. These web capture sites provide saved snapshots of a page at a given point in time, and apparently they do it by sending a User-Agent header that pretends to be Google's crawler.

Previously, we had a tutorial on how to bypass subscription paywalls by spoofing the Googlebot web crawler. For those who were too lazy or too ethical to build that Chrome extension, another way around a paywall is to paste the blocked URL into archive.is and have archive.is do the spoofing for you:

(screenshot: archive.is, 2016-03-19)

If publishers don't provide paywall exceptions for public services like the Wayback Machine, who do they provide exceptions for? I did a quick check by swapping out my HTTP request headers, User-Agent included, to match those of various web crawlers.

The Wall Street Journal lets Google's and Bing's crawlers through, and no one else. Not Yandex, nor Yahoo, nor DuckDuckGo. Not even Baidu.

Then I checked the more cosmopolitan FT.com. FT exposes its content to Google, Bing, and Yahoo, but not to Yandex or DuckDuckGo. It works intermittently with Baidu.

(I didn’t bother to check any other subscription sites because I am lazy and mortal and by most accounts I still have a day job, although I’m really not sure how.)

So here's the thing. Publishers are optimizing for Google search results, with Bing as an afterthought. As a result, Google's indexing bots have better access to content than any other web crawler, and anyone who can type a User-Agent string can claim to be one of them.
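Whatever the WSJ and FT actually check server-side, a User-Agent string is the only thing the experiment above changed, and anyone can set one. The check a publisher should be doing is the one Google documents for verifying its own crawler: a reverse DNS lookup on the client IP must land in googlebot.com or google.com, and a forward lookup on that hostname must resolve back to the same IP. The Python below is an added example, not any publisher's code: the naive check sits next to the hardened one, the DNS answers are constructed so it runs offline, and the IP addresses and hostnames are illustrative.

```python
import socket

GOOGLE_PTR_SUFFIXES = (".googlebot.com", ".google.com")

# The UA string Google publishes for its desktop crawler; the point is that it is public.
GOOGLEBOT_UA = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}


def naive_is_googlebot(headers):
    """What a User-Agent-only allow-list amounts to: anyone can send this header."""
    return "Googlebot" in headers.get("User-Agent", "")


def verified_is_googlebot(headers, remote_ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS, as Google documents for Googlebot verification.
    Resolvers are injected so the check can be exercised offline; fails closed on any
    DNS error."""
    if not naive_is_googlebot(headers):
        return False
    try:
        host = reverse_lookup(remote_ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_PTR_SUFFIXES):
            return False                       # PTR outside Google's domains
        return remote_ip in forward_lookup(host)  # hostname must map back to this IP
    except OSError:                            # NXDOMAIN, timeout, socket.herror/gaierror
        return False


def paywall_decision(headers, remote_ip, reverse_lookup, forward_lookup):
    """The access decision a publisher would wire into its paywall middleware."""
    if verified_is_googlebot(headers, remote_ip, reverse_lookup, forward_lookup):
        return "full article"
    return "paywall"


# Live resolvers for production use (not called by the offline demo).
def live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def live_forward(host):
    return socket.gethostbyname_ex(host)[2]


# Constructed DNS answers for the demo. 66.249.66.1 is shaped like a real Googlebot
# address; 203.0.113.x is documentation space standing in for an attacker.
_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",  # genuine: PTR and A record agree
    "203.0.113.5": "crawl-66-249-66-1.googlebot.com",  # attacker forges PTR for their own IP
    "203.0.113.6": "googlebot.com.evil.example",       # lookalike suffix
}
_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "googlebot.com.evil.example": ["203.0.113.6"],
}


def fake_reverse(ip):
    if ip not in _PTR:
        raise OSError("NXDOMAIN")
    return _PTR[ip]


def fake_forward(host):
    if host not in _A:
        raise OSError("NXDOMAIN")
    return _A[host]


if __name__ == "__main__":
    for ip in ("66.249.66.1", "203.0.113.5", "203.0.113.6", "203.0.113.7"):
        print(ip, "naive:", naive_is_googlebot(GOOGLEBOT_UA),
              "verified:", paywall_decision(GOOGLEBOT_UA, ip, fake_reverse, fake_forward))
```

Note the two failure modes the forward lookup catches: an attacker controls reverse DNS for their own address space, so a PTR record alone proves nothing, and a hostname that merely contains "googlebot.com" is not under Google's domain. Cache the verdict per IP; doing two DNS lookups on every request is how this check usually gets turned off in production.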

A third-rate search engine like Yahoo could actually get better indexing results if it changed its web crawler User-Agent headers to Googlebot. It could also acquire way more users if it changed the name of its website to . Finally, it would provide far more shareholder value if it burned itself to the ground and redirected its domain to Google.com.

It’s tough to not be Google.

Update, a few hours later: I just noticed that the Wall Street Journal also lets the Facebook crawler bypass its paywall. But not Twitter's! FT.com gives access to both the Facebook and Twitter crawlers.

I almost forgot that Facebook has become a force to be reckoned with when it comes to content discovery.

A Reasonable Expectation of Privacy

It’s hypocritical for me to complain about ad trackers when I use Gmail, a service controlled by the biggest ad-tracking network in the world. Who cares about trackers when Google has been reading my email for the last decade?

I tell myself Google is good; they promised "Don't Be Evil." That's my stupid brain's way of saying I'm lazy and Google is convenient.

A vocal contingent claims that the government is spying on us. Not really. Unless you did something to land on a terrorist watch list, the NSA sees you as part of the landscape.

The government isn’t out to get us. And that’s the problem.

Homeland Security did not request that every citizen carry a location-tracking device at all times. We chose to do that when we bought iPhones.

FinCEN did not develop a traceable payments network recording the time and location of every transaction; Visa and Mastercard did. We chose to participate in it.

If the government planted RFID chips on all our bodies, there would be outrage. But they didn’t. We did it to ourselves.

We can oppose a government conspiracy, but how do you argue against convenience? The technology that makes life so good and convenient just happens to be technology that enables mass surveillance.

So why are we surprised when the government wants to appropriate these tools for the purpose of law enforcement? Were we expecting service providers to protect the privacy that we were too lazy to protect ourselves?

Fourth Amendment rights prevent cops from casually invading our homes, but we’ve already invited Google to sit in the living room. The third-party doctrine holds that people who voluntarily give information to third parties have no reasonable expectation of privacy.

Google calls the cops if it finds child porn in your Gmail box, and your bank calls FinCEN if it suspects laundered money in your account. They're required to by law. And a bill reintroduced in December would require all technology companies to report suspected terrorist activity as well.

Still, we don't want to stop advancing. With every new technology created to make our lives better, we shrink the times and places where we can expect not to be watched. Each connected device makes the expectation of privacy a little less reasonable. And once people get used to the loss of privacy, it is impossible to get it back.


Encryption

This bit by John Oliver is pretty awesome:

https://www.youtube.com/watch?v=zsjZ2r9Ygzw

The reason iPhones need such strong security measures is that Apple customers can't seem to keep their phones in their pants and out of the hands of hackers. Are people really storing bank account information on their phones? Cripes.

We make a big deal about encryption and security, but the weakest link is increasingly human. Last month, several companies (including Snapchat) fell for a phishing email and handed over their employees' W-2 tax data. This is all it took:

(image: knowbe4phish)

My iCloud password requires twelve characters consisting of some combination of uppercase letters, lowercase letters, at least one number, a symbol, and an emoji. According to this password strength tool, it might take 2 million years to brute-force my account with a GPU cluster. But only five minutes if you distract me from my desktop with a shiny object.

Instead of working to make encryption stronger, maybe try to make humans less stupid.

See Also:
Chris Hadnagy

Keynesian Savings Time

(poster: "Saving Daylight! Set the clock ahead one hour and win the war. Uncle Sam: Your enemies have been up and are at ..." NARA 512689)

Here I was, about to do something really productive, when the clock on my computer skipped ahead and stole an hour of my life that I will never see again.

I blame Benjamin Franklin.

Franklin first proposed daylight saving to the people of France as a joke, telling them they could save candles by rising earlier to take advantage of morning sunlight. He was actually making fun of them for being lazy: the French did not get out of bed before noon, even back then.

Over a century later, we adopted Daylight Saving Time for real. The motive was to conserve coal during the First World War. Winston Churchill sold it like this: "We borrow an hour one night in April; we pay it back with golden interest five months later."

The “golden interest” part never materialized, but Churchill’s proposal had merit. Now that central banks have all but run out of options to counter economic weakness, it is the perfect opportunity to revisit an expansionary time policy.

Daylight Saving works by imposing a mandatory one-hour contribution in the spring, then returning that hour in the fall. But we're doing it all wrong. Why return the hour in the middle of the night, when it has no measurable impact on GDP? Add that extra hour to the middle of a 9-to-5 workday!

Time is a direct account of work output, especially when roughly half of Americans are paid by the hour. By adding an hour to the workday, we instantly increase productivity. With more work to do and more hours to shop, we get a double dose of economic stimulus.

And why force the population to give it back in the spring? The purpose of an expansionary policy isn’t to seize economic gains and revert to some prior baseline. Let’s add an hour every year to ensure constant progress. If unemployment gets too high, let’s add two!

The best part about an expansionary time policy is that there's no need to worry about the effects concentrating in wealthier households. Rich or poor, we all abide by the same clock.

And sure it might mean that in a dozen years we’ll be leaving for work in the middle of the night, but so what? We all have electric lights now. Daylight is a barbarous relic. The extra candles and coal that we burn will only serve as further stimulus.

The last thing we want is negative interest rates or a central bank helicopter drop. Wealth is measured by the control you have over your time. Rather than take further measures to expand the supply of money, central bankers should expand the supply of time.