Web Ads Get Tangled in Cloak of Invisibility
via online.wsj.com
I don't normally post articles on security, figuring there are enough analysts and commentators who make a living pontificating on the subject, usually providing marginal insight in the echo chamber. That said, this article on "ad fraud" is revealing about a very fundamental problem in the security space. The fraud works by delivering ads within a page context without actually displaying them: through HTML trickery the fraudster displays one ad, invisibly renders another 20-30, and takes credit for all of the ad deliveries/impressions. The fundamental problem is that what is displayed may not be what is in fact executing on your computer. I last dealt with this problem in the context of electronic signatures: is the document you're seeing the one you're signing online?
Now a whole ecosystem has sprung up to deter the fraud and to verify that the ad networks and member/partner sites are actually delivering the ads, and someday those companies may be the HNC Falcon(s) of the web advertising world. (Hecht-Nielsen's neural-net-based Falcon credit card fraud scoring system was one of the successes of the AI boom in the 80s; HNC was later acquired by Fair Isaac.) But that's not the interesting part here. The Procter & Gambles of this world won't go broke on ad fraud, but the underlying technology that made this fraud possible is worth some attention and cogitation.
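To make the verification side concrete, here is an added example (it is not from the WSJ article, the blog author, or any verification vendor) of the kind of "viewability" check such a company might run inside a page: it takes the geometry and computed style of each ad slot and reports how many slots are actually visible versus merely rendered. The slot records, the viewport size and the 50% in-view threshold are all constructed assumptions for the example.

```javascript
// Added example: classify ad slots as viewable or rendered-but-invisible.
// In a real page the slot records would come from getBoundingClientRect()
// and getComputedStyle(); here they are constructed sample data.

const VIEWPORT = { width: 1280, height: 800 }; // assumed viewport size
const MIN_IN_VIEW_FRACTION = 0.5;               // assumed threshold

// Constructed sample: one visible slot and several ways a slot can be
// present in the DOM (and counted as an impression) without being seen.
const sampleSlots = [
  { id: "ad-1", width: 300, height: 250, top: 100,  left: 900,  opacity: 1, display: "block", visibility: "visible" }, // genuinely visible
  { id: "ad-2", width: 0,   height: 0,   top: 0,    left: 0,    opacity: 1, display: "block", visibility: "visible" }, // collapsed to 0x0
  { id: "ad-3", width: 300, height: 250, top: 5000, left: 0,    opacity: 1, display: "block", visibility: "visible" }, // far below the fold
  { id: "ad-4", width: 300, height: 250, top: 100,  left: 100,  opacity: 0, display: "block", visibility: "visible" }, // fully transparent
  { id: "ad-5", width: 728, height: 90,  top: -90,  left: 100,  opacity: 1, display: "none",  visibility: "visible" }, // display:none
  { id: "ad-6", width: 300, height: 250, top: 100,  left: -300, opacity: 1, display: "block", visibility: "hidden"  }, // off-screen and hidden
];

// Fraction of the slot's area that lies inside the viewport (0..1).
function inViewFraction(slot, viewport) {
  const area = slot.width * slot.height;
  if (area <= 0) return 0;
  const ix = Math.max(0, Math.min(slot.left + slot.width, viewport.width) - Math.max(slot.left, 0));
  const iy = Math.max(0, Math.min(slot.top + slot.height, viewport.height) - Math.max(slot.top, 0));
  return (ix * iy) / area;
}

// Returns { id, viewable, inViewFraction, reasons } for one slot.
// A slot is viewable only when no hiding technique applies.
function classifySlot(slot, viewport = VIEWPORT) {
  const reasons = [];
  if (slot.display === "none") reasons.push("display:none");
  if (slot.visibility === "hidden") reasons.push("visibility:hidden");
  if (slot.opacity < 0.1) reasons.push("transparent");
  if (slot.width < 1 || slot.height < 1) reasons.push("zero-size");
  const fraction = inViewFraction(slot, viewport);
  if (slot.width * slot.height > 0 && fraction < MIN_IN_VIEW_FRACTION) reasons.push("off-screen");
  return { id: slot.id, viewable: reasons.length === 0, inViewFraction: fraction, reasons };
}

// Aggregate view of a page: how many slots were rendered vs. actually viewable.
function summarize(slots, viewport = VIEWPORT) {
  const results = slots.map((s) => classifySlot(s, viewport));
  const viewable = results.filter((r) => r.viewable).map((r) => r.id);
  return { rendered: slots.length, viewable, hiddenCount: results.length - viewable.length, results };
}

// Stand-alone run on the constructed sample.
const report = summarize(sampleSlots);
console.log(`${report.rendered} slots rendered, ${report.viewable.length} viewable, ${report.hiddenCount} hidden`);
for (const r of report.results) {
  if (!r.viewable) console.log(`  ${r.id}: ${r.reasons.join(", ")}`);
}
```

The point of the summary line is the discrepancy itself: a page that reports six impressions but only one viewable slot is exactly the "displayed one, rendered many" pattern the article describes, and counting it per page is what lets a verification service refuse to credit the invisible ones.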
What makes this more interesting today is that back in the 80s and early 90s, code of completely unknown provenance wasn't pouring into your system every hour by the bucket. These days even your run-of-the-mill web pages deliver not just static content but code that assembles the page within your browser, on the fly, from 3-5 different sources per page. Often that content is well beyond the control of the site you're visiting, so the gap between what you're seeing visually on the page and what is executing underneath in code could have pretty serious consequences for a range of applications within the browser context, which is primarily interactive and increasingly used to complete electronic transactions. Over the last 18 months there has been increasing chatter about advertisements being the new malware trojan horse (one reason to use ad filters and utilities like "NoScript").
The consequences of such perversion haven't been dramatized in front-page news yet, and sites conducting sensitive commerce resort to some simple rules of thumb to minimize the chances of problems with their transactions (you're unlikely to see third-party content on a bank's transaction pages). Nonetheless, the area deserves more attention than it's getting.
While some technical work has been done in this area, the trustworthiness of code in general, and its linkage to user interface elements and interaction, remains an interesting problem that's waiting for better solutions in the modern context. Adobe took a crack at this a while ago in their Acrobat platform but seems to have let some of that work slide. A decent book on the principles and trade-offs (more implied than explicit) of constructing a trusted chain in the context of the hardware and the system software elements supporting it is "Dynamics of a Trusted Platform" by David Grawrock (Intel Press). Perhaps the next generation of security professionals can evolve the browser into a real trusted platform (there's at least one existing company in the space and several that exited a few years ago).
Till then, you don't have to fear invisible ads, but you should guard against invisible/unauthorized code in your browser. As a generally prudent measure I'd advise the following:
- Run an ad filter with your browser that strips all the crap out (AdBlock, FlashBlock, AdMuncher, etc.)
- Consider utilities like NoScript (pretty harsh) that disable all dynamic content on a page
- Consider running a dedicated browser (a different one, or a clone of your favorite) for your "secure transactions"; if you're really paranoid, run a dedicated machine. The aim in each case is to minimize the potential for malware contamination.