<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; For technologists</title>
	<atom:link href="http://lastwatchdog.com/category/for-technologists/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Wed, 25 Apr 2012 20:37:25 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Why network forensics should become ongoing maintenance</title>
		<link>http://lastwatchdog.com/network-forensics-ongoing-maintenance/</link>
		<comments>http://lastwatchdog.com/network-forensics-ongoing-maintenance/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 23:51:19 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Guest Blog Post]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12290</guid>
		<description><![CDATA[Company network attacks &#8212; and successful intrusions &#8212; continue at a steadily rising pace, for a  litany of reasons. The core driver is a complex dynamic. We continue to expand commercial uses of the Internet, pumping more cloud services, social media and mobile devices into the mix. The end result is an ever expanding canvas [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignnone" src="http://lastwatchdog.com/wp/wp-content/uploads/cyber_robber_masked150px.jpg" alt="" width="150" height="154" /><em>Company network attacks &#8212; and successful intrusions &#8212; continue at a steadily rising pace, for a  litany of reasons. The core driver is a complex dynamic. We continue to expand commercial uses of the Internet, pumping more cloud services, social media and mobile devices into the mix. </em></p>
<p><em>The end result is an ever expanding canvas of attack surfaces for highly skilled and motivated cybergangs to tap into corporate databases. In this LastWatchdog guest post, Timothy David McCreery, President and CEO of network monitoring firm WildPackets, examines why it might make sense for companies to embrace network forensics as ongoing preventive maintenance, instead of turning to it only in after-the-fact investigations.</em></p>
<div id="attachment_12293" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-12293" href="http://lastwatchdog.com/network-forensics-ongoing-maintenance/tim_mccreery175px/"><img class="size-full wp-image-12293" title="tim_mccreery175px" src="http://lastwatchdog.com/wp/wp-content/uploads/tim_mccreery175px.jpg" alt="" width="175" height="254" /></a><p class="wp-caption-text">McCreery</p></div>
<p>By Timothy David McCreery</p>
<p>Homeowners insurance, health and life insurance are well known forms of risk coverage. While these modes of protection have remained relatively the same, there is a litany of new threats that aren’t as well accounted for. Most businesses today operate some form of computer network and for many, their entire business is based online. Company computer networks are increasingly vulnerable in the era of phishing scams, cyber attacks and large-scale data breaches. So then, what is their form of insurance?</p>
<p>Today, preventative security is a top priority for any IT department, but no amount of security can protect all of your networks all of the time. Even global brands and governments aren’t immune to attacks, and every company should have a contingency plan in place in the event of a breach. One of the most easily implemented, but often-overlooked contingency plans for your network is network forensics.</p>
<p>While many companies believe that a simple activity monitoring solution is the only thing they need to help protect their network, network forensics is an essential part of any comprehensive security strategy. Although IDS/IPS (Intrusion Detection/Intrusion Prevention Systems) solutions do help indicate and prevent problems, when they miss something, security teams have no data to analyze and figure out what went wrong. Typically, simple activity monitoring solutions involving IDS/IPS are tedious and require sorting through possibly thousands of packets of data – including IP address, source/destination port, time, date, protocol, string and more – to find one incident.</p>
<p>Network forensics, on the other hand, captures complete network conversations, recording all network activity at the packet level to fixed storage, displays key network performance statistics, and provides visual tools for post-capture analysis in real-time. Captured data is stored in a central location and translated into a common format, allowing users to easily drill into problem areas and quickly locate a specific incident or monitor for potential virus ‘fingerprints’ to avoid a major infection.</p>
<p>With an increase in breaches from both inside and outside the network, analysis and prevention can only be achieved if you have a complete view of your network activity. This level of insight is even more essential with the number of on-the-go users and BYOD policies growing within companies. In fact, it&#8217;s often business-critical issues that have nothing to do with performance or cyber attacks, like violations of industry regulations or data breaches, which drive the need for post-incident analysis.</p>
<p>A breached mobile device or infected personal laptop brings outside threats inside the network, which can go undetected by most IDS/IPS solutions. The ability to recognize a breach and pinpoint the source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, preventing another kind of potential hack.</p>
<p>Network forensics can be a powerful tool in both your security and compliance strategies, but the key to network forensics is to have a solution in place now – before you have a need for incident analysis or require data to investigate an attack.</p>
<p><em><strong>About the essayist</strong>: Timothy David McCreery is the President and CEO at WildPackets, a provider of network analysis solutions. McCreery co-founded WildPackets, Inc. as AG Group in 1990. McCreery taught undergraduate Computer Science at U.C. Berkeley obtaining a Master’s degree in EECS, and is an industry veteran with over 25 years of experience.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/network-forensics-ongoing-maintenance/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Will Congress make Obama&#8217;s Privacy Bill of Rights law?</title>
		<link>http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/</link>
		<comments>http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/#comments</comments>
		<pubDate>Thu, 23 Feb 2012 15:43:18 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12139</guid>
		<description><![CDATA[Getting a divided Congress to pass any hard-edged privacy legislation is the next big hurdle President Obama faces in getting his Consumer Privacy Bill of Rights made the law of the land. &#8220;We urge the Administration to ensure that it carries out this process in a fair and transparent manner, and that consumer voices are [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12140" href="http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/congress_interior175px/"><img class="alignleft size-full wp-image-12140" title="Congress_interior175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Congress_interior175px.jpg" alt="" width="175" height="111" /></a>Getting a divided Congress to pass any hard-edged privacy legislation is the next big hurdle President Obama faces in getting his Consumer Privacy Bill of Rights made the <a href="http://content.usatoday.com/communities/technologylive/post/2012/02/will-obamas-privacy-bill-of-rights-become-law/1">law of the land</a>.</p>
<p>&#8220;We urge the Administration to ensure that it carries out this process in a fair and transparent manner, and that consumer voices are heard and acted on,&#8221; says Susan Grant, Director of Consumer Protection at Consumer Federation of America.</p>
<p>In an unusual move, the White House convened a press conference at 4:30 p.m. Eastern on Wednesday to <a href="http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/">announce</a> the details, imposing an embargo – which all media outlets accepted without question – to midnight. Here are the seven rights:</p>
<ul>
<li><strong>Individual Control:</strong> Consumers have a right to exercise control over what personal data organizations collect from them and how they use it.</li>
<li><strong>Transparency:</strong> Consumers have a right to easily understandable information about privacy and security practices.</li>
<li><strong>Respect for Context: </strong>Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.</li>
<li><strong>Security:</strong> Consumers have a right to secure and responsible handling of personal data.</li>
<li><strong>Access and Accuracy:</strong> Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.</li>
<li><strong>Focused Collection: </strong>Consumers have a right to reasonable limits on the personal data that companies collect and retain.</li>
<li><strong>Accountability:</strong> Consumers have a right to have personal data handled by companies with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights.</li>
</ul>
<p><strong>Watering down</strong></p>
<div id="attachment_12141" class="wp-caption alignleft" style="width: 102px"><a rel="attachment wp-att-12141" href="http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/john-simpson92px/"><img class="size-full wp-image-12141" title="John SImpson92px" src="http://lastwatchdog.com/wp/wp-content/uploads/John-SImpson92px.jpg" alt="" width="92" height="134" /></a><p class="wp-caption-text">Simpson</p></div>
<p>&#8220;The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have in their inevitable attempt to water down the rules that are implemented and render them essentially meaningless,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;I am skeptical about the &#8216;multi-stakeholder process&#8217;, but am willing to make a good faith effort to try it.&#8221;</p>
<p>Simpson and others remain concerned about the Commerce Department&#8217;s role in shaping consumer privacy protections. &#8220;Commerce&#8217;s job — quite correctly — is to promote the interests of business, not protect consumers,&#8221; he says. &#8220;If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.&#8221;</p>
<p>As proposed by the White House, the bill of rights recognizes the need for heightened protections for children and teens on the Internet.</p>
<p>&#8220;If we want to ensure that the Internet economy continues to be strong and vital, consumers need to be able to trust that the information collected about them will not be misused. This announcement sets the stage for that to begin to happen,&#8221; says Ellen Bloom, Senior Director of Federal Policy for Consumers Union, the policy and advocacy arm of Consumer Reports.</p>
<p><strong>Power moves</strong></p>
<p>The next steps will entail Washington D.C.-style power brokering, says Jeffrey Chester, executive director of the Center for Digital Democracy.</p>
<div id="attachment_11936" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11936" href="http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/jeffrey_chester_90px-8/"><img class="size-full wp-image-11936" title="jeffrey_chester_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/jeffrey_chester_90px7.jpg" alt="" width="90" height="122" /></a><p class="wp-caption-text">Chester</p></div>
<p>&#8220;The new framework largely depends on the development of voluntary codes of conduct, to be negotiated between consumer groups and companies like Google, Facebook, Microsoft, Yahoo and others,&#8221; Chester says. &#8220;Consumer groups will engage in these negotiations in good faith. But we cannot accept any &#8216;deal&#8217; that doesn’t really protect consumers, and merely allows the data-profiling status quo to remain.&#8221;</p>
<p>Another part of the White House privacy framework calls for the Digital Advertising Alliance to add to its efforts to self-police its members by improving an existing Do Not Track mechanism many of its members already make available to consumers.</p>
<p>&#8220;The plan by the DAA to add Do-Not-Track to its self-regulatory system could derail a promising privacy effort by the World Wide Web Consortium standards group (W3C) that is being designed to give consumers greater control over data collection,&#8221; contends Chester. &#8220;The new DAA scheme will enable companies to continue to collect profiling data on users, and merely prevent the delivery of targeted ads. DAA members are terrified about the development of a DNT system with teeth, which would stop so much data collection, profiling and tracking.&#8221;</p>
<p><strong>California cracks down</strong></p>
<p>On a parallel track, the Associated Press <a href="http://www.usatoday.com/tech/news/story/2012-02-22/california-mobile-apps-privacy/53214500/1">reports</a> that California is cracking down on invasive mobile apps.</p>
<p>California Attorney General Kamala Harris is calling for the tech giants vying in the mobile space &#8212; Apple, Google, Microsoft, Amazon, Research In Motion and Hewlett-Packard &#8212; as well as thousands of mobile app developers to give people advance warning before extracting and storing sensitive information from smartphones and tablet PCs.</p>
<p>Harris began discussing the need for better privacy protections with six powerful companies that have shaped the mobile computing market, spawning nearly 1 million applications over the past four years, the AP reports.</p>
<p>&#8220;We are assuming everyone is going to cooperate in good faith and not get cute,&#8221; Harris told AP reporter Mike Liedtke.</p>
<p>Harris, a Democrat, is taking her stand out west at the same time that fellow Californian Mary Kay Bono, a Republican Congresswoman, and several other Republican lawmakers are clamoring for more details about how Google and Facebook conduct online tracking. The tech giants put themselves in the spotlight by recently announcing new initiatives to extend how they index and cross-reference data about what consumers do on their PCs and mobile devices.</p>
<p>Google has begun rolling out a new user privacy policy that will make it easier for the search giant to correlate information about anyone who uses multiple Google services, such as Google search, plus Gmail, Google Apps, YouTube, Picasa or Google+. Facebook is rolling out a new user interface &#8212; Timeline &#8212; that makes it easier to search and digest chronologically-assembled data about a person. Each is trying to outdo the other in a race to sell more online advertising. Each insists it provides consumers with ample choice and control over such tracking data.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/congress-obamas-privacy-bill-rights-law/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama calls for a Consumer Privacy Bill of Rights</title>
		<link>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/</link>
		<comments>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/#comments</comments>
		<pubDate>Thu, 23 Feb 2012 14:40:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Obama watch]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=12126</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 23FEB2012, P1B The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights’’ as the linchpin for a drive to get Congress to pass new laws protecting consumers privacy as they surf the Internet. The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-12127" href="http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/barack-obama150px/"><img class="alignleft size-full wp-image-12127" title="Barack Obama150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Barack-Obama150px.jpg" alt="" width="150" height="151" /></a>By Byron Acohido, USA TODAY, 23FEB2012, <a href="http://www.usatoday.com/tech/news/story/2012-02-23/ftc-consumer-internet-privacy/53213162/1">P1B</a></p>
<p>The White House on Wednesday unveiled a strongly worded “Consumer Privacy Bill of Rights” as the linchpin for a drive to get Congress to pass new laws protecting consumers’ privacy as they surf the Internet.</p>
<p>The announcement came as Maryland Attorney General Douglas F. Gansler and attorneys general from 35 other states sent a letter to Google complaining about a new privacy policy which will give the search giant greater latitude to track people using computers and mobile devices, with no way to opt out of being tracked.</p>
<p>One of the seven privacy rights, unveiled at a press conference by Commerce Secretary John Bryson, guarantees consumers the “right to exercise control over what personal data organizations collect from them and how they use it.”</p>
<p>The Commerce Department will now commence a series of meetings inviting privacy advocates, consumer groups and key players in the tech and online advertising industries to hash out “enforceable privacy policies,” Bryson said.</p>
<p>In a statement, President Obama said, “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online. As the Internet evolves, consumer trust is essential for the continued growth of the digital economy.”</p>
<p>Meanwhile, the Digital Advertising Alliance, an industry trade group, announced it has begun work on a more visible and effective Do Not Track mechanism to add to a self-policing system in effect for all of the consortium’s members. The Federal Trade Commission separately has backed a call for a Do Not Track system buttressed by new federal laws.</p>
<p>Daniel Weitzner, the White House deputy chief technical officer, said the Obama Administration’s goal is to get Congress to draft and pass new privacy laws using the privacy bill of rights as a framework.</p>
<p>“We now have a much more focused blueprint,” Weitzner said. “We’ll use our bully pulpit to get legislation passed based on these principles.”</p>
<p>The push comes as Google, Facebook and Apple have come under fire from some members of Congress and the FTC for tracking consumers as they use their PCs and mobile devices on the Internet, often without asking permission.</p>
<p>The attorneys general are seeking a delay in implementation of Google&#8217;s new privacy policy &#8212; which is set to take full effect on March 1. The AGs now join several members of Congress and numerous privacy advocates and consumer groups in protesting the fact that anyone who uses multiple Google services cannot opt out of the new policy, which makes it easier for Google to cross reference activities across its most popular services, including search, Gmail, Google Apps, YouTube, Picasa and Google+.</p>
<p>The Obama administration recognizes that “we need to make meaningful changes to preserve consumer trust and confidence,” says Craig Spiezle, executive director of the non-profit Online Trust Association. “At the same time, we need to preserve innovation. Balancing the two is a challenge.”</p>
<p>Getting a divided Congress to pass any hard-edged privacy legislation is another challenge.</p>
<p>&#8220;The real question is how much influence companies like Google, Microsoft, Yahoo and Facebook will have in their inevitable attempt to water down the rules that are implemented and render them essentially meaningless,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;I am skeptical about the &#8216;multi-stakeholder process&#8217;, but am willing to make a good faith effort to try it.&#8221;</p>
<p>Simpson and others remain concerned about the Commerce Department&#8217;s role in shaping consumer privacy protections. &#8220;Commerce&#8217;s job &#8212; quite correctly &#8212; is to promote the interests of business, not protect consumers,&#8221; he says. &#8220;If nothing else, the report demonstrates the growing concern about online privacy. Perhaps this is one of the few issues where true bipartisan action will be possible this year.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/obama-calls-consumer-privacy-bill-rights/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rockefeller, Bono Mack seek explanations from Facebook</title>
		<link>http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/</link>
		<comments>http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 00:42:32 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11524</guid>
		<description><![CDATA[Two federal lawmakers want Facebook to come before Congress to explain how the social media company tracks Web users and why Facebook members got swarmed by pornographic and violent images this week. Reacting to details of Facebook&#8217;s tracking practices disclosed in LastWatchdog&#8217;s page 1A story in print editions of USA TODAY, Sen. Jay Rockefeller, D [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11525" href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/jay-rockefeller150px-2/"><img class="alignleft size-full wp-image-11525" title="Jay Rockefeller150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jay-Rockefeller150px1.jpg" alt="" width="150" height="160" /></a>Two federal lawmakers want Facebook to come before Congress to explain how the social media company tracks Web users and why Facebook members <a href="http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/">got swarmed</a> by pornographic and violent images this week.</p>
<p>Reacting to details of Facebook&#8217;s tracking practices disclosed in LastWatchdog&#8217;s <a href="http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-tracking-data/51225112/1">page 1A story</a> in print editions of USA TODAY, Sen. Jay Rockefeller, D &#8211; W. Virg., said he intends to invite Facebook and others to a hearing to explain how they are using personal information.</p>
<p><a rel="attachment wp-att-11533" href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/facebook_track265px/"><img class="alignleft size-full wp-image-11533" title="Facebook_track265px" src="http://lastwatchdog.com/wp/wp-content/uploads/Facebook_track265px.jpg" alt="" width="265" height="548" /></a>&#8220;The USA Today story is disturbing,&#8221; says Rockefeller, sponsor of a Do-Not-Track bill that would empower consumers to limit ad networks from tracking where they go online. &#8220;No company should track customers without their knowledge or consent, especially a company with 800 million users and a trove of unique personal data on its users.&#8221;</p>
<p>Facebook spokesman Andrew Noyes noted that Facebook tracking systems are used to personalize content and help boost security. He also said that the company&#8217;s tracking practices are spelled out in its <a href="https://www.facebook.com/about/privacy/your-info-on-other#socialplugin">Privacy Policy</a> and <a href="https://www.facebook.com/help/?faq=186325668085084#What-information-does-Facebook-receive-about-me-when-I-visit-a-website-with-a-Facebook-social-plug-in?">Help Center</a> web pages. &#8220;We appreciate Sen. Rockefeller&#8217;s interest in protecting consumer privacy and look forward to discussing this with him,&#8221; Noyes says.</p>
<p>Meanwhile, Rep. Mary Bono Mack, R-Calif., who chairs the House Subcommittee on Commerce, Manufacturing and Trade, directed her staff to bring in Facebook officials next week for a briefing to learn more about the wave of pornographic and violent images that spread through Facebook&#8217;s automated content-sharing systems. &#8220;The Chairman is very concerned about what took place and wants to make certain – to the extent possible – that it doesn&#8217;t happen again,&#8221; says spokesman Ken Johnson.</p>
<div id="attachment_11536" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11536" href="http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/mary-bono-mack_175px-4/"><img class="size-full wp-image-11536" title="Mary Bono Mack_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mary-Bono-Mack_175px3.jpg" alt="" width="175" height="133" /></a><p class="wp-caption-text">Bono Mack</p></div>
<p>Among the questions Bono Mack wants answered: How many people were impacted? What actually happened? How did it happen? Could the vulnerability be used to gather users&#8217; personal information? What is Facebook doing to prevent future intrusions?</p>
<p>Noyes pointed out <a href="http://www.cnn.com/2011/11/16/tech/social-media/facebook-hacking-security/index.html">this CNN news story</a> praising how Facebook responded to the systemic attack on its content-sharing technologies. &#8220;Protecting the people who use Facebook from spam and malicious content is a top priority for us,&#8221; says Noyes. &#8220;Our team responded quickly to eliminate most of the spam caused by this incident. We are now working to improve our systems to better defend against similar attacks in the future.&#8221;</p>
<p>Joseph Steinberg, CEO of Green Armor Solutions, says that the porn and gore spam attack is another reason users should not rely on Facebook&#8217;s security and privacy settings.</p>
<p>“Facebook has never been the poster child for security,&#8221; Steinberg says. &#8220;This situation reinforces that concept. If some form of breach occurred and information that you configured to be viewable by only your friends became viewable by the entire world it is unlikely that Facebook is going to compensate you. But they can gather information about you and advertise to you. In many ways, you are Facebook&#8217;s product, not its customer.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/rockefeller-bono-mack-seek-explanations-facebook/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How Facebook keeps tracking logs of the webpages you visit</title>
		<link>http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/</link>
		<comments>http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 01:33:10 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11473</guid>
		<description><![CDATA[In recent weeks, Facebook has been wrangling with the Federal Trade Commission over whether the social media website is violating users&#8217; privacy by making public too much of their personal information. Far more quietly, another debate is brewing over a different side of online privacy: what Facebook is learning about those who visit its website. [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11483" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/facebook-logo150p-2/"><img class="alignleft size-full wp-image-11483" title="facebook-logo150p" src="http://lastwatchdog.com/wp/wp-content/uploads/facebook-logo150p1.jpg" alt="" width="150" height="150" /></a>In recent weeks, Facebook has been <a href="http://www.usatoday.com/tech/news/story/2011-11-10/facebook-ftc-privacy/51159306/1">wrangling </a>with the Federal Trade Commission over whether the social media website is violating users&#8217; privacy by making public too much of their personal information.</p>
<p>Far more quietly, another debate is brewing over a different side of online privacy: what Facebook is learning about those who visit its website.</p>
<p>Facebook officials are now acknowledging that the social media giant has been able to create a running log of the web pages that each of its 800 million or so members has visited during the previous 90 days. Facebook also keeps close track of where millions more non-members of the social network go on the Web, after they visit a Facebook web page for any reason.</p>
<p><em><strong><a href="http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-tracking-data/51225112/1">Click here</a> to view  an  interactive chart of  how Facebook&#8217;s tracking systems work</strong></em></p>
<p>To do this, the company relies on tracking cookie technologies similar to the controversial systems used by Google, Adobe, Microsoft, Yahoo and others in the online advertising industry, says Arturo Bejar, Facebook&#8217;s engineering director.</p>
<p><a rel="attachment wp-att-11539" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/facebook_track265px-2/"><img class="alignleft size-full wp-image-11539" title="Facebook_track265px" src="http://lastwatchdog.com/wp/wp-content/uploads/Facebook_track265px1.jpg" alt="" width="265" height="548" /></a>Facebook&#8217;s efforts to track the browsing habits of visitors to its site have made the company a player in the <a href="http://www.usatoday.com/money/industries/technology/2010-12-13-1Adonottrack13_CV_N.htm">&#8220;Do Not Track&#8221; debate, </a>which focuses on whether consumers should be able to prevent websites from tracking the consumers&#8217; online activity.</p>
<p>For online business and social media sites, such information can be particularly valuable in helping them tailor online ads to specific visitors. But privacy advocates worry about how else the information might be used, and whether it might be sold to third parties.</p>
<p>New guidelines for online privacy are being hashed out in Congress and by the World Wide Web Consortium, which sets standards for the Internet.</p>
<p>If privacy advocates get their way, consumers soon could be empowered to stop or limit tech companies and ad networks from tracking them wherever they go online. But the online advertising industry has dug in its heels, trying to retain the current self-regulatory system.</p>
<p>Online tracking involves technologies that tech companies and ad networks have used for more than a decade to help advertisers deliver more relevant ads to each viewer. Until now, Facebook, which makes most of its profits from advertising, has been ambiguous in public statements about the extent to which it collects tracking data.</p>
<div id="attachment_11475" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11475" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/mark-zuckerberg_charlierose175px/"><img class="size-full wp-image-11475" title="Mark Zuckerberg_charlierose175px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mark-Zuckerberg_charlierose175px.jpg" alt="" width="175" height="134" /></a><p class="wp-caption-text">Zuckerberg on Rose show</p></div>
<p>It contends that it does not belong in the same camp as Google, Microsoft and the rest of the online ad industry&#8217;s major players. Facebook CEO Mark Zuckerberg <a href="http://news.cnet.com/8301-17852_3-57320215-71/zuckerberg-on-charlie-rose-why-facebook-rules/">made this point</a> to interviewer Charlie Rose on national TV last week.</p>
<p>For the past several weeks, Zuckerberg and other Facebook officials have sought to distinguish how Facebook and others use tracking data. Facebook uses such data only to boost security and improve how &#8220;Like&#8221; buttons and similar Facebook plug-ins perform, Bejar told USA TODAY. Plug-ins are the ubiquitous web applications that enable you to tap into Facebook services from millions of third-party web pages.</p>
<p>Facebook spokesman Andrew Noyes says the company has &#8220;no plans to change how we use this data.&#8221; He also says the company&#8217;s intentions &#8220;stand in stark contrast to the many ad networks and data brokers that deliberately and, in many cases, surreptitiously track people to create profiles of their behavior, sell that content to the highest bidder, or use that content to target ads.&#8221;</p>
<p><strong> Conflicting pressures</strong></p>
<p>Rather than appease its critics, Facebook&#8217;s public explanations of how it tracks and how it uses tracking data have touched off a barrage of questions from technologists, privacy advocates, regulators and lawmakers around the world.</p>
<div id="attachment_11503" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11503" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/ed-markey90px/"><img class="size-full wp-image-11503" title="Ed Markey90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Ed-Markey90px.jpg" alt="" width="90" height="116" /></a><p class="wp-caption-text">Markey</p></div>
<p>&#8220;Facebook could be tracking users without knowledge or permission, which could be an unfair or deceptive business practice,&#8221; says Rep. Ed Markey, D-Mass., co-sponsor with Rep. Joe Barton, R-Texas, of a bill aimed at limiting online tracking of children.</p>
<p>The company &#8220;should be covered by strong privacy safeguards,&#8221; Markey says. &#8220;The massive trove of personal information that Facebook accumulates about its users can have a significant impact on them — now and into the future.&#8221;</p>
<p>Noting that &#8220;Facebook is the most popular social media website in the world,&#8221; Barton adds, &#8220;All websites should respect users&#8217; privacy.&#8221;</p>
<p>After Zuckerberg appeared on the Charlie Rose TV show last week, Markey and Barton sent a letter to the 27-year-old CEO asking him to explain why Facebook recently applied for a U.S. patent for technology that includes a method to correlate tracking data with advertisements. They gave Zuckerberg a Dec. 1 deadline to reply.</p>
<p>&#8220;We patent lots of things, and future products should not be inferred from our patent application,&#8221; Facebook corporate spokesman Barry Schnitt says.</p>
<p>Facebook is under intense, conflicting pressures.</p>
<div id="attachment_11506" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11506" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/ka-shing-li90px/"><img class="size-full wp-image-11506" title="Ka-shing Li90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Ka-shing-Li90px.jpg" alt="" width="90" height="119" /></a><p class="wp-caption-text">Li</p></div>
<p>It must prove to its global financial backers that it is worthy of the hundreds of millions of dollars they&#8217;ve poured into the company, financial and tech industry analysts say. Those investors include Microsoft, Goldman Sachs, the Russian investment firm Digital Sky Technologies, Hong Kong financier Sir Ka-shing Li and venture capitalist Peter Andreas Thiel.</p>
<p>The success of the company&#8217;s initial public offering of stock, expected sometime next year, hinges in part on Facebook&#8217;s ability to move beyond the bread-and-butter text ads that appear on members&#8217; home pages and emerge as a key player in graphical display ads and corporate brand marketing campaigns, says Rebecca Lieb, advertising media analyst at the Altimeter Group.</p>
<p>In advertising, knowing more about consumers&#8217; preferences is key. &#8220;More data means better targeting, which means more revenue,&#8221; says Marissa Gluck, managing partner of the media consulting firm Radar Research.</p>
<p>To meet rising expectations, Facebook must increase its annual revenue, now estimated at about $4 billion, by double-digit percentage points for years to come, Gluck says. The company is striving to keep its options open to do this. In doing so, it is bumping into pressure from critics who are concerned that leaving online privacy standards entirely in the hands of corporations might not be the best idea.</p>
<p><strong>Ground rules needed</strong></p>
<p>Companies are incorporating tracking data into new business models &#8220;without necessarily appreciating the long-term and collective consequences,&#8221; says Craig Spiezle, executive director of the non-profit Online Trust Alliance.</p>
<p>Last week, consumer reporter Ric Romero of station KABC in Los Angeles showed how insurance companies monitor Facebook and Twitter, looking for reasons to raise premiums and deny claims. Previously, ABC News reporter Lyneka Little reported on how employers use Facebook information as part of the recruitment process.</p>
<p>Meanwhile, researchers at AT&amp;T Labs and Worcester Polytechnic Institute have documented how tracking data culled from Internet searches and surfing can be meshed with personal information that Internet users disclose at websites for shopping, travel, health or jobs. Personal disclosures made on social networks, along with preference data gathered by new apps for smartphones and tablet PCs, are being tossed into this mix, too.</p>
<p>Privacy advocates worry that before long, corporations, government agencies and political parties could routinely purchase tracking data from data aggregators.</p>
<div id="attachment_11476" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11476" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/peter-eckersley90px/"><img class="size-full wp-image-11476" title="Peter Eckersley90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Peter-Eckersley90px.jpg" alt="" width="90" height="144" /></a><p class="wp-caption-text">Eckersley</p></div>
<p>&#8220;Tracking data can be used to figure out your political bent, religious beliefs, sexuality preferences, health issues or the fact that you&#8217;re looking for a new job,&#8221; says Peter Eckersley, technology projects director at the Electronic Frontier Foundation. &#8220;There are all sorts of ways to form wrong judgments about people.&#8221;</p>
<p>So far, it does not appear that this sort of data correlation is being done, at least not on a wide scale. But in the absence of ground rules, technologists, regulators and privacy advocates worry that companies involved in collecting tracking data could succumb to the temptation to cash in.</p>
<p>Says Michael Fertik, founder and CEO of Reputation.com: &#8220;We can only imagine that an advertising company with a richer trove of data will sell more and more of that data.&#8221;</p>
<p><strong>Facebook&#8217;s trove of data</strong></p>
<p>Facebook for the first time revealed details of how it compiles its trove of tracking data in a series of phone and e-mail interviews conducted by USA TODAY with Bejar, Noyes and Schnitt, as well as engineering manager Gregg Stefancik and corporate spokeswoman Jaime Schopflin. Here&#8217;s what they disclosed:</p>
<p>• The company compiles tracking data in different ways for members who have signed in and are using their accounts, for members who are logged-off and for non-members. The tracking process begins when you initially visit a facebook.com page. If you choose to sign up for a new account, Facebook inserts two different types of tracking cookies in your browser, a &#8220;session cookie&#8221; and a &#8220;browser cookie.&#8221; If you choose not to become a member, and move on, you only get the browser cookie.</p>
<p>• From this point on, each time you visit a third-party webpage that has a Facebook Like button, or other Facebook plug-in, the plug-in works in conjunction with the cookie to alert Facebook of the date, time and web address of the webpage you&#8217;ve clicked to. The unique characteristics of your PC and browser, such as your IP address, screen resolution, operating system and browser version, are also recorded.</p>
<p>• Facebook thus compiles a running log of all your webpage visits for 90 days, continually deleting entries for the oldest day and adding the newest to this log.</p>
<p>If you are logged-on to your Facebook account and surfing the Web, your session cookie conducts this logging. The session cookie additionally records your name, e-mail address, friends and all data associated with your profile to Facebook. If you are logged-off, or if you are a non-member, the browser cookie conducts the logging; it additionally reports a unique alphanumeric identifier, but no personal information.</p>
<div id="attachment_11500" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11500" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/arturo-bejar90px/"><img class="size-full wp-image-11500" title="arturo bejar90px" src="http://lastwatchdog.com/wp/wp-content/uploads/arturo-bejar90px.jpg" alt="" width="90" height="127" /></a><p class="wp-caption-text">Bejar</p></div>
<p>Bejar acknowledged that Facebook could learn where specific members go on the Web when they are logged off by matching the unique PC and browser characteristics logged by both the session cookie and the browser cookie.</p>
<p>He emphasized that Facebook makes it a point not to do this. &#8220;We&#8217;ve said that we don&#8217;t do it, and we couldn&#8217;t do it without some form of consent and disclosure,&#8221; Bejar says.</p>
<p>Bejar also acknowledged &#8220;technical similarities&#8221; in the cookie-based tracking technologies used by Facebook and the wider online advertising industry. &#8220;But we&#8217;re not like ad networks at all in our stewardship of the data, in the way we use it, and the way we lay everything out,&#8221; Bejar says. &#8220;We have a very clear and transparent approach to how we do advertising that I&#8217;m very proud of.&#8221;</p>
<p>Even so, Facebook&#8217;s public descriptions of its tracking systems have not satisfied some critics — particularly European privacy regulators. Ilse Aigner, Germany&#8217;s minister of consumer protection, last month banned Facebook plug-ins from government websites and advised private companies to do the same.</p>
<p>And Thilo Weichert, data protection commissioner in the German state of Schleswig-Holstein, expressed alarm at how Facebook&#8217;s technology could potentially be used to build extensive profiles of individual Web users.</p>
<p>&#8220;Whoever visits Facebook or uses a plug-in must expect that he or she will be tracked by the company for two years,&#8221; Weichert said in a statement. &#8220;Such profiling infringes German and European data protection law.&#8221;</p>
<p>Adding fuel to such concerns, Arnold Roosendaal, a doctoral candidate at Tilburg University in the Netherlands, and Nik Cubrilovic, an independent Australian researcher, separately documented how Web pages containing Facebook plug-ins carried out tracking more extensive than Facebook publicly admitted to.</p>
<p>Noyes says Germany doesn&#8217;t understand how the company&#8217;s tracking technologies work. And he blames &#8220;software bugs&#8221; for the indiscriminate tracking discovered by Roosendaal and Cubrilovic.</p>
<p>&#8220;When we were made aware that certain cookies were sending more information to us than we had intended, we fixed our cookie management system,&#8221; Noyes says.</p>
<div id="attachment_11477" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11477" href="http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/arnold-roosendaal90px/"><img class="size-full wp-image-11477" title="Arnold Roosendaal90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Arnold-Roosendaal90px.gif" alt="" width="90" height="125" /></a><p class="wp-caption-text">Roosendaal</p></div>
<p>However, researcher Roosendaal says Facebook&#8217;s tracking cookies retain the capacity to extensively track non-members and logged-off members alike. &#8220;They have been confronted with the same issue now several times and every time they call it a bug. That&#8217;s not really contributing to earning trust.&#8221;</p>
<p>Some corporate security executives have become concerned about cybercriminals getting hold of tracking data relayed by Like buttons, then using that intelligence to steal intellectual property. They&#8217;ve asked firewall supplier Palo Alto Networks to identify and block traffic from Facebook tracking cookies, while enabling their employees to continue using other Facebook services.</p>
<p>&#8220;The concern is that Facebook has rich personal information, which Google doesn&#8217;t have,&#8221; says Nir Zuk, founder and chief technology officer for Palo Alto Networks. &#8220;Combining that personal information with Web browsing patterns could be revelatory.&#8221;</p>
<p>&#8211;By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/facebook-tracking-logs-webpages-visit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Ten-fold rise in malicious ads bedevils publishers, consumers</title>
		<link>http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/</link>
		<comments>http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 22:44:02 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11389</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 03Nov2011, P1A The online advertising industry is scrambling to quell a long-standing problem that has taken a turn for the worse: the spread of malicious ads on the Internet’s top commercial websites. Several new twists have made so-called malvertisements a fast-rising threat to consumers — and a big headache for [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11390" href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/broken-chain-security150px/"><img class="alignleft size-full wp-image-11390" title="Broken-chain-security150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Broken-chain-security150px.jpg" alt="" width="150" height="131" /></a>By Byron Acohido, USA TODAY, 03Nov2011, <a href="http://www.usatoday.com/tech/news/story/2011-10-31/corrupted-ads/51048084/1">P1A</a></p>
<p>The online advertising industry is scrambling to quell a long-standing problem that has taken a turn for the worse: the spread of malicious ads on the Internet’s top commercial websites.</p>
<p>Several new twists have made so-called malvertisements a <a href="http://www.usatoday.com/tech/news/story/2011-10-31/corrupted-ads/51048084/1">fast-rising threat</a> to consumers — and a big headache for publishers, advertisers and ad networks, say technologists and security researchers.</p>
<p>The spread of infected online ads has spiked tenfold over the past year, according to research disclosed by security intelligence firm RiskIQ at a recent <a href="https://otalliance.org/events/2011_Forum/2011Forum.html">Online Trust Alliance conference</a> in Washington, D.C.</p>
<p>RiskIQ documented a peak of 14,694 occurrences of malvertisements in May of this year, up from 1,533 in May 2010. Each corrupted ad could have infected the PCs of thousands or millions of website visitors, based on how long the ad ran, says Elias Manousos, CEO of RiskIQ.</p>
<div id="attachment_11391" class="wp-caption alignleft" style="width: 160px"><a rel="attachment wp-att-11391" href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/elias-manousos150px/"><img class="size-full wp-image-11391" title="Elias Manousos150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Elias-Manousos150px.jpg" alt="" width="150" height="150" /></a><p class="wp-caption-text">Manousos</p></div>
<p>“In 2011 we observed malvertisements on major sites such as weather.com, foxsports.com, monster.com and usnews.com, just to name a few,” Manousos says.  &#8220;In the case of the usnews.com incident the malvertisement utilized a cyber crime tool called the <a href="http://threatpost.com/en_us/blogs/black-hole-exploit-kit-available-free-052311">Blackhole Exploit Kit</a>. This tool is sold or rented by the author,  lowering the barrier of entry for the malvertiser.&#8221;</p>
<p>Indeed, organized crime gangs have streamlined the process of sneaking viral ads into the distribution system run by advertising networks, causing billions of tainted ad impressions to appear on the top 500 websites over the past 12 months, say technologists and security researchers.</p>
<p>“Malvertisements are a popular and extremely effective mechanism that take advantage of weaknesses within Web browsers,” says Vincent Liu, managing partner of security consultancy Stach &amp; Liu. “The average home computer user faces a high risk of being attacked by malvertisements.”</p>
<p><strong>Thriving ecosystem</strong></p>
<p>Website security firm Armorize recently discovered criminals selling tutorials, tool kits and ad placement services to anyone who wants to get into the malvertising game. “There is a whole ecosystem designed to do this,” says Matt Huang, Armorize’s chief operating officer. “It’s all automated and all on the Internet.”</p>
<p>A recent rash of infections has been triggering bogus security warnings, followed by an offer for fake antivirus protection.</p>
<p><a rel="attachment wp-att-11392" href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/speedtest-logo/"><img class="alignleft size-full wp-image-11392" title="speedtest logo" src="http://lastwatchdog.com/wp/wp-content/uploads/speedtest-logo.jpg" alt="" width="108" height="54" /></a>Last month,  SpeedTest.net, a popular site that measures home broadband connection speeds, began displaying legit ads carrying instructions to load pitches for Security Sphere 2012. Simply navigating to the site launched the promos, which locked up the visitor’s PC until he or she purchased worthless “protection” for $35.</p>
<p>Doug Suttles, chief operating officer of Web diagnostics firm Ookla, SpeedTest’s parent, says his engineers spotted the attack and cleaned it up within three hours. The criminals, in this case, pioneered a novel technique. They corrupted legit advertisements as they arrived in the ad-handling program, called OpenX, used by the SpeedTest site.</p>
<p>“Most websites aren’t as on top of this as we are,” says Suttles. “We were surprised someone got in. We quickly stripped it out and locked things down.”</p>
<p><strong>Insidious infections</strong></p>
<p>However, tens of thousands of other websites that use the free OpenX ad-handling platform are wide open to this new type of attack, says Armorize’s Huang.</p>
<p>Two of the most insidious attacks involve pitches for Security Sphere 2012 and HDD_Plus. Each locks out use of any other application, while also disabling antivirus and the Windows system restore tool. If you reboot, the promo persists. The easiest course, by design, is to pay $35 to regain full control.</p>
<p>And many victims pay up. A vivid proof point: $163 million banked by the Innovative Marketing ring of scammers who spread promos for SystemDefender. They were <a href="http://lastwatchdog.com/scareware-plague-continues-163-million-bust/">busted by the FBI</a> last year.</p>
<p>In another recent twist, consumers bedeviled by bogus anti-virus pitches have started bad-mouthing websites they believe triggered the bogus promos. Armorize has documented numerous consumer complaints that have gone viral on Twitter and other social networks, causing a drop in visits to the sites in question.</p>
<p>“Publishers are seeing their traffic and transactions drop in real time,” says Huang. “They are seeing an immediate financial impact from warnings appearing all over Twitter not to visit their site.”</p>
<p><a rel="attachment wp-att-11401" href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/malvertising425px/"><img class="alignleft size-full wp-image-11401" title="malvertising425px" src="http://lastwatchdog.com/wp/wp-content/uploads/malvertising425px.jpg" alt="" width="425" height="363" /></a></p>
<p>Some ad networks have begun participating in a working group discussing “information-sharing about malvertisers and their ads,” says Steve Sullivan, the Interactive Advertising Board’s vice president of digital supply chain solutions.</p>
<p>The Online Publishers Association, the industry group of major website publishers, has yet to closely examine malvertising. “Obviously, stuff like this is disconcerting to the industry,” says Pam Horan, OPA’s president. “We haven’t done any research in this area, and I haven’t specifically heard anything from the members about this.”</p>
<p><strong>Validation conundrum</strong></p>
<p>Even so, validating ads has become a major conundrum. Web publishers trust the ad networks to continually rotate ads to their Web pages. Meanwhile, the big ad networks, such as Google, Adobe, Microsoft and Yahoo, use automation to pull ads into rotation from a series of smaller networks and agencies.</p>
<p>“The process isn’t flawless, and thus malvertisements end up running in the wild,” says Manousos. “I think awareness is growing and more players in the ad supply chain are committed to working on reducing the number of malvertisements that reach the public.”</p>
<p>Malvertisements are also used to spread stealthy infections that quietly take full control of the victim’s PC, which is then used to steal data, probe deeper into corporate networks and pilfer from online financial accounts.</p>
<p>Consumers can protect themselves by making sure anti-virus programs and all updates for their Web browsers and popular applications, especially Adobe Flash and Adobe PDF, are current. Consumers who want to protect themselves further can use browser plug-ins, such as NoScript and AdBlock, that block all online ads.</p>
<p>Liu, of consultancy Stach &amp; Liu, says a few advertising companies are using scanning and detection mechanisms.</p>
<div id="attachment_11405" class="wp-caption alignleft" style="width: 117px"><a rel="attachment wp-att-11405" href="http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/vincent-liu/"><img class="size-full wp-image-11405" title="Vincent Liu" src="http://lastwatchdog.com/wp/wp-content/uploads/Vincent-Liu.jpg" alt="" width="107" height="125" /></a><p class="wp-caption-text">Liu</p></div>
<p>&#8220;But the detection of these malvertisements requires being able to access the content, and in many cases, these companies never even touch the ads,&#8221; Liu says. &#8220;Instead they pass along the advertisement link to the website, which then passes it along to the user, who ultimately loads the infected content.</p>
<p>&#8220;The sheer volume of advertisements served makes it costly and somewhat infeasible to scan all of the advertisements being served,&#8221; Liu continues. &#8220;Furthermore, the detection capabilities used today are inadequate for detecting all variations of attacks.  The attackers have a significant advantage over the advertising companies and that gap is unlikely to close anytime soon.&#8221;</p>
<p>Craig Spiezle, the Online Trust Alliance’s executive director, says publishers, advertisers and the ad networks realize what’s at stake.</p>
<p>“The good news is that there is growing interest of some of the key  stakeholders — including Yahoo, Microsoft and Google — on the need to  employ countermeasures,” says Spiezle. “It’s clear that validating the  ads everyone depends on is a shared responsibility. If consumers don’t  trust ads, they may not go to the site, or they’ll start running ad  blockers, and that will compromise everyone’s ability to monetize.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/ten-fold-rise-malicious-ads-bedevils-publishers-consumers/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Symantec&#8217;s new tool helps publishers spot &#8216;malvertisements&#8217;</title>
		<link>http://lastwatchdog.com/symantecs-tool-helps-publishers-spot-malvertisements/</link>
		<comments>http://lastwatchdog.com/symantecs-tool-helps-publishers-spot-malvertisements/#comments</comments>
		<pubDate>Wed, 02 Nov 2011 20:40:02 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11362</guid>
		<description><![CDATA[Web site publishers finally have a new tool they can use to prevent criminals from sneaking malicious ads onto commercial webpages. Antivirus giant Symantec has partnered with web app security firm Armorize to offer a cloud-based URL scanning service tuned to spot and thus help to block so-called malvertisements. Symantec and Armorize unveiled the new [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11364" href="http://lastwatchdog.com/symantecs-tool-helps-publishers-spot-malvertisements/hddplus_175px/"><img class="alignleft size-full wp-image-11364" title="HDDPlus_175px" src="http://lastwatchdog.com/wp/wp-content/uploads/HDDPlus_175px.jpg" alt="" width="175" height="147" /></a> Web site publishers  finally have a new tool they can use to prevent criminals from sneaking malicious ads onto commercial webpages.</p>
<p>Antivirus giant Symantec has partnered with web app security firm  Armorize to offer a cloud-based URL scanning service tuned to spot and thus help to block so-called malvertisements.</p>
<p>Symantec and Armorize unveiled the new service, called <a href="http://advantage.symantec.com/">AdVantage</a>, at the Online Trust Alliance&#8217;s <a href="https://otalliance.org/events/2011_Forum/2011Forum.html"><em>&#8220;Realizing the Promise of Trust&#8221;</em></a> forum last month in Washington D.C.</p>
<p>Malvertisements began to gain wide attention in June 2009 after a <a href="http://www.pcworld.com/businesscenter/article/198445/mass_web_attack_hits_wall_street_journal_jerusalem_post.html">wave hit</a> the <em>Jerusalem Post</em> and <em>Wall Street Journal</em> websites, followed by another wave of bad ads sneaking onto the <em>New York Times</em>, <em>San Francisco Chronicle</em> and <em>Fox News</em> sites in September 2009, prompting the Gray Lady to run <a href="http://www.nytimes.com/2009/09/15/technology/internet/15adco.html">this front page story</a> about the attack.</p>
<p>More waves have followed. In basic attacks, criminals find ways to insert corrupted ads into the rotation of legit ads automatically circulating from myriad ad networks and ad exchanges upstream to major ad networks, such as those run by Google, Adobe and Microsoft. The big ad networks then rotate ads onto high-traffic web sites.</p>
<div id="attachment_11418" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11418" href="http://lastwatchdog.com/symantecs-tool-helps-publishers-spot-malvertisements/wayne_huang_90px1/"><img class="size-full wp-image-11418" title="wayne_huang_90px1" src="http://lastwatchdog.com/wp/wp-content/uploads/wayne_huang_90px1.jpg" alt="" width="90" height="125" /></a><p class="wp-caption-text">Huang</p></div>
<p>Armorize co-founder and CEO Wayne Huang, who works from a lab in Taipei, recently discovered an even more insidious type of  attack &#8212; one that sneaks ads directly onto  each targeted  Web site, by exploiting security flaws in OpenX, the popular open source ad handling program used by tens of thousands of sites.</p>
<p>In this video, Huang outlines how the attackers corrupted all ads on SpeedTest.net for about three hours. (Technicians at Ookla, SpeedTest&#8217;s parent company, luckily spotted the attack and cleaned it up quickly.)</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="430" height="242" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/fVcZ8ZeVaZo?version=3&amp;hl=en_US" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="430" height="242" src="http://www.youtube.com/v/fVcZ8ZeVaZo?version=3&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
<p>Because the attacks are stealthily deployed at different layers, many publishers lack awareness of what&#8217;s going on and what to do. However, the ad networks, ad exchanges and analytics companies that comprise the online ad supply chain are starting to pay closer attention, says Craig Spiezle, executive director of the Online Trust Alliance.</p>
<div id="attachment_11363" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11363" href="http://lastwatchdog.com/symantecs-tool-helps-publishers-spot-malvertisements/keeper-3/"><img class="size-full wp-image-11363" title="keeper" src="http://lastwatchdog.com/wp/wp-content/uploads/Craig_Spiezle_90px2.jpg" alt="" width="90" height="130" /></a><p class="wp-caption-text">Spiezle</p></div>
<p>&#8220;For the past 18 months, OTA and its members have been working to address the mounting threats to the advertising supply chain and ecosystem,&#8221; Spiezle says. &#8220;In Sept 2010, we published <a href="https://otalliance.org/resources/malvertising.html">voluntary guidelines</a> as a first step to help counter both the operational and technical issues. At our recent forum, we had a full-day anti-malvertising summit bringing together leaders from around the world to share best practices to help address this threat.&#8221;</p>
<p>Website publishers, meanwhile, don&#8217;t have to wait for the infrastructure players to tighten down the system. Symantec&#8217;s AdVantage service will scan, detect and report all instances of malvertising detected on a Web page.</p>
<p>The scanner analyzes ad tags as they rotate onto the website in near real time. Performance is minimally impacted and there is nothing for the customer to do beyond providing URLs for scanning and protection, Matt Huang, co-founder and COO of Armorize, told eWEEK.</p>
<p>When a bad ad is detected, the service alerts the publisher, who is then responsible for removing it from the site. Over time, publishers should gain intelligence about the quality of ads arriving from specific ad networks.</p>
<p>&#8220;Malvertising poses a serious risk to online publishers and their customers, reputation and revenue,&#8221; says  Fran Rosch, Symantec Vice President, Identity and Authentication. &#8220;Highly publicized malvertising infections can damage the reputation of even the most trusted online sites.&#8221;</p>
<p>&#8211;By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/symantecs-tool-helps-publishers-spot-malvertisements/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why you may soon need to carry two smartphones</title>
		<link>http://lastwatchdog.com/smartphones/</link>
		<comments>http://lastwatchdog.com/smartphones/#comments</comments>
		<pubDate>Mon, 10 Oct 2011 20:18:49 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Steps forward]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11333</guid>
		<description><![CDATA[Eugene Kaspersky, co-founder and CEO of Moscow, Russia-based Kaspersky Lab, has made Kaspersky antivirus software a well-regarded product in Russia, Europe and North America. Kaspersky believes, as do several other technologists, that some day in the not too distant future many employees will routinely carry and make use of two sets of computing devices &#8212; [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11334" href="http://lastwatchdog.com/smartphones/eugene-kaspersky_150px/"><img class="alignleft size-full wp-image-11334" title="Eugene Kaspersky_150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Eugene-Kaspersky_150px.jpg" alt="" width="150" height="141" /></a><em>Eugene Kaspersky, co-founder and CEO of Moscow, Russia-based Kaspersky Lab, has made Kaspersky antivirus software a well-regarded product in Russia, Europe and North America. Kaspersky believes, as do several other technologists, that some day in the not too distant future many employees will routinely carry and make use of two sets of computing devices &#8212; one for company use, the other for personal use. He explains why in this LastWatchdog interview.</em></p>
<p><strong> LW:</strong> Cyberattacks, especially so-called <a href="http://www.usatoday.com/tech/news/2011-03-31-hacking-attacks-on-corporations.htm">advanced persistent threats</a> that drill deep into corporate systems, continue to accelerate. How come?</p>
<p><strong> Kaspersky: </strong>Unfortunately for enterprises, the bad guys behind <a href="http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?_r=1&amp;pagewanted=all">Stuxnet</a> and <a href="http://www.usatoday.com/tech/news/story/2011-09-27/webpage-hackers/50575024/1">DigiNotar</a> and other such cyberattacks are extremely professional. They devote time and resources to what they&#8217;re doing, making them extremely difficult to stop.</p>
<p><strong> LW:</strong> What should the good guys be doing?</p>
<p><strong> Kaspersky:</strong> Enterprise networks need to be redesigned to where the digital certificate is just one layer. They need much more strict rules about who can get access to internal systems and they need to consider switching off access to certain assets.</p>
<p><strong> LW:</strong> Security vendors have been preaching these same best practices for years. What&#8217;s different today?</p>
<p><strong> Kaspersky:</strong> Today there are so many more attacks than even just two years ago. Companies are getting compromised everywhere, in the United States, Europe and Japan. Thousands of corporations have been attacked in Russia, so now Russia has finally joined the club of victims.</p>
<p><strong> LW: </strong>So what&#8217;s next?</p>
<p><strong> Kaspersky:</strong> We are now in a much bigger arms race. Enterprises will pay more attention to security and have stricter rules for security systems. The bad guys won&#8217;t stop. They&#8217;ll invest more into new attack technologies. It&#8217;s a new level of the arms race.</p>
<p><strong>LW: </strong>What does this mean for employees who bring their personal touch tablets and smartphones to work, and spend time during the workday on Facebook and other social networks?</p>
<p><strong> Kaspersky:</strong> I&#8217;m afraid there&#8217;s going to be no more freedom for social network use in certain kinds of strict work environments. Instant messaging and e-mail for personal use need to be limited. Employees will have a front line computer, with full access, but any personal-use devices must be disconnected from the corporate environment.</p>
<p><strong>LW: </strong>Doesn&#8217;t that scenario run counter to the rising popularity of cool mobile devices and our increasing reliance on Web apps and cloud services?</p>
<p><strong> Kaspersky:</strong> Yes, it is a big step. But for critical environments, very, very strict rules are needed. It is the only way to fight effectively with the bad guys. Enterprises don&#8217;t need to be paranoid. But they must pay attention to security and understand the different scenarios of how the bad guys can get in. They need to understand how much damage can be caused. Risk management must be much more strict.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/smartphones/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stolen digital certificates exacerbate erosion of trust</title>
		<link>http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/</link>
		<comments>http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 14:13:14 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11269</guid>
		<description><![CDATA[Cybercriminals are not just forging digital certificates, the keys to what you can trust on the Internet. They are also stealing valid digital certificates issued to legit companies and using them to do bad things on the Web. Hackers this summer have pioneered ways to forge the digital certificates intended to assure the authenticity of [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11270" href="http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/ssl_logo150px/"><img class="alignleft size-full wp-image-11270" title="ssl_logo150px" src="http://lastwatchdog.com/wp/wp-content/uploads/ssl_logo150px.jpg" alt="" width="150" height="150" /></a>Cybercriminals are not just forging digital certificates, the keys to what you can trust on the Internet. They are also<em> stealing </em>valid digital certificates issued to legit companies and using them to do bad things on the Web.</p>
<p>Hackers this summer have pioneered ways to forge the digital certificates intended to assure the authenticity of Web pages where you type sensitive data into forms, as highlighted by the recent <a href="http://lastwatchdog.com/trust-internet-wavers-diginotar-comodo-hacked/">bankruptcy declaration </a>of Dutch certificate authority DigiNotar.</p>
<p>It turns out that the bad guys have also begun to <em>steal</em> copies of validly-issued certificates that companies use to authenticate, not just Web pages, but also software applications and documents, such as PDFs. Cybercrooks have begun to use stolen certificates to help disguise malicious applications they&#8217;re constantly trying to install on your Internet-connected computing device, according to antivirus firm ESET.</p>
<p><strong>Qbot caper</strong></p>
<p>In <a href="http://blog.eset.com/2011/09/27/towering-qbot-certificates">one cutting-edge caper</a>, ESET researcher Robert Lipovsky found someone making criminal use of a digital certificate stolen from global consulting firm Towers Watson.</p>
<p><a rel="attachment wp-att-11271" href="http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/towers-watson-ssl425px/"><img class="alignleft size-full wp-image-11271" title="Towers Watson SSL425px" src="http://lastwatchdog.com/wp/wp-content/uploads/Towers-Watson-SSL425px.jpg" alt="" width="425" height="528" /></a>Lipovsky discovered the perpetrator using Towers Watson&#8217;s digital signature to disguise copies of the Qbot Trojan, a nasty piece of malicious software that turns over control of an infected PC to the attacker.</p>
<p>&#8220;Towers Watson just learned of this potential issue,&#8221; company spokesman Mike McNamara said late Wednesday. &#8220;Our security team is now looking into it to verify whether or not there is an integrity issue with our certificate.&#8221;</p>
<p><strong>Revoked certificates a pain</strong></p>
<p>ESET security evangelist Stephen Cobb says Towers Watson &#8212; or any entity whose stolen digital certificate gets put into play by criminals &#8212; will eventually have to scramble to keep its Web pages, software apps and documents from being stymied. &#8220;It&#8217;s a huge pain if you have a certificate stolen because then it could get revoked,&#8221; says Cobb.</p>
<div id="attachment_11277" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11277" href="http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/aryeh-goretsky_90px-2/"><img class="size-full wp-image-11277" title="Aryeh Goretsky_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Aryeh-Goretsky_90px1.jpg" alt="" width="90" height="124" /></a><p class="wp-caption-text">Goretsky</p></div>
<p>ESET has recently documented similar attacks built around use of stolen digital signatures to help disguise copies of the infamous ZeuS Trojan. It&#8217;s nearly impossible for researchers to trace how certificates get stolen. One plausible scenario is that they are getting pilfered from the hard drives of the millions of infected PCs, or bots, in control of the cyberunderground, says Aryeh Goretsky, a distinguished researcher at ESET. Any simple data harvesting program activated on a botted PC would do the trick.</p>
<p>&#8220;It seems likely a bot somewhere got lucky and managed to harvest a digital code-signing certificate, which was then used or sold,&#8221; says Goretsky. &#8220;There are all sorts of files on computers which can be valuable to criminal hackers. Really, any kind of file or data which has some value as a trust mechanism has value to an attacker.&#8221;</p>
<p><strong>Future-proofing attacks</strong></p>
<p>It has become relatively easy for top crime groups to circumvent antivirus filters and other defense mechanisms while systematically infecting PCs. So Goretsky theorizes that the group behind the stolen-certificates attacks may be conducting research; in other words, the clever rats plotting to stay several steps ahead of the cat.</p>
<p>The bad guys could be anticipating security features in the next generation of operating systems that will require more pervasive reliance on digital certificates, says Goretsky.</p>
<p>&#8220;They may be future-proofing, testing new attacks to see if they get a better response rate,&#8221; Goretsky says. &#8220;These aren&#8217;t stupid people. They&#8217;ll try all sorts of ways to optimize what they&#8217;re doing and to stay in a position to keep pushing out their malware.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/stolen-digital-certificates-exacerbate-erosion-trust/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Lessons learned from LulzSec&#8217;s 50-day hacking spree</title>
		<link>http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/</link>
		<comments>http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/#comments</comments>
		<pubDate>Tue, 28 Jun 2011 18:00:46 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[For technologists]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=10675</guid>
		<description><![CDATA[By Byron Acohido, 28June2011 The direct and indirect ramifications of LulzSec&#8217;s unprecedented hacktivist rampage will take some time to fully play out. However, it seems clear that consumers, corporations and governments will likely experience troublesome collateral damage for some time to come. The Australian government, for instance, is advising citizens to change and vary their [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-10676" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/lulzsec_cheers225px/"><img class="alignleft size-full wp-image-10676" title="Lulzsec_cheers225px" src="http://lastwatchdog.com/wp/wp-content/uploads/Lulzsec_cheers225px.jpg" alt="" width="225" height="133" /></a>By Byron Acohido, 28June2011</p>
<p>The direct and indirect ramifications of LulzSec&#8217;s unprecedented hacktivist rampage will take some time to fully play out.</p>
<p>However, it seems clear that consumers, corporations and governments will likely experience troublesome collateral damage for some time to come.</p>
<p>The Australian government, for instance, is <a href="http://www.theage.com.au/technology/security/hacked-logins-used-to-buy-condoms-and-hijack-paypal-facebook-accounts-20110617-1g7k6.html">advising citizens</a> to change and vary their Facebook, PayPal, <a href="http://www.joystiq.com/2011/06/17/report-lulzsec-hacking-group-releases-xbox-live-facebook-login/">Xbox Live</a> and other online account logins because scammers have begun using some of the 62,000 stolen social network and webmail logins <a href="http://www.zdnet.com/blog/btl/lulzsec-leaks-62000-emails-and-passwords-also-targets-cia/50831">made public</a> by LulzSec on 16June2011.</p>
<p>It&#8217;s noteworthy that downloads of that batch of logins reportedly numbered <a href="http://twitter.com/#!/LulzSec/statuses/81328599738748928">2,100 in the first 4 minutes</a> after release. It&#8217;s likely that active and wannabe cyber scammers did some, if not most, of the downloading.</p>
<div id="attachment_10693" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-10693" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/alexey_raevsky_90/"><img class="size-full wp-image-10693" title="Alexey_Raevsky_90" src="http://lastwatchdog.com/wp/wp-content/uploads/Alexey_Raevsky_90.jpg" alt="" width="90" height="122" /></a><p class="wp-caption-text">Raevsky</p></div>
<p>That&#8217;s a small example of potential escalating chaos; LulzSec grabbed sensitive data from <a href="http://bits.blogs.nytimes.com/2011/06/28/hacker-group-releases-government-files/">Anguilla, Brazil, Zimbabwe</a>, <a href="http://www.theregister.co.uk/2011/06/17/lulzsec_release_aus_data/">Australia</a>, <a href="http://www.usatoday.com/tech/news/2011-06-24-arizona-state-police-hacked_n.htm">Arizona</a>, <a href="http://lastwatchdog.com/lulzsec-anonymous-declare-hacktivist-war-corporations/">Sony, PBS, Fox</a>, Nintendo, InfraGard, <a href="http://www.zdnet.com/blog/igeneration/lulzsec-disbands-final-cache-includes-at-t-internal-data-and-750000-user-accounts/11134">AT&amp;T, IBM, Disney</a> and others. While a precise accounting is difficult, one can presume that some, if not most, of any data pilfered by LulzSec from those organizations has been leaked publicly, or soon will be.</p>
<p>LulzSec at one point dumped a file containing <a href="http://www.thinq.co.uk/2011/6/27/last-lulzsec-dump-disappears-pirate-bay/">750,000 logins</a> and passwords stolen from a variety of sources on The Pirate Bay. &#8220;Lost in the media frenzy and the self-promotional aspects of LulzSec is the fact that innocent individuals are being affected,&#8221; says Alexey Raevsky, CEO of data security firm Zecurion.</p>
<p>On Saturday, 24June2011, the group unexpectedly announced it was <a href="http://www.usatoday.com/tech/news/2011-06-26-lulzsec-disbands_N.htm">disbanding</a>. The next day, a member of the group told the Associated Press that the group didn&#8217;t dissolve under pressure from law enforcement, but because &#8220;we&#8217;re getting bored of us.&#8221; The hacker declined to be identified, but he verified his membership by posting a pre-arranged message to the group&#8217;s Twitter feed.</p>
<p><strong>New breed of hacktivists</strong></p>
<p>Disrupting corporate and government web sites primarily to make a political statement has occurred since the early 1990s. But LulzSec has pushed hacktivism to another level.</p>
<p>On 21June2011, British authorities arrested a 19-year-old Essex man, <a href="http://www.ibtimes.com/articles/167459/20110622/who-is-lulzsec-hacker-ryan-cleary-cia-senate-us-uk.htm">Ryan Cleary</a>, for allegedly operating a server used for private communications between LulzSec&#8217;s leaders. Instead of lying low, LulzSec — a play on Laugh-out-loud Security — announced shortly afterward that it had hacked the Brazilian federal government&#8217;s website, as well as energy giant Petrobras&#8217; site.</p>
<div id="attachment_10698" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-10698" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/amichai-shulman_crop-2/"><img class="size-full wp-image-10698" title="Amichai Shulman_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/Amichai-Shulman_crop.jpg" alt="" width="90" height="128" /></a><p class="wp-caption-text">Shulman</p></div>
<p>&#8220;Imagine a group of people running around a city breaking windows,&#8221; says Amichai Shulman, chief technical officer at tech security firm Imperva. &#8220;LulzSec has crossed a line because of the intensity and high profile of its activities.&#8221;</p>
<p>Traditionally, hacktivists will overwhelm a targeted web site with nuisance requests, temporarily cutting off access to the site. Sometimes they will deface the site&#8217;s home page.</p>
<p>But LulzSec appeared to be driven by complex motives, not the least of which was the sheer pleasure of destroying things, security experts say. LulzSec bored into databases to steal e-mail addresses and passwords, account logins and other data. It then indiscriminately posted the information. Since bursting onto the Internet in May, the group has:</p>
<ul>
<li>Released source code for Sony&#8217;s developer network and a network map of Sony BMG.</li>
<li>Stolen large volumes of e-mail from Sony Pictures&#8217; websites in France, Russia and Portugal, and Sony Ericsson Canada.</li>
<li>Posted administrative e-mails and passwords for 55 porn sites.</li>
<li>Posted names, passwords and e-mail addresses for 180 members of InfraGard, an FBI-affiliated organization that works to prevent hostile acts against the U.S.</li>
</ul>
<p>&#8220;Personally, I think they (LulzSec) are going into the garbage can of history,&#8221; says  Shulman. &#8220;They were extremely unfocused in their goal and gained attention mainly due to the relative intensity of their activity and lack of other good media topics.&#8221;</p>
<p><a rel="attachment wp-att-10677" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/lulz-boat_sony150px-2/"><img class="alignleft size-full wp-image-10677" title="Lulz boat_sony150px" src="http://lastwatchdog.com/wp/wp-content/uploads/Lulz-boat_sony150px1.jpg" alt="" width="150" height="156" /></a>LulzSec — which splintered from the more serious-minded hacktivist group Anonymous — heralded its escapades via Twitter announcements and press releases posted on its website, lulzsecurity.com. It also maintained two phone lines to take hacking requests.</p>
<p>Beyond the direct damage it inflicted, LulzSec inspired copycats and pointed the way for profit-minded cybercriminals to sweep in and steal even more data from targeted organizations, says Chet Wisniewski, senior security advisor at antivirus firm Sophos.</p>
<p>One copycat is a 19-year-old Lebanese hacker going by the nickname &#8220;Idahc,&#8221; who has disrupted and stolen data from Sony websites in Portugal, Canada and elsewhere. Idahc told Forbes reporter Andy Greenberg that his vigilante activities were aimed at pushing &#8220;Sony to pay more attention on their security and to show everyone that IT security is fundamental.&#8221;</p>
<p>&#8220;Hacktivists foster the flow of stolen data into the public Internet,&#8221; says Wisniewski. &#8220;The collateral damage is very concerning. The type of information they&#8217;re stealing may seem innocuous when, in fact, it can be used to commit serious crimes.&#8221;</p>
<p>The recent arrest of Cleary in connection with LulzSec&#8217;s escapades set in motion potboiler subplots. Rival hacker groups, including The Ninja Team and Team Poison, have expressed envy and denigrated LulzSec members&#8217; hacking skills.</p>
<p>The Ninja Team put up the website lulzsecexposed.blogspot.com at which it claims credit for leading police to Cleary. The site brimmed with details about LulzSec&#8217;s key operatives, including photos, home nations, profiles and even archived logs of chat channel discussions between LulzSec members as they carried out hacks.</p>
<p><strong>More arrests anticipated</strong></p>
<p><a rel="attachment wp-att-10683" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/lulz_denial_275px/"><img class="alignleft size-full wp-image-10683" title="lulz_denial_275px" src="http://lastwatchdog.com/wp/wp-content/uploads/lulz_denial_275px.jpg" alt="" width="275" height="159" /></a>Tal Be&#8217;ery, a senior researcher at Imperva, says the material seems genuine, and appeared to be helping police tighten the dragnet around LulzSec&#8217;s top brass. That includes the group&#8217;s clear leader, nicknamed Sabu, said to be close to 30, intelligent, and resentful of authority figures and successful people.</p>
<p>&#8220;When you&#8217;re running this kind of operation for a long time, especially with not very concrete plans, you&#8217;re bound to make mistakes,&#8221; says Be&#8217;ery. &#8220;I would be very surprised if all the major participants aren&#8217;t arrested fairly soon.&#8221;</p>
<p>Luis Corrons, PandaLabs researcher who has worked with police, agrees that the heated rivalries between hacking groups could factor in. Law enforcement, he says, is &#8220;smart enough to accept any information that can help them to arrest these cybercriminals.&#8221;</p>
<p>Sabu is said to be based in the United Kingdom or Brazil, the site of recent major hacks. Another key LulzSec member, Topiary, is reportedly the least skilled hacker. Topiary is said to be a quick-witted wisecracker who operates LulzSec&#8217;s Twitter account and handles donations and payments for services rendered.</p>
<p><strong>$52 billion spent on security</strong></p>
<p>LulzSec&#8217;s disbanding notwithstanding, big companies and government agencies likely will have to rethink their approach to tech security.</p>
<p>Spending on information technology security already is growing faster than spending on general technology. And corporate and government tech buyers will have to dole out even more to defend against profit-minded cyberthieves and spies looking to swipe state and corporate secrets.</p>
<p>In fact, global spending on security products and services is expected to reach $71 billion by 2014, up from $55 billion today, according to Lawrence Pingree, research director for Gartner.</p>
<p>The recent hacking escapades of LulzSec underscore how hacktivists, motivated by the desire to express an ideology, have shaped a new kind of threat that&#8217;s gaining steam.</p>
<p>&#8220;We&#8217;re seeing loose communities of like-minded people combine their abilities and harness the power of crowds,&#8221; says Jonathan Penn, strategy analyst at Forrester Research. &#8220;This is the dark side of the same kinds of things we&#8217;re seeing support the popular uprising in the Middle East.&#8221;</p>
<p>On Saturday, June 25, 2011, LulzSec cut short cyberattacks that included a burst of hacks following the June 21 arrest of 19-year-old Ryan Cleary from his parents&#8217; home in Essex, England. Cleary has been pegged as the alleged system administrator for one of the servers used for IRC chat conversations by the core members.</p>
<div id="attachment_10707" class="wp-caption alignleft" style="width: 130px"><a rel="attachment wp-att-10707" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/luis_corrons_crop-4/"><img class="size-full wp-image-10707" title="Luis_Corrons_crop" src="http://lastwatchdog.com/wp/wp-content/uploads/Luis_Corrons_crop1.jpg" alt="" width="120" height="76" /></a><p class="wp-caption-text">Corrons</p></div>
<p>&#8220;LulzSec disintegrated because they are afraid,&#8221; says  Corrons, of PandaLabs. &#8220;This case is really important for law enforcement agencies, as they cannot afford to have criminals running free after so much damage has been done.&#8221;</p>
<p>Imperva CTO Shulman says Cleary&#8217;s arrest could point the way to Sabu and other leaders. &#8220;I think they have agitated the law enforcement agencies enough to really go after them,&#8221; says Shulman. &#8220;And they left many footprints so it’s quite plausible they can be tracked down.&#8221;</p>
<p>If captured and convicted, LulzSec members likely will face stiff sentences, says Josh Shaul, chief technology officer of Application Security.</p>
<p>&#8220;The members of Lulz that want to continue hacking will do so,&#8221; says Shaul. &#8220;Some may rejoin Anonymous or other groups participating in the AntiSec campaign. Others may move on to pursue more profitable uses of their skills. We should assume that none of these folks have hacked for the last time.&#8221;</p>
<p>Since members appear to be dispersed around the globe, capture and prosecution are  complex. &#8220;It is difficult to pinpoint a single person or group of individuals who may be responsible,&#8221; says John D&#8217;Arcy, information technology professor at University of Notre Dame.</p>
<p>D&#8217;Arcy anticipates that derivative hacktivist groups &#8220;will continue to proliferate and perhaps form alliances that can be even more threatening to businesses and governments.  The threat is by no means over; what we have seen so far is really the tip of the iceberg because the existing security technologies cannot withstand a determined group of professional hackers.&#8221;</p>
<p><strong>Morally neutral tools</strong></p>
<div id="attachment_10678" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-10678" href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/style-color-tone-warm/"><img class="size-full wp-image-10678" title="Style: &quot;Color tone - warm&quot;" src="http://lastwatchdog.com/wp/wp-content/uploads/Pat-Clawson-crop.jpg" alt="" width="90" height="140" /></a><p class="wp-caption-text">Clawson</p></div>
<p>Whatever happens, LulzSec is expected to help tech security suppliers gain a more sympathetic ear from prospective customers. Penn says LulzSec&#8217;s spree heightens the concerns raised by the celebrated case of U.S. Army Private Bradley Manning, who is being prosecuted for releasing Pentagon and U.S. embassy documents to the anti-secrecy group, Wikileaks.</p>
<p>&#8220;We have long seen the hacker world embrace technologies that are designed for personal or employee productivity,&#8221; says Penn. &#8220;It’s a side effect of the Internet’s power to create political groups that fall outside traditional political boundaries.</p>
<p>&#8220;It seems unavoidable,&#8221; Penn continues. &#8220;Tools are morally neutral and can be exploited for both good and ill.&#8221;</p>
<p>Security companies remind tech buyers that in addition to new hardware and software, they need to be &#8220;educated on the potential repercussions of a data breach,&#8221; says Pat Clawson, CEO of security firm Lumension.</p>
<p>Clawson argues that both industry and government have failed to do enough to understand and address the problem of cyber attacks.</p>
<p>&#8220;Today, the reality and impact of cyber crime needs to be shared with everyone,&#8221; says Clawson. &#8220;While sirens probably don’t need to be installed today, users do need to be educated. Public service announcements, billboards, mobile messaging, and of course a Facebook campaign would be a good place to start. So would the implementation of a school curriculum – starting with the youngest of students.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

