The current state of online ad blockers (plus podcast)

The online advertising world is undergoing a massive transition right now, trying to cope with an increasing technology war between the advertisers and us, the people that view their advertising. It is messy, it is contentious, and no one really knows what is going to happen in the coming months and years.

Recently, Facebook made changes to the way it displays online ads. They say in that linked post, “We’ve all experienced a lot of bad ads: ads that obscure the content we’re trying to read, ads that slow down load times or ads that try to sell us things we have no interest in buying. Bad ads are disruptive and a waste of our time.”

Here is the problem: one person’s “bad” ad is another person’s opportunity to sell you something that maybe you might want. So they have attempted to clarify the issue, and give users more control over their ad experience. So far, it hasn’t been good.

How many of you Facebook users know about this page to control your ad preferences? I don’t see many hands being electronically raised. Take a moment, click on the above link, and spend a few minutes browsing around to see what they have done. You will be surprised.

The page is full of confusing controls and has a really poor user experience. For example, as you can see from the screen shot, I have given my personal information to three different advertisers, two of whom I didn’t recognize. When I deleted those two – because I don’t want to hear from them ever again – they first faded, and only disappeared from view once I returned to the page.

Andrew Bosworth, a VP at Facebook, says, “Some ad blocking companies accept money in exchange for showing ads that they previously blocked — a practice that is at best confusing to people and that reduces the funding needed to support the journalism and other free services that we enjoy on the web.” (my emphasis added)  That is a lofty thought.

But let’s not just blame Facebook. At least they are trying to take control over the situation and make improvements, so that users will click on more relevant ads and they will be able to charge more for them. How about the traditional news generators, like newspapers and other media companies? What are they doing about online ads?

The short answer is that they are selling every square pixel they can and finding new ways to pop-up, pre-roll, roll over, mix sponsored and editorial content, and in general pollute the overall browsing experience of their online properties. Just about every publication that I want to read places some obstacle (and that is what I think about them) in my way when I try to click on an article that I want to read. Their home pages automatically start playing noisy videos that have me using the mute button on my PC as a default setting, just so I can have some peace and quiet when I am reading in the mornings.

I know, they have to make money. Print advertisers are leaving in droves, subscribers are few and far between, and newsrooms are ghost towns.

So a few years ago, technology came to the rescue in the form of browser plug-ins called ad blockers. These detect pop-ups and other intrusive ad formats and keep them from rendering. It is a great idea, and most modern browsers have since incorporated some of their features too.

However, the problem is the blockers worked too well. So Facebook and other major sites who benefit from advertising revenue have decided to block the blockers. Now we have a cat-and-mouse game, where as one side adds new features, the other side figures out a way around them. Malware authors have been doing this for decades.

“More publishers will have to look to more innovative ways to incorporate their commerce with their content.” So says TechCrunch, who ran this story not too long ago. They proposed a sensible argument for how ad blockers can improve the overall experience and at least eliminate the cheesy online ads. But what is happening is that innovation has turned into just using as many ways as possible to put up online ads.

The pre-eminent ad blocking company is Adblock Plus. On their blog, they announced a new version of their software, which is used by hundreds of millions of people. It is called the “Acceptable Ads Platform.” Basically, they get to choose which ads are “good” and which aren’t. They will continue to block the bad ads, but allow the good ones by default. You can change this setting and not allow any ads whatsoever.

The New York Times has said, “instead of blocking bad ads, AdBlock allowed ads it deemed acceptable to be seen, often for a price.” This strikes me as something we used to call “bait and switch.” The Adblock Plus company now wants to be known as a “web customizing” company. This seems a bit naïve, or misleading, or both. It also puts the company in the hot seat to decide what is acceptable and what is not. They claim to be putting together a panel of judges. We’ll see how well that works.

As I said, this is all early days for what will come. While the web has been with us for decades, and online advertising too, it seems we need to work together to figure out how to best serve up ads that won’t block the editorial content that we were trying to view and still allow the publishers and media companies to make money from our interests. So far, it is sub-optimal for nearly everyone involved.

To hear more about this matter, listen to the latest podcast from Paul Gillin and me, where we discuss this issue. Or leave your comments here.

Inside the Jihadist’s Tech Toolkit

A July report entitled Tech For Jihad: Dissecting Jihadists’ Digital Toolbox details and analyzes how 36 specific tools are used by various jihadist groups. The news media has focused on how these groups leverage particular social media accounts, and that use is well documented (that last link also has some solid suggestions on improving your own social media posture). But there is a much wider array of tools in use to spread propaganda, recruit new members, and launch cyberattacks. Indeed, the jihadists rely a great deal on the Internet, and as their digital footprint grows they require the same kinds of security protection that any careful enterprise would employ these days.

Two security researchers from Flashpoint wrote the report: their company is a security vendor that analyzes the dark web and provides other intelligence reports about malicious actors.

At the heart of their toolkit is the Tor browser, which enables anonymous surfing and connecting to the Dark Web for various illegal activities. According to the report, Tor has been in use since May 2007 by the jihadi groups. A year later saw the creation of a custom encryption tool called Asrar Al-Mujahideen. After the Snowden revelations, a new tool was released called Amn Al-Mujahid. A full timeline, from the RecordedFuture blog, can be seen here:

The preferred access method seems to be the Opera browser, because it can connect to a free VPN service, and mostly from Android devices. Speaking of VPNs, the report dates their first use to 2012, and the authors found early posts on dark web forums comparing the various VPN products and their advantages and disadvantages, just as any solid IT researcher would. This included an analysis of what kinds of logs each VPN keeps and how those logs can be erased. The VPN chosen was CyberGhost VPN (there are free and paid versions, and of course payment in bitcoin is accepted).

Another tool mentioned in the report is the HardDiskSerialNumberChanger, which can further obfuscate the originating device identifying information coming from the local hard drive. Another tool is called FakeGPS, which provides a false physical location to various social media clients such as Facebook and Twitter. This enables users to pick some fake location when they post social updates.

Then there are various encrypted email services, including HushMail, ProtonMail, GhostMail and Tutanota, among others. The authors document the use of these products by jihadists beginning in February 2013. This was followed by encrypted chat services, such as WhatsApp and Telegram. Telegram in particular is used to disseminate official statements from jihadi leadership to the general public. Its end-to-end encryption makes messages difficult to read while in transit, which is why the app is becoming more popular among jihadists. (One caveat: Telegram only applies end-to-end encryption to its “secret chats”; ordinary chats and the public channels used for announcements are encrypted between the client and Telegram’s servers, where Telegram itself can read them.) Taken together, what is clear is that jihadists are doing a great deal to carefully hide their locations and digital tracks.

These are just a few of the tools that are employed by these organizations. There are others, including home-grown mobile apps that are used to spread propaganda (including their own podcasts and other media streams) in both English and Arabic to supporters. These media streams have proven so popular that “culture jammers” have released their own apps that purport to be the “real” ISIS podcasts to confuse their audience. Google’s Project Jigsaw has been working along similar lines over the past year to target aspiring ISIS recruits and dissuade them from signing up. Using search advertising, the program places ads alongside common search terms and keywords that link to anti-ISIS English and Arabic YouTube channels. Jigsaw hopes these testimonials can debunk the jihadi narratives, and so far it seems to be working: click-through rates on Jigsaw’s curated videos were three times those of the pro-ISIS links, according to Wired magazine.

Clearly, this increasingly comprehensive toolkit shows how seriously jihadists handle their operational security and other online activities. But it could also be a useful example for ordinary enterprise IT workers who travel abroad or who wish to maintain a higher level of security themselves.

There is much that can be learned from the jihadist infosec toolkit and how they make use of the Internet for recruitment.

As the authors conclude, “While jihadists incessantly adapt their behaviors to evade surveillance, we must adapt our surveillance tactics to keep up. The more we understand about how jihadists leverage digital technologies to engage in nefarious activities, the better equipped we will be to defend ourselves and mitigate risk as effectively as possible.”

SecurityIntelligence: No Business Is Too Small for SMB Cybersecurity

Smaller businesses, like the HVAC contractor whose stolen credentials opened the door to the Target breach in 2013, often think they are too small to be security targets, but SMB cybersecurity can have big implications. Size doesn’t matter as long as your firm has something of value that someone thinks is worth stealing, or a connection that someone thinks is worth exploiting.

However, the more vertical the SMB market, the more likely it is to sustain attacks. I explain why in this post for IBM’s blog.

What, me worry (about my emails)?

I never thought I would see the day where executives and major public figures would be proud of their techno-luddite status. Scratch that. Not proud, but grateful. In a story in today’s New York Times, several senators and other public figures are quoted about how they have given up their personal email accounts, or have begun scrubbing their sent folders, thanks to the recent series of leaks from the mailboxes of the DNC and Colin Powell.

Senator Lindsey Graham said, “I haven’t worried about an email being hacked since I’ve never sent one. I’m, like, ahead of my time.” Senator Chuck Schumer is noted for still using a flip phone. And of course there are the email-related stories that doggedly follow one of our presidential candidates around. All of a sudden, it is cool to be more disconnected. Especially ironic, given that today is also the day millions will flock to the nearest Apple Store and buy a phone that doesn’t have a headphone jack. (Shelly Palmer’s rant on this is pure pleasure.)

The hacked emails seem to be genuine, at least according to press reports and the impact they have had with the shake up of the DNC leadership. But they have also had the effect that others in the public eye are reconsidering the contents of their own message store.

I have even learned a new acronym: LDL, for let’s discuss live. Meaning, “too hot to talk about in email.”

So let’s all just take a deep breath and look calmly at a few simple rules for your own email usage going forward. First off, yes, emails can be compromised. Don’t say anything there that you wouldn’t want anyone else to read. While you may not think you are a target or of any interest, you have no control over where that message might end up. You might want to walk down the hall for a quick face-to-face (FTF) meeting, or even pick up the phone. Think of how we did it in the ’80s.

Second, if you are very worried, start using encryption, and make sure it covers the complete path end-to-end. Note that the TLS connection between your mail client and your provider is not end-to-end: the message sits in cleartext on the provider’s servers, which is exactly where the DNC mailboxes were taken from. There are several instant messaging platforms that are easy to use (Network World did a recent review comparing them, and I have written reviews of encrypted email products for them as well). Yeah, I know, encryption is a pain, but the current crop of products is actually pretty easy to deploy and use. Having said that, hardly anyone sends me encrypted emails, ever.

Third, take a moment to review your password collection for your communications products, including your IMs, email accounts, voice mails and VoIP products. If you use the same password for more than one of these tools, take a day and install LastPass or some other password manager and start treating these passwords more seriously. Do it this weekend.

Finally, don’t hide behind your personal accounts such as Facebook or a non-corporate email address. Those are just as much at risk, as one network anchor realized who hurriedly deleted his Gmail account that was cited in the Times story. Everything is discoverable and vulnerable these days.

The death of the SMS OTP

The National Institute of Standards and Technology (NIST) recently issued draft digital authentication guidance (Special Publication 800-63B) that deprecates SMS messaging as an out-of-band second authentication factor, since the messages can be intercepted or redirected. While sending a one-time password (OTP) over SMS is still better than having no additional authentication factor, the NIST guidance suggests that organizations wanting to raise the bar on their security consider more secure authentication methods, such as authenticator apps or hardware tokens.

You can read the rest of my white paper for Vasco (reg. req.) here.

Security Intelligence: Use a Malware Simulator to Better Defend Against Ransomware

If you are looking for ways to run a malware simulator to test ransomware and other forms of malware in your environment, but don’t want to deal with the actual materials to infect your systems, look no further than the Shinosec ShinoLocker suite. This is a malware simulator and target attacking suite for penetration testers and other researchers. I talk more about this innovative product in my post today for SecurityIntelligence blog.

WindowsITpro: Going beyond the password

We have a love/hate affair when it comes to using passwords. The average person has to remember dozens of them for various logins, and many of us try to cope by reusing our favorites. That just opens up all sorts of security issues: if a popular service (take your pick: Yahoo, LinkedIn, Dropbox, and many more sites all have been breached over the years) is compromised and millions of user names and passwords revealed, there is trouble ahead.

In this piece for WindowsITpro, I talk about the past, present and future of the lowly password.

How one small trade association manages their security

I spoke to the IT Manager of a 65-person trade association in the DC area. I have known this manager, whom I will call John, for decades through various IT positions, mostly in non-profits and trade associations.

(He has asked that I not use his name or the name of his association.)

Things have changed since he first began working at the association eight years ago. “When I was just a few months into my current position, we had about 15 laptops stolen from their docking stations by (what we believe was) the night-time cleaning crew. People came in to work and their laptops were gone. My logistical response was executed pretty well – I had folks up and running very quickly. But we never treated the incident as a serious information breach. These days we think about things differently.”

One of the biggest impacts that John has had was to hire a network management VAR to help set up and monitor their firewalls. He uses a combination of tools such as NetWrix for auditing their Active Directory logs (“I can unlock a user before they even realize it,” he said), and Sophos for anti-virus, full-disk encryption and its web appliance.

He uses another VAR and an additional monitoring tool that is industry-specific. “They have a monitoring appliance in our environment that sends a ton of alerts that tend to be very non-actionable – like someone used a cleartext password on a website. Well, there’s only so much I can do about that. The value is that they aggregate our data with our members’ data to look for unusual trends across the country so they can alert us to industry-wide attacks.” This VAR also performs annual vulnerability scans that he says are very disruptive to their storage array. But it is useful. “For example, did you know that APC products (UPSs and PDUs) have three factory default login IDs and passwords? We knew about the first. Didn’t know about the second and third. So, I’m changing those asap.”

When it comes to dealing with insider threats, he says “a big win for us has been KnowBe4. It is a very affordable training program that allows me to spam and phish my own staff. Plus they offer videos and a learning management system that we hope to implement next year with HR’s approval. They also send me a ‘scam of the week’ which I repackage and send to staff. It’s both entertaining and educational.” Another classic phishing situation was when one of his VPs sent out member email addresses to a Yahoo address he thought was the CEO’s. “It happened on a weekend and the VP was on his phone and couldn’t really see the whole message on the screen. It was quickly discovered that the CEO did not have a Yahoo address. That was our first real cyber security incident. Calls were made. The board was notified. It was only names and email addresses, but those two items are considered personally identifiable information. This happened about a week before I implemented KnowBe4. If I had gotten approval for it earlier and set it up earlier, this might have been avoided.”

John also deploys a BYOD policy for some of the staff, and is still evaluating mobile device management strategies. They just migrated their email to Office 365 and haven’t yet implemented any two-factor authentication.

John’s total staff is a help desk technician and his VARs, one of whom is on site two days a month.

“Security is a bigger part of my job today because of the increased emphasis and because our association represents a high profile industry where security is also a high profile issue. Our CEO wants us to walk the walk if we’re telling our members to do the same.”


Learning from the US Secret Service how to protect your enterprise

With all the changes to infosec technology, here is a not-so-outrageous idea: maybe you should take a page from the US Secret Service playbook in how you run your IT security department. Actually, this idea didn’t come from me, but from someone who is familiar with both roles. Nathaniel Gleicher is trained as a computer scientist and a lawyer, and is currently the Head of Cybersecurity Strategy at Illumio, a security vendor. Previously, he prosecuted cybercrime at the US DOJ and served as Director for Cybersecurity Policy at the White House National Security Council. While he worked at the White House, he saw multiple data breaches. “Every breach relies on lateral movement, and instead of attackers being at risk once they get inside, they’re able to take all the time that they need to identify high value information and cause damage.”

He thinks organizations need to take a different, simplified approach and go back to the basics: get visibility inside the data center and cloud and then be able to truly lock the doors inside.

In a blog post for his firm, he writes: “Like the Secret Service, cybersecurity defenders face a similar problem: they are defending high-value assets that must be protected, but also have to speak to hundreds or thousands of other servers. You have to have visibility, and reduce your attack surface, and focus on the security consequences for your most valuable assets. Shutting down the attack surface constrains attackers, makes lateral movement harder, forces attackers to risk exposure, and makes other security tools more effective.”

Sadly, most organizations focus their cybersecurity spend today at the perimeter, making no effort to secure or even understand the interior of their data centers. After reading Gleicher’s post, I asked him if there is a difference between interior and exterior networks any longer. He told me in a phone interview, “Everything is a potential threat. One difference is that you can have greater control around an interior network. And your network visibility is much more limited with exterior ones. But that’s missing the point. An intruder can find something once they are inside your network and can look around. Organizations are trying to layer defenses at the fortress wall, while the cyber attackers are parachuting inside and then free to move around as they want inside the data center and cloud.”

He continued, “I still have conversations with CISOs that don’t know how their devices are connected to their networks. And I don’t mean just a list of these devices, but how they are related to each other, both logically and operationally. This is the kind of information that attackers can exploit.”

His work with the Secret Service has him focused on understanding some of the lessons from providing physical security to protect the President. “People don’t see the Secret Service advance work that was done months before any presidential visit. They had to map the location and understand the physical space. The same is true for cybersecurity, because we need to identify the attacker quickly and respond fast too. This means that any cybersecurity effort should start months before any potential attacker actually shows up.” In other words, it isn’t just about stopping someone from getting across the White House fence, but understanding what will happen once they enter the grounds and what they might end up doing.

He agrees that good security isn’t easy. He started early in his career with his first IT job for the Peace Corps. There he created a campus-wide network to connect 85 machines located in the different buildings of a college on a Caribbean island. Less than five minutes after it was first connected to the Internet it was breached. It took him several tries to close various ports and other vulnerabilities before he could defend the network properly. “This was an early lesson on how hard it was to do security properly: there are way more people trying to get in than keeping them out. It also showed me that the steps to strengthen data security aren’t rocket science and are very straightforward. It is a lot more about how to orchestrate them and use them efficiently across the enterprise.”

Instead of focusing on the lack of response, he says we should be doing a better job of evaluating the highest-value targets, which is another lesson he learned from watching the Secret Service in action. He said, “You shouldn’t be in the business of protecting the app that handles your employee’s lunch request.” And not everything in the data center should be treated equally, too. “There are some things in your data center that are more valuable and you have to focus on what needs the most protection. If a burglar gets into your house and gets into your basement that is different from him getting into your bedroom where you keep your jewelry.”
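The “advance work” Gleicher describes, mapping which systems actually talk to which before an intruder does, is easy to start with data most shops already have. As an added example (not Illumio’s code, and with constructed flow records, host roles and an allow-list that are assumptions for illustration), the script below collapses firewall or flow-collector records into a role-to-role connection map, then diffs the observed traffic against the declared policy. Everything the policy does not describe is either a rule you need to write or a path you should close, and the crown-jewel tier (here, the database) is where to look first.

```python
"""Added example: build a connection map from flow records and report the
flows a least-privilege policy does not allow. Sample data is constructed;
roles and policy are assumptions for this example, not product output."""
from collections import defaultdict

# Assumed inventory: which tier each host belongs to (a CMDB would supply this).
HOST_ROLES = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.2.21": "app",
    "10.0.3.30": "db",
    "10.0.9.90": "jump",
    "10.0.5.50": "wiki",   # low-value internal app: not worth much protection itself,
}                          # but it should never be able to reach the database tier

# Assumed allow-list: (source role, destination role, destination port).
POLICY = {
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("jump", "web", 22),
    ("jump", "app", 22),
    ("jump", "db", 22),
}

# Constructed flow records: timestamp, src, dst, dst port, protocol.
SAMPLE_FLOWS = """\
2016-09-07T08:01:12Z 10.0.1.10 10.0.2.20 8443 tcp
2016-09-07T08:01:13Z 10.0.1.11 10.0.2.21 8443 tcp
2016-09-07T08:01:15Z 10.0.2.20 10.0.3.30 5432 tcp
2016-09-07T08:02:40Z 10.0.9.90 10.0.2.21 22 tcp
2016-09-07T08:03:02Z 10.0.1.10 10.0.3.30 5432 tcp
2016-09-07T08:03:05Z 10.0.5.50 10.0.3.30 5432 tcp
2016-09-07T08:03:09Z 10.0.1.11 10.0.2.20 22 tcp
"""


def parse_flows(text):
    """Return a list of (ts, src, dst, port, proto) tuples; blank lines skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((ts, src, dst, int(port), proto))
    return flows


def connection_map(flows, roles):
    """Collapse host-level flows into role-to-role edges with the ports seen.
    This is the 'how are these devices related' picture Gleicher says CISOs lack."""
    edges = defaultdict(set)
    for _, src, dst, port, _ in flows:
        edges[(roles.get(src, "unknown"), roles.get(dst, "unknown"))].add(port)
    return dict(edges)


def unexpected_flows(flows, roles, policy):
    """Flows whose (src role, dst role, port) is not in the allow-list: each one
    is either a missing rule or a lateral-movement path to shut down."""
    bad = []
    for flow in flows:
        _, src, dst, port, _ = flow
        if (roles.get(src, "unknown"), roles.get(dst, "unknown"), port) not in policy:
            bad.append(flow)
    return bad


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for edge, ports in sorted(connection_map(flows, HOST_ROLES).items()):
        print(f"{edge[0]:>5} -> {edge[1]:<5} ports {sorted(ports)}")
    print("\nNot covered by policy (block or justify):")
    for ts, src, dst, port, proto in unexpected_flows(flows, HOST_ROLES, POLICY):
        print(f"  {ts} {src} -> {dst}:{port}/{proto}")
```

Run against the constructed data, the map shows web hosts reaching the database directly and the wiki talking to it as well, both bypassing the app tier, plus an SSH session from a web host that did not come from the jump box. None of those would trip a perimeter firewall; they are precisely the interior paths that make the burglar’s trip from the basement to the bedroom a short one.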


iBoss blog: How Cyber-geddon Could Happen to Financial Networks

An article in the June Economist paints a dark picture of the aftermath of a fictional financial services hack. They start with some history and extrapolate based on current potential compromises to various networks. What is interesting about this piece is how cold and calculating they can be: “Processes designed to make banking safer have created new vulnerabilities: large amounts of money flow through certain key bits of infrastructure.”

What this means for the finserv industry, and a more detailed description of their scenario, can be found in my blog post for iBoss here.