Those Annoying Cookies

There has been a lot of uproar recently about how ISPs are now able to monetize our browsing history. It’s certainly scary thinking that a company can record what you do on-line and then sell this information to others who can use it for reasons unknown.

But we are already being tracked today (and have been for some time) to some extent by cookies put onto our computers when we visit websites. Cookies are not automatically bad, but many cookies were designed for the express purpose of spying on us and to track and record our web behavior.

Cookies differ from viruses, worms, trojan horses and other kinds of malware, which are active pieces of code that can make almost any imaginable change to a computer. Lately the worst of the new viruses is ransomware, which encrypts your hard drive and won’t unlock it until you pay a ransom fee to have the virus removed (and often your system still won’t unlock even then).

Cookies instead are strings of text stored on your computer. In the most benign cases a cookie can be a time log that records when you visited a given web site so that the web site owner will recognize you when you return. And many benign cookies are friendly and convenient and are used to store your log-on passwords so that you don’t have to log in every time you visit a web site. But since cookies are text files they can record a lot more information and in the most extreme cases can be used as a place to record your browsing history – the same thing we are worried about the ISPs monetizing.

Cookies are routinely used by retail shopping sites. They not only record who you are but they know what you viewed and what you purchased at a site. These adware cookies allow a web site owner to direct you to a tailored page when you visit their site based upon your past history on the site. They may send a previous shopper to a page showing the things you are interested in, or for a non-shopper may offer discounts to lure you to buy.

Shopping sites and other similar web services like cookies because they are the only easy tool they have to identify you. If you browse a website without somehow logging in to identify yourself, the web site has no idea that you have been to their site before. All that any web site can see from a non-identified user is the identity of the ISP you use to get to that site. But by putting a cookie on your computer, even if a web owner doesn’t know your name, they know your past behavior at their site and the cookie provides a ‘memory’ about you.

Of course, some cookies are more aggressive. Once sitting on your hard drive they can gather data that identifies more about who you are, so that when you return to a web site the owner might know your identity and can tailor items and prices to you.

Years ago it was fairly easy to deal with cookies. They often were named for the web service that created them, such as your bank or the log-in page to your ISP. We learned not to delete these cookies in order to avoid having to log in every time we visited a web site or service. But today there are huge volumes of cookies.

I rarely do anything personal on my work computer. I rarely shop from it, play games, watch video or do anything personal. I mostly use my work computer to do research and to read industry articles. I also run an ad blocker to minimize ads that can see my computer. Even with this limited use I get hundreds of cookies every week. Most people don’t realize that when you visit a web page with ads, many of those ads dump a cookie on your computer – and you don’t need to click on the ad for this to happen. Many web sites have been created just for this purpose, such as web sites that make you click through multiple pages of a ‘slide show’ to see the ten cutest puppies or the ten best towns in America. Those sites are ad heavy and pound your computer with cookies and sometimes even malicious malware.
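To make the distinction between a site’s own cookies and the ones its ads drop concrete, here is an added example (not code from the original post) that parses the Set-Cookie headers returned during one page load and flags the persistent third-party cookies, the ones a cookie purge or third-party-cookie block targets. The page URL, host names and headers are constructed, and the registrable-domain check is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Sort the cookies set during one page load into first- vs third-party
and session vs persistent. Added example, not code from the original post;
the page URL, hosts and Set-Cookie headers below are constructed."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed snapshot of one page view: the article page, its CDN, and two
# ad servers whose resources the page embeds. Each tuple is the responding
# host and one Set-Cookie header it returned.
PAGE_URL = "https://news.example.com/ten-cutest-puppies/slide-3"
RESPONSES = [
    ("news.example.com", "session=7f3a; Path=/; HttpOnly; Secure"),
    ("news.example.com", "lastvisit=2015-02-06; Max-Age=31536000; Path=/"),
    ("cdn.example.com", "cache_ok=1; Domain=.example.com; Path=/"),
    ("ads.tracker-example.net", "uid=a81c22; Domain=.tracker-example.net; "
                                "Expires=Thu, 06 Feb 2025 00:00:00 GMT; Path=/"),
    ("px.other-ads-example.org", "vis=1; Max-Age=0; Path=/"),
    ("px.other-ads-example.org", "seg=auto,travel; Max-Age=7776000; Path=/"),
]
# Fixed clock so the Expires comparison is deterministic.
NOW = datetime(2015, 2, 6, 12, 0, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # flags such as HttpOnly have no value and map to ''
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def site_of(host):
    """Registrable domain, approximated as the last two labels (assumption:
    no multi-label public suffixes such as co.uk appear in the data)."""
    labels = host.lower().lstrip(".").split(".")
    return ".".join(labels[-2:])


def lifetime(attrs, now):
    """None for a session cookie, else the remaining lifetime (zero or less
    means the header deletes the cookie). Max-Age wins over Expires (RFC 6265)."""
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None
    return None


def classify(page_url, responses, now=NOW):
    """Label each cookie with its party (relative to the opened page) and kind."""
    page_site = site_of(urlsplit(page_url).hostname)
    out = []
    for host, header in responses:
        name, _, attrs = parse_set_cookie(header)
        # A Domain attribute widens the cookie's scope beyond the responding host.
        cookie_host = attrs.get("domain") or host
        party = "first" if site_of(cookie_host) == page_site else "third"
        ttl = lifetime(attrs, now)
        if ttl is None:
            kind = "session"
        elif ttl <= timedelta(0):
            kind = "deleted"
        else:
            kind = "persistent"
        out.append({"host": host, "name": name, "party": party, "kind": kind})
    return out


def tracking_candidates(page_url, responses, now=NOW):
    """Persistent cookies scoped to a site other than the page's own: the
    ones a third-party-cookie block or a routine cookie purge removes."""
    return [c for c in classify(page_url, responses, now)
            if c["party"] == "third" and c["kind"] == "persistent"]


if __name__ == "__main__":
    for c in classify(PAGE_URL, RESPONSES):
        print(f"{c['host']:26} {c['name']:10} {c['party']}-party {c['kind']}")
    print([c["name"] for c in tracking_candidates(PAGE_URL, RESPONSES)])
```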

The worst thing about cookies to me is that I don’t know who is placing cookies on my computer or what they want to use them for. Since some cookies can be malicious I worry that they are recording my web browsing history or passwords or other information I want to keep private. The worst of the bad cookies are persistent and bury themselves in places that are hard to find. These kinds of cookies cross the line to look more like viruses, but it’s still considered to be a cookie if it just records things, and it becomes a virus when it actively changes something on the computer.

I sometimes wonder if we worry about the wrong things in the cyberworld. ISPs certainly have the opportunity to know a lot of things about me, but they also are likely to be at least a little cautious about blatantly abusing their customers. It seems more likely that most big ISPs will use our data for their own market purposes and may not sell our data to competitors or the wide world.

But the people who put cookies on our computers don’t have any such restraints. They get on our computers anonymously and we have no idea what they are doing with any given cookie. It’s now well-known that there have been detailed profiles created about each of us and I have to think that a lot of the data used to populate these profiles comes from cookies. Most people I talk to do not use ad blockers or routinely purge cookies the same way I do – and I don’t even know if what I do really makes a difference. If there are even just a handful of the more malicious cookies hidden on my computer somebody might already be tracking a lot of the things I do.

The Latest on Malware

Cisco has identified a new kind of malware that takes steps to evade being cleansed from systems. The example they provide is the Rombertik malware, one of a new form of malware that actively fights against being detected and removed from devices.

Rombertik acts much like a normal virus in its ability to infect machines. For example, once embedded in one machine in a network it will send phishing emails to others to infect other machines and uses other typical malware behavior. But what is special about Rombertik and other new malware is how hard they fight to stay in the system. For example, the virus contains a false-data generator to overwhelm analysis tools, contains tools that can detect and evade a sandbox (a common way to trap and disarm malware), and has a self-destruct mechanism that can kill the infected machine by wiping out the master boot record.

The problem with this new family of malware is that it evades the normal methods of detection. Typical malware detection tools look for telltale signs that a given website, file, or app contains malware. But this new malware is specifically designed to either hide the normal telltale signs, or else to morph into something else when detected. So as this new malware is detected, by the time you try to eradicate it in its original location it has moved somewhere else.

This new discovery is typical of the ongoing cat and mouse game between hackers and malware security companies. The hackers always get a leg up when they come out with something new and they generally can go undetected until somebody finally figures out what they are up to.

This whole process is described well in two reports issued by web security companies. Menlo Security reports that there were 317 million pieces of malware produced in 2014 in their State of the Web 2015: Vulnerability Report. In this report they question if the security industry is really ready to handle new kinds of attacks.

The report says that enterprises spent more than $70 billion on cybersecurity tools in 2014 but still lost nearly $400 billion as a result of cybercrime. They report that the two biggest sources of malware in large businesses come either through web browsing or from email – two things that are nearly impossible to eliminate from corporate life.

Menlo scanned the Alexa top one million web sites (those getting the most traffic) and found the following:

  • 34% of web sites were classified as risky due to running software that is known to be vulnerable to hacking.
  • 6% of websites were found to be serving malware or spam, or to be part of a botnet.

The other recent report on web vulnerabilities came from Symantec, which can be downloaded here. Symantec said that hackers no longer need to break down the doors of corporate networks when the keys to hack them are readily available. That mirrors the comments by Menlo Security and is referring to the fact that companies operate software with known vulnerabilities and then take a long time to react when security breaches are announced.

The report says that in 2014 firms took an average of 50 days to implement security patches. Hackers are launching new kinds of malware and then leaping on the vulnerability before patches are in place. The biggest example of this in 2014 was the Heartbleed malware, where hackers were widely using it within 4 hours of it hitting the web while companies took a very long time to come up with a defense. Symantec says there were 24 separate zero-day attacks in 2014 – meaning an introduction of a new kind of malware that was either undetectable or for which there was no immediate defense.

Symantec reports much the same thing as Menlo Security in that the big vulnerability of malware is what it can do once it is inside of a network. The first piece of malware can hit a network in many different ways, but once there uses a number of sophisticated tools to spread throughout the network.

There is certainly nothing foolproof you can do to keep malware out of your corporate systems. But most of the ways that networks get infected are not through hackers, but through employees. Employees still routinely open spam emails and attachments and respond to phishing emails – so making sure your employees know more about malware and its huge negative impact might be your best defense.

Non-Human Traffic Dominates the Web

Incapsula did their third annual survey of web traffic to determine how much is human generated versus machine generated. From August through September, 2014, they surveyed over 15 billion visits to over 20,000 web sites scattered around the world.

What they found will probably surprise the average person (but not any web administrator). For the third year in a row there was more traffic generated on the web by bots than was generated by people. There are both good and bad bots and they looked at each transaction to determine the nature of the bot. In 2014, 44% of all web traffic was generated by humans, 29% from bad bots and 27% by good bots.

So what are bots exactly? There are many examples of good bots. Probably the best known is the Google web crawler that reads through web sites to build the Google search engine. All search engines have similar bots, but Incapsula says that the Google bot is unique in that it seems to crawl through everything – big web sites, small web sites and even dead web sites, and this certainly accounts for why you can find things on Google search that don’t turn up anywhere else.

Another example of a good bot can be seen when you go to a shopping site. If you’ve ever shopped for electronics you will find a bunch of these sites. They list all of the places on the web that are selling a given component and let you compare prices. These sites are built by bots that crawl through the electronics sellers to constantly grab any updates. These sites do this to earn sales commissions when people choose to buy something through their site.

Another big category of good bots is RSS feeds. This stands for Really Simple Syndication. I used this technology for years. It was a way to know if somebody wrote a new blog or if a news site published an article on a topic of interest to you. The RSS bot would notify you when it found something you were looking for. There was a 10% drop from 2013 to 2014 in good bot traffic due to the phase-out of RSS feeds. Google Reader was the biggest source of such feeds and it was discontinued last year.

What is scary is the ever-growing volume of bad bots. These are just what you would imagine, and are crawling around the web trying to do damage.

The fastest growing class of bad bots are impersonator bots, which are malware that tries to look like something else to make it onto a web site or computer. These include DDoS (denial of service) bots that are disguised to look like browser requests, bots that are disguised as proxy server requests, and bots that mimic search engine crawls. These are really nasty pieces of malware on the net that are used for things like data theft, site hijacking, and denial of service attacks. These bots go after all types of web sites hoping to then infect site visitors.
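A web administrator’s first question about a bot that claims to be a search engine crawl is whether it really is one. As an added example (not code from the post or from Incapsula), the script below sorts constructed access-log lines into human, good-bot and bad-bot traffic, and checks a Googlebot claim with forward-confirmed reverse DNS: the address’s PTR name must be under googlebot.com or google.com and must resolve back to the same address. The log lines, IP addresses (reserved documentation ranges), feed-reader marker and DNS table are all constructed, and anything not recognised as a bot is counted as a person.

```python
"""Sort web-server log lines into human, good-bot and bad-bot traffic,
checking crawler claims with forward-confirmed reverse DNS. Added example,
not from the post or from Incapsula; the log lines, addresses and DNS
table are constructed (203.0.113.0/24 and 198.51.100.0/24 are reserved
documentation ranges)."""
import re
from collections import Counter

GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed combined-format access log: one browser, one feed reader, one
# genuine crawler address and one address only claiming to be Googlebot.
LOG = f"""\
203.0.113.10 - - [06/Feb/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/40.0 Safari/537.36"
203.0.113.11 - - [06/Feb/2015:10:00:02 +0000] "GET /feed/ HTTP/1.1" 200 900 "-" "FeedFetcher-example/1.0 (+https://reader.example.net/fetcher)"
198.51.100.5 - - [06/Feb/2015:10:00:03 +0000] "GET /page-2 HTTP/1.1" 200 4100 "-" "{GOOGLEBOT}"
203.0.113.77 - - [06/Feb/2015:10:00:04 +0000] "GET /page-2 HTTP/1.1" 200 4100 "-" "{GOOGLEBOT}"
203.0.113.77 - - [06/Feb/2015:10:00:04 +0000] "GET /page-3 HTTP/1.1" 200 3900 "-" "{GOOGLEBOT}"
"""

# Constructed stand-in for DNS: reverse (PTR) records and forward (A) records.
REVERSE_DNS = {
    "198.51.100.5": "crawl-198-51-100-5.googlebot.com",
    "203.0.113.77": "vps77.hosting-example.net",
}
FORWARD_DNS = {
    "crawl-198-51-100-5.googlebot.com": {"198.51.100.5"},
    "vps77.hosting-example.net": {"203.0.113.77"},
}
# Crawler host domains Google documents for verifying its bot.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
# Constructed user-agent markers treated as good (feed reader) bots.
FEED_READER_MARKERS = ("FeedFetcher-example",)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_verified_googlebot(ip, reverse=REVERSE_DNS, forward=FORWARD_DNS):
    """Forward-confirmed reverse DNS: the PTR name must lie in Google's
    crawler domains AND resolve back to the same address. A spoofed
    user-agent fails at one step or the other."""
    name = reverse.get(ip)
    if not name or not name.lower().endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward.get(name, set())


def classify(entry, reverse=REVERSE_DNS, forward=FORWARD_DNS):
    """'good bot' for verified crawlers and feed readers, 'bad bot' for a
    crawler claim that fails verification, otherwise 'human'."""
    ua = entry["ua"]
    if "Googlebot" in ua:
        verified = is_verified_googlebot(entry["ip"], reverse, forward)
        return "good bot" if verified else "bad bot"
    if any(marker in ua for marker in FEED_READER_MARKERS):
        return "good bot"
    return "human"


def traffic_shares(log_text, reverse=REVERSE_DNS, forward=FORWARD_DNS):
    """Count requests per category, the split Incapsula's survey reports."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            counts[classify(entry, reverse, forward)] += 1
    return counts


if __name__ == "__main__":
    for line in LOG.splitlines():
        e = parse_line(line)
        print(f"{e['ip']:14} {classify(e):8} {e['request']}")
    print(dict(traffic_shares(LOG)))
```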

Probably the biggest volume of bad bot traffic comes from scrapers. These are bots that are designed to grab certain kinds of information. The good bot listed above that compares electronics prices is a kind of web scraper. But the malicious web scrapers look to steal things of value such as passwords, email addresses, phone numbers, credit card numbers, or other kinds of data that can then help hackers better attack somebody.

Of course we all know about the next category of spamware which is used for all sorts of malicious purposes like content theft, phishing, and identity theft.

The final category of bad bots is hacking tools; these are generally aimed at servers rather than computers. Hacking tools are used to crack into servers to steal corporate data, to steal credit card information, or to crash the server.

Incapsula found that bad bots attack web sites of all kinds and that there are proportionately more bad bots trying to crack small web sites than large ones. This is probably due to the fact that the vast majority of web sites have less than 1,000 visitors per day and are often much less protected than larger corporate sites.

What does this all mean for an ISP? The ISP uses tools to try to intercept or deflect as much of the bad bot traffic as possible. ISPs try to keep malware off customers’ computers since one of the biggest threats to their network is attacks from within. Accumulated malware on customers’ computers can play havoc within the network and inside firewalls.

There are companies like Incapsula that sell tools for ISPs to monitor and block bad bot traffic. But the volume of bot attacks is so large these days that it’s often a losing game. For example, Incapsula says that during a denial of service attack, when large volumes of bots attack the same site simultaneously, as many as 30% of the malware attached to the attacking bots gets through any normal malware protection schemes.

To some degree the bad guys are winning, and if they get far enough ahead it could be a threat to the web. The worst of the bad bots are written by a handful of very talented hackers and the industry is currently stepping up pursuit of these hackers as a strategy to cut off bot attacks at their sources.

A Few Shorts for Friday

I’ve accumulated a few topics that don’t merit a full blog, but which I thought were worth a mention:

NSA a Source of Malware. News came out last week as part of the Edward Snowden documents that the NSA creates malware and also hijacks existing malware for their own uses. I find it a bit scary that the government is creating malware. I have to assume they are creating really good malware, and once released onto the web it can end up anywhere. I am not going to feel any better if I find out that the malware on my computer came from Uncle Sam and not some malicious hacker.

The NSA is also using malware networks to launch their own attacks. The Snowden documents show that they are using operation DEFIANTWARRIOR to place their own malware next to existing malware on computers so that the NSA can launch attacks on sites without it being traced back to them. Attacks look like they came from whoever put out the original malware. This means the next time they attack North Korea they might be doing it from your PC.

US Helps Jamaican Broadband. On January 21 the U.S. Government signed an agreement with Jamaica to help them provide internet access everywhere. The plan is to use white space spectrum which is not in use in the country. This will result in an island-wide wireless Internet network. The U.S. will provide both technical support and some funding.

I have no problem with us doing this. I spent the last ten years living in the Caribbean and the region is largely poor and is falling behind the rest of the world in basic infrastructure and Internet connectivity. It’s going to take initiatives like this all over the world to get everybody connected to the Internet.

My problem is that we aren’t doing the same thing in our own country. The FCC is overseeing a program called CAF II that is going to upgrade a lot of rural U.S. areas to maybe 10 Mbps. By the FCC’s own definition passed last week, this isn’t even considered as broadband. Meanwhile we will help to bring whitespace radio broadband to a third world country that will probably deliver between 20 Mbps and 30 Mbps. The CAF II program is badly flawed in that it gives a priority to the giant telcos to make inadequate upgrades instead of offering that money first to providers who would use it to bring real broadband to rural areas.

FCC Penalties for Advanced Tel. Last week the FCC levied a fine of over $1.5 million on Advanced Tel of Simi Valley, California. The fine was for failure to make required payments to the Universal Service Fund, the Telecommunications Relay Service, the Local Number Portability administration and other federal regulatory fees. The FCC gave the carrier an opportunity to resolve what it owed, and ultimately levied the fines when no agreement could be reached.

This is a reminder to all of my clients that we are all still regulated. I talk to clients all of the time who look for ways around these regulations and fees, and this is a stark reminder that you should pay your taxes. Most of the fees that Advanced Tel didn’t pay are normally added to customer bills by most companies, and so their customers should have supplied the funds necessary to make the payments. These taxes seem like a hassle, but they are not a competitive disadvantage since every one of your competitors collects them too.

New Wireless 911 Rules. The FCC adopted new rules last week that require more accuracy from the wireless providers in pinpointing the location of a wireless caller to 911. The current data gathering for this process is done by triangulation from neighboring cell sites along with looking at GPS. But these methods work very poorly or not at all for calls originating indoors, particularly calls made from large multi-tenant buildings and other large buildings. The FCC has given a deadline to the wireless carriers to propose and implement solutions that will provide greater accuracy and an indoor solution.

Verizon Halts FiOS Again. Verizon announced that it is done expanding FiOS, something it just picked back up again a year ago. FiOS has been very successful and the company keeps adding customers where it has fiber. But Verizon has mostly built FiOS in suburbs and a few rich neighborhoods in cities. They have largely ignored the major cities and rural areas, including sizeable towns in rural areas. It will be interesting to see if Google or anybody else tries to step into those large market niches.

It’s also been rumored that Verizon is going to auction off up to $14 B of its assets including more landline customers as a way to raise the money to pay for the spectrum it purchased in the recent auction. At the rate they are ditching copper they will eventually be reduced to only owning the FiOS networks.

The Explosion of Malware

It seems the on-line world is getting more dangerous for end-users and ISPs. Numerous industry sources report a huge increase in malware over the last two years. AV-Test, which tests the effectiveness of anti-virus software, says that their software detected 143 million cases of malware, up 73% from the year before. In 2012 they saw only 34 million. Over the last two years they found more malware than in the previous ten years combined. Another security software vendor, Kaspersky, said that it saw a fourfold increase in mobile malware last year.

What’s behind this exponential increase in malware? Experts cite several reasons:

  • This is partially due to the way that antivirus software works. It generally is designed to look for specific pieces of software that have been identified as being malicious. But hackers have figured this out and they now make minor changes to the form of the software without changing its function to get it to slip past the antivirus software.
  • Some hackers are now encrypting their malware to make it harder for antivirus software to detect.
  • Hackers are now routinely launching waterholing attacks where they create a denial of service attack against a website for the purpose of infecting it with malware, which they then hope spreads from there.
  • It’s getting easier for hackers to obtain the code of malware. It’s published all over the web or is widely for sale giving new hackers the ability to be up and running without having to develop new code.
  • There is a new kind of tracking cookie called a zombie cookie because it comes back after being deleted. The best known case of this is tracking being done by Turn which is putting this software on Verizon Wireless cell phones.
  • Malware is being delivered in new ways. For instance, it used to be mandatory for malware to somehow be downloaded, such as downloading an attachment from spam. But in the last few years there are new delivery methods like attaching malware to remnant ad space on web sites that download automatically when somebody opens a popular web page. Cisco just warned that they see social media being the newest big source of malware in 2015.
  • Malware isn’t just for computers any longer. Cisco warns that the biggest new target for malware this year is going to be cell phones and mobile devices. And they believe Apple is going to be a big target. Cisco and others have been warning for several years that the connected devices that are part of the early Internet of Things are also almost all vulnerable to hacking.
  • Due to dramatic cases where millions of credit card numbers and passwords have been stolen, hackers now have reasons to target specific people to do things like empty their bank accounts, and don’t always attack the public at large.
  • Cyber-warfare has hordes of government hackers from numerous countries unleashing malware at each other and the rest of us are often collateral damage.

The scary thing about all of this is that the malware purveyors seem to be getting ahead of the malware police and there seems to be a lot of malware that isn’t being caught by antivirus programs. This has always been a cat and mouse game, but right now we are at one of those dangerous places where the bad guys are ahead.

Larger businesses have responded to the increase in malware by having malware attack plans. These are step-by-step plans of what to do during and after an attack on their systems. These plans include a lot of common sense ideas like backing up data often, making sure all software is licensed and up to date, and even little things like making sure that there are hard copies of contact information for employees and customers should systems go offline.

But there really is no way to plan for this on a home computer and if you get infected with bad enough software you are going to probably be paying somebody to clean your machine. It’s hard to know what to do other than maintaining a virus checker and backing up data.

The Dark Side of Web Advertising

Yesterday I talked about the general way that Internet ads function. But today I want to look at one of the darker aspects of web advertising by looking at how ads spread malware.

Cisco’s Annual Security Report for 2013 provided some pretty amazing statistics about Internet advertising:

  • They said that the highest concentration of online security threats is not found on pornography, pharmaceutical or gambling sites, but rather that the most danger today comes from major search engines, retail web pages and social media outlets.
  • They said that online shopping sites are 21 times more likely, and search engines are 27 times more likely, to deliver a malicious piece of software than a counterfeit software site.
  • But no threat compares to online advertising, and Internet ads are 182 times more likely to give you a virus as searching the web for porn. (Of course, they didn’t say how the intrepid Cisco researchers made the comparison to porn).

Probably the major culprit of malware in advertising comes from a practice called real-time bidding. When you go to load a web page that has real-time bidding, an ad company like AppNexus (or many others) asks for bids for placing ads on your page. The solicitation gives a quick profile of who you are in terms of age, demographics, geography, etc. The highest bidder then gets the ad space, and this all happens in a flash. The problem with this kind of system is that nobody has time to monitor the ads that are placed and so malicious advertisers gain access to you by bidding the highest. And they don’t have to bid much. It takes only a very tiny fraction of a penny to get an ad placed at one specific user.

The malicious ads don’t look malicious and are usually disguised to look like an ad for some normal company. But the purpose of the malicious ad is to put a piece of code on your computer. The bad news these days is that you don’t have to click on the ad to get the bad software – the act of opening the web page is often enough to activate it.

I run a malware checker regularly and I am amazed at how many pieces of malicious software I get regularly. It is not unusual for my computer to have picked up a hundred pieces of malware within three days after having scrubbed it. I don’t shop much on-line, but I read a lot of articles and I assume that is the source of most of my malware.

According to my malware software, most of the bad things that I pick up are adware, which they define as a piece of code that is gathering and transmitting data about me to the world. These days adware is generally something a little more complex than a cookie. Cookies are somewhat passive files that sit on your machine to tell somebody later that you have already been to a certain web site or something similar. Think of adware as cookies+ in that they gather specific data and either store it for later retrieval or, in the worst cases, send it out to the world.

I’d say 99% of what I get is adware with only the occasional more malicious malware, which could be a virus or some other nasty piece of code. But think about what I am getting. I am inadvertently downloading 100 pieces of adware within just a few days, each of which is looking for specific facts about me and reporting back to whoever placed the malware. I am sure that mostly they are tracking the web sites I’ve visited in order to build up a more detailed profile about me. But these little pieces of malware can pick up almost anything else from bank account numbers to passwords.

I think we all understand that half of what is on the web these days is designed to build a profile for each of us. But I don’t think most people realize how intrusive this effort has become. They are not building a profile by slowly studying your web usage. They are spying on you directly to know everything you do. It’s a bit scary when the most dangerous place on the web is a search engine or a major news site that has ads.

Yesterday I talked about ad blocking and perhaps this is what is going to save us from this rash of malicious malware and adware. Certainly if somebody will block all ads to my computer then I can’t be receiving ads with malware. But I would be just as happy if somebody could deliver ads to my machine that are certifiably safe. It doesn’t take a lot of effort for an ad company to test an ad first to make sure it doesn’t leave bad code behind. But that can’t be done in a process where an ad space is advertised and subscribed in milliseconds. This gives the bad guys a really cheap way to get their ads to anybody they want.

So I think Google is onto something with their product that can block all ads. But as I described yesterday, Google is not the last company in the chain between a web site and a user, so I am guessing that even with Google ad blocking that some ads and malware are still introduced after Google has wiped out the first ads. Your ISP is the last entity to touch the data stream coming to your house and thus has the final chance to get rid of malware. I think ISPs might be missing the opportunity to offer better security to their customers by either blocking ads or by making sure that ads are safe.