A US Senate subcommittee has warned internet advertising companies that they need to better protect internet users from malvertising, or face the consequences.
In a report released yesterday, the Senate Permanent Subcommittee on Investigations, led by Senator John McCain, said that hackers were increasingly infecting computers via malware hidden inside online advertising. Self-regulation, it said, has so far failed to address the problem, and the report suggests that new legislation may be needed to force the issue.
The Subcommittee’s investigation found that, whilst consumers were becoming increasingly aware of the information they shared on the internet, they were far less informed about the volume of information created about them as they traversed it:
“A consumer may be aware, for example, that a search engine provider may use the search terms the consumer enters in order to select an advertisement targeted to his interests. Consumers are less aware, however, of the true scale of the data being collected about their online activity. A visit to an online news site may trigger interactions with hundreds of other parties that may be collecting information on the consumer as he travels the web.”
The Subcommittee highlighted the point by citing the experience of one user whose single visit to a news site led to her unknowingly interacting with 352 other web servers.
Such a scenario, the report says, makes it extremely difficult to identify the source of an advertising malware attack, since the malicious creative typically arrives at the end of a chain of ad tags, exchanges and content servers that the site operator never directly chose, and equally difficult to apportion blame to any given party after the fact.
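To make the attribution problem concrete, the following is an added example (not part of the Senate report or the article) that reconstructs the delivery chain behind one request from a constructed, simplified request log of the kind a browser's developer tools or a HAR capture would give you. The hostnames, the page, and the initiator relationships are invented; the "registrable domain" helper is a deliberate approximation (last two DNS labels) rather than a proper Public Suffix List lookup, which real tooling should use.

```python
"""Count third-party servers touched by one page view and trace the chain of
initiators that led to a given request. Added illustration; sample data is
constructed, not taken from the Senate report."""
from urllib.parse import urlsplit

# Constructed sample log: (requested URL, URL of the document or script that
# triggered the request, or None for the top-level navigation).
REQUESTS = [
    ("https://news.example/story.html", None),
    ("https://tags.adnet-a.example/tag.js", "https://news.example/story.html"),
    ("https://bid.exchange-b.example/auction", "https://tags.adnet-a.example/tag.js"),
    ("https://cdn.creative-c.example/banner.html", "https://bid.exchange-b.example/auction"),
    ("https://static.creative-c.example/payload.js", "https://cdn.creative-c.example/banner.html"),
    ("https://metrics.tracker-d.example/px.gif", "https://news.example/story.html"),
    ("https://tags.adnet-a.example/cookie-sync", "https://bid.exchange-b.example/auction"),
]


def site(url):
    """Approximate registrable domain: last two labels of the hostname.
    Assumption for the example only; production code needs the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def third_party_sites(requests, first_party_url):
    """All sites contacted other than the first party's own site."""
    first = site(first_party_url)
    return {site(url) for url, _ in requests if site(url) != first}


def delivery_chain(requests, target_url):
    """Walk initiators back from target_url to the top-level page and return
    the ordered list of sites (page first), collapsing consecutive repeats.
    Stops on a missing initiator or a loop so a broken log cannot hang us."""
    initiator_of = {url: init for url, init in requests}
    seen, hops, url = set(), [], target_url
    while url is not None and url not in seen:
        seen.add(url)
        hops.append(site(url))
        url = initiator_of.get(url)
    hops.reverse()
    chain = [hops[0]]
    for s in hops[1:]:
        if s != chain[-1]:
            chain.append(s)
    return chain


def upstream_parties(requests, target_url):
    """Every site that had a hand in delivering target_url, excluding the
    first party and the final host: the parties you would have to ask."""
    chain = delivery_chain(requests, target_url)
    return chain[1:-1]


if __name__ == "__main__":
    page = REQUESTS[0][0]
    print(len(third_party_sites(REQUESTS, page)), "third-party sites")
    print(" -> ".join(delivery_chain(REQUESTS, "https://static.creative-c.example/payload.js")))
```

Even in this seven-request toy, the script that finally runs on the user's machine is three parties removed from the publisher, and each of those parties only chose the next hop; multiply that by the hundreds of servers the report describes and the difficulty of naming a responsible party becomes obvious.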
The report goes on to note that individual websites displaying adverts have limited control over which advertisers will appear on their pages, but that the advertising networks themselves most certainly do. It therefore recommends that Google, Yahoo and other leading technology companies take action now or risk legislation that would force the sharing of threat intelligence. It also suggests that the FTC consider comprehensive regulations to protect consumers against such malware, invasive cookies and other intrusive forms of data collection.
In response, Alex Stamos, chief information security officer at Yahoo, said that blocking bad ads was a top priority for the company, adding that:
“We successfully block the vast majority of malicious or deceptive advertisements with which bad actors attack our network, and we always strive to defeat those who would compromise our customers’ security.”
Speaking for Google, George Salem, senior product manager, said that disclosure surrounding “badware” wasn’t always the best course of action, adding that:
“Our goal is to stay one step ahead of mal-vertisers and not tip them off to our activities.”
Whilst the aims of the Subcommittee are noble, the problem may not be as easy to solve as it would like to think. David Harley, senior research fellow at ESET, had this to say:
“I don’t have a problem with companies providing internet, search, and social media services being to some extent accountable for the misuse of those services, but this isn’t a problem that’s going to be legislated away.
In fact, the bigger names in those areas generally do expend considerable resources on countering a range of threats. No doubt out of concern for their customers, but in some cases perhaps also in the hope of averting restrictive regulatory oversight.
It doesn’t surprise me if they worry that, if they’re required to take absolute responsibility for malvertising, they’ll be hit with legal penalties and litigation every time they’re seen to have failed to prevent some breach. And they will fail: malvertising is a complex technical issue. Information sharing does help – it’s been a staple of the anti-malware industry for decades – but it won’t put a stop to malvertising any more than it’s put an end to malware in general.