Advertising and risk
Regular and first-time readers will note that very few ads are served with Sûnnet Beskerming content. The only advertising shown is a small image linking to one of our pre-configured products, tucked away halfway down the right column, or occasional text ads that are inserted into the primary FeedBurner feed for this site. Not everyone who operates a busy site chooses to operate in such a manner, and site owners who have accepted advertising from major online advertising firms are giving away some of their security to earn some money for their site. This risk has not often been highlighted publicly.
In essence, Google's recent advertising acquisition, DoubleClick, was found to be serving malware through its advertisements across a whole range of otherwise trustworthy sites, including The Economist and MLB.com. Visitors to these sites would not expect to be at significant risk of compromise, and the Information Security industry puts forward exactly this as a major point: only allow scripting and other interactive content support for "trusted" sites.
Rather than attempting to break through the main financial site, why not spend the comparatively smaller effort required to break into the services offered by the third-party vendor (and also gain access to other interesting sites)? Before complaining that this is not as viable as breaking into the main target site, consider that there have been several published and unpublished vulnerabilities affecting VeriSign's services that are provided in just such a manner, with many of the vulnerabilities remaining viable for months.
If anybody thought that the online trust model wasn't completely broken, these examples should show them that it is.
29 November 2007