
Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Advertising and risk

Regular and first-time readers will note that there are very few ads served with Sûnnet Beskerming content. The only advertising shown is a small image linking to one of our pre-configured products, tucked away halfway down the right column, or occasional text ads that are inserted into the primary FeedBurner feed for this site. Not everyone who operates a busy site chooses to operate in such a manner, and site owners who have accepted advertising from major online advertising firms are giving away some of their security to earn some money for their site. It isn't often that this risk has been highlighted in a public manner.

In essence, Google's recent advertising acquisition, DoubleClick, was found to be serving malware through its advertisements across a whole range of otherwise trustworthy sites, including The Economist and others. Visitors to these sites would not expect to be at significant risk of compromise, and that expectation is exactly what the Information Security industry puts forward as a major point: only allow scripting and other interactive content support for "trusted" sites.

The risks introduced by including third-party scripts and code on websites are a topic gaining increased awareness amongst Information Security professionals, with a recent BugTraq discussion focussing on problems that can be introduced by third-party JavaScript code. This is particularly pertinent for financial sites, where any external code is a potential vector for attack, but it is a problem for any site that accepts third-party elements or data. The core problem is that an externally hosted script runs with full access to the DOM of the trusted site that includes it, and so can modify any element on that site.

Rather than attempting to break through the main financial site, why not spend the comparatively smaller effort required to break into the services offered by the third-party vendor (and gain access to other interesting sites at the same time)? Before objecting that this is not as viable as breaking into the main target site, consider that there have been several published and unpublished vulnerabilities affecting VeriSign services that are provided in just such a manner, with many of those vulnerabilities remaining viable for months.

If anybody still thought that the online trust model was not completely broken, these examples should change their mind.

29 November 2007
