In Ad Network Nightmare, Microsoft Making ‘Do Not Track’ Default for IE 10

Microsoft announced Thursday that the next version of its browser, IE 10, will ship with the controversial “Do Not Track” feature turned on by default, a first among major browsers, creating a potential threat to online advertising giants.

That includes one of Microsoft’s chief rivals — Google.

The change could also threaten the still-nascent privacy standard, and prompt an ad industry revolt against it.

Do Not Track doesn’t attempt to block cookies — instead it sends a message to every website you visit saying you prefer not to be tracked. That flag is currently optional for sites and web advertising firms to obey, but it’s gaining momentum with Twitter embracing it last week.

The proposal also has the backing of the FTC, which has grown deeply skeptical of the online ad industry’s willingness to play fairly with users and has threatened to call for online privacy legislation. After initially opposing the idea, the online ad industry is now seeking to soothe the feds by hammering out rules that aren’t too tough on data collection. The hope then is that not many users avail themselves of the tool, and then not much has to change in how ad companies build profiles of users in order to sell premium-priced targeted ads.

But Microsoft’s announcement throws a wrench in those plans, since it’s likely that eventually something like 25 percent or more of the net’s users will upgrade to IE 10 over time and have DNT on by default. Microsoft said it’s making the change to better protect user privacy, and given the IE team’s recent history of including privacy technologies in the browser, that’s easy to believe.

We believe that consumers should have more control over how information about their online behavior is tracked, shared and used. Online advertising is an important part of the economy supporting publishers and content owners and helping businesses of all shapes and sizes to go to market. There is also value for consumers in personalized experiences and receiving advertising that is relevant to them.

Of course, we hope that many consumers will see this value and make a conscious choice to share information in order to receive more personalized ad content. For us, that is the key distinction.

But its chief online rival, Google has a thriving ad display business that uses the kind of tracking cookies that Do Not Track would block, though Google denies that’s why it opposed DNT early on. Microsoft’s third-party ad network is tiny in comparison — making the choice not too hard for the company to make.

But the change could backfire by undermining the loose coalition working to create a standard, in the web’s usual, messy, multi-stakeholder way.

Consider this scenario: If indeed the net’s major advertisers obeyed Do Not Track and IE 10 keeps the default,  more than a quarter of the net’s users would be opted out of behavioral ad tracking by default.

That’d be a far cry from a purely opt-in system that might be used by a single-digit percentage of opt-in users — those who likely don’t click on ads in the first place. So that could make the online advertising industry back out of the process and decide not to implement DNT — or to write its own rules for how it interprets DNT.

The move comes in the midst of a large and messy standards setting wrangling at the W3C over what “tracking” and “Do Not Track” actually mean. So for instance, how does it affect popular analytics programs and third-party plug-ins? Would a news site be able to track what users do on its own site? Does the flag mean “don’t collect information” or “don’t use the information to show targeted ads”? What happens if I’m logged into a site and have DNT turned on? And when users choose to turn it on or off in their browsers, what guidance if any should be given by the browser?

Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology, applauded the move as pro-privacy, though he’s concerned about the timing.

“I hope this doesn’t throw a wrench into works on getting agreement on Do Not Track,” Brookman said. “But I like it when browsers compete on privacy.”

Brookman points out that years ago Apple set the default on the Safari browser to block third-party cookies, a far stronger protection against behavioral ad tracking cookies than Do Not Track, and that there’s a huge number of advertisements that aren’t based on tracking — they instead are based off the content of the page or the site the ads are displayed on.

But that’s not going to be an argument welcomed by the online advertising business.

Wired contacted the Interactive Advertising Bureau, which is on the W3C working group for comment, but the group did not send out its official response by press time.

Given federal and European regulators stance on online tracking and the online ad industry’s lackluster job of policing itself, something is going to change online. Even a widely used Do Not Track might still be a less burdensome change for online advertisers than a edict or badly-thought-out cookie mandate from governments.

“This is going to be painful either way,” Brookman said.

Photo: Jonney/Flickr

Flamer: A Recipe for Bluetoothache

W32.Flamer is possibly the only Windows based threat we have encountered which uses Bluetooth. It is yet another indicator that W32.Flamer is not only exceptional, but that it is a comprehensive information gathering and espionage tool. The CrySyS laboratory has previously documented the technical details of Bluetooth in W32.Flamer. But, what does this actually mean for potential victims targeted by Flamer? What can an attacker accomplish using Bluetooth?

The Bluetooth functionality in Flamer is encoded in a module called "BeetleJuice". This module is triggered according to configuration values set by the attacker. When triggered it performs two primary actions:

  1. The first is to scan for all Bluetooth devices in range. When a device is found, its status is queried and the details of the device recorded—including its ID—presumably to be uploaded to the attacker at some point.
  2. The second action is to configure itself as a Bluetooth beacon. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. And there is more. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed:

These are the facts of how Flamer uses Bluetooth. And what can the attacker do with this functionality? There are several potential avenues available:

Scenario #1 – Identification of victim social networks

By continuously monitoring the Bluetooth devices within range of a W32.Flamer compromised computer, the attacker can build a profile of various devices encountered throughout the day. This will be particularly effective if the compromised computer is a laptop because the victim is more likely to carry it around. Over time, as the victim meets associates and friends, the attackers will catalog the various devices encountered, most likely mobile phones. This way the attackers can build a map of interactions with various people—and identify the victim's social and professional circles.

Scenario #2 – Identification of victim physical locations

When compromising a victim's computer, the attacker has determined that this particular victim and their location is a high-priority target. While the building that the victim resides in can be known, the actual office is not identified. The attacker, however, could identify the location of compromised devices using Bluetooth.

Bluetooth operates over radio waves. By measuring the strength of a radio wave signal, an attacker can measure if he is she is getting closer or further away to a particular device. With the Bluetooth beacon turned on, and with the details of a particular compromised device available in the description field, it is straightforward for the attacker to identify the physical location of a W32.Flamer compromised computer or device.

An alternative to this is that rather than identifying the actual compromised computer, the attacker identifies a mobile phone which belongs to the victim. The Beetlejuice module already has retrieved a list of all the devices IDs which are near to the infected computer and so the attacker knows what devices belong to the victim. It is likely that one of the devices is a mobile phone which the victim carries most times. Now the attacker has the ability to passively monitor for the victim, without installing or modifying the victim's devices. Bluetooth monitoring devices could be placed in airports, train stations, or any transport hub, and listen for the ID values of any known victim device. Some attacks have even identified Bluetooth devices more than one mile away. The more sinister aspect of this passive sniffing is that it allows the attacker to pinpoint a victim and, therefore, more easily track them in the future.

Scenario #3 – Enhanced information gathering

As described in our previous blog, a substantial part of Flamer’s functionality is implemented in Lua scripts, or 'apps' which are downloaded from the FLAME 'app repository’. It would be trivial for an attacker to upload a new malicious Bluetooth Lua app into the FLAME store for download onto a compromised device. With increase functionality an attacker, having identified various Bluetooth devices in range, could perform numerous attacks:

  • Steal contacts from an address book, steals SMS messages, steals images, and more.
  • Use a device to eavesdrop. Connect a compromised computer to a nearby device and enable handsfree communication. When the device is brought into a meeting room, or used to make a call, the attackers could listen in.
  • Exfiltrate already-stolen data through any nearby device's data connection. This would bypass any firewalls or network controls. An attacker within one mile of the target could use their own Bluetooth-enabled device for this.

It is possible that there is undiscovered code within W32.Flamer which already achieves some of these goals. For example, although we have not found network code near the 'beacon' code, one compromised computer may connect to another computer using Bluetooth. If the second computer is using a secured network and was infected through a USB connection, potentially the only network available would be a Bluetooth connection back to the first compromised computer. The code to achieve this may already exist in Flame.

The various theories described here are all practical attacks, easily to implement by a skilled attacker. The sophistication of W32.Flamer indicates that the attackers are certainly technically skilled and such attacks are well within their capabilities.

Deceitful Charity Lottery

Co-Author: Avdhoot Patil

Lottery scams are not new to the world of phishing, so phishers are always seeking new fake lottery strategies. Phishers gained interest in schemes that involved donating to charity using lottery prizes. They utilized the idea in a phishing site which claimed that a popular bank was organizing a lottery for its customers and that a portion of the prize money would be donated to charity. Phishers believed that customers would be duped by the twin advantages: winning prizes and donating to charity. The phishing site was hosted on servers based in Iowa Park, USA.

A link to login was provided on the phishing site urging customers to enter their credentials. The link lead the customers to a phishing page that prompted the customer for their name, ticket number, and email address:

Figure 1. Phishing site asking for full name, ticket number and email address

After the required information was entered, the phishing site displayed the customer’s lottery ticket details, namely, the ticket number and the winning reference number. The lottery account balance was highlighted as EIGHT HUNDRED THOUSAND POUNDS. A button, labeled transfer, was provided at the bottom of the page to transfer the lottery prize to the customer’s bank account:

Figure 2. Phishing site prompting for lottery ticket details

After the transfer button was clicked, the phishing site asked for details of the customer’s bank account to which the prize money was to be transferred. The details included the customer’s account name, account number, bank name, and country. Finally, customers were asked to choose the charity organization they wished to donate to. If customers fell victim to the phishing site, phishers would have successfully stolen their confidential information for financial gain.

Figure 3. Phishing site asking for bank account details

Figure 4. Phishing site asking the customer to choose a charity organization

Internet users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages.
  • Avoid providing any personal information when answering an email.
  • Never enter personal information in a pop-up page or screen.
  • When entering personal or financial information, ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar.
  • Frequently update your security software (such as Norton Internet Security 2012) which protects you from online phishing.

Bitdefender Internet Security 2012 Review

Introduction I do examine Security Software now and then to see what’s going on, if there are any new developments and what the state of affairs is when it comes to consumer grade Antivirus and Firewall software. Countermeasures are useful, especially when it comes to less tech savvy users (which we may happen to live [...]

Read the full post at