Privacy and Online Ads

Without ads monetizing the content of public computer networks, a service that is now low cost would be much more expensive. I’m willing to accept that. But there is something sinister in the online ad business.

Today, “monetize” usually means to change something that is popular in the digital world into a money-maker for someone. Online ads monetize most of what we think of as the internet. Google makes most of their money from online ads as does Facebook. Amazon makes their money from selling things, but their online ads are a crucial part of their business plan.

The ad business has changed

Remember “banner ads”? A seller like Rolex will be glad to pay a premium for a banner ad on a site like the New Yorker that has wide circulation and a good reputation among people with money to spend on luxury watches.

But the banner ad is an endangered species from the age of paper advertising. They are based on high-end, intelligent marketing that made many careers in the 20th Century. But no longer.

21st Century digital advertisers have facts. Traditional marketers knew that New Yorker readers were affluent and well-educated, but they were short on specifics on who was buying and why. Digital marketers today can tell you who sees an ad, how often viewers click on an ad, and, for digital sales, how often they spend money. And they know the age, location, income bracket, and browsing habits of most potential customers. They can target ads to the most likely customers and know exactly how the ads perform.

How do online ads work?

Traditionally, a big city daily newspaper could charge more for their ads than a community weekly because a seller could expect more people to see an ad in the big city daily and act on the ad. Sellers measure the effectiveness of ads by “return on investment” (ROI). If a seller invests $50 in an ad in a community fish wrapper and sees a $100 increase in sales, they get a 200% return. ($100 return/$50 investment = 200%. Sometimes a low-cost ad has better ROI, usually not.

Some businesses occasionally use advertising to improve their image or convey information, but the everyday advertising goal is ROI, using ads to make more sales. The lure of digital advertising is that digital advertising can be fine-tuned to increase ROI by reducing costs and increasing returns.

Digital advertisers can count how many times the ad was seen (impressions) and was followed (clicks). If the transaction is digital, they can count the number of times the ad resulted in a sale. Traditional paper advertising only knows how many copies of the ad were circulated, not how often the ad was seen and only generalities about readers.

The network collects information on buyers that can be used to target advertising toward people likely to buy. For example, people who don’t have cars are unlikely to buy car polish. Therefore, car polish sellers can improve their advertising ROI by directing their ads to car owners and ignoring people without cars.

Who are the players in the online ad biz?

  • Customers. That’s you.
  • The ad publishers. Google, Facebook, Amazon, etc. Ad publishers put the ads in front of potential customers.
  • Ad networks and exchanges. The folks in the background who match likely buyers to sellers and maximize the vigorish. When you open a web page with slots for ad, the slots are often auctioned off highest bidder in milliseconds. The bidders use information about you, to decide how much to bid. You may be familiar with some of these players like “DoubleClick” whose addresses flash by as you enter a site.
  • Ad agencies. Those waggish artists who think up cunning ads for the advertisers. These companies usually have bland names like “WPP Group.”
  • Data brokers. The vacuum cleaners that suck up data and sort it into a commodity they can sell to advertisers, ad agencies, networks, and exchanges. These are companies like Blue Kai or Live Ramp, whom you may not have heard of.

Except for customers, the players are often combined. There are one-stop shops that combine all the functions and boutiques that specialize in a narrow aspect of the process.

The network never forgets

The data collected on buying habits has grown rapidly in the last few years. If you do something on the network, someone, somewhere, has taken a note. The more we use computer networks, the more data is amassed on us. “Big data” arose to process the mountains of accumulated data.

Today, electronic payment is common, and many customers get discounts by identifying themselves when they purchase. Consequently, grocery store managers may know more about your food buying habits than you do. They can use that information to offer the items you want, but they also use it to find and persuade you to buy more profitable items. They can appeal to habits you may not even know you have. Online sales are even more effective at collecting data on customers.

Although you may not enjoy being manipulated in this way, most people still choose to use payment methods that identify themselves and trade their phone number at the point-of-sale for reduced prices. A lot of people feel that the convenience of electronic payment and a reduced price are reasonable tradeoff for subjecting themselves to manipulation by their sellers.

Why do online ads make me feel uneasy?

Using network habits to target ads is occasionally annoying. My grandfather died of colon cancer after a colostomy fifty years ago. Recently I wondered how those ugly colostomy bags had changed. I searched online. What a mistake! I still occasionally get an ad for disposable bags in cheery prints.

Creepy, yes, but not threatening. I, thank Heavens, am not remotely likely to purchase a colostomy bag according to my gastroenterologist. The sellers have made a mistake, but it only costs them a few cents and they certainly get a worthwhile ROI on their ads, winning the numbers game. And I get annoying ads. Nothing to lose sleep over.

Misuse of personal profiles

But let’s change the story some. Suppose you looked up alcoholism treatment out of curiosity. And the user of your profile was not an alcoholism treatment center selling their services, but an investigative agency running a check for a potential employer to whom you sent an application. Maybe the job was important to you and you were well-qualified, but your application was tossed on the first round because you were flagged as an alcoholic.

Do you see how the situation changed? A seller looking at ROI doesn’t grudge a fried fig for a few ads sent to the wrong place. A loss of a few cents to misdirected ads is nothing compared to all those colostomy bag sales. But you lost a job that you may have wanted, even needed, badly. And the potential employer lost a brilliant prospect. This happens when a personal profile is used in a scenario where much harm can result from inferences that are perfectly valid in other circumstances.

The danger is that the profiles will applied wrongly when they are harmless and useful in most circumstances. That is sinister.

Ransomware Protection Strategies for Small Business

I was chatting with a lawyer yesterday about cybersecurity and he mentioned that he has heard that law offices in our county have been hit with ransomware in the last few months. Law offices are a ripe target for ransomware because the confidentiality and integrity of their records are vital. Lose their records, lose their business. The same applies to many other small businesses.

What is ransomware? Ransomware is malicious software used by a criminal to deny the rightful owner of a computer system access to vital system resources and demand payment to restore the resources. Usually, ransomware encrypts data and demands Bitcoin or other untraceable cybercurrency payment for decrypting the data.

What should these offices and other small business do to protect themselves from ransomware? I suggest a two-pronged approach: prevention and damage control.

Prevention

Take steps to avoid a ransomware assault in the first place. The practices below are basic cyber hygiene for everyone that will lessen the chances of all forms of cybercrime.

  • Use a good anti-virus scanning utility. Keep it up-to-date and scan regularly.

    Wondering which utility? Windows Defender, the default Windows 10 anti-virus is a good choice. It’s already installed, doesn’t get in the way, and does a competent job. Are 3rd party tools better? The anti-virus business is highly competitive. Which utility is best changes rapidly. I use Windows Defender myself because it is convenient, and Microsoft has invested in keeping Defender among the best, which is good enough for me. Whatever you do, use an anti-virus utility and keep it up to date.

  • Use only supported operating systems and applications and subscribe to automatic updates. New vulnerabilities show up every day. Accept the manufacturer’s help in patching up the holes as the appear.

    If you don’t trust your vendor’s updates, get rid of their software. If you don’t, you put your business at risk. The only exception to this rule is when you have special software that is frequently broken by security patches. At that point, you are strapped and dependent on the maintainer of your special software. Avoid this situation if you can.

  • Be cautious of links in web pages, emails, and messages. If a link looks dodgy, skip it. Be doubly cautious about attachments to emails and messages. If you are not sure where something came from, don’t open it. If there is a question, call the sender and confirm that it is legit. Links and attachments are the most common entry points for ransomware.

Damage control

If you are diligent in following these three practices, a criminal will have a hard time entering your computer system and might pass it by for easier prey, but you have no guarantee. Let your guard down an instant and you are vulnerable. A smart criminal who is intent on assaulting your system is likely to eventually succeed no matter what you do. However, if you plan ahead, the game is not over when you get a ransom note. Your backups are critical in recovering from a ransomware assault and a lot of other computer system mishaps.

  • Backup your system regularly. I favor reputable cloud backup services because they tend to be automated and trouble free. The most likely time for ransomware to hit is the day someone forgot to run backups, or the janitor switched off the external backup drive by mistake.
  • Test your backup system regularly. All backup systems are complex mechanisms that sometimes fail. Your only assurance that they are working is a recent successful test. I always assume that a backup system that has not been tested recently does not work. I have seen disasters in the aftermath of backup systems that were assumed to be working but were not.
  • Protect your backups. Smart ransomware attempts to mash your backups. Put up barriers to protect them. Check the documentation on your system or talk to your IT technician on how to do it effectively.
  • Have a plan. A rock-solid backup system is the foundation for recovery but consider what you will do the instant a ransom note pops up. I suggest immediately ceasing all activity, detaching from all external networks, and running a virus scan. Then contact an experienced technician for help. Do not shut the system down or restart if you can avoid it. Some recovery methods depend on recovering data from memory that disappears on shutdown or reboot.

Call law enforcement

Local law enforcement may not be able to help because the criminal is likely to be in a different state or country. Keep them informed anyway. Unreported crimes encourage law breakers. Some states have cyber crime task forces with real muscles that work with the FBI and the Department of Homeland Security to shut these operations down. If local law enforcement can’t help, report the crime to the FBI’s Internet Crime Complaint Center. (IC3) If cyber crimes are not reported, funds will not be allocated to fight cyber crime and laws will not be written or changed to reflect the injuries done by these criminals.

Consider cyber insurance

Cybercrime is not that different from conventional theft and damage. I understand that cyber business insurance is becoming more common. I am not familiar with the costs involved or the efficacy of the policies, but your business insurance agent is likely to be able to help. Nonetheless, remember that avoiding or controlling damage is less disruptive to business than insurance compensation and insurance seldom makes up the whole cost of an assault.

A final note

Ransomware and other forms of cyber crime are real threats. In 2016, over 1.3 billion dollars in losses were reported to the FBI. Those who take steps to protect their business will suffer less and may completely avoid becoming victims.

 

KRACK!

The foundation of secure home wireless networks cracked this week. (I apologize for the pun. Well, No, I don’t!) KRACK is a Key Reinstallation AttaCK on WPA and WPA2 (Wireless Protected Access and Wireless Protected Access II). If you read my book, Personal Cybersecurity, you know that WPA2 is the best choice for protecting your home wireless system from intrusion. It still is, but without some timely updates, WPA2 is vulnerable to hacking.

Don’t panic

No intrusions have been reported yet, although there almost certainly will be some in coming weeks and months. The vulnerability is in the WPA and WPA2 standard. Consequently, everything that follows the standard is vulnerable. The problem is not with particular implementations. Anything that uses WPA or WPA2 correctly is vulnerable. The security of a component that uses WPA or WPA2 incorrectly is anyone’s guess, but there is a good chance it was insecure even before KRACK was discovered.

What must be patched

The Windows operating system (all versions), Linux, and Apple all are affected.  Internet of Things (IoT) gear such as wireless security cameras, smartphone controlled wireless door locks, thermostats, and light switches are also vulnerable. Practically anything wireless must be patched. Fortunately, the necessary patches have already been written for many components that need them.

Your wireless router must be patched. I read a comment in a Comcast forum that the common Xfinity Technicolor TC8305C combined cable modem and wireless router does not need patching, but I haven’t found any acceptable confirmation of that, and therefore I assume it is wishful thinking. I would appreciate a comment here from anyone who knows more.

Microsoft’s automatically delivered October security update fixed the issue for supported versions of Windows, so you are most likely already safe there. Linux distributions have patches written and it is possible your Linux installation is already safe too. I’m not as well tapped in to the Apple world, so I am not sure what the status is there, but I’m sure lights are burning late in Cupertino if they haven’t spiked it already.

The good news is that the patches are backwards compatible— that means patched components can work side by side with unpatched components without interrupting service.

The bad news

The bad news, and very bad news it is, is that a hacker can use the vulnerability to get into your wireless network from any unpatched component. The IoT is scary: Windows is easily patched automatically and is likely to be safe already, but many IoT devices have no automated patch mechanism and the device manufacturer has no means to even inform you that you are vulnerable. White label gear is especially dangerous because you have few ways to contact the manufacturer. In other words, you are on your own in the IoT.

Some reports say that Android phones are the most vulnerable. For them, you are dependent on your cellular carrier for patches to your phone. Some are more prompt than others. If you are worried, to protect yourself, turn off wireless support on your phone and only use the cellular network for network connections. When your carrier gets around to patching your device, turn wireless back on to save on data charges, if that is an issue.

Switch to wire where you can

If you have a means to switch IoT gear to a wired ethernet connection, that will render the device no longer vulnerable. Same applies to any computer or printer that you are unsure of that uses a wireless connection; turn off wireless and jack the device into your wired network if you can. If you can’t connect by wire, turn the device’s wireless service off or turn the device off entirely. You may have to turn wireless back on to download patches when they are available.

Other reasons for optimism

If you live in a low density population area, you may be less vulnerable. In order to exploit the vulnerability, a hacker must have access to your wireless signals in the air. Ordinarily, that is only within 300 feet from your wireless access point (usually your wireless router). Special antennas can extend that limit, but if strangers can’t get closer than 300 feet, you are pretty safe. The exception to that is if a hacker happens to have taken control of a computer within the 300 foot sphere that can connect to your wireless network. Still, many people in low density areas are fairly safe from intrusion.

Final advice

If you know you are in area where wireless hackers are active, turn off all unpatched wireless devices or use a wired connection. Take inventory of your IoT devices and make sure they are all secure. One way to do this is to log on to your wireless router and review the list of attached devices. Some may be turned off and only appear on the inactive list. If there is any chance that the device might connect in the future, put it on your list of devices to be secured. I estimate that you have some weeks to react, but that margin will disappear quickly. You can expect that criminals are working weekends to write cheap exploit kits for sale to script kiddies on the dark web. The kids will then drive around with laptops looking for vulnerable wireless. It has a name: “war driving.” Stay in front of them. If you have to trash some unsafe unpatchable IoT gear, do it now, swallow the loss, and take a lesson.

Even if your network is vulnerable, you are much safer using secure HTTPS connections. If you haven’t installed HTTPS Everywhere from the Electronic Frontier Foundation on your browsers, now would be a good time. Get it here.

For further technical information on KRACK, check out Brian Krebs and this post from the discoverers of the vulnerability.

Late update

A friend pointed me to this article in Ars Technica. The gist is that most Android phones are not yet patched against KRACK as of December 1, 2017, but the Android layers of security are strong enough to render the threat negligible. I will not rest easy until my Android phone is patched, but my fears are likely excessive.

Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet. More with special equipment, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s half way to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.