Online advertising is crucial for many sites, but it exposes them to becoming unwitting attack carriers against visitors’ computers. I have maintained this stance for many years. This is why, when I deploy a firewall that has some way to block ads, I immediately activate it. This does break some sites and some features inside sites, but allowing ads to run from third (or fourth, or deeper) parties is not a good idea from a security standpoint. For sites that get broken, I then have to rely on the edge device’s ability to scan the ads for malware and intrusions.
Sometimes this is enough, but unfortunately, more and more, this scanning of the ads isn’t enough, especially when the technology asking for the ad is highly insecure (Java and Flash) and is prone to what is known as a zero-day attack. (A zero-day attack or threat is a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or undisclosed to the software developer. Zero-day exploits, the actual code that can use a security hole to carry out an attack, are used or shared by attackers before the software developer knows about the vulnerability.)
CryptoLocker and its newer variant CryptoWall have many attack vectors. Most recently, CryptoWall was using online ads to turn trusted sites (Huffington Post, Dailymotion, New York Daily News, howtogeek.com and others) into malware infection sites by placing ads on those sites that attacked a flaw in the Adobe Flash technology that runs on most of the computers in the world. In light of this and other factors, I would rather block ads and work on building workarounds or using different sites than deal with the high risk of a malware infection.
First, let’s grab some notes from a show I watch called Security Now:
I often disagree with Steve in some areas, and these show notes contain one of them. In one section they talk about how online ads were used to install malware that encrypts your hard drive, so that you have to pay to get your data back. There’s another section that talks about how blocking online advertising is killing your favorite sites. Unfortunately, if a website is totally dependent on third parties to run its ads in today’s security landscape, it has made a bad choice. If you want to have your ads trusted by any network I secure, the ad serving MUST be in-house. Even then it will be subjected to all the scanning and intrusion protection I can leverage at that time. If there is a “false positive” on an ad, I default to blocking. Even in-house ad servers can get compromised, but at least in-house ad farms can quickly be fixed by the site in question. Third-party networks usually take much longer not only to detect the compromise or malware-laced ad but also to fix it.