Risk
10/1/2013
10:48 AM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Online Trust Alliance Embraces National Cyber Security Awareness Month

Announces three-part initiative to advance industry self-regulatory efforts

Bellevue, WA (October 1, 2013) – On the 10th anniversary of the National Cyber Security Awareness Month, the Online Trust Alliance (OTA) today announced a three-part initiative to advance industry self-regulatory efforts addressing security and privacy issues that affect consumers and businesses worldwide.

Networks of malicious malware - known as botnets and fraudulent ads are at the center of online privacy and security concerns. The explosive rise in botnets is estimated to have compromised one in 10 home-based computers. Concurrently, international cybercriminals are increasingly using malicious and fraudulent advertising, known as malvertising to compromise users' privacy, bank accounts and to facilitate identify theft. In just the past twelve months, OTA estimates over one-billion malicious ad impressions were served to unsuspecting consumers as they surf the web. Counter-measures introduced by OTA today to combat this problem include:

• Botnet Remediation & Removal Best Practices

• Fraudulent Advertising & Customer Risk Framework

• Customer On-Boarding Best Practices for Hosters and Cloud Service Providers

OTA was recognized by the White House last year and recently re-appointed by the Federal Communications Commission to the Communications Security, Reliability and Interoperability Council, OTA as a leading convener of multi-stakeholder efforts. OTA works across the ecosystem with commerce sites, advertisers, hosters, ISPs, financial instructions, and security vendors to provide prescriptive advice to help neutralize botnets, stem the spread of malicious and fraudulent advertising, and help cloud service providers identify fraudulent businesses.

"It is critical that we implement technical safeguards, but also equip business and internet intermediaries with the tools needed to help stem the tide of cybercrime," said Craig Spiezle, executive director and president OTA. "By implementing these practices, consumers, businesses, and industry will mutually benefit. Businesses who fail to adopt are unnecessarily putting consumers at risk."

"We have a shared responsibility to help prevent, detect, and remediate the spread of botnets. Collaboration among ISPs, the security community, OS providers, banking and commerce sites is a key to fighting these threats. It is critical for users to keep their software applications up-to-date including protection from malicious downloads and dubious apps," said John Scarrow, general manager of online safety service at Microsoft.

"One 'bad actor' can hurt an ESP's or hoster's overall reputation and adversely affect the reputation of other customers using the same infrastructure. Having a solid vetting process in place can obviously help minimize the risk to an organization's reputation," said James Koons, chief privacy officer at Listrak. "Being on the front lines we have learned vetting is a great opportunity to detect fraud while enhancing client relationships. OTA's New Account Risk Framework is an excellent tool for any organization and underscores the value of collaboration and data sharing."

Recognizing that over one billion malicious ad impressions were served this past year, the OTA Advertising Security Working Group has been working with publishers, ad networks, and advertisers. Based on their analysis upwards of 60% of malvertising is attributed to cybercriminals merely masquerading as legitimate advertisers or agencies inserting malicious and fraudulent ads. These prescriptive guidelines will make a significant dent into the threats which are undermining the trust and integrity of online advertising.

"Protecting the integrity of online advertising is critical to the industry and the vitality of the internet. The combination of malvertising, click fraud, and ads from fraudulent companies is undermining consumer trust, which in turn undermines marketing effectiveness. We call on our partners and fellow ad networks to adopt these best practices to help stem the tide of fraudulent and malicious advertising," said Paul Harrison, co-founder and chief technology officer at Simpli.fi. "We applaud OTA's leadership to help protect consumers' data, identity and privacy from abuse."

These documents and additional resources are available at https://otalliance.org/resources. OTA will be hosting webinars providing prescriptive advice to enhance consumer protection and online trust.

Thursday, October 3, 9 AM PDT – Noon EST

On-Boarding Best Practices for Ad Networks, Hosters & Cloud Service Providers

https://cc.readytalk.com/r/qg2gdfyhikcy&eom

Friday, October 4, 9 AM PDT / Noon EST

Anti-Botnet Remediation Best Practices

https://cc.readytalk.com/r/6xwcmo5v6cev&eom

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-0965
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted SOAP response.

CVE-2014-3022
Published: 2014-08-21
IBM WebSphere Application Server (WAS) 7.0.x before 7.0.0.33, 8.0.x before 8.0.0.9, and 8.5.x before 8.5.5.3 allows remote attackers to obtain sensitive information via a crafted URL that triggers an error condition.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.