Dark Reading is part of the Informa Tech Division of Informa PLC


Senators Slam Online Advertisers As 'Malvertising' Spikes

Complex ecosystem fails to arrest rise in malicious advertising, information security experts warn Congress.

agencies and also report bad actors to both law enforcement agencies and industry groups.

Similarly, the Senate report recommends that the online advertising industry issue stronger security guidelines for members, as well as share more information on threats. The report also calls for more frequent spot-checks of online advertising content to better catch malvertising outbreaks, and the development of "circuit breakers" to detect malvertising before it reaches consumers.

Otherwise, the committee has promised to spell out those responsibilities in new legislation: "If sophisticated commercial entities do not take steps to further protect consumers, regulatory or legislative change may be needed so that such entities are incentivized to increase security for advertisements run through their systems," the report reads.

Last week, committee member Sen. John McCain (R-AZ) likewise warned in a statement that Congress must "make sure standards and rules exist to ensure consumers do not have to be more tech savvy than cyber criminals to stay safe online." At the hearing, meanwhile, he laid into the industry's approach to regulating itself, noting that this had failed to produce effective guidance or clear standards for online advertising security, and had failed to prevent the emergence -- or prompt the timely disavowal -- of such aggressive advertising techniques as history sniffing.

Intentions aside, Congress has a poor track record of passing any legislation that relates to privacy or data security. Notably, the Do Not Track initiative has stalled -- as the Senate report notes, with advertisers and consumer groups unable to agree on even a definition of what constitutes tracking -- and after years of debate, Congress has failed to pass any cyber security legislation or even a national data breach notification law. Meanwhile, President Obama's 2012 Privacy Bill of Rights lacks the force of law and is thus voluntary. Perhaps unsurprisingly, advertisers haven't rushed to sign up.

Cue the current state of affairs: "The one party who is least capable of monitoring and regulating advertising -- the consumer -- is the party who currently bears the full brunt of the losses when the system fails," the Senate report states.


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

5/19/2014 | 3:14:59 PM
Bad User Experience
This is really a big problem and gives new and even old, less experienced Internet users a bad time. I have a family member who doesn't do much besides some light surfing and Hulu. I recently went over and the computer was filled with adware, malware, spyware, whatever.
