I appreciate notification of stuff like this, because I try to always respond to the Koch-funded idiocy I get from business colleagues with something fact-based, and this will hit home for those types.
Except, I'll probably have to send it to their secretaries, since most of them won't actually understand the implications.
But they know more than young people, who are Socialists, of course.
While the damage appears to be limited…
How do you know? How would PageFair know if they unwittingly infected five computers or five million? This is not a trivial question - victims of even a hypothetical hack can suffer millions of dollars in harm. Consider the Target hack, or the OPM. Those entities were required to offer identity protection services to the individuals whose information was hacked, and that had to cost tens of millions of dollars, at the very least.
If nobody ever pursues damages, corporations' clever subversions of internet security will continue and escalate until nobody is able to trust any website, ever. I know some old folks who feel that way already - maybe they're not fools.
I was trying to figure out how they got around ad-blocking software, so I could counter-block them. At least one vector they used to circumvent was just paying the Ad-Block Plus folks to end up on their "trusted" list.
! Text ads by PageFair ([Under Review] Text ads by PageFair - Adblock Plus)
@@||pagefair.net^$third-party
@@||tracking.admarketplace.net^$third-party
@@||imp.admarketplace.net^$third-party
One place to start is making sure you have ABP's supposedly "non-intrusive" advertising disabled, if you haven't already switched over to a better product or ABP fork*. Kicking the allowed domains over to a 127.0.0.1 in the hosts file might not be a bad idea either.
*ETA: Other suggestions for adblockers that aren't taking bribes from advertisers would be Adblock Edge or uBlock
anybody who does not fall in line with a money-making scheme becomes the enemy.
Thanks @Woodchuck45
[quote="Woodchuck45, post:4, topic:68900"]
@@||pagefair.net^$third-party
@@||tracking.admarketplace.net^$third-party
@@||imp.admarketplace.net^$third-party[/quote]
How do these work? Or more to the point, how to I disable their, uh, disablement.
I found the ||pagefair.net^$third-party entry in my adblock filters, but it didn't have the @@ preceding it - does the || symbol indicate exceptions (or "allowed" ads)? (I also came across ##.pagefair-acceptable and ||pagefair.com/static/adblock_detection/js/d.min.js$domain=majorleaguegaming.com … which sounds like exactly the kind of thing I want Adblock to, well, block)
I didn't find either of the admarketplace entries, although I did find ###AdMarketplace, and ||admarketplace.net^$third-party
It's disappointing that Adblock is failing in this way. Disappointing, but not surprising. It's like a classic protection racket; build up some solid trust by being useful, then abuse that trust for profit by destroying the usefulness.
It's worth noting that, as best I've been able to gather, the compromise of "Pagefair" affected anyone attempting to view any of the sites embedding Pagefair-provided material, regardless of whether they were attempting any sort of adblocking or not.
Pagefair's payload may have been considered more valuable than a basic sleazy ad network's, since more effort is put into ensuring delivery even in the presence of user defenses; but it isn't triggered by attempted adblocking, just takes more care than usual to make sure that it still makes it through.
According to Arstechnica's piece ~500 sites (helpfully undisclosed by Pagefair's disclosure; because we all know who the real customer is) of various levels of prominence were among those affected. Unfortunately, The Economist appears to be well above average with their lousy non-apology, since that number of sites is distinctly higher than the number of disclosures-to-readers, in any form, that the incident spawned.
I'm pretty sure that Weather.com is one of them, based on the correlation with the timeline and attack type to a frantic-family tech support call; but comprehensive lists appear a trifle hard to come by; despite everyone being oh-so-sorry (most notably; Pagefair's own "exposure checker" is an agonizingly snide, condescending, and uninformative document even by the low standards of adversarial technical documentation; and notably avoids mentioning any "what web sites should I be concerned about?" or "I run a network here; I want to check the logs for a list of URLs and/or IPs within a given timespan; stop shoving goddamn screenshots in my face?" related information. Just a drippingly condescending "did you click on the malware and cause your own problems?" guide.)
If he knew, he wouldn't have written "appears."
Heh heh, didn't affect me because my adblocking is better than their anti-adblocking. There is no such thing as a good or safe ad network.
Now is a great time to drop AdBlock Plus for uBlock Origin (not the same as uBlock - too much drama to dive into or care about there, but Origin gets more and better updates).
@@ means "allow from"
|| is a type of wildcard:
Sometimes one wants to block http://example.com/banner.gif as well as https://example.com/banner.gif and http://www.example.com/banner.gif. This can be achieved by putting two pipe symbols in front of the filter which makes sure the filter matches at the beginning of the domain name: ||example.com/banner.gif will block all these addresses while not blocking http://badexample.com/banner.gif or http://gooddomain.example/analyze?http://example.com/banner.gif
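To make the @@ and || explanation above concrete, here is a small matcher for the filter lines quoted earlier in the thread. This is an added example, not code from Adblock Plus or any of its forks; it implements only the syntax that appears in this thread (|| domain anchors, the ^ separator, @@ exceptions, and the $third-party and $domain= options), skips ! comments and ## element-hiding rules, and approximates "third-party" with a last-two-labels rule instead of the public suffix list. The filter lists and URLs in it are constructed for the demo.

```python
"""Tiny matcher for the Adblock Plus filter syntax discussed in this thread.

Added example, not Adblock Plus code. Assumptions: only '||', '|', '^', '*',
'@@', '$third-party', '~third-party' and '$domain=' are supported, and the
third-party test uses the last two host labels (no public suffix list).
"""
import re
from urllib.parse import urlparse


def _host_in(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _registrable(host):
    """Crude 'site' notion: last two labels (assumption, not a PSL lookup)."""
    return ".".join(host.split(".")[-2:])


def is_third_party(request_host, page_host):
    return _registrable(request_host) != _registrable(page_host)


class Filter:
    """One network filter line, e.g. '@@||pagefair.net^$third-party'."""

    def __init__(self, line):
        self.raw = line
        self.exception = line.startswith("@@")   # '@@' = allow instead of block
        body = line[2:] if self.exception else line
        pattern, _, opts = body.partition("$")
        self.third_party = None                  # None: option not given
        self.domains, self.not_domains = set(), set()
        for opt in (opts.split(",") if opts else []):
            if opt == "third-party":
                self.third_party = True
            elif opt == "~third-party":
                self.third_party = False
            elif opt.startswith("domain="):
                for d in opt[len("domain="):].split("|"):
                    target = self.not_domains if d.startswith("~") else self.domains
                    target.add(d.lstrip("~"))
            else:
                raise ValueError(f"unsupported option {opt!r} in {line!r}")
        self.regex = re.compile(self._to_regex(pattern), re.IGNORECASE)

    @staticmethod
    def _to_regex(p):
        """Translate ABP pattern characters into a Python regex."""
        parts = []
        if p.startswith("||"):
            # '||' anchors at the start of a host label, so example.com and
            # www.example.com match but badexample.com does not.
            parts.append(r"^[a-z]+://(?:[^/?#]*\.)?")
            p = p[2:]
        elif p.startswith("|"):
            parts.append("^")
            p = p[1:]
        tail = ""
        if p.endswith("|"):
            tail, p = "$", p[:-1]
        for ch in p:
            if ch == "*":
                parts.append(".*")
            elif ch == "^":
                # separator: any char that is not a letter, digit, _ - . %, or end of URL
                parts.append(r"(?:[^A-Za-z0-9_\-.%]|$)")
            else:
                parts.append(re.escape(ch))
        return "".join(parts) + tail

    def matches(self, url, page_url):
        if not self.regex.search(url):
            return False
        req_host = urlparse(url).hostname or ""
        page_host = urlparse(page_url).hostname or ""
        if self.third_party is not None and \
                is_third_party(req_host, page_host) != self.third_party:
            return False
        if self.domains and not any(_host_in(page_host, d) for d in self.domains):
            return False
        return not any(_host_in(page_host, d) for d in self.not_domains)


def parse_filter_list(text):
    """Keep network filters only; drop '!' comments and '##' element-hiding rules."""
    return [Filter(l.strip()) for l in text.splitlines()
            if l.strip() and not l.startswith("!") and "##" not in l]


def decide(filters, url, page_url):
    """ABP semantics: a matching '@@' exception overrides any matching block rule."""
    hits = [f for f in filters if f.matches(url, page_url)]
    if any(f.exception for f in hits):
        return "allow"
    return "block" if hits else "pass"


# Constructed sample lists mirroring the lines quoted in the thread.
BLOCK_LIST = """
! Text ads by PageFair
||pagefair.net^$third-party
||admarketplace.net^$third-party
||pagefair.com/static/adblock_detection/js/d.min.js$domain=majorleaguegaming.com
##.pagefair-acceptable
"""
ACCEPTABLE_ADS = """
@@||pagefair.net^$third-party
@@||tracking.admarketplace.net^$third-party
@@||imp.admarketplace.net^$third-party
"""
```

With BLOCK_LIST alone, `decide(parse_filter_list(BLOCK_LIST), "https://asset.pagefair.net/adblock.js", "https://news.example/")` returns "block"; once ACCEPTABLE_ADS is appended the same request returns "allow", which is exactly what the @@ lines in the "acceptable ads" list do. The $domain= rule only fires when the page host is under majorleaguegaming.com, and the $third-party rules stay quiet for a script loaded by pagefair.net's own pages.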
Nobody should trust any site ever. At least, not on the first visit. The smart thing to do is disable all scripting right from the start and only allow the minimal necessary scripting on a case by case basis.
To do otherwise is to invite disaster.
Seconding that. I visit several of the affected sites but as best I can tell no PageFair script ever ran. NoScript FTW. (When they figure out how to serve it from same-origin that'll be different, but not a problem yet.)
Good points! I think that it's also wise to not listen to new people you run into until they build up enough trust with you, as they could be thieves or murderers, and to do otherwise is to invite disaster. Same thing with new restaurants or stores in town - who knows if they're run by ruffians, and I heard from my sister's father's boyfriend's daughter that someone found a rat in their soup at that place!
I mean, the only other thing that could be done was to follow even a basic modicum of computer knowledge to let you know that a website suddenly downloading a program and then you disregarding all warnings to install it would be a bad thing, but that's literally crazy talk.
You know what's funny about default settings for most web scripting languages on most browsers? They never warn you, they don't ask your permission, and they run whatever script is served up by default.
This isn't like refusing to talk to people. It's more like refusing to let random people stick hypodermic needles in your arm. Don't be a smartass, it's far easier to compromise a computer without the user noticing than it is to inject someone with a needle full of bleach.
The whole point here is that, if you just let anyone run code on your machine without actually vetting them, they're more than likely going to take advantage of that, and increasingly they themselves will end up compromised and try to make your computer execute crap that isn't in your interest.
For instance all advertising is not for your benefit. You are the product. Not the customer. And I prefer to decide myself what runs on my computer. Instead of letting other people decide what my computer should run.
Infection methods via computer often rely on security loopholes, not default behaviors. Someone can't just toss "ELITEHAX0R=TRUE" into a website and pwn your machine with impunity.
In the article you can see that this wasn't an elaborate and hidden stuxnet-style virus, this was a popup that said "OMG UR FLASH IS OUT OF DATE!!!" and then downloaded an executable when you clicked yes (25% of the time, because even internet hackers can't get good availability numbers), and then when you ran that executable, it would install a remote access program. A subtle attack, this was not - it's actually surprising they didn't bother waiting for a 0day or something with some real kick to it instead of a super old trick.
That all being said, sure disable scripting, whatever, but you can also just browse safely, take a modicum of precaution and not break a bunch of sites in a manner that probably wouldn't have fixed this problem anyway, assuming you trusted the site to some degree and allowed any advertising.
What reason do I have to trust sites and adnetworks? If I want to see something that specifically needs code to run on my machine, then I may allow it.
But just letting arbitrary code run on my machine isn't wise. "Safe browsing" definitely helps. But you know what? It's just not good enough. And anyway using stuff like NoScript, and ad blockers that haven't been compromised by monied interests is just one part of safe browsing. It's not like I'm being paranoid. People get malware installed on their machines all the time. And in some cases malware can run just on the site gobbling up whatever cookies you have, so they can better follow you around the web. That's not something I think is useful to me. And I doubt they're doing it for my own good. If they want to know about me, they can ask me questions in person, or ask me to volunteer information, instead of just taking it.
I'm sure you'd be just pleased as punch being followed around town every day by a few dozen people videoing you, taking photos and picking up every scrap you've touched, digging through your trash, and putting gps trackers on your clothes and vehicles and personal belongings, right? Because without stuff like script blocking, that's what's happening on the web.
Ublock is so light it can run on your phone
This seems like as good a place to ask this question as any.
Let's say I've got a shiny, new, out-of-the-box laptop. Mac, PC, whatever—we can stipulate it's not some obscure hand-coded version of Linux or my artisan revival of BeOS. I update my browser (Chrome, Firefox, whatever—again, something mainstream) so that my software is at most a few seconds old. Default settings all around. Then I start loading web pages.
Under those circumstances—current software, but no special precautionary measures—how might my computer get compromised, if I don't do anything that makes me actively complicit? That is to say, assume I heed all warnings my computer or browser or ISP might throw up on my screen and back away when I'm told to back away. Given all that, could I navigate to whatever.com and be instantaneously and successfully hit by malware? I realize that's a fuzzy concept, but I'm talking about stuff worse than the now-normal trackers or super-cookies that every web page (including this one) attempts to use.
What this boils down to is this: does the current infrastructure mean that its baseline assumed user is being plagued by bad computer juju every single day? Or does all that rely on the user making at least one sin of commission (clicking a download button, ignoring a browser warning, installing a plug-in that later gets corrupted, etc.).
Good question.
Paging @albill
If you're running Flash, Java, or similar binary plugins, these will be the vehicle through which most malware shows up (mostly Flash). Chrome has its own included build of Flash, which is better, but still Flash. At the very least, you make all binary browser plugins "click to play" before they run. Ideally, you just remove Flash and Java if they're on the system.
Beyond that, I recommend running things like uBlock Origin to block a lot of advertising related stuff, which is the network through which most malware arrives that isnât overly targeted at one individual.
The way most folks get compromised is:
- Old Binary plugins (usually Flash) that are out of date and have known security issues
- Old Browsers (that are out of date with known security issues)
- Old versions of their operating system (that are out of date with known security issues)
- Being idiots, downloading, and then running software they find on the Internet that comes with malware in it. That pirated copy of Office or Photoshop? Well…
- Social engineering to install malware because people arenât security conscious
You can sense a theme in 1-3. Keep your software up to date, don't put off installing current versions. Don't install dodgy software whose origin is unknown to you. Don't run Flash if you can avoid it. If you do run it, run it only when you have to with human interaction.