Ad-blocking is good from both a security and privacy standpoint

Every now and I then, I come across a story which reaffirms my long-held belief that ad-blocking is good from both a security and privacy standpoint. That happened again recently when I saw this article in The Register:

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.

Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have it served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

As the article goes on to explain, malvertising has simply exploded in recent years, and is now an extremely serious problem. But unfortunately, big players in the web advertising business aren’t doing enough to combat it:

The industry’s top malvertising experts are unanimous: For all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks seem costly and unwanted speed bumps.

The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.

What can users do to protect themselves from malvertising? The answer is simple: Block ads and block JavaScript from executing by default.

There are ad-blockers available for all major browsers, notably AdBlock Plus, which has extensions for Internet Explorer, Firefox, Safari, and Chrome/Chromium. All the major browsers also contain controls that are capable of turning off JavaScript execution, but since most of us want sites to trust to be able to run scripts (for example, I want to allow JavaScript to execute my own domain and my credit union’s domain), it’s better to install a tool like NoScript, which allows JavaScript to be selectively turned on for trusted sites. (NoScript has 2 million users and maintains an average review of five stars. It’s well-deserved).

Using these and other tools (like HTTPS Everywhere, RequestPolicy, Better Privacy, and Cookie Controller) can greatly improve our security and privacy as users. The tools I’ve mentioned essentially act as browser armor, and can safeguard against all sorts of threats on the Web, not just malvertising. We all stumble into bad neighborhoods on the Internet from time to time, often by accident. Having browser armor in place greatly minimizes the risk of harm to our computers. Prevention, as they say, is the best cure of all.

I’ve heard some people make the argument that ad-blocking is unethical. I disagree. I believe that as users, we all have the right to decide what content we want to come into our homes and workplaces through our personal computers, tablets, and smartphones. That means having the freedom to block JavaScript, cookies, cross-site requests, ads, images, or anything else. We all ought to be able to control our own computing and decide how the Internet connectivity we pay for gets used.

This is especially important in the context of mobile Internet access, because most of us are on plans with fixed data allotments.

I understand the economics of publishing and content creation, and I agree we need to support artists and writers. The best way to do that, though, is to purchase a subscription to a favorite publication, or put money in a site’s tip jar.

Tips for crafting a strong password for your Wi-Fi network

Recently I had an opportunity to evaluate the latest incarnation of Actiontec’s MI424WR (GigE) router, a workhorse designed for use with FiOS service offered by Verizon and Frontier Communications. While navigating through the administration console of the router, I noticed that the security settings page now incorporates a long list of useful tips on crafting a strong Wi-Fi password. (WPA2 is also now the default security protocol, which is great, because WPA and WEP are flawed and easier to compromise). Here are the tips I found, which concur with the guidance I offer to clients:

User Guidance on Password Selection

Your wireless network security depends on having a good password. A good password contains Sixteen (16) or more letters or numbers, with each letter or digit chosen at random. This initial password shipped with your router is an example of a good password. The initial password is printed on the serial number sticker under the router. The Letters in the password are case sensitive and the initial password provided on your router is in Upper Case
If you wish to change your wireless password, try to pick a password similar to your router’s initial password. You must include at least one letter and at least one number in your password. It is recommended that the password should be at least sixteen letters and numbers, with no spaces or special symbols. However, you can shorten the password at your own risk. At a minimum there has to be 8 characters and a maximum of 63 can be used.

Here are some suggestions to help you choose the safe password:

  • The password should be 8 to 63 ASCII characters long, and it is highly recommended to use 16 or more.
  • Characters that are upper case. ASCII is categorized as Alpha and Numeric characters.
  • DO choose each letter or digit at random. Try one-finger typing with your eyes closed.
  • DO use a longer password, and write it down somewhere safe. A short password is easier to remember, but also much easier for attackers to guess. It is OK to let your PC save your wireless password so you don’t have to remember it.
  • DO NOT use anything directly related to you, such as your street address, phone number or car license plate.
  • DO NOT use the name of any person or place in your password. The attackers know all the common names.
  • DO NOT use any word from the dictionary. The attackers have dictionaries, too.
  • DO NOT use a phrase or sentence. Once an attacker learns any portion of the phrase or sentence, the rest is easily guessed.

This is great advice. I often find when asking for the Wi-Fi password at a particular location that it is just a couple of words, the telephone number of the establishment, or the address (spelled out).

A secure password should not include any personally identifiable information. Birthdates, license plates, phone numbers, addresses, Social Security numbers, and other sensitive data should never be used in any password, ever. Length is good. Random characters are good. Mixed-case letters are good. Punctuation, if allowed, is great. Here is an example of a weak, bad Wi-Fi password:

555-567-8095

The following, courtesy of the Strong Password Generator, would be a strong Wi-Fi password:

Ay#{$.}n7 s$Q~sM*;.}73*CS

It’s easier to remember as ALPHA yankee # { $ . } november 7 [space] sierra $ QUEBEC ~ sierra MIKE * ; . } 7 3 * CHARLIE SIERRA

Do yourself, your family, and your business (if you have one) a favor and set a strong Wi-Fi password, using the WPA2 protocol. You’ll be glad you did.