Pages Menu
Rss
Categories Menu

Posted by on Jul 7, 2016 in All Articles, Professional Services |

Is “Malvertising” Getting the Best Of You? (Part 2)

Is “Malvertising” Getting the Best Of You? (Part 2)

*Make sure to check out JC Consultant Group’s part one of this two-part series here.

Digging Deeper

In Part 1 of our article, we put a spotlight on the practice of hijacking ad networks to inject malicious advertisements into your online feed; sharing instructions on disabling Flash and Java to begin protecting your computer.

You now know that disabling Flash and Java in combination with running an ad-blocking extension and keeping your virus protection software up-to-date, you’ll significantly reduce the risk of your computer becoming infected. In Part 2, we will take you a deeper into ad blocking and blocking scripts.

We can’t guarantee you will completely eliminate all exposure with the information we will share in this article. Quite frankly, avoiding the internet entirely would be the only way to guarantee 0% risk, but we all know that business today is conducted via the internet more and more, throwing that option out the window. However, here are some additional steps we have found that may help keep your computer clean and more secure:

There's No Place Like 127.0.0.1“Loop Back” Ad Blocking

“Loop Back” ad blocking adds another layer of protection, but it is tedious to maintain because there are constantly new domains needing to be added to the blacklist.

This method also involves editing a system file, and doing it wrong could result in you losing access to unintended websites. If you accept the risk, you can modify your computer’s “hosts” file by adding offending ad-serving domains, but pointing their IP address back to your computer.

It’s a technique called “loop back” because rather than going out to the Internet to your service provider’s DNS server to find the IP address of a domain name, the hosts file takes precedence. Any entries found within it will use whatever IP address they’re given in there, so using your own computer’s IP address will loop the domain request back, and return nothing.

One of the best-maintained lists of ad-serving domains is hpHosts, and you can find it here: http://www.hosts-file.net/

The advantage to hosts file ad-blocking is that it works for every browser on your computer, you don’t need any extensions, but you can use it as a supplement to your browser’s extensions. Browser extensions are small helper utilities that you can add to a web browser, such as Firefox or Chrome, that perform specific useful functions like preventing ads and scripts from reaching you.

The disadvantage is the work required to keep up with the flood of ad-serving domains that pop up constantly. Some routers even allow you to edit their host’s file, which is ideal for completely blocking ads for every computer, phone, and tablet in your home or office, as long as they’re connected to the same network.

Block Malicious ScriptsBlocking Scripts

Script blocking is another way to reduce the risk your computer gets infected by a nasty virus. The drawback to this is decreased functionality on some websites, sometimes even resulting in non-functioning sites. These can be worked around, but you may find the risk/reward not worth the constant effort to selectively enable scripts on every website you visit.

The advantage, however, is almost total protection from any website-based attack vector because the default setting is to disable all scripts. This makes you choose which ones you feel are safe to enable on a case-by-case basis, and websites cannot automatically push files to your computer, no ads can run and potentially infect your computer. The way you do this, as with ad blocking and click-to-play, varies from browser to browser.

  • Internet Explorer

This one is the most user-unfriendly because it’s designed for someone managing a configuration for hundreds of computers, so it can be cumbersome if what you want is to customize one or two. But it can be done. To do this, click on Tools, then Internet Options, and then Security, choose the Internet zone and move the slider up to High security.

You do not have granular control over what scripts are allowed or not, it’s all or nothing. However, you can whitelist individual websites. To whitelist you need to copy the site’s URL, then go back to your Security options, and choose the Trusted Sites zone. Add a new entry for the site. This zone will allow scripts (and other plugins) to run on only the websites added, even when your Internet Zone is set to high security.

Encryption KeyAlternatively, you can “blacklist” sites, instead of blocking scripts globally and selectively whitelisting. The drawback to this method is that usually you don’t know you need to blacklist a site, until it’s already too late.

If you decide to do this, however, in the Security settings instead of using the Trusted Sites zone, you want to go to the Restricted Sites zone. You can add new entries here. If you are using High Security in the Internet Zone, you don’t really need to blacklist anything, but if you are not then this zone will block any scripts and other plugins from running on only the websites listed.

  • Google Chrome and Mozilla Firefox

Things get much easier with Google Chrome. Chrome does have a built-in option to disable scripts globally, and selectively whitelist websites. Very similar to enabling click-to-play, open your settings, go to Show advanced settings, and click Content settings. Find JavaScript in the window that pops up, and select do not allow any site to run JavaScript.

Now, all you have to do when you go to a website that you want to whitelist, up in the address bar there will be an icon that looks like a piece of paper with an X on it. Similar to click-to-play you can either continue blocking, allow scripts just this once, or always allow.
Firefox does not have this built-in option, but it does have a very powerful extension available called NoScript. You can find it here: https://addons.mozilla.org/en-US/firefox/addon/noscript/

No ScriptNoScript allows you to either temporarily or permanently allow scripts from both the website you’re on and any sites that it is pulling in scripts from. Its default setting is to block all scripts, hence the name. This then lets you choose website-by-website and script-by-script what you will allow to run.

If you would like more fine-grained control over specific scripts, there is a new extension called uMatrix. It is made by the same developers that did uBlock Origin. You can find it here for Chrome: https://chrome.google.com/webstore/detail/umatrix/ogfcmafjalglgifnmanfmnieipoejdcf?hl=en

Or here for Firefox: https://addons.mozilla.org/en-US/firefox/addon/umatrix/

Once uMatrix is installed, it immediately goes to work blocking scripts and other potential methods of attack, though it does still allow some known “trusted” scripts to run.

When you click on its icon on your extension bar, you’ll be presented with a grid, or matrix, of various things that can be enabled or disabled. On the left column is a list of URLs that are being called from the current website you are on, the following columns are the potential attack vectors.

Green means allowed, red means blocked, and clicking on the top half of the box turns it green, clicking on the bottom half turns it red. If you click on the URL box on the left column that will allow/block the entire row at once, or you can allow/block each individual column.

By default, any changes you make are only temporary. If you would like to save your settings, simply click the padlock icon at the top of the uMatrix window. This will save the settings only for the particular website. If you would rather make sure these settings are saved for all sites, click the blue box at the top left and select the asterisk (*), and then click the padlock. That asterisk means “every website.”

  • Apple Safari

Safari does have a built in option to disallow all JavaScript. However, there is no whitelist available and no way to selectively allow JavaScript from trusted sources. There is a newer extension that works similar to NoScript called JS Blocker, and you can find it here: http://www.macupdate.com/app/mac/42143/js-blocker

HTTPS - Encrypt Your ConnectionEncrypt Your Connection

Finally, this last tip is not necessary for blocking scripts or ads, but it is a good overall increase in security. The extension, HTTPS Everywhere, is available for Chrome and Firefox, and you can install it here: https://www.eff.org/https-everywhere

The extension aims to ensure your connection to websites is encrypted and secure, this includes not only to the primary website that you are visiting but any connection to 3rd party domains (such as ad networks, script hosts, embedded content, etc.). It won’t stop malicious scripts and ads, but it can help prevent them when a website honors secure connections. It is essentially a set-it-and-forget-it extension, and it requires no manual configuration. Nor will it get in your way.

HTTPS Everywhere

Keep Your Computer Protected

The instructions we have shared are all DIY. We do know that some browsers, like Opera, and virus protection services, like Norton, have ad blocking available but are usually inactive by default requiring you to activate them. In our research we were not able to find anything other than extensions that do the script blocking. The closest approximation would be router-level blocking from products provided by companies, like Barracuda, but is directed more for spam email, not really blocking ads or scripts.

By implementing any or all of the steps discussed in both parts of this article, your computer can be safer than it’s ever been. While it’ll take a few hours to properly configure all the extensions and browsers on your PC, the added security will be well worth it in the long run.