
Update: Malware False Flag Alert on the DP (Again); Also Affecting Tech Crunch, Other Sites

Friends,

Here's an article on the Malware False Flag:

Google's malware checker on Tuesday started to detect ads from isocket's advertising network, distributed via the adsbyisocket.com URL, as a threat. The result is that sites using the advertising network are throwing up malware warnings on some pages visited by Google Chrome. These include TechCrunch, Cult Of Mac, and possibly others.

The article notes that Google has lifted the malware alert, so it should stop showing up here any time. As I noted in a comment on another thread, this is the third time this has happened to the Daily Paul. I'm familiar with the drill. I have removed all the isocket ad tags from the site, and resubmitted the site for a scan by Google. Hopefully things will clear up soon.

Thank you again for your patience.

Michael

- - - - Original Post - - - - - -

I've seen the alert on Chrome and Safari. Other people have mentioned it. This is the third time it has happened. It is being triggered by the ad network. Very sorry about the trouble folks. I'll let you know more when I know more.

Michael


Same here.

Still can't use my up vote.

Lost vote

I've lost my vote here. Hasn't worked for two days. Have to use the forum link in my "history" to get into the site.
Hope things are fixed soon.

Deekey

Please, don't call it a false flag

When a security system alerts when there was no real threat, it is called a false positive.

It happens.

I am noticing more and more

I am noticing more and more instances where, when I visit a site, there are certain articles and/or videos that Firefox says it can't bring up. Some it can. Need I say censorship? I used to wonder why HuffingtonPost would not post certain comments until I found that George Soros has ties to HuffingtonPost. George Soros has ties to 30 major news media organizations.

Bob Marshall

blocked me @ 3 est

gone by 5 ish


Google Chrome's Warning/Message Doesn't Add Up

Browsers are designed with security in mind.

So, it seems awfully strange for the warning message/report to warn of an ad automatically installing something on the computer.

That should be impossible if the browser is designed and implemented well, which Google Chrome seems to be (in my experience).

So, why would Google Chrome issue a message about blocking a site, when that would really be a bug (a security hole)?

Browsers use multiple security mechanisms

Browsers don't warn about these pages because the content they serve can successfully execute a code injection attack against the browser itself (e.g. buffer overflow, pointer corruption, etc.) but because some pages serve malware and use social engineering to persuade less savvy users to run them. They may also block pages that exploit known vulnerabilities in third-party plugins.

Code injection vulnerabilities in widely used software are rare these days, and a lot more difficult to exploit reliably thanks to process hardening techniques such as Address Space Layout Randomization, canaries surrounding important pointers on the stack, out of bound management of heap memory, another variety of canaries in the heap called "guard pages", forced mapping of the null pointer, making writable memory non-executable, process separation and privilege separation, etc.

Then there is the whole class of attacks that arise from the details of maintaining session over HTTP, a stateless protocol: Cross Site Scripting (XSS) and Cross Site Request Forgery (XSRF). The non-persistent (aka "reflective") variety of XSS and XSRF need to be launched from pages which users must be lured to. The malware filters need to warn users before these pages load and the user is exploited. These are not vulnerabilities in the browser, they arise from server side code that doesn't filter input appropriately considering the context.

Because of their reach, ad networks are obvious targets for serving malicious content. Attackers love to get their code in there, and ad network operators are far from perfect when it comes to filtering it out.

False negatives and positives happen.


A lot of info. Thanks. Followed most of it.

I haven't dealt with low level code in quite a while.

So, it is funny to read about stack-level security code that seems nearly psychotic (..or maybe an immune system).

Computers haven't

Computers haven't fundamentally changed. We just have faster, cheaper hardware and have built up a mountain of abstraction in software. Then we've added some specialized hardware to deal with a select few of those things, like drawing polygons and virtualizing ring 0. In the end it's still just a lot of loading, processing, and storing.

Neuter Java.

_

Free includes debt-free!


Java or JavaScript?

--

Java

Numerous exploits discovered.

Uninstall it if you don't need it.

Free includes debt-free!

How do I know if I need JAVA?

What are the most common things people use JAVA for?
Thanks!

Don't know. Tons of details here Text and Podcast.

Leo Laporte of Twit.tv discusses Java with guest.
http://www.grc.com/sn/sn-367.htm

Free includes debt-free!


Malware alert seems to be gone

Anyone seen it recently?

The only way to make sense out of change is to plunge into it, move with it, and join the dance. - Alan Watts

Well, I'm still getting the error

Trevor's site got hit too.

www.libertycrier.com

The only way to make sense out of change is to plunge into it, move with it, and join the dance. - Alan Watts

ta-ha! I KNEW IT!

look at all the brave people that decided to just say,"Screw the warning! I'm going to the DailyPaul and you can't stop me!"

:-)

Got the warning on Firefox on a Mac.

I never take a chance... instead I just...

Instead I surf the web with this Firefox add-on called Cocoon. I can surf the whole web behind a proxy so no malware can get me. As long as I'm not dl'ing stuff the cocoon will keep me safe.

It's a free dl:
www.getcocoon.com

LOL

> no malware can get me

You are wrong about that. Malware passes through proxies too. The way Firefox blocks these things by default is actually far more respectful of your privacy than cocoon is. Firefox compares locally, cocoon runs all your traffic through their proxy, where it is monitored.

Sometimes that's cool, it's good to run your traffic through proxies when I go to conferences or use untrusted wifi. It's also good to do it when booking plane tickets, submitting forms with your name in them to government web sites, and so on.

Wait, am I wrong?

Cocoon claims that the malware hits them (the proxy) and I don't get hit. So the malware does get through and it hurts them, not me. (according to cocoon) They claim that they can take care of all the malware on their servers.

I also use the privacy settings on Firefox as you mentioned. If I'm wrong about this please explain. I don't want to have false security. They also claim that they're not recording any of your web surfing. I'd love to know if cocoon is good or bad from someone who's good with computers.

> Cocoon claims that the

> Cocoon claims that the malware hits them (the proxy) and I don't get hit.

That is true, however their proxy cannot be perfect. It's as fallible as every other solution that scans for known attacks.

> They claim that they can take care of all the malware on their servers.

That's just dishonest. In spite of what their marketing is telling you, Cocoon hasn't innovated anything new. It is an anti-virus proxy server. These have been widely used for 10 years already, and we still have malware.

> They also claim that they're not recording any of your web surfing.

And that's all you have: Their claim. For all you know they record everything. By choosing to route all of your traffic through them, you are giving them the ability to do so at any time, without your knowledge or consent.

Startpage.com makes the same

Startpage.com makes the same claim... : (

Do you think they are just as unreliable?

They don't appear to set any

They don't appear to set any cookies or pass the search results through their own redirect url to track what you click on. Startpage doesn't serve content from other domains in its pages either, so only they see what you do on their site.

Startpage doesn't claim to protect you from malware, they only claim not to log your IP address. There's no way to verify whether or not they log it.

You don't pass all your traffic through Startpage though, so at worst they're recording your HTTP requests to them. That's not a big deal.

I wish more computer experts could chime in.

Startpage allows you to use them as a proxy. After you view the list of hits from your query you can click on the proxy link to view each search hit. That would allow you to view the website from the Startpage results anonymously.

So both cocoon and startpage claim to give you that anonymity. Startpage is more indirect as you have to surf the web via startpage results by specifically clicking on the proxy links. Cocoon would let you type in anything in the URL so there's more convenience.

I really want to find an expert who could share his insight about malware protection via proxies.

I know recording user's web activity also costs money. Startpage is low budget so they can't even afford to track you if they wanted to; though they have said that's not their goal. With Cocoon, I have no idea what they could be doing.

I didn't notice that feature

I didn't notice that feature of Startpage.

I am a computer expert. I don't claim I know everything, but I have deep knowledge of this topic. And it is a broad topic. There are so many types of proxies: We can have proxies that operate at the TCP layer, which merely redirect traffic without discriminating based on content: regular SOCKS proxies, including Tor, for example. These types of proxies cannot protect you from malware any more than a firewall can. (That is, basically not at all)

Then we have proxies which can apply rules, and decide to alter or reject requests and/or responses based on various criteria. These can look at HTTP protocol fields to make decisions, as well as the content of the request or response. They can be used to protect both clients (web browsers) and servers, as well as plugins hosted within browsers and server side code hosted by web servers. This type of thing looked promising back in 2004 or so, but as someone who's been following this since the mid 1990s, I can tell you that the idea of protecting something as complex as a web browser with a proxy is dubious at best.

In theory, a proxy can block traffic that would exploit a vulnerability. In practice, there may be cases of server side code that can't be easily updated that would benefit from such protection. This is absolutely not the case for web browsers. The teams that maintain web browsers have a far better understanding of their vulnerabilities than any teams offering proxies have.

Google is literally offering millions of dollars in the next month for disclosure of vulnerabilities in Chrome. The prizes for 0day at conferences are worth more than the companies behind Cocoon and Startpage combined. If either had anything worth a damn, someone would just buy them.

Browser security is about process hardening, privilege separation, sandboxing, virtualization, and related fields. Proxies do not operate at the correct layer to provide credible protection against modern malware. All they are good for is shielding your IP address from the remote peer. Web based proxies may provide some protection incidentally, but only at the expense of breaking legitimate functionality.

Proxies are good for 3 things:
1) Make your traffic go somewhere else, before going to the target site. This is necessary at conferences or other networks where the network admin might know you personally and take interest in your traffic. A VPN or any kind of layer 3 proxy is sufficient.

2) To catch stupid users (skilled users can always bypass) trying to exfiltrate proprietary data from a corporate network you are tasked with protecting, or to enforce whitelisted web access so that the jobbers don't go anywhere except work related sites on company time. This is kind of the reverse of keeping malware out: Keeping certain data in. It's actually impossible, there's always a way to sneak it through unless you utterly cripple access to the internet.

3) To assist in testing the security of web applications by enabling on the fly modification of cookies, post variables, and so on. And browser plugins are taking this over as they're actually better suited.

Try a query on Startpage...

For example, Startpage a query of "Daily Paul".

In the search results you'll see the first hit is the Daily Paul. And at the end of that hit there is a link for viewing it via the startpage proxy. Please check it out.

1. In your expertise, how good is that protection against malware?
2. Will this proxy protect my anonymity from the Daily Paul? my ISP? Both?

Thanks for the reply. It seems from your previous reply that proxies won't protect against malware. Thanks for the info. I appreciate it.

This provides some pretty

This provides some pretty decent protection against malware by stripping out Javascript. Keep in mind that it may be possible to craft some Javascript in such a way that the proxy doesn't recognize it as such but your browser does and runs it. It is far more likely than not that such a vulnerability exists. You could just use noscript, or disable Javascript entirely for the same effect.

The connection between you and the proxy is SSL, so your ISP most likely can't see what you're looking at.

Using the proxy does prevent DailyPaul from seeing your IP address, but it doesn't allow you to login without connecting directly. So how good is that, really?

Thanks for your input!

Well that's great to know. I've heard others talk about noscript. I need to look into that. Can it replace javascript and then I should perhaps remove javascript altogether? I don't know if javascript is required for anything else I do on my laptop.

Happy to help

You need Javascript. You can't disable it and still expect the web to function for you. Noscript doesn't replace it, just gives you more control in what runs. And thanks to content distribution networks it's not a whole lot, but better than nothing.


Yep, that's about what I

Yep, that's about what I thought, figured it was BS :)

It is easier to fool people than to convince them that they have been fooled. – Mark Twain