Web Ads Used to Launch Online Attacks
Online advertising networks could be used to enlist millions of unsuspecting Web surfers in attacks on other websites, a demonstration at the Black Hat security conference in Las Vegas showed on Wednesday.
It didn’t take long for the victimized test server to begin struggling under the sudden load. In the first hour of the test, during which only $2 was spent on ads, more than 130,000 connections from browsers swamped the server. It wasn’t much longer until the server began falling offline under the growing load.
“We did not hack anybody; we used the way the Web works and brought down our own server,” said Johansen. “We’re just loading images as quickly as possible.”
The test server wasn’t protected by the specialized tools used by some sites to defend against so-called denial of service attacks. However, Johansen said that the low cost of this type of attack and reach of online networks suggest it could be easily scaled up. “It’s really not that much money to do real damage to real sites on the internet.”
At the typical prices for online ads—about 50 cents for 1,000 views—just $500 is enough to get a million contributors, he pointed out. The pair plans to test the attack against more powerful Web servers that have protections against denial of service attacks.
Grossman said the toughest question raised by the technique is not how to solve it, but who’s to blame for the vulnerability. Unlike most new attacks presented at Black Hat, it isn’t enabled by a failing in any one company’s technology. Ad networks, browser designers, and Web protocols all enable this style of attack, he said.
Jeff Debrosse, director of security research at online security company Websense, was less equivocal about who should address the issue. “It is up to the ad networks to remedy this solution,” he said, pointing out that the new research shows that ad networks that block custom code are correct to do so.