Expert(s):
Associate Director of Digital Security and Operationsfeature_status*/ ?>
The Media Trust

Comments Dotted : 17
March 20, 2020

Security Expert On Medical Mask Ads Still Showing Up
What started as a few dozen scam campaigns quickly multiplied to hundreds within days.
It’s difficult to police digital advertising, when billions of ads are served every minute to individuals accessing content from around the world via different devices and behavioral profiles. The challenge is defining what is a scam or bad ad, and then using defined characteristics to identify and terminate violations from the digital ecosystem. What started as a few dozen scam campaigns quickly multiplied to hundreds within days. To avoid being accused of profiting off the misfortune of.....Read More
It’s difficult to police digital advertising, when billions of ads are served every minute to individuals accessing content from around the world via different devices and behavioral profiles. The challenge is defining what is a scam or bad ad, and then using defined characteristics to identify and terminate violations from the digital ecosystem. What started as a few dozen scam campaigns quickly multiplied to hundreds within days. To avoid being accused of profiting off the misfortune of others, websites and their digital partners should closely analyze their content and ad tags with an eye to removing illegitimate promotions from their digital environment.  Read Less
March 12, 2020

On Adware – The Mobile Plague
As a result, this unmanaged code can easily perform additional actions outside the delivery of an ad.
Ads provide a very important function in the digital economy: they enable access to a free service. While most people approach this adware as a user annoyance with little actual harm to the user this usually isn't the case. The issue lies in what additional code ads bring to the device, most of which is unknown to the app creator or advertiser. As a result, this unmanaged code can easily perform additional actions outside the delivery of an ad. It's these surreptitious actions that lead to.....Read More
Ads provide a very important function in the digital economy: they enable access to a free service. While most people approach this adware as a user annoyance with little actual harm to the user this usually isn't the case. The issue lies in what additional code ads bring to the device, most of which is unknown to the app creator or advertiser. As a result, this unmanaged code can easily perform additional actions outside the delivery of an ad. It's these surreptitious actions that lead to unauthorized data collection, zombie device creation, browser or device exploitations, malicious downloads, and more. App creators and stores need to thoroughly analyze executing code from the user experience to identify these activities to not only accurately populate privacy policies and consent management platforms but also ensure compliance with data protection regulations. Taking responsibility for knowing what vendors are brought to the user experience will mitigate most annoying, malicious and regulatory violation problems.  Read Less
January 28, 2020

Response Comment: Google Docs Down
In the post-CCPA/GDPR world, tech companies are paying greater attention to the risks that software poses to users.
In the post-CCPA/GDPR world, tech companies are paying greater attention to the risks that software poses to users. Much of the risks stem from having no control over what impact code will have on the security and privacy of user personal data. Until tech companies know who's running what code in the various components that make up extensions and other forms of software, the risk of fraud and theft will remain high, as will the risk of running afoul of these new privacy laws.
January 24, 2020

Comments On Thousands Of WordPress Sites Hacked To Fuel Scam Campaign
While this arrangement may have worked in the past, the passage of the CCPA has shaken up the industry.
Campaigns that redirect users of legitimate sites to scam sites underscore the problems with relying on digital third-parties. While digital third-parties provide much needed support to websites that must meet the growing demands of website users, they also expose site owners and users to security and privacy risks. The code they run on today's websites lie outside the website owners' perimeter. As a result, owners don't know who's running what code on their sites, and what impact this might.....Read More
Campaigns that redirect users of legitimate sites to scam sites underscore the problems with relying on digital third-parties. While digital third-parties provide much needed support to websites that must meet the growing demands of website users, they also expose site owners and users to security and privacy risks. The code they run on today's websites lie outside the website owners' perimeter. As a result, owners don't know who's running what code on their sites, and what impact this might have on users. Meanwhile, bad actors are capitalizing on this growing reliance on digital third parties, who all too often bring their software to market without much thought given to security and privacy. While this arrangement may have worked in the past, the passage of the CCPA has shaken up the industry with stiff penalties and private right of action in case of a breach. The upshot, companies can no longer take privacy and security lightly.  Read Less
January 22, 2020

Comments On The Hanna Anderson Magecart Attack
By doing so, they will address not only security risk, but also quality and performance risks.
We need to call these attacks what they are: digital supply chain attacks. Some attacks use the same or similar code as Magecart, but a far greater number use a wide array of advanced techniques to redirect online shoppers and readers. Until companies take the insecurity of their digital supply chains seriously and monitor the code that runs on their sites, these attacks will continue. There's no other way to prevent these attacks than to allow only trusted digital vendors to run code on your .....Read More
We need to call these attacks what they are: digital supply chain attacks. Some attacks use the same or similar code as Magecart, but a far greater number use a wide array of advanced techniques to redirect online shoppers and readers. Until companies take the insecurity of their digital supply chains seriously and monitor the code that runs on their sites, these attacks will continue. There's no other way to prevent these attacks than to allow only trusted digital vendors to run code on your site, as well as closely watch and regulate all the code that these vendors and their own digital third parties run to make sure they all follow your policies. By doing so, they will address not only security risk, but also quality and performance risks that can degrade their site’s user experience.  Read Less
January 07, 2020

The Media Trust Comments On HappyHotel Search Engine Breach
Users will want to keep their data private and protect information on their activities from public exposure.
An aggregator like HappyHotel is not your average hotel booking site--it's neither for family vacations or for business trips. Users will want to keep their data private and protect information on their activities from public exposure. Apart from exploiting data for identity theft or various other forms of fraud, bad actors can extort money from users and cause irreparable damage to their private and public lives. Site owners that facilitate sensitive activities that users wouldn't want made.....Read More
An aggregator like HappyHotel is not your average hotel booking site--it's neither for family vacations or for business trips. Users will want to keep their data private and protect information on their activities from public exposure. Apart from exploiting data for identity theft or various other forms of fraud, bad actors can extort money from users and cause irreparable damage to their private and public lives. Site owners that facilitate sensitive activities that users wouldn't want made public should exercise extra security precautions to prevent breaches. Their sites, not to mention the digital third parties that support it, are likely in the crosshairs of bad actors who want to score and profit from extra-sensitive information.  Read Less
December 20, 2019

Expert Insight: Magecart Attack On Macy’s Was Customized
Bad actors know they can count on many site operators to leave open the same entry points.
While digital skimmers have been around for years, the customized use of skimmers in attacks that target large e-commerce businesses is more recent. But what remains the same is what bad actors exploit: website design and operations processes that pay insufficient attention to insecure or unauthorized third-party code. Bad actors know they can count on many site operators to leave open the same entry points either through bad configuration, poor security measures, or both. Until businesses take .....Read More
While digital skimmers have been around for years, the customized use of skimmers in attacks that target large e-commerce businesses is more recent. But what remains the same is what bad actors exploit: website design and operations processes that pay insufficient attention to insecure or unauthorized third-party code. Bad actors know they can count on many site operators to leave open the same entry points either through bad configuration, poor security measures, or both. Until businesses take third-party code risks more seriously and continually monitor third-party code to keep out unauthorized activities, these attacks will continue simply because their success is almost guaranteed.  Read Less
November 26, 2019

Comments On The Report: MSPs Targeted For Cyber Attacks In 2020
Nearly all websites today are hosted by cloud service providers (CSP).
Digital supply chain attacks are mounting because they give bad actors a nice return for their investment. By targeting one provider, bad actors gain access to the data of several, if not many. Nearly all websites today are hosted by cloud service providers (CSP), who are rarely held to account for any malicious attacks that break out across their platforms. And even if businesses show their CSP concrete evidence that an attack was traced to their platform, chances are small that the CSP would.....Read More
Digital supply chain attacks are mounting because they give bad actors a nice return for their investment. By targeting one provider, bad actors gain access to the data of several, if not many. Nearly all websites today are hosted by cloud service providers (CSP), who are rarely held to account for any malicious attacks that break out across their platforms. And even if businesses show their CSP concrete evidence that an attack was traced to their platform, chances are small that the CSP would help to shut down the attack.  Read Less
November 20, 2019

Experts Comments On Macy’s Customer Payment Info Stolen In Magecart Breach
Treat everyone else as a potential threat.
The challenge with preventing cross-site scripting attacks is identifying which code should be running on a site, which ones shouldn't. Until site owners know all the domains that are called by code on their site, they won't be able to distinguish who's authorized to be there, and who isn't. If they have an inventory of allowed digital vendors, they'll be able to root out unauthorized actors like those behind barn-x.com. They need to take a left of left-of-breach approach. Only allow code from.....Read More
The challenge with preventing cross-site scripting attacks is identifying which code should be running on a site, which ones shouldn't. Until site owners know all the domains that are called by code on their site, they won't be able to distinguish who's authorized to be there, and who isn't. If they have an inventory of allowed digital vendors, they'll be able to root out unauthorized actors like those behind barn-x.com. They need to take a left of left-of-breach approach. Only allow code from digital vendors you know. Treat everyone else as a potential threat. You'll avoid making the headlines for all the wrong reasons.  Read Less
November 19, 2019

Expert Insight On Fake Domains
Data encryption alone will not prevent bad actors from accessing personal information from site users.
TLS certificates were developed to protect communications between a server hosting a site and a browser. Designed to protect legitimate business, this security measure is now being abused by bad actors exploiting hurried consumers' tendency to pay little attention to details like the URLs of sites they visit. The current push towards universal encryption will worsen this problem, making it difficult to catch bad actors behind website spoofing or typosquatting schemes. Data encryption alone will .....Read More
TLS certificates were developed to protect communications between a server hosting a site and a browser. Designed to protect legitimate business, this security measure is now being abused by bad actors exploiting hurried consumers' tendency to pay little attention to details like the URLs of sites they visit. The current push towards universal encryption will worsen this problem, making it difficult to catch bad actors behind website spoofing or typosquatting schemes. Data encryption alone will not prevent bad actors from accessing personal information from site users. As incidents like those involving PayLeak-3PC and other payment stealing malicious code show, encryption won't prevent bad actors from hijacking the online journey. Detecting this type of code requires the right tools and expertise that conventional security methods don't offer. It also requires knowing who should be running code for what purpose on your website and who shouldn't.  Read Less