This article originally appeared in CSO on March 14, 2019.
The Media Trust offers website owners a way to detect malicious code coming from third parties, and DarkOwl scans the dark web for signs that a company has been compromised.
I’ve got a confession to make. I’ve never attended an RSA Conference before last week. For RSAC 2019, however, I had the honor of giving one of my favorite presentations, 12 Ways to Hack 2FA. The crowd filled the presentation room and a spill-over room to hear it. I was a little under the weather, but I think it went well enough.
I was just as delighted to attend the full conference and many sessions. Most of the talks were good. Many were excellent. Two full vendor halls with lots to see, do and learn: book signings, entertainment, fun activities and lots of bar meetups. If you like to collect conference swag, you will find no better conference. I’d go again in a heartbeat.
I met with dozens of companies at the conference, but two stood out.
The Media Trust: An anti-malvertising service for website owners
I have long known that entities that serve banner ads are a huge risk to the websites that profit from them. Bad guys target banner ad companies and code to inject malicious code into content that a visitor to an otherwise legitimate website consumes—a practice known as malvertising. I wrote about “transitive trust” back in 2008, telling website owners that they must verify (and trust) all code running on their website no matter where it comes from.
Flash forward to today. I interviewed The Media Trust CEO and founder, Chris Olson, who says that the average website he works with has 30 to over 1,000 different code components coming from all over the world. If you track the involved domains for any popular website, you’ll be surprised how many different pieces of code and content are making up a single page. Sometimes that nth-party code is malicious, either getting accidentally compromised or launched by some malicious content vendor who otherwise looks legitimate.
Olson didn’t sugarcoat the problem: “No major website vendor understands every bit of code that is being launched to their visitors by that website. No one in the company knows. It’s code and content coming from third parties, and fourth parties and nth parties that the third party hired. A lot of that code is not what the vendor would want to have running on their website. I’m sure if some CEOs or CMOs saw what was actually running on their websites they would shut them down.”
When a website hires The Media Trust, it monitors the thousands of nth-party code vendors interacting with the website (or mobile app) looking for and blocking maliciousness. It’s not something The Media Trust has to wait for. While I was talking to Olson, I saw The Media Trust block hundreds of malicious attempts.
Olson says The Media Trust blocks maliciousness every 14 seconds. “We are 72 hours ahead of VirusTotal. By the time VirusTotal is picking something up, it’s basically dead and over.” If The Media Trust detects something malicious running on a client’s website or mobile app, it immediately sends a message to the client so it can be researched and blocked. Automated remediation is not usually done because blocking one piece of code can cause devastating service impact to a website. Olson says many of his clients trust the alerts and immediately block the offending code.
Perhaps the most astounding fact I learned was how the bad guys use the same underlying ad-targeting mechanisms that legitimate websites and services use to send targeted advertising to target you (or your associated profile group) with malicious code. As Olson states, “The internet is one big selling platform. It’s why it exists. They look for the weakest link in the advertising chain, break into it, and then use it to target specific sets of people.” For example, they might target victims by gender or whether they are in the armed services.
I was impressed with what The Media Trust does. If you have sophisticated websites or mobile applications that rely on third-party or, as Olson calls it, nth-party code, then check out The Media Trust.
DarkOwl: A dark web scanning service
Another company that intrigued me was DarkOwl. I met with CEO Mark Turnage and VP and former Tor project executive director Andrew Lewman. Briefly, DarkOwl surfs the dark web, makes a copy of what it finds, and then indexes and triages customer-related information for its customers. It’s a good way to quickly find what the dark web knows about your company and its employees. Did a hacker steal your data crown jewels and upload them to a website on the dark web? Does the dark web have your employees’ logon names and passwords? DarkOwl knows.
Just over two-and-a-half years old, DarkOwl surfs Tor and other dark webs. Tor is the biggest and best-known dark web, and DarkOwl surfs 26,000 of its 29,000 websites, along with another 200 pastebin websites. They collect the data into a big database that customers can interact with. The collected data is even ranked with a “Hackishness Score” ranging from 0 to 16, with higher numbers indicating more risk. In the demo I saw, several of the U.S. military services were ranked high.
One of the coolest and most useful features was how much correlation DarkOwl had about different dark web groups. In places designed to have a heightened amount of anonymity, DarkOwl is easily identifying key players and transactions. The DarkOwl blog publicly identifies and shares this information. For instance, they outed Daniel of the Darknet as a gray hat.
Daniel is a key player on the dark web who offered a place for many other dark web players to hang their shingle. Daniel always claimed that he never worked with unethical or illegal players. After a big outage to Daniel’s platform due to a claimed database breach, DarkOwl was able to identify illegal and unethical players using Daniel’s services, including child abuse sites.
In another instance, DarkOwl showed me a graphical map of a bunch of bitcoin users. It showed all the incoming payments (numbering in the thousands) and a few output nodes where the bitcoin was being transferred to and likely being converted to a regular currency. It was pretty cool.
During the demo they ran queries for information on my current full-time employer, KnowBe4, and also on my personal email address. They found some interesting stuff, although nothing that I didn’t already know about. Some of the information was incredibly detailed. For example, someone was using a maliciously modified real advertisement to exploit unsuspecting customers. I had heard about this attack from the CEO a few months ago, but it was interesting to see the maliciously modified document in its entirety including exactly where the malicious switch out had been made.
Key to the service that DarkOwl offers is early notification of bad content and things related to your company, its assets and its people. If you can’t stop something bad from happening, early warning is the next best thing. DarkOwl is one of the best early warning systems I’ve seen.
All in all, I found the RSA conference, its sessions, and its vendors valuable. Don’t listen to those who say it isn’t worth the time or has gotten too big. I think most of the people attending felt like they got good value for their money, like I did.