Article 43

 

The Mother of All Privacy Battles Part 6


NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser. NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit.

Web page code is normally entirely downloaded from servers to clients over a single TCP connection. Once the page is downloaded, the downloaded code is executed by the client. The execution of this code is what causes the additional operations necessary to download images and other page resources. This code is considered safe to execute because it purportedly came from a source trusted by the user. NebuAd’s code injected into another’s page source is a cross-site exploit (XSS) and the subsequent behavior of loading cookies it normally would not load is a browser hijack. NebuAd accomplishes its XSS by using what is effectively a classic man-in-the-middle attack.
- Rob Topolski

Free Press/Public Knowledge Investigation Finds NebuAd Wiretaps Consumers and Hijacks Web Sites

By Art Brodsky
The Free Press
June 18, 2008

Consumers are having their Web browsing intercepted and Web sites are having their computer code altered by NEBUAD, a company that provides targeted advertising for Internet Service Providers (ISPs), according to a technical investigation by Free Press and Public Knowledge.

NebuAd recently made headlines by announcing its partnership with cable company CHARTER COMMUNICATIONS, but has also been deployed by WOW!, EMBARQ, Broadstripe, CenturyTel, Metro Provider and others. The NebuAd partnership with Charter was originally announced to start June 15, but Charter has delayed the implementation.

Topolski found that NebuAd, after being installed on the WOW! network, injects extra hidden code into a user’s browser that was not sent by the Web site being visited. That code directs the user’s Web browser to another site not requested or even seen by the consumer, where hidden code is downloaded and executed to add more tracking cookies. The consumer then sees ads based on NebuAd’s profile of a user’s browsing habits—built through the secretly collected information.

By changing the computer code for Web sites to insert information into the packets of data sent to consumers, NebuAd and its ISP partners violate several fundamental expectations of Internet privacy, security and standards-based interoperability, the report found.
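A site owner can check for this kind of in-transit modification by comparing the page as the server sent it with the page as a client behind the ISP received it. The following is an added example, not code from the report; the function names, hosts and the two sample pages are constructed, and it assumes both copies of the page are available for comparison.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect every <script> element as [src, inline_body]."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append([dict(attrs).get("src") or "", ""])

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scripts_in(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return [(src, body.strip()) for src, body in parser.scripts]


def injected_scripts(as_served, as_received):
    """Scripts in the received page that the site never sent."""
    known = set(scripts_in(as_served))
    return [s for s in scripts_in(as_received) if s not in known]


def foreign_hosts(scripts, page_host):
    """Hosts of added external scripts other than the page's own host."""
    hosts = {urlsplit(src).hostname for src, _ in scripts if src}
    return sorted(h for h in hosts if h and h != page_host)


# Constructed sample: one page as sent by the site and as seen by the client.
SERVED = '<html><head><script src="/app.js"></script></head><body>Hi</body></html>'
RECEIVED = ('<html><head><script src="/app.js"></script></head><body>Hi'
            '<script src="http://tracker.example/t.js"></script></body></html>')

print(foreign_hosts(injected_scripts(SERVED, RECEIVED), "www.example.org"))
```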

“This report shows that NebuAd’s Internet wiretapping is highly questionable,” said Marvin Ammori, Free Press general counsel. “Phone and cable companies should press pause on NebuAd and any similar venture until consumers and members of Congress can address the serious concerns raised by this report.”

“Once again, it shows that ISPs are putting themselves where they don’t belong - inserting themselves between consumers and Web sites,” said Gigi B. Sohn, president and co-founder of Public Knowledge. “Inserting unwanted information and advertising under false pretenses violates every concept of an open and free Internet.”

Topolski added, “NebuAd breaks the rules of acceptable behavior on the Internet. It monitors what you do and see on the Internet, it breaks in and changes the contents of your private communications, it keeps track of what you’ve done, and if you even know that it’s happening, it is impossible to opt-out of it.”

SOURCE

NebuAd is an online advertising company whose partnership with cable and phone companies has raised substantial privacy questions for House Subcommittee on Telecommunications and the Internet Chairman Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas).

In a new report, “NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking,” Robert M. Topolski, the chief technical consultant for the organizations, found that NebuAd “uses special equipment that monitors, intercepts and modifies the contents of Internet packets” as consumers go online. Topolski, the network engineer who made public Comcast’s throttling of BitTorrent applications, said in the report that “NebuAd commandeers users’ Web browsers” to load tracking cookies and collects information from users in order to place ads from ISPs.

Apparently, neither the consumers nor the affected Web sites have actual knowledge of NebuAd’s interceptions and modifications, the report found.

---

Consumer Groups Dig Inside NebuAD Technology
And find a slew of controversial - if not ILLEGAL - tactics…

By Karl
Broadband Reports
Jun 18, 2008

Consumer groups Free Press and Public Knowledge today issued a REPORT on NebuAD behavioral advertising technology. ISPs are paid to install a user tracking device that sits on the ISP network, and aids in the delivery of ads tailored to your browsing habits. Broadband Reports user ROB TOPOLSKI, who first discovered Comcast’s upstream BITTORRENT THROTTLING, ran a series of tests and found the technology forges packets, violates IETF standards and more:

NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser. NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit.

So far all we’ve had is NebuAD promises that the technology plays fair and protects user privacy, though few have actually dug into how the technology works. There’s MOUNTING CONGRESSIONAL PRESSURE to investigate the technology before it’s inevitably launched by more than just the handful of carriers I’m currently aware of (WOW, Knology, Charter, EMBARQ, Broadstripe, Bresnan Communications, and CenturyTel).

Topolski suggests the technology takes a few pages out of the playbook of several controversial tactics, including browser hijacks, cross-site scripting (XSS) attacks, man in the middle attacks and more.

“NebuAd breaks the rules of acceptable behavior on the Internet,” says Topolski. “It monitors what you do and see on the Internet, it breaks in and changes the contents of your private communications, it keeps track of what you’ve done, and if you even know that it’s happening, it is impossible to opt-out of it.”

“This report shows that NebuAd’s Internet wiretapping is highly questionable,” says Marvin Ammori, Free Press general counsel. “Phone and cable companies should press pause on NebuAd and any similar venture until consumers and members of Congress can address the serious concerns raised by this report.”

“Once again, it shows that ISPs are putting themselves where they don’t belong - inserting themselves between consumers and Web sites,” says Gigi B. Sohn, president and co-founder of Public Knowledge. “Inserting unwanted information and advertising under false pretenses violates every concept of an open and free Internet.”

SOURCE

---

Posted by Elvis on 06/18/08 •