Image: Saul Loeb, Contributor via Getty Images
Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
Lots of people who use ad blockers say they do it to block malicious ads that can sometimes hack their devices or harvest sensitive information on them. It turns out, the NSA, CIA, and other agencies in the U.S. Intelligence Community (IC) are also blocking ads potentially for the same sorts of reasons.
The IC, which also includes the parts of the FBI, DEA, and DHS, and various DoD elements, has deployed ad-blocking technology on a wide scale, according to a copy of a letter sent by Congress and shared with Motherboard.
The news highlights the continued risk from the online advertising ecosystem. Some hackers leverage how adverts are delivered to send target devices malware. Data brokers and potentially intelligence agencies can leverage the ecosystem to gather information on devices and by extension people, sometimes including their physical location. The IC taking steps to protect itself from the dangers of the advertising ecosystem shows just how malicious it can be.
“The IC has implemented network-based ad-blocking technologies and uses information from several layers, including Domain Name System information, to block unwanted and malicious advertising content,” the CIO recently told Wyden’s office, according to the letter.
Do you have information on how bidstream data has been used to track people? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
With malvertising, hackers upload a malicious advertisement to an ad network, which then distributes it to targets. Previous cases of malvertising have redirected victims to exploit kits, which then break into the victim’s computer to steal data.
In addition, Motherboard has reported on how data brokers may obtain information via a process called real-time bidding. Before an advertisement is placed into a person’s app or browsing session, companies bid on whether their own advert will win the ad spot. As part of that process, participating companies can gather data on people, known as bidstream data, even if they don’t win the ad placement. Motherboard previously reported that Venntel, a U.S. government contractor, obtains some of its location data from the real-time bidding process.
But that access could extend to foreign entities. Senators Ron Wyden, Mark Warner, Kirsten Gillibrand, Sherrod Brown, Elizabeth Warren, and Bill Cassidy previously wrote to a group of tech companies including AT&T, Verizon, Google, and Twitter, with their concerns that ad networks might be leveraged by foreign intelligence services.
“This information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” the letter read. Responses from some of the tech companies showed that hundreds of relatively obscure and overlooked companies are potentially provided with sensitive data on Americans. The companies included ones based in Russia, China, and the United Arab Emirates, as Motherboard reported in June.
The Office of the Direction of National Intelligence (ODNI) did not respond to a request for comment on the ad-blocking practices. A DEA spokesperson told Motherboard in an email that “For the safety and protection of our environment, the Drug Enforcement Administration (DEA) does not disclose its cybersecurity measures; however, similar to the Intelligence Community, the DEA also considers recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) and other governing bodies when implementing cybersecurity controls.”
An NSA spokesperson told Motherboard in an email that “In order to maintain secure unclassified networks for standard business operations, NSA’s CIO institutes a defense-in-depth set of network protections to ensure network security across our enterprise. While we are unable to detail these protections for operational reasons, NSA’s dynamic security approach constantly adjusts and improves our network defenses.”
The IC’s chief information officer’s quote was included in a letter Wyden sent to Clare Martorana, the federal chief information officer for the Office of Management and Budget (OMB), this week asking her to set rules for other agencies as well.
“I write to urge the Office of Management and Budget (OMB) to protect federal networks from foreign spies and criminals who misuse online advertising for hacking and surveillance, by setting clear new rules for agencies in its forthcoming “zero trust” cybersecurity policy,” Wyden wrote.
Wyden pointed to previously published recommendations from the NSA and Cybersecurity and Infrastructure Security Agency (CISA), encouraging readers to use ad-blocking technology. The NSA also published guidelines around the threat of the collection and sale of location data.
“While the intelligence community has acted to protect its personnel and computers from malvertising based threats, many other federal agencies have not, and are unlikely to until they are required to do so. To that end, as OMB finalizes its recently released draft Federal Zero Trust Strategy, detailing the specific actions that OMB is requiring federal agencies to take to secure their systems from hackers, I urge OMB to also require agencies to implement the CISA and NSA guidance to block ads,” Wyden’s letter continued.
“This administration is committed to strengthening federal cybersecurity and moving the U.S. government towards a zero trust architecture,” an OMB spokesperson told Motherboard in an email. “As part of this effort, the Office of Management and Budget asked for public feedback on a draft federal zero trust strategy that calls for strong multifactor authentication, encrypting network traffic, and other important cybersecurity practices. Over the coming weeks, we’ll be reviewing and considering each comment we received as part of this process, as we finalize this strategy.”
Subscribe to our cybersecurity podcast, CYBER.