Tuesday, April 15, 2008
 
Phorm Factor
Posted by Stefan @ 09:13 GMT

For some time now, several ISPs in the UK have been lobbied by an advertising company called Phorm. The online advertising business generates a great deal of revenue, so it's easy to hear the promise of riches and fortune when opportunity knocks. But is the potential opportunity worth the potential risk to privacy?
Phorm, http://www.phorm.com
Phorm's technology is a tracking solution for ISPs that would enable the display of contextual advertisements. When ISP subscribers browse the web, their content will be "deep packet" scanned to gather information about their interests. Advertisement banners will then be selected based on those interests.

The effect is similar to most adware solutions today — except it's installed on your ISP instead of your home computer.

During the summer of 2007 a large UK ISP ran a trial of Phorm's technology. Thousands of customers' browsing habits were monitored. Whether the information was used, stored or shared with Phorm is unclear. Currently no ISP has this technology in use, but several in the UK have signed up as partners with Phorm.

Because the technology uses a cookie to identify each user, most antivirus vendors have the possibility of creating a signature and can wipe the tracks of monitored interests. Based on the descriptions of the deployment (opt-out) and the technology, we lean towards creating such a detection signature for the cookie. Many other security vendors have taken the same stance, and we all pull for a secure opt-in solution.

It has also come to our attention that Phorm was previously known as 121Media.

121Media was the company behind the brand PeopleOnPage. PeopleOnPage is the friendly wrapper around the advertisement engine ContextPlus. Another wrapper was called Apropos, which was one of the most widespread malicious rootkits of 2005. In 2006 the heat was too much and they shut it down. DNS registrars and website content supported the conclusion that they were all in it together.

Using multiple brands and not having full disclosure is common in the adware business. Renaming a company to clear a bad reputation has also been seen before.

In the media war against Phorm, they always come back to their extreme measures not to include personal or privacy-sensitive data. Even if they have good measures for this today, it doesn't mean it won't change tomorrow. Ernst and Young scrutinized their technology earlier and now 80/20 Thinking is also giving it a review, but who will look into their future upgrades after they've already sold it to the ISPs?

For our London-based readers, there is a public event this evening (Tuesday) where you can ask Kent Ertugrul about Apropos and ContextPlus.

Questions:

   How many users did ContextPlus have?
   If Apropos is installed on my home computer, where can I get assistance on how to uninstall it?
   What was the intention of the rootkit/stealth technology in Apropos?
   Why should we trust Phorm?





