Security experts criticise Phorm

Does it make browsing the internet "more complicated"?

Tags: threat, ads, phorm

By Tom Espiner

Published: 18 April 2008 08:33 BST

Security experts have criticised targeted-ad company Phorm, claiming the nature of its infrastructure could increase the likelihood of successful denial-of-service attacks against its ISP customers.

Dr Richard Clayton, a security expert from the University of Cambridge, published a paper earlier this month detailing Phorm's infrastructure. Clayton found that part of Phorm's system involves mediating web page requests between users and ISPs. A browser request is first sent via a switch to a machine on the ISP network, which then redirects the user to the Phorm Webwise server to have an anonymised cookie attached to it, allowing Phorm to serve targeted ads to the user.

In the process of attaching the cookie to the browser session, the request is bounced to the ISP machine three times. These request bounce-backs would magnify any denial-of-service attack, according to Clayton, and could also create incompatibilities with browser-security measures.

Clayton said: "Because they start with three redirections before users are led to the real site, browser heuristics could say that this was a dodgy site, which is unwise. Also, by sending sufficient crafted packets to the [Phorm] web server, attackers would get more bang for their buck, and the net effect would be [that] the server would not resolve anyone to the ISP."

While Phorm could always just switch off its web server in the event of an attack, Clayton said, the system makes browsing the internet "more complicated and less stable".

A spokesperson for Phorm denied on Thursday that users would experience any problems with the stability of their web browsing.

The spokesperson told silicon.com sister site ZDNet.co.uk: "We disagree that Phorm will downgrade the experience of the internet. From a commercial standpoint, it would be entirely stupid for us to downgrade the user experience, as ISPs buy in[to the service]."

Phorm was also criticised by security company F-Secure in a Tuesday blog post, which drew attention to Phorm's past work and reputation. Phorm was previously named 121Media, with a brand called "PeopleOnPage", the wrapper around the ad engine ContextPlus. F-Secure said 121Media was responsible for developing pieces of adware, including Apropos. In the blog post, F-Secure described Apropos as containing "one of the most widespread, malicious rootkits of 2005".

On Thursday, Phorm denied that Apropos had contained a rootkit but admitted that it did contain code to hide itself from other pieces of adware. The company's spokesperson said: "Apropos wasn't hidden; users could uninstall it. Competing pieces of adware would attempt to uninstall it, so [the code was hidden] to stop the effects of unscrupulous other adware. The company is not stealth-based."

The spokesperson added that Phorm had ceased trading as 121Media, as that brand had gained a reputation for serving spyware, but said that such a reputation was undeserved.

The spokesperson said: "We have never denied that we were in the adware business. Such a business is involved in the legitimate bundling of ad-serving technology with free software applications, willingly and knowingly downloaded by users. It is the very fact that people were always unable to distinguish between legitimate adware and illegitimate spyware that caused us to do something unprecedented. As the only publicly traded adware company, listed on the London Stock Exchange with Fidelity and a series of other blue-chip shareholders, and the former chairman of Microsoft UK as our chairman, we unilaterally discontinued our entire revenue stream, concluding that the spyware association was inconsistent with our long-term goals."

More technical details of how Phorm systems work can be found in a paper by Richard Clayton.

Original article: Phorm accused of making web browsing 'less stable' from ZDNet UK
