(in)Secure is a weekly column that dives into the rapidly escalating topic of cybersecurity.
Malware has a lot to answer for. It’s filled our browsers with nonsense advertisements, stolen our banking credentials, locked up our files, and caused the widespread crashing of countless systems. But malware is also having another unintended effect that’s just as problematic: It’s making the internet a centralized, monopolistic place to be.
That might seem hyperbolic but malware intentions are typically quite clear: Make the author money.
It’s been a long time since worms, trojans, and viruses were used to stroke the digital egos of the world’s greatest hackers, no matter what hat they wore. But the best practices to protect ourselves from malware can send us down well-trodden paths, leading to increasingly limited software solutions for everyone.
Don’t trust the outliers
As much as we all rely on the big players like Google, Microsoft, and Apple, one of the joys of the internet is the diversity of options. But when speaking to digital security professionals, the advice they almost always give is to stick to official app stores, popular search engines, and tried-and-tested browsers. It keeps you safe by virtue of there being plenty of oversight and budget to protect those platforms and services.
“We recommend using official platforms,” Jerome Segura, Malwarebytes’ head of investigations, told Digital Trends. “The non-official areas […] are very dangerous unless you know what you’re doing. It’s similar with app stores. There are a number of portals out there that offer sideloading for Android in particular. And people that want to get apps for free may want to download from those services. They bypass the security mechanisms that are in place to install from nontrusted sources and will typically end up with trojanized apps.”
This is legitimate, good advice. From a security standpoint, we all know it’s a bad idea to download torrents, or open links or attachments in unsolicited emails. When you acquire something from a source that isn’t vetted and proven to be secure, you run the risk of being infected with malware. But increasingly, even choosing software that’s just a bit off the beaten path, is considered a security risk.
Earlier this year, Microsoft’s Bing search engine served up sponsored links to sites infested with malware.
“Traditionally, we would advise people to stay away from the smaller players because they may not have the resources to assure that there are proper security measures,” Segura continued, highlighting the problem now faced by those looking to stay safe online and still enjoy the convenience and speed of the modern web’s access to information and media.
As we’ve seen from security scares in recent months, even those trusted sources aren’t perfect. When it comes to knowing who to really trust with your data and security, there isn’t much choice out there. Even some of the platforms and services offered by some of the biggest companies in the world aren’t necessarily safe, simply because they don’t receive quite as much attention as their contemporaries.
Vulnerability on the edge
In the case of spaces as limited as web browsers or search engines, options for the security-minded are tighter than ever. Being a “major player” isn’t enough here.
Microsoft’s Edge browser was its most recent attempt to take on the likes of Chrome and Firefox, and its search engine, Bing, has been hoping to claw back some of Google’s market share for years. Despite the backing of such a major company, both platforms have been part of some serious security gaffs in recent months. That’s at least partially thanks to malware.
Earlier this year, Microsoft’s Bing search engine served up sponsored links to malware infested sites when users ran the Edge browser to try and download Chrome.
“Protecting customers from malicious content is a top priority, and we have removed the ads from Bing and banned the associated account,” a Microsoft spokesperson told Digital Trends. “We encourage users to continue to report this type of content so we can take appropriate action.”
As that same spokesperson made clear to us, the malware made it past technologies in Edge that are meant “to ensure you are protected while surfing the web, and are talking to the website you think you are talking to.” Bing also supports “a variety of automated malware-scanning technologies within its indexing and crawling pipeline,” we were told.
“Browser vendors have known about these issues for years … “
To Malwarebyte’s Segura, though, the fact that malware was still served up to Bing users isn’t surprising. Although there are a plethora of security technologies in place in the Edge browser and in the Bing search engine, this is a problem inherent in the current model of profit-driven search advertising.
“Browser vendors have known about these issues for years, but there always seems to be ways for malicious advertisers to kind of game the system and still come up on top,” he said. “The problem is that unless search engines really say they are not going to use any ads, then the problem is always going to be there to some degree.”
But it’s not just search engines that face difficulties with malware slipping through the cracks of large organizations. Even Apple’s famously insular and closed-off Mac App Store has been used by malware authors to spread their dangerous software. As recently as September 2018, a paid-for application that claimed to be able to protect your Mac from spyware actively collected browser information and sent it to a server in China.
With far fewer people using it than the populous iOS App Store, it receives far less attention from Apple and is more vulnerable to malware attacks. Despite that concern, the Apple name resides on it just as it does the iOS App Store, suggesting to Mac owners that it receives the same scrutiny and therefore making it more vulnerable to attack.
Being a “major player” in one space doesn’t necessarily translate to others. And unfortunately, that’s where malware tends to sneak in and force even near-trillion-dollar companies to succumb. Microsoft’s Edge, again, is the best example of this.
Limited and flawed options
As of the end of 2018, more than 60 percent of all web users now use the Chrome browser. That’s a good thing when we’re talking about security. No longer are we faced with a world dominated by Internet Explorer and its Swiss cheese security, or Flash Player’s similarly porous defenses. But it’s not a great thing when it comes to providing options and alternatives.
Stick to software that’s well-known, has been well-vetted, and is well-funded enough to protect itself and its users.
This was exemplified by Microsoft’s recent announcement that Edge, its flagship Windows 10 browser, was to be replaced by something else built on the Chromium engine that’s used in Google’s Chrome browser. It was something a company like Firefox immediately saw as a bad decision for the future of the internet.
“Microsoft is officially giving up on an independent shared platform for the internet,” Firefox said in a recent address. “By adopting Chromium, Microsoft hands over control of even more of online life to Google, [which is] so close to almost complete control of the infrastructure of our online lives.”
Firefox is one of the few alternative browsers left in the fight. Despite it being possibly more secure and certainly more private than Chrome, it only commands a few percent of the web’s user base. It’s not hard to see why its developers see the rapidly contracting market as deeply troubling.
If security isn’t the only reason that Chrome dominates the browser landscape, it is a major part of it. Microsoft has never truly recovered from the ballooning public sentiment that its browsers with an “E” logo just weren’t secure or bug-free enough to consider using as anything other than a download tool for a better browser.
Combine our tendencies with an (often deliberately encouraged) limited landscape of viable software options, and it’s easy to see that there is a real snowball effect of the most common platforms only increasing their hold on our service choices. In turn, due to their popularity, those services become even greater targets for malware authors.
The exceptions to the rule
We, and our sources for this article, stick to the stance that to be as safe as you can be online, you should stick to software that’s well-known, well-vetted, and well-funded enough to protect itself and its users.
However, there’s a caveat. Some products are being developed to offer an alternative to the typical options, and they are built with security in mind from the ground up. They have the potential to become big players in various software markets. Their desire to move away from some of the profit models that make traditional software and services so susceptible to attack could make for more secure choices for consumers in the future.
For example, the Vivaldi browser hopes to bring back some of the most popular technological features of classic Opera web browsing. The Brave Browser is built on Chrome’s Blink engine, but is created with privacy and security in mind, automatically blocking web trackers and advertisements. It’s also exploring a pay-to-browse scheme that would see users rewarded with cryptocurrency for time spent looking at advertisements while browsing.
In the search engine space, there are more privacy-focused options than ever. DuckDuckGo continues to grow in popularity, while alternatives like Search Encrypt, StartPage, or the blockchain-powered BitClave provide even greater breadth of choice.
The power to decide how we access the online world in all its guises still resides with us. It’s our choices that shape the future of the internet. If we want more varied options, we have to vote with our fingertips and download those apps and run those services. Malware is indeed scary and we should be wary of it enough to be smart with how we use online services, but there are better options out there than the few that we’re already familiar with. We just need to be willing to search them out.