Langa Letter: The Web-Bug Boondoggle - InformationWeek
Fred Langa

Langa Letter: The Web-Bug Boondoggle

Don't be suckered in by the latest security hysteria. "Web bugs" aren't the threat you fear they are.

In most cases, Web bugs are nothing more than a simple counting mechanism that involves no tracking of any personal user information whatsoever. They're used most often in banner ads, placed there by the advertiser. The bug is an HTML or script snippet that calls an invisible graphic from the advertiser's own Web server at the same time as the rest of the ad is displayed. The bug's purpose is to enable the advertiser to verify that the ad was seen/delivered the number of times the Web site owner says it was. If the site owner claims far more hits than were registered by the bug, the advertiser knows something is fishy with the counts.

As such, a Web bug is usually no more evil than the rubber tubes that highway engineers stretch across roadways to count cars, or a turnstile in a public space designed to count how many people enter or leave.

What's more, any graphic--any graphic at all--can be used as a Web bug; almost any link can be used as a Web bug. Any time text or a graphic is called from any Web server, the server can collect all the information mentioned in the Bugnosis quote above, and more. Web bugs have no special powers or abilities. They're just static GIFs, and they're usually invisible for no reason other than to make them unobtrusive.

On the face of it, it's silly to focus on Web bugs as nefarious evil things when they provide no information that can't be given by another graphic or link.
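To make that comparison concrete, here is an added example (not part of the original column) that audits a page's HTML for images fetched from another host and notes which ones are declared 1x1 or 0x0. The sample page, the host names and the "tiny means bug-like" heuristic are assumptions made for illustration; the visible banner and the invisible counter both end up contacting the same outside server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page served from www.example.com; all hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<img src="/img/logo.png" width="120" height="40">
<a href="http://ads.example.net/click?ad=17">
  <img src="http://ads.example.net/banner17.gif" width="468" height="60">
</a>
<img src="http://ads.example.net/count.gif?ad=17" width="1" height="1">
</body></html>
"""

class ThirdPartyImages(HTMLParser):
    """Collect every <img> whose src points at a host other than the page's."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname   # None for relative (first-party) URLs
        if host is None or host == self.page_host:
            return
        # "Bug-like" here means declared 0x0 or 1x1 (assumed heuristic).
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.findings.append({"host": host, "src": src, "bug_like": tiny})

def audit(html, page_host):
    """Return one finding per third-party image, in document order."""
    parser = ThirdPartyImages(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "www.example.com"):
        kind = "invisible 1x1" if f["bug_like"] else "visible image"
        print(f"{f['host']:16} {kind:14} {f['src']}")
```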

The Cookie Connection
In a way, the Web-bug hysteria is similar to the bad rap that cookies got several years ago, when millions of people panicked because cookies were "tracking" them from site to site and "sending the collected information to spammers." A lot of companies made a lot of money--and still do--selling anticookie software to prevent this evil, covert tracking.

Of course, the great cookie scare turned out to be almost entirely groundless. Cookies are just static text files (you can open any cookie with Notepad or your favorite text editor), and they normally record prosaic information such as "this person already saw ad number X from us today, don't show him the same one again." Or: "Here's a returning visitor who's previously logged in. Instead of asking for her password again, use the password stored in this private cookie."

Most cookies are not only benign; they're helpful. But because they normally use space-saving codes (example: a "1" might mean "returning visitor who's previously registered"), they seem mysterious, and thus cause some people to freak out.

Likewise, Web bugs are unknown, invisible, and mysterious, so they must be evil, right?

A second time: Baloney.

Yes, The Dark Side Is There
Can cookies and Web bugs be used for evil intent? Sure. Almost any technology can be subverted. But it's rather difficult for a site to do harm using a Web bug.

Let's look at the worst-case scenario, where a Web bug could be used to send personal information about you from one site to another. The Bugnosis site describes it this way, and it sounds terrifying:

Companies use Web bugs to ... transfer previously input personally identifiable information (name, address, phone number, E-mail address, etc.) about visitors of a Web site to an Internet marketing company. This information is typically used for online profiling purposes. It also can be combined with other offline demographic data such as household income, number of family members, type(s) of car(s) owned, mortgage balance, etc.

But note the first key phrase: "previously input." There's no way for a Web bug (or a cookie) to scour your system for information you don't intend to reveal, and then secretly send that stolen info to some outside source.

For anything like the above worst-case scenario to happen, you would have to voluntarily provide sensitive personal information to an evil site in the first place. If you don't do so, the site has nothing to share with anyone. The Bugnosis fear fantasy collapses and the Web bug is just like any other Web graphic or link. It carries zero--that's zero, zip, nada, zilch--additional security risk. Your "hit" from a Web bug is just one more anonymous data point in the server logs. Big deal.

5/16/2014 | 3:01:41 PM
Antibug software discovered
Web bugs have some advantages and some disadvantages too. They help the webmaster keep traffic records. But nowadays, technology is improving and everything would be possible by the use of technology in the near future.