Confidential | Draft for Discussion Purposes Only | © 2014 Ghostery, Inc. All Rights Reserved. 1
DIGITAL SECURITY IS SERIOUS BUSINESS Updated 9/19/14
DIGITAL SECURITY IS SERIOUS BUSINESS
The number of publicly traded companies that listed security issues as a business risk in securities filings increased by 73% from 2012 to 2014. [1]
The average cost of a breach is $200 per record, which amounts to an average of $5.9 million paid by organizations per breach. [2]
DIGITAL SECURITY IS SERIOUS BUSINESS
“Security has never been higher on the agenda of CEOs and Boards. This study shows that companies can generate additional revenue while closing security gaps from non-secure marketing technology on their secure pages.”
Caroline Watteeuw, the former Global Chief Technology Officer and SVP of Business Information Solutions of Pepsico and an advisor to Ghostery, Inc.
YOUR SITE IS SECURE FOR A REASON
Blind spots in your site security expose your business to issues that directly impact the customer experience, hurting your company’s revenues and profits:
Poor SEO: Decline in Google Rankings
Security Threats: Man-In-The-Middle Attacks
User Experience Issues: Mixed Content Warnings
SECURITY BLIND SPOTS ARE WIDESPREAD, HARD TO CONTROL AND COST YOUR COMPANY MONEY
• You Might Not See The Security Gaps, But Your Customers Do. Consumers recognize and trust the security of a page with an address. Security warnings that result from non-secure marketing technology, commonly called “mixed content warnings” (for instance: and ) shake customer confidence and thus your company’s revenues. This happens even if the browser blocks the non-secure technology from loading. [4,5]
• Most Marketing Cloud Vendors Get To Your Site Indirectly. The technology of the “Marketing Cloud” — the collection of digital technologies that power, measure, socialize, and optimize performance — is controlled by a wide range of partner companies who have been granted access to your site. With so many ways for non-secure technology to end up on your site, it’s difficult to find the security gaps. [3]
• Google Rankings Suffer When Your Pages Are Not Secure. Google now rewards secure pages with a higher search ranking. Not knowing if Google finds that your secure pages contain non-secure elements can lead to valuable rankings slipping away. [6]
CONSUMERS LOSE CONFIDENCE WHEN YOUR SITE IS NOT SECURE
“Consumers have been trained to instinctively trust a green “https” before the website address. Conversely a red “http” or any pop up that tells a user they are leaving the secure https address is not trusted and thus consumers will shy away.
The result is consumers will register, often subconsciously, that the original site is unsecure and thus poses a threat. It is these subtleties in the user experience that increase or decrease page rankings and thus page views.”
EJ Hilbert - Head of the Cyber Practice for Kroll EMEA. Hilbert is a former FBI Special Agent and former Director of Security Enforcement for MySpace/Fox Interactive Media
YOUR SITE IS SECURE FOR A REASON
“Ensuring that websites have better transparency into the causes of browser warnings will both improve the online user experience and increase overall internet security. False SSL warnings caused by SSL misconfigurations result in a negative user experience, with websites standing to lose up to 65% of their visitors due to a false SSL warning.”
Devdatta Akhawe, PhD, co-author of 'Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness'.
SECURITY BLIND SPOTS
“Our 2013 study showed that the issue of non-secure scripts on secure pages exposed millions of web users to the stealing of cookies and the injection of malicious javascript. This study goes many steps further due to the depth of the real-user data from the 20+ million member GhostRank community to illustrate that the prevalence of non-secure scripts is even higher on the most popular websites.”
Nick Nikiforakis, Assistant Professor of Computer Science, Stony Brook University and co-author of “A Dangerous Mix: Large-Scale Analysis of Mixed Content Websites”
ABOUT THE STUDY
This study examines instances of non-secure digital technologies firing on secure pages across 50 companies in the Airline, Financial Services, Insurance, News Publishing and Retail industries. The data was captured from GhostRank’s 20 million real-user community members between July 14, 2014 and August 14, 2014 and includes both active and passive content.
SITES STUDIED
AIRLINE | FINANCE | INSURANCE | NEWS PUBLISHING | RETAIL
Airtran | Bank of America | AIG | Daily Mail | Amazon
Alaska Air | Capital One | Allstate | Financial Times | Costco
American | Chase | Farmers | LA Times | eBay
Delta | Citi | Geico | Le Figaro | Etsy
JetBlue | Mellon | Nationwide | NY Times | Overstock
Hawaiian Air | HSBC | Liberty Mutual | NY Daily News | Kohls
Southwest | PNC | Progressive | Telegraaf | QVC
United | TD | The Hartford | The Guardian | Sears
US Air | State Street | Travelers | USA Today | Target
Virgin America | Wells Fargo | USAA | WSJ | Walmart
KEY FINDING: 96 PERCENT OF WEBSITES HAVE SECURITY BLINDSPOTS
• 100% of Insurance Websites
• 100% of Retail Websites
• 100% of Airline Websites
• 90% of Financial Services Websites
• 90% of News Publishing Websites
EVERY INDUSTRY GROUP STUDIED HAD NON-SECURE TECHNOLOGIES THAT IMPACT THE USER EXPERIENCE AND REVENUE
Industry | Percent of Websites with Non-Secure Technologies on Secure Pages | Distinct Non-Secure Technologies | Highest Number of Non-Secure Technologies Seen on a Website | Average Non-Secure Technologies on Secure Pages Seen on a Website
Airline | 100% | 223 | 112 | 53
Finance | 90% | 382 | 234 | 115
Insurance | 100% | 165 | 139 | 25
News Publishing | 90% | 212 | 100 | 47
Retail | 100% | 438 | 333 | 109
RETAIL WEBSITES STUDIED HAD THE HIGHEST NUMBER OF NON-SECURE TECHNOLOGIES OVERALL
Of the industries surveyed, Retail websites had the highest total number of non-secure technologies found. Ghostery saw 438 non-secure technologies across the 10 Retail websites studied. The highest individual website in the study was in the Retail category and had 333 non-secure technologies.
FINANCIAL SERVICES WEBSITES COMPRISED HALF OF THE TEN WEBSITES WITH THE HIGHEST INSTANCES OF NON-SECURE TECHNOLOGIES
5/10
Financial Services websites have significant security technology in place on their pages, yet 90% studied had non-secure technologies on their secure pages.
THE TEN WEBSITES WITH THE MOST NON-SECURE TECHNOLOGIES IN THE STUDY COVER MANY SECTORS – FINANCE BEING THE MOST AT RISK
Industry Number of Websites in the Highest Ten
Finance 5
Retail 3
Airline 1
Insurance 1
News Publishing 0
CONCLUSION: WIDESPREAD CUSTOMER EXPERIENCE AND REVENUE RISKS FROM NON-SECURE MARKETING TECHNOLOGIES
• Non-secure technologies on secure pages can decrease ROI by:
  – Causing mixed content warnings that increase consumer perception of risk on the page, even if the browser is blocking the non-secure
  – Creating potential for man-in-the-middle attacks
  – Decreasing Google search rankings
• 96 Percent of websites studied had non-secure technologies on secure pages
• Retail websites studied had the highest volume of non-secure technologies on secure pages
• The website with the highest number of non-secure technologies was a Retail site with 333
• Financial Services websites made up half of the 10 highest instances of non-secure technologies in the study
ABOUT GHOSTERY
Ghostery is a technology company that empowers consumers and businesses to expose and eliminate the digital blindspots in the Marketing Cloud - the collection of digital technologies that power, measure, socialize, and optimize performance. Over 40 million people globally rely on the free Ghostery browser extension to see and control the tracking technologies that follow them across the web. Businesses rely on Ghostery Marketing Cloud Management to drive ROI by maximizing the security, performance, and profitability of their digital assets. Key clients like Equifax, Intercontinental Hotels Group and Procter & Gamble depend on Ghostery to take their digital business from chaos to control. Ghostery also is the leading global provider of privacy governance services, powering compliance for more than $2 billion of advertising and e-commerce transactions annually. Founded in 2009, Ghostery is headquartered in New York City with a technology office in Salt Lake City and sales offices in London and San Francisco. The company is backed by Warburg Pincus, LLC, the global private equity fund.
Learn more at GhosteryEnterprise.com and @ghosteryinc.
GLOSSARY
• Digital marketing technology or digital marketing vendor: Ghostery defines a “digital marketing technology” as code within a webpage or called by another technology (i.e. piggyback tag or third-party tag) which communicates with a server, transfers data, and has been identified by Ghostery as participating in advertising and marketing activities such as ad targeting, analytics, social media and ad serving. Digital marketing technologies can be images, objects, documents, iframes, or scripts. See: http://www.ghosteryenterprise.com/company-database/
• Non-secure digital marketing technologies: Ghostery defines a “non-secure digital marketing technology” as an http technology (see above) that is called from an https url.
• Website: Ghostery defines a “Website” as a site’s top level server such as site.com or school.edu.
• Secure web page: A secure web page is an http web page that uses an added security layer and is denoted by “https.” The security layer is usually SSL (Secure Sockets Layer), a commonly used protocol for managing the security of a message transmission on the Internet; it uses a program layer located between the Internet's HTTP and TCP program layers. http://en.wikipedia.org/wiki/HTTP_Secure
• Man-in-the-Middle attack: A Man-in-the-Middle attack is a type of cyber attack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other. A Man-in-the-Middle Attack allows a malicious actor to intercept, send, and receive data meant for someone else, or not meant to be sent at all, without either outside party knowing until it is too late. http://en.wikipedia.org/wiki/HTTP_Secure
• Mixed content: “Mixed content” is a term to describe a web page that contains both secure and non-secure content elements (images, scripts, etc.) Mixed content jeopardizes the security of the entire page, and causes browsers to warn site visitors and attempt to block the non-secure content. See: http://www.troyhunt.com/2013/06/understanding-risk-of-mixed-content.html
REFERENCES
[1] “Corporate Boards Race to Shore Up Cyber Security” (The Wall Street Journal June 29, 2014)
[2] “2014 Cost of Data Breach Security US” (IBM 2014)
[3] “Global Tracker Report” (Evidon February 2013)
[4] “Crying Wolf: An Empirical Study of SSL Warning Effectiveness” (Carnegie Mellon 2009)
[5] “A Dangerous Mix: Large-scale analysis of mixed-content websites” (Chen et al. 2013)
[6] “HTTPS As a Ranking Signal” (Google blog August 6, 2014)
FOR MORE INFORMATION: [email protected] @ghosteryinc
APPENDIX A: Study Breakdown By Industry Type
Industry | Percent of Websites With Non-Secure Technologies Found | No Non-Secure Technologies Found
Airline | 100% | -
Financial Services | 90% | State Street
Insurance | 100% | -
News Publishing | 90% | Telegraaf
Retail | 100% | -
APPENDIX B: Distinct Non-Secure Technologies Found Per Industry in Study
Industry Non-Secure Technologies Min Max Average
Airline 223 1 112 53
Financial Services 382 2 234 115
Insurance 165 2 139 25
News Publishing 212 2 100 47
Retail 438 20 333 109
APPENDIX C: Non-Secure Technologies Loaded Per 1000 Calls on Secure Pages Loaded
Industry | Non-Secure Calls Per 1000 on Secure Pages | Website With Highest Non-Secure Calls Per 1000 on Secure Pages | Highest Number of Non-Secure Calls Seen on a Website
Airline | 1.9 | 7.4 | 3578
Financial Services | 1.5 | 51.7 | 5518
Insurance | 1.0 | 9.6 | 1665
News Publishing | 1.4 | 389.6 | 5575
Retail | 3.0 | 43.6 | 19820
SAMPLE DATA: Allstate Non-Secure Technologies (Top 10)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Website | Digital Marketing Technology | Number of Times Seen on Secure Pages
Allstate.com | geoPlugin | 29
Allstate.com | Google Adsense | 24
Allstate.com | Adcash | 15
Allstate.com | Omniture (Adobe Analytics) | 9
Allstate.com | Google Analytics | 6
Allstate.com | Mixpanel | 5
Allstate.com | ScoreCard Research Beacon | 4
Allstate.com | DoubleClick | 3
Allstate.com | ValueClick Media | 3
Allstate.com | Right Media | 2
SAMPLE DATA: Hawaiian Air Non-Secure Technologies (Top 10)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Website | Digital Marketing Technology | Number of Times Seen on Secure Pages
HawaiianAir.com | BridgeTrack | 37
HawaiianAir.com | Intermarkets | 7
HawaiianAir.com | Commission Junction | 3
HawaiianAir.com | DoubleClick | 3
HawaiianAir.com | Adap.tv | 1
HawaiianAir.com | Adobe Test & Target | 1
HawaiianAir.com | Adometry | 1
HawaiianAir.com | Adzerk | 1
HawaiianAir.com | Atlas | 1
HawaiianAir.com | Dotomi | 1
SAMPLE DATA: Walmart Non-Secure Technologies (Top 10)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Website | Digital Marketing Technology | Number of Times Seen on Secure Pages
Walmart.com | DoubleClick Spotlight | 2498
Walmart.com | DoubleClick | 640
Walmart.com | Omniture (Adobe Analytics) | 634
Walmart.com | Criteo | 394
Walmart.com | DoubleClick Floodlight | 253
Walmart.com | Experian Marketing Services | 251
Walmart.com | AppNexus | 202
Walmart.com | MediaMath | 181
Walmart.com | TriggIt | 157
Walmart.com | Rocket Fuel | 123
SAMPLE DATA: Wells Fargo Non-Secure Technologies (Top 10)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Website | Digital Marketing Technology | Number of Times Seen on Secure Pages
Wellsfargo.com | Google Analytics | 390
Wellsfargo.com | DoubleClick | 224
Wellsfargo.com | Twitter Badge | 195
Wellsfargo.com | Intermarkets | 152
Wellsfargo.com | Google Adsense | 125
Wellsfargo.com | Omniture (Adobe Analytics) | 122
Wellsfargo.com | ScoreCard Research Beacon | 105
Wellsfargo.com | Adcash | 86
Wellsfargo.com | Quantcast | 86
Wellsfargo.com | geoPlugin | 65
SAMPLE DATA: Wall Street Journal Non-Secure Technologies (Top 10)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Website | Digital Marketing Technology | Number of Times Seen on Secure Pages
WSJ.com | DoubleClick Spotlight | 134
WSJ.com | AppNexus | 86
WSJ.com | DoubleClick | 80
WSJ.com | MaxPoint Interactive | 62
WSJ.com | ValueClick Media | 47
WSJ.com | Resonate Networks | 43
WSJ.com | Livefyre | 39
WSJ.com | ChartBeat | 36
WSJ.com | Krux Digital | 33
WSJ.com | MediaMath | 29
Sample Data: Allstate Non-Secure Technologies (Raw Data)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Sample Data: Hawaiian Air Non-Secure Technologies (Raw Data)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Sample Data: Walmart Non-Secure Technologies (Raw Data)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Sample Data: Wells Fargo Non-Secure Technologies (Raw Data)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study
Sample Data: Wall Street Journal Non-Secure Technologies (Raw Data)
*Based on a 7/14/14 - 8/14/14 Ghostery Inc. Security Study