Forums » Up and Running » Security » Security » How 'bad' are spyware cookies??
Jason Levine
Premium
join:2001-07-13
USA

reply to salzan
Re: How 'bad' are spyware cookies??

The cookie may contain HTML or JavaScript code for an exploit (and thus trigger an AV notification), but it's benign until the website that created the cookie reads and displays the contents. And if a website is going to do that, they'll likely skip the cookie entirely and just display the exploit code directly.

The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. For example, you land on example1.com and see an ad banner. The ad banner, served by adcompany.com, writes a cookie to your hard drive with a unique ID. In their back-end database, they associate that unique ID with example1.com.

Now you continue browsing and go to example2.com. This site also displays an ad banner from the same company. Adcompany.com reads the unique ID from the cookie and uses it to store that second site in their database. Now adcompany.com knows 2 sites that you've been to.

However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.

In short, the "Cookie Threat" is overblown by some people. There are much worse things out there to worry about.
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/

Bobby_Peru
Premium
join:2003-06-16


3 edits
said by Jason Levine:

... The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. ...
Once again, no, since it doesn't stop at just setting and tracking cookies online. Unfortunately online "advertising networks" do not exist only Virtually (sorry Mr. Larry...).

Blake's example fails to expressly make the leap that is _no_ problem for all this - the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present day_ _noticeable_ effect.

"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)

If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.

The existence of greater risks is really not disputable, but that does not change the existence of this specific risk, nor really matter, since it is simple to greatly reduce this potential intrusion:

1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser
4) Prevent the AdCompanies from setting cookies and from obtaining your IP in the first place with a combination of Scrud-Filters and Cookie Controls.

[edit: forgot *Block all 3rd Party Cookies]

While you may not be able to control the compilation and spread of this personal "history" type of information in many areas (i.e. credit card usage), the cost of greatly reducing this intrusion in this particular area is extremely low (software is all free, very little time needed).

Helpful Tools:
-FireFox/Mozilla
To prevent Ad companies from the acquisition of your IP and attempting to set cookies get the AdBlock extension.

Supplement FireFox's native site-specific Cookie Control with the following extensions for ease of use and configuration: CookieCuller, CookieButton, ViewCookies.

Consider the use of a Proxy like WebWasher, or the teeny tiny mighty mighty Proxomitron to scrub and control this stuff at a lower level, for all browsers and chat clients on your machine.

[edit: typo(s), added "Contests", clarity (I hope)]
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**


BrettStarr
Premium
join:2003-11-07
Las Vegas, NV


[attached pics: Advanced Settings; Managed Sites]
said by Bobby_Peru:

...
1) Refuse cookies that are not absolutely needed
2) Force all cookies to Session status (unless Persistent status is absolutely needed)
3) Ensure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser ...
I totally agree with this. And it is very easy to do with IE6...if you know how. So here is how (I even attached pics):
IE > Tools > Internet Options...
1) GENERAL tab: Temporary Internet Files(TIF) area,
click Delete Cookies... to clear ALL of your cookies (if you want to start from scratch).
OR click Settings...> View files...> select and delete the cookies you don't absolutely need.
2)click PRIVACY tab:
click Advanced.. make settings as shown in pic. click OK.
click Sites... enter the domain names you always want to allow/keep cookies for (see pic for example). click OK when finished.
3) OK out.
That's it. From now on, nobody will ever be able to put a cookie on your system, EXCEPT those you have in the Managed Sites list.
Try it!...you'll be pleasantly surprised how great this works.
-
NO MORE AD TRACKING, SPYWARE, WHATEVER COOKIES and YOU WILL NEVER HAVE TO DO COOKIE CLEANING AGAIN!
ALSO, YOU DON'T NEED ANY COOKIE BLOCK LISTS EITHER.


Jason Levine
Premium
join:2001-07-13
USA

reply to Bobby_Peru
said by Bobby_Peru:

the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present day_ _noticeable_ effect.

"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)

If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.
How would "Adcompany" know, via cookies, that the person at IP address 123.45.67.89 who loaded their banner ad from SomeCompany.com at a specific time is really Jason Levine and that I live at 123 Someroad Lane? (Not my real address obviously. )

Sure, they *might* be able to have a marketing deal with a company that I've given my personal information to, but this is hardly a cookie issue. If they can ID me every time I load up an ad banner of theirs, why even bother with cookies?

I do agree though that you should refuse any unneeded cookies. Not so much as a security issue, but because I think that sites overuse cookies. I have my browser configured to block 3rd party cookies, and prompt me on 1st party ones. (Session cookies are always allowed.)

If a site tries to load a cookie, I decide whether to allow it or not. Most times I block it. If the site is persistent in trying to put a cookie on my computer then they get Always Block status. (I've seen sites that require a cookie read/write to load up each image on the page!)
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/

Bobby_Peru
Premium
join:2003-06-16


2 edits
Jason, if you, or anyone, has any doubts about the "possibility" of alliances between cross-site online Ad/Cookie servers, like DoubleClick, and terrestrial targeted marketing firms with deep transactional (and more) data, like ABACUS, you might want consider that DoubleClick bought ABACUS some years ago.

While it is much more than a cookie issue, cookies are one place one can easily (no cost) exercise control to impede this.

»www.abacus-direct.com/corporate_profile.asp

»www.abacus-direct.com/doubleclic···tion.asp
said by ABACUS:

THE DOUBLECLICK CONNECTION

The Abacus-DoubleClick combination is more than dynamic and offers you solutions you can't find anywhere else. The Abacus-DoubleClick connection allows you to accurately identify and target your audience whether it is consumer or business to business. You can reach your customers through a multiple of channels including direct mail, Internet, e-mail, or wireless communications.

With the Abacus-DoubleClick connection you can identify where your customers and prospects are buying: web, catalog, retail or phone. This powerful pooled combination of information and technology will enable you to improve client profitability and increase your market share.
»www.abacus-direct.com/products/p···ucts.asp

said by ABACUS:

ABACUS, a division of DoubleClick Inc., is a world leader in targeted marketing solutions. By combining transactional data, advanced statistical modeling, and extensive media reach, we target the customers most likely to buy your products or services.

The Abacus Alliance database of buyer behavior is the largest in the United States. It contains over 3.5 billion transactions from more than 90 million U.S. households and includes geographic, demographic, lifestyle, and behavioral data from catalog, retail, business-to-business, e-commerce, and publishing markets. We span multiple channels so you can integrate the most broadly based yet highly targeted campaigns for customer acquisition or retention.
It's pretty obvious what can be done, and pretty obvious what they brag about doing. If it doesn't matter to a user, so be it (even though such acceptance ultimately 'trickles-down' to even greater intrusive behavior against everyone), but users should be aware.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~**


hpguru
Curb Your Dogma
Premium
join:2002-04-12

reply to Jason Levine
said by Jason Levine:

However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.
Yes and no. I have detected my IP address in cookies served from various sites (not in a while though). I have also seen sites insert my IP address into the query strings and posted data from form submittal. So while deleting stored cookies will prevent most sites from tracking you it won't help if they are using your IP as a unique id unless your IP address changes frequently.
--
FOUR MORE YEARS!! - of fear.

ghost16825
Use security metrics
Premium
join:2003-08-26

said by hpguru:

said by Jason Levine:

However, if you delete adcompany.com's cookie (or refuse it in the first place), you appear to them to be a new person every time.
Yes and no. I have detected my IP address in cookies served from various sites (not in a while though). I have also seen sites insert my IP address into the query strings and posted data from form submittal. So while deleting stored cookies will prevent most sites from tracking you it won't help if they are using your IP as a unique id unless your IP address changes frequently.
That's exactly it. If your IP address changes frequently and you delete cookies before the IP changes over in all reality what can be done?

Mele20
Premium
join:2001-06-05
Hilo, HI

But who has a dynamic IP these days? My IP hasn't changed since the last time I shut the computer down when I went on vacation. That was Sept 2003. I bought this computer November 2003 and have had the same IP address all this time. I have Road Runner as my ISP. I have noted for years that if you want a new IP with Road Runner you must shut down the computers for at least 96 hours and sometimes it must be even longer. Three weeks will do it.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

reply to ghost16825
said by ghost16825:

That's exactly it. If your IP address changes frequently and you delete cookies before the IP changes over in all reality what can be done?
That's it exactly. I'll take it a step further & ask even if your IP doesn't change frequently in all reality what can be done?
--
Dave said "By the way, 4294967295 is just another way to write -1".


keith2468
Premium,MVM
join:2001-02-03
Winnipeg, MB

reply to Mele20
A cookie is not required to track you by your IP address (referring back to the earlier posts on IP addresses appearing in cookies.)

The other end has to know your IP address in order to send you back the information you've requested (the web page).
By the way, you can often force an IP address change by using a router that allows MAC address cloning. (Caution, if you happen to choose a MAC address that someone else on your ISP is using, you may find your IP address changing too frequently.)
--
(Virus&Hijacking FAQ + Submit suspected malware + Backups FAQ + Security FAQ TOC)


ttt2525

@cable.rogers
reply to BrettStarr
Wow, thank goodness for this post!! I just noticed I had about 100 spyware website entries in my "per site privacy actions" dialog in IE. Enlightening :=0

(incl. lop.com, various porn/xx sites....)

Mele20
Premium
join:2001-06-05
Hilo, HI
reply to BrettStarr
Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site.


avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ
time for a tin-foil suit.....

let me know when Costco has a sale on Reynolds wrap...

Mele20
Premium
join:2001-06-05
Hilo, HI

Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.

As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them. Also, never go to your bank from a favorites link. Always type in the address. These are just ordinary, standard safety measures.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


BrettStarr
Premium
join:2003-11-07
Las Vegas, NV


1 edit
reply to Mele20
said by Mele20:


Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site.
I think you misunderstand. The managed list of sites are those you will ALLOW cookies for. It doesn't mean I keep them. You most certainly can delete them at any time, but must always have the entry in the managed sites list to allow site to set the cookie in the first place.
-
edit: Regardless of how you handle cookies, you should at least block THIRD PARTY cookies. Those are the "bad" spyware, tracking cookies 95% of the time (Doubleclick, etc).


Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

reply to Mele20
said by Mele20:

As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them.
Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.

When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes things like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned.

The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. My last Wells Fargo cookie contained B-200409191637071418511140.

When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. the IP test is not that simple, to allow for changes, but there are provisions to see that a cookie is not being shared.

When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.

Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft", so even aside of the fact that I run a secure network that prevents people from stealing my cookies, aside from the fact that banking cookies travel over unsniffable connections, there is nothing anybody could do with my banking cookies even if they got them.

If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarely in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.

Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site

Mele20
Premium
join:2001-06-05
Hilo, HI

Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Steve
Quick example of why tracking a session by IP address doesn't work, proxy servers. A proxy server means a couple of things, first that multiple individual clients could be connecting from the same IP address (ie the proxy server), and second a single client might use more than one proxy server for sequential requests and hence would have a different source IP address (AOL clients for example).

Three questions which might help the discussion and understanding of cookies.

Are cookies secure, meaning that can site1 read site2's cookies?

What kind of information can a cookie contain?

What kind of information should a cookie contain and why?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
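Blake's first question (can site1 read site2's cookies?) is answered on the browser side by the cookie jar's domain- and path-matching rules, later written down in RFC 6265. The following is an added example, not from the thread, implementing those rules: which stored cookies are attached to a request, and which Set-Cookie headers are rejected because they name a domain the responding host does not belong to. `CookieJar` and the sample hosts are constructed for this page.

```javascript
// Added example (not from the thread): a minimal cookie jar applying the
// RFC 6265 domain-match (sec. 5.1.3) and path-match (sec. 5.1.4) rules.

// A host matches a cookie domain when they are equal, or when the host ends
// with "." + domain. Literal IP addresses never match a parent domain.
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// A request path matches a cookie path when it is the same path, or when the
// cookie path is a prefix ending in "/" or followed by "/" in the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a Set-Cookie header received from originHost. Returns false (and
  // stores nothing) if the Domain attribute names a domain the origin host
  // is not part of: that is how site1 is kept from planting cookies for site2.
  store(originHost, setCookie) {
    const [pair, ...attrs] = setCookie.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    const cookie = {
      name: pair.slice(0, eq), value: pair.slice(eq + 1),
      domain: originHost.toLowerCase(), hostOnly: true, path: "/", secure: false,
    };
    for (const attr of attrs) {
      const [k, v = ""] = attr.split("=");
      switch (k.toLowerCase()) {
        case "domain": {
          const d = v.replace(/^\./, "").toLowerCase();
          if (!domainMatches(originHost, d)) return false;
          cookie.domain = d;
          cookie.hostOnly = false;
          break;
        }
        case "path": cookie.path = v || "/"; break;
        case "secure": cookie.secure = true; break;
      }
    }
    this.cookies.push(cookie);
    return true;
  }

  // Which stored cookies does the browser attach to a request for this URL?
  cookiesFor(url) {
    const u = new URL(url);
    return this.cookies
      .filter(c => (c.hostOnly ? u.hostname.toLowerCase() === c.domain : domainMatches(u.hostname, c.domain)))
      .filter(c => pathMatches(u.pathname, c.path))
      .filter(c => !c.secure || u.protocol === "https:")
      .map(c => `${c.name}=${c.value}`);
  }
}
```

A cookie set by adcompany.com is sent back only to adcompany.com, never to example1.com, which is exactly why the ad network in Jason's example needs its banner loaded from its own domain to read the ID. Real browsers add one more rule this toy omits: a public-suffix list, so that a host cannot set a cookie whose Domain is merely `com` or `co.uk`.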


Khaine

join:2003-03-03
Australia

reply to Mele20
said by Mele20:

Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
Banking cookies are generally session only, and hence are deleted when the session ends {when you close the web browser}

tracking cookies are at worst a privacy issue, they have little if any security concerns with their use.

Mele20
Premium
join:2001-06-05
Hilo, HI


1 edit
I end up with a bunch of banking cookies from just ONE bank after I close the browser. All my banks set permanent cookies. I don't know what bank you are using. I use major national banks. Even my two local banks set permanent cookies but they don't set as many as some of the national banks. They are almost as bad as Dell which sets about 15 cookies each time you visit. FF complains about Dell and the banks setting too many cookies both session and permanent.

Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!

--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789
© 1999-2009 dslreports.com