how-to block ads
|
Bobby_Peru
Premium
join:2003-06-16
3 edits | reply to Jason Levine
Re: How 'bad' are spyware cookies??
said by Jason Levine  : ... The worst thing that a cookie can do is allow an advertising network to track the sites that you've been to. ... Once again, no, since it doesn't stop at just setting and tracking cookies online. Unfortunately online "advertising networks" do not exist only Virtually (sorry Mr. Larry...).
Blake's example fails to expressly make the leap that is _no_ problem for all this - the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticable_ effect.
"AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.)
If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources.
The existence of greater risks is really not disputable, but that does not change the existence of this specific risk, nor really matter, since it is simple to greatly reduce this potential intrusion:
1) Refuse cookies that are not absolutely needed
2) Force all cookie to Session status (unless Persistent status is absolutely needed
3) Insure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser
4) Prevent the AdCompanies from setting cookies and from obtaining your IP in the first place with a combination of Scrud-Filters and Cookie Controls.
[edit: forgot *Block all 3ed Party Cookies]
While you may not be able to control the compilation and spread of this personal "history" type of information in many areas (i.e. credit card usage), the cost of greatly reducing this intrusion in this particular area is extremely low (software is all free, very little time needed).
Helpful Tools:
-FireFox/Mozilla
To prevent Ad companies from the acquisition of your IP and attempting to set cookies get the AdBlock extension.
Supplement FireFox's native site-specific Cookie Control with the following extensions for ease of use and configuration: CookieCuller, CookieButton, ViewCookies.
Consider the use of a Proxy like WebWasher, or the teeny tiny mighty mighty Proxomitron to scrub and control this stuff at a lower level, for all browsers and chat clients on your machine.
[edit: typo(s), added "Contests", clarity (I hope)]
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~** | |
BrettStarr
Premium
join:2003-11-07
Las Vegas, NV
| 
Advanced Settings | | 
Managed Sites |
said by Bobby_Peru :... 1) Refuse cookies that are not absolutely needed 2) Force all cookie to Session status (unless Persistent status is absolutely needed 3) Insure the removal of all cookies that are not absolutely needed to be retained when you close a TAB, as well as close your Browser ... I totally agree with this. And it is very easy to do with IE6...if you know how. So here is how (I even attached pics):
IE > Tools > Internet Options...
1) GENERAL tab: Temporary Internet Files(TIF) area,
click Delete Cookies... to clear ALL of your cookies (if you want to start from scratch).
OR click Settings...> View files...> select and delete the cookies you don't absolutely need.
2)click PRIVACY tab:
click Advanced.. make settings as shown in pic. click OK.
click Sites... enter the domain names you always want to allow/keep cookies for (see pic for example). click OK when finished.
3) OK out.
That's it. From now on, nobody will ever be able to put a cookie on your system, EXCEPT those you have in the Managed Sites list.
Try it!...you'll be pleasantly surprised how great this works.
-
NO MORE AD TRACKING, SPYWARE, WHATEVER COOKIES and YOU WILL NEVER HAVE TO DO COOKIE CLEANING AGAIN!
ALSO, YOU DON'T NEED ANY COOKIE BLOCK LISTS EITHER. | |
Jason Levine
Premium
join:2001-07-13
USA
| reply to Bobby_Peru
said by Bobby_Peru : the marketing can arrive at your home or workplace (mailbox, telephone, front-door) or the data can continue to be compiled with no _present_day _noticable_ effect. "AdCompany.com" may also obtain, keep, track and correlate much more specifically identifying information, down to your name, street address, telephone number and all that can be obtained from that (from broad demographics, down to specific personal financial (health?) data from any number of dBases.) If the "Adcompany" doesn't know who you are, they will, as soon as a single "partner" "shares" enough information to ID you with specificity. This is why online Adcompanies have associated with "brick and mortar" dBases [and run "Contests" which require submission of personal data]. They can "Supplement" the online tracking data that they collect with data from other sources. How would "Adcompany" know, via cookies, that the person at IP address 123.45.67.89 who loaded their banner ad from SomeCompany.com at a specific time is really Jason Levine and that I live at 123 Someroad Lane? (Not my real address obviously.  )
Sure, they *might* be able to have a marketing deal with a company that I've given my personal information to, but this is hardly a cookie issue. If they can ID me every time I load up an ad banner of theirs, why even bother with cookies?
I do agree though that you should refuse any unneeded cookies. Not so much as a security issue, but because I think that sites overuse cookies. I have my browser configured to block 3rd party cookies, and prompt me on 1st party ones. (Session cookies are always allowed.)
If a site tries to load a cookie, I decide whether to allow it or not. Most times I block it. If the site is persistent in trying to put a cookie on my computer then they get Always Block status. (I've seen sites that require a cookie read/write to load up each image on the page!)
--
-Jason Levine
http://www.jasons-toolbox.com/
http://www.PCQandA.com/
http://www.urateit.com/ | |
Bobby_Peru
Premium
join:2003-06-16
2 edits | Jason, if you, or anyone, has any doubts about the "possibility" of alliances between cross-site online Ad/Cookie servers, like DoubleClick, and terrestrial targeted marketing firms with deep transactional (and more) data, like ABACUS, you might want consider that DoubleClick bought ABACUS some years ago.
While it is much more than a cookie issue, cookies are one place one can easily (no cost) exercise control to impede this.
»www.abacus-direct.com/corporate_profile.asp
»www.abacus-direct.com/doubleclic···tion.asp
said by ABACUS:
THE DOUBLECLICK CONNECTION
The Abacus-DoubleClick combination is more than dynamic and offers you solutions you can't find anywhere else. The Abacus-DoubleClick connection allows you to accurately identify and target your audience whether it is consumer or business to business. You can reach your customers through a multiple of channels including direct mail, Internet, e-mail, or wireless communications.
With the Abacus-DoubleClick connection you can identify where your customers and prospects are buying: web, catalog, retail or phone. This powerful pooled combination of information and technology will enable you to improve client profitability and increase your market share. »www.abacus-direct.com/products/p···ucts.asp
said by ABACUS:
ABACUS, a division of DoubleClick Inc., is a world leader in targeted marketing solutions. By combining transactional data, advanced statistical modeling, and extensive media reach, we target the customers most likely to buy your products or services.
The Abacus Alliance database of buyer behavior is the largest in the United States. It contains over 3.5 billion transactions from more than 90 million U.S. households and includes geographic, demographic, lifestyle, and behavioral data from catalog, retail, business-to-business, e-commerce, and publishing markets. We span multiple channels so you can integrate the most broadly based yet highly targeted campaigns for customer acquisition or retention. It's pretty obvious what can be done, and pretty obvious what they brag about doing. If it doesn't matter to a user, so be it (even though such acceptance ultimately 'trickles-down' to even greater intrusive behavior against everyone), but users should be aware.
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~** | |
ttt2525
@cable.rogers | reply to BrettStarr
Wow, thank goodness for this post!! I just noticed I had about 100 spyware website entries in my "per site privacy cactions" dialog in IE. Enlightening :=0
(incl. lop.com, various porn/xx sites....) | |
Mele20
Premium
join:2001-06-05
Hilo, HI | reply to BrettStarr
Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site. | |
avd706
insert annoying animated gif here
Premium
join:2003-02-06
Union, NJ | time for a tin-foil suit.....
let me know when cosco has a sale on Reynolds wrap... | |
Mele20
Premium
join:2001-06-05
Hilo, HI
| Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them. Also, never go to your bank from a favorites link. Always type in the address. These are just ordinary, standard safety measures.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789 | |
BrettStarr
Premium
join:2003-11-07
Las Vegas, NV
1 edit | reply to Mele20
said by Mele20 :Gee, I just noticed you leave banking cookies on your computer. You should never do that! Always clear those as soon as you have finished with the site. I think you misunderstand. The managed list of sites are those you will ALLOW cookies for. It doesn't mean I keep them. You most certainly can delete them at any time, but must always have the entry in the managed sites list to allow site to set the cookie in the first place.
-
edit: Regardless of how you handle cookies, you should at least block THIRD PARTY cookies. Those are the "bad" spyware, tracking cookies 95% of the time (Doubleclick, etc). | |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| reply to Mele20
said by Mele20 :As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them. Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work.
When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes thinks like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned.
The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. My last Wells Fargo cookie contained B-200409191637071418511140.
When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. the IP test is not that simple, to allow for changes, but there are provisions to see that a cookie is not being shared.
When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process.
Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft", so even aside of the fact that I run a secure network that prevents people from stealing my cookies, aside from the fact that banking cookies travel over unsniffable connections, there is nothing anybody could do with my banking cookies even if they got them.
If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarly in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used.
Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site | |
Mele20
Premium
join:2001-06-05
Hilo, HI
| Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer.
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789 | |
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
| reply to Steve
Quick example of why tracking a session by IP address doesn't work, proxy servers. A proxy server means a couple of things, first that multiple individual clients could be connecting from the same IP address (ie the proxy server), and second a single client might use more then one proxy server for sequential requests and hence would have a different source IP address (AOL clients for example).
Three questions which might help the discussion and understanding of cookies.
Are cookies secure, meaning that can site1 read site2's cookies?
What kind of information can a cookie contain?
What kind of information should a cookie contain and why?
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel | |
Khaine
join:2003-03-03
Australia
| reply to Mele20
said by Mele20 :Sigh. I am fully aware of all that you have thought necessary to "teach" me. My banks still recommend deleting the cookies after the visit. They are NOT deleted on exit. If you want someone to use your computer sometime and see what bank you use from your banking cookies you didn't delete fine. I prefer to guard against that. I always close the browser after visiting one of my banks also for the same reason. I do this even though it is unlikely anyone else would use this computer. Banking cookies are generally session only, and hence are deleted when the session ends {when you close the web browser}
tracking cookies are at worst a privacy issue, they have little if any security concerns with their use. | |
Mele20
Premium
join:2001-06-05
Hilo, HI
1 edit | I end up with a bunch of banking cookies from just ONE bank after I close the browser. All my banks set permanent cookies. I don't know what bank you are using. I use major national banks. Even my two local banks set permanent cookies but they don't set as many as some of the national banks. They are almost as bad as Dell which sets about 15 cookies each time you visit. FF complains about Dell and the banks setting too many cookies both session and permanent.
Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue!
--
The first and foremost function of our jurors is to protect private citizens from a tyrannical and intrusive government...Jurors are the last line of defense for liberty. Thomas Jefferson 1789 | |
Bobby_Peru
Premium
join:2003-06-16
4 edits | reply to Khaine
said by Khaine :tracking cookies are at worst a privacy issue, they have little if any security concerns with their use. Not to pick on Khaine , but perhaps he has hit on the key to the polarization in past and present attempts here to discuss cookies.
Tracking cookies have been, are, and will continue to absolutely, and most certainly be, a huge "privacy issue". This is self-evident from even a glance at www.abacus-direct.com (as linked and quoted in my post above). Of course there are other Ad-Servers and other deep 'consumer' (NewSpeak for humans/citizens) dBases, along with the Googles, Amazons, Pay-Pals, MSN/Passports, various "site-meters"....
If some self-appointed guardians of membership in the "Security (Professional?) Community" wish to completely exclude the realm of hundreds of millions of user's Privacy from their bailiwick, it is important that those who may be relying on these folks understand this serious self-imposed limitation, so as to know not to place any reliance on them for anything in this area. It would be nice to have them along for this effort, but, oh well...
If they, or others feel no concern in this area, that is one thing, but to dismiss other people's very reasonable and legitimate concerns over such growing intrusions into their lives with derogatory childish epitaphs, which also serve to stifle discussion, is more of a reflection on themselves than they are probably willing and/or able to admit, and should be viewed for exactly what they are - cheap rhetorical discussion killers.
Once they have provided the world with this notice, they could then safely sit out any discussions related to this pesky little Privacy thing.... Dismissing such petty concerns to the non-letter-wearing masses.....
Thanks to those who have helped clear up this misunderstanding.
Discussion of Blake's three most recent questions would get this back towards his OP for those users who do find this area to be important.
Expanding on his list: when are cookies really absolutely essential on a single site, what info would be required there, and is there really no other mechanism to accomplish this?
-------------------
For the commoners, non-letters-on-sleeve wearing masses - who may be relying on a wider definition of Security than that of a strict Security Professional Community construction -
"WordNet (r) 2.0"
security n
1: the state of being free from danger or injury; "we support the armed services in the name of national security" [ant: insecurity]
2: a formal declaration that documents a fact of relevance to
finance and investment; the holder has a right to receive interest or dividends; "he held several valuable securities" [syn: certificate]
3: a department responsible for the security of the
institution's property and workers; "the head of security was a former policeman" [syn: security department]
4: measures taken as a precaution against theft or espionage , or sabotage etc.; "military security has been stepped up since the recent uprising" [syn: security measures], ...
--
**~~Infected/Hijacked? FAQ~~~Protect/Secure Your Box/Data FAQ~~~Security Forum FAQs~~** | |
Khaine
join:2003-03-03
Australia
| reply to Mele20
said by Mele20 :Edited to ask since when is PRIVACY not a SECURITY issue??? That is the main security issue! Well generally I lump privacy and annomity together, and since security relies heavily on trust I tend to keep it seperate.
I didn't mean to trivialise this issue. It is an important issue, and with governments pushing more and more draconian laws reducing our privacy it is becoming very important to keep our rights. | |
hpguru
Curb Your Dogma
Premium
join:2002-04-12
| reply to Mele20
said by Mele20 :...since when is PRIVACY not a SECURITY issue??? That is the main security issue! Privacy and security are linked only in our interests. The perceived linkage may in fact be a result of the use of multifunction security apps such as firewalls which perform other tasks including cookie and active content management. Fact is, one can have good rock solid security with no particular interest in privacy protection and it will not impact his security. The obverse isn't necessarily true. Privacy only becomes a security issue once security has already been breached. So for example ID theft is a privacy issue which began with a breach in security.
That's not to say privacy isn't a legitimate concern. It is but there is only so much one can do to protect it.
--
FOUR MORE YEARS!! - of fear. | |
Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA
| reply to Mele20
said by Mele20 :Sigh. I am fully aware of all that you have thought necessary to "teach" me. OK, so you actually do understand that there aren't any technical reasons to worry about banking cookies, but you do anyway? Is this like throwing spilled salt over your shoulder? Do you read your horoscope too?
Steve
--
Stephen J. Friedl • Unix Wizard • Microsoft MVP • Tustin, California USA • my web site | |
sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable
| reply to Mele20
said by Mele20 :
Only a crass, unfeeling person jokes about schizophrenia. Stop the jokes about mental illness please.
Tin-foil hat has nothing to do with schizophrenia, and everything to do with being overly and unnecessarily paranoid. If someone says you wear a tin-foil hat, that person thinks you are too paranoid. That's all there is to it.
quote:
never go to your bank from a favorites link. Always type in the address.
And why not? What is the difference between typing it in, and clicking the bookmark which I've had forever? None, other than the bookmark being faster.
quote:
Are cookies secure, meaning that can site1 read site2's cookies?
As far as I know and in general, yes. Heck, I've tried. There may exist a few exploits which may allow cookies to be read by a hostile webserver, but I don't recall any off the top of my head, and they probably have a) long been patched and b) only work in IE, if they do exist. Some may rely on a previously compromised system. They're just text files, after all. Only the browser really stands in the way.
quote:
What kind of information can a cookie contain?
Anything. Whatever data the webserver wants to put in it, it can.
quote:
What kind of information should a cookie contain and why?
This is a thorny one. Personally I think cookies should only contain information pertinent to the functionality of a site, for example, "color=blue" on a site you can customize. They could also be used to skip scripts which may slow the site down. Reading "Resolution=1024x768" when a user returns could save the webserver the processing cycles it takes to run a script that determines a returning user's resolution.
That cookies are used for advertising purposes is an unfortunate side-effect of the need for advertisers to support and defray the costs of maintaining a web presence. To that end you could say that keeping cookies around, letting the advertisers track you, is in some small way supporting the usefulness of the www. The more information the advertisers have about you, the more money they can potentially make, leading to potentially buying space on more websites, thereby supporting more websites. Perhaps this is an overly optimistic view, but it's better than "evil advertisers tracking you" and certainly less worrisome.
--
TCPA - Treacherous Computing
Kerio 2.1.5 - Best damn firewall
Licenses should be per user, Ditch Norton! Get F-Prot! | |
VirtualLarry
Premium
join:2003-08-01
3 edits | reply to Steve
said by Steve :said by Mele20 :As for banking cookies, only an idiot would keep those. Even your bank will tell you to get rid of them. Huh? My bank has never mentioned this to me, but even a rudimentary understanding of how cookies work - at least those by clueful banks - suggests that you're demonstrating that you don't know how they work. Considering that many online sites use "magic cookies" as an authentication token, then they are essentially equivalent to a username/password authentication. Most people recommend never 'storing' your username/password combos in your browser for important sites (like banking), because of the risk of a potential browser exploit revealing them and allowing them to be stolen. Since "magic cookies" are logically equivalent to usernames and passwords, it would seem prudent to follow the same security precautions regarding them as well.
Considering how some recent privacy-violating browser exploits have worked, such as Download.Ject and most recently the GMail one, which did indeed work by stealing cookie-based authentication, I believe, although I didn't look at the nitty-gritty technical details, then this risk is very real. To pretend that it isn't, is being a bit dis-ingenious and and pretentiously dismissive towards Mele20, isn't it?
said by Steve :When you login to a secure site, the login page sends your username and password (presumably over SSL), and after validating that you're who you claim to be, a new "session" is created. This session data includes thinks like your username, time you started, IP address, etc. and is stored on the server, and a unique and random session ID is assigned. The ID itself has no inherent meaning, nothing is "encoded" in it (it's "opaque"), and this is what is sent to you in your cookie. When you submit following pages (transfer money, check balance, etc.), the ID passed in your cookie is looked up in the session database, and it checks to see if you're still allowed, who you are, has it been too long since you did anything (to allow "idle sessions" to timeout), coming from the same IP address, etc. When you click the Logout button, this not only deletes the cookie from your browser, but it invalidates the session in the database, so even if you hung onto or intercepted that cookie, it would not work. Yes, the cookie value would be sent to the server, but it would look it up and find that either (a) the session had been deleted entirely, or (b) the session had been marked explicitly "expired". Expired sessions cannot be revived by anything on the browser side without going through a new login process. That whole secenario assumes that the site in question was designed with a 'clueful' approach to security. Unless you can guarantee that every site on the internet, in which you conduct "secure" transactions with, is as clueful, then it would seem prudent to follow some personal security practices to protect yourself, rather than trusting every other big company to do it for you. Personal responsibility, you see.
(Interestingly enough, I just got done reading this thread »www.blacksheepnetworks.com/secur···331.html from 2002, discussing major retailers passing customer CC and other sensitive financial data "in the clear" over WiFi. Very disturbing. It tends to discount the idea that companies are always interested in proper security, because they aren't. They're only interested in implementing IT technology as cheaply as possible, to maximize profits of course. Not all banks are interested in paying for properly-secure web-development. Indeed, look at the number that still require IE for access.)
said by Steve :Any site that has a clue about security has designed the site to mitigate the effect of "cookie theft" Funny, I thought that the tech/development guys at Google were the "smartest of the smart", and yet they fell prey to a "cookie exploit". The risks are real, don't downplay or deny them, it does a disservice to security-concious people everywhere.
Btw, I do always try to "logout" from my webmail, but there are occasions when that doesn't happen. Thankfully, webmail sessions time-out after about 10 minutes of inactivity.
There are other sites that do not operate using session cookies, but instead use permanent "magic" cookies for authentication. Verizon is one of them, and they do not "time-out". If you stole those cookies, you could intercept someone's e-mail, create a sub-account, give the username/password for the sub-account to your buddy, and they could run up huge charges on your VZ ISP account.
All because of a stolen authentication cookie.
said by Steve :If you feel better deleting your cookies, that's fine, but saying "only an idiot doesn't" puts you squarly in tinfoil hat territory and shows that you have only a limited grasp of how cookies are actually used. I think that perhaps it would have been better phrased as "only an idiot doesn't know that they are a risk" - because they are. If you, or your bank's site (for example) take steps to mitigate that risk, then they are less of a risk, but they are a risk. Security is all about deciding what is an acceptable level of risk... for yourself.
Also, regarding the issue of session vs. persistant cookies - I think that you fail to consider the behavior of "persistent browsers" like myself. My browser uptime is over eight days now, and I've visited countless sites. "Session" cookies to me, are just as persistant as permanent ones, effectively, because of my browsing behavior. I always manually delete my session cookies after I'm done visiting a site that uses cookies for secure authentication.
PS. In case you were curious Steve, I only stumbled upon that other thread while investigating some Kerio firewall weaknesses, which led me to your post on that list regarding "BACKSTEALTH". I've decided to re-evaluate my own approach to security, having realized that I've become far too complacent and trivializing some risks that perhaps I should not. | |
|
