Wilders Security Forums  

  #26  
July 11th, 2009, 01:12 AM
arran
Very Frequent Poster
Join Date: Feb 2008
Posts: 1,090
Re: Cookies...yummy or deadly?

I don't need to worry about ways to clean out Flash cookies, because I use Malware Defender to block them from being created in the first place. Hence my Flash cookies always remain at 0.
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar
  #28  
July 11th, 2009, 06:56 AM
m00nbl00d
Incredibly Massive Poster
Join Date: Jan 2009
Posts: 6,441
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by ssj100

[...]

Even for malicious web-sites, who cares if they know that I visited them and downloaded a piece of malware (which is easily got rid of by Sandboxie by the way haha...in fact, the malware couldn't do anything anyway, since I have start/run/internet access restrictions, as well as a monitoring classical HIPS).

[...]


As I said at the very beginning, from what I understand of cookies, and I thought I had mentioned it, they will tag you with an identification. That's why, for example, Amazon remembers Rmus and his preferences.

You shouldn't be concerned if a malware site "knows" you've been there. You should worry, though, if they know you've been at other websites, such as your on-line bank account, etc. The problem is not cookies (because some are useful, as you said), but rather the so-called tracking cookies.

Then, you've got third-party cookies. Say you visit www.wilderssecurity.com, and there is plenty of content here, like images, etc., and it all comes from outside the domain; you'll probably end up allowing other folks' cookies as well, without any need or use. So, cookies aren't useful most of the time, and I actually consider most of them an abuse of our privacy.

So, while www.wilderssecurity.com cookies would be useful for you to be remembered, cookies from domain B, C, D, E, F, etc aren't. They are of no use.

You're here at www.wilderssecurity.com, and there's an advertisement, in the form of a banner, say. If no protection is set against third-party cookies, then a cookie will be stored. If you go to some other site, forum, etc, sharing banners from the same servers, considering that a cookie has been previously set, that server will know you've been here, at some other site, at some other forum, etc.

Why should anyone else but www.wilderssecurity.com know you've been here?

It's like going shopping, right? Who cares if the X shop knows you bought Y product? Makes sense, you bought it there, after all. But does that mean that every other shop sharing the same sponsor (the advertisement banner) would have to know that I've been at shop X, buying Y product?
I don't think so.


But, that's how I feel.
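
The banner scenario described in the post above, as an added simulation that is not part of the original thread: a constructed banner server (the hypothetical `ads.example`) sees visits to three sites, first with third-party cookies allowed and then with them blocked. All site names other than www.wilderssecurity.com, and all class and function names, are assumptions made for the example.

```javascript
// Added example: constructed simulation, no network access.
// "ads.example" is a hypothetical banner server embedded by several sites.
class BannerServer {
  constructor() {
    this.nextId = 1;
    this.seen = new Map(); // cookie id -> set of sites that embedded the banner
  }
  // Handle one banner request. `cookie` is the id the browser sent (or null);
  // `referer` is the site whose page embedded the banner.
  serve(cookie, referer) {
    const id = cookie ?? `uid-${this.nextId++}`;
    if (!this.seen.has(id)) this.seen.set(id, new Set());
    this.seen.get(id).add(referer);
    return { setCookie: id };
  }
  profile(id) {
    return [...(this.seen.get(id) ?? [])].sort();
  }
}

class Browser {
  constructor({ blockThirdParty }) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie host -> stored value
  }
  // Visit `site`, whose page embeds a banner served from `bannerHost`.
  visit(site, bannerHost, server) {
    const thirdParty = bannerHost !== site;
    const allowed = !(thirdParty && this.blockThirdParty);
    // When blocked, the request still goes out, but without a cookie,
    // and the Set-Cookie in the response is discarded.
    const sent = allowed ? (this.jar.get(bannerHost) ?? null) : null;
    const res = server.serve(sent, site);
    if (allowed) this.jar.set(bannerHost, res.setCookie);
  }
}

// Longest browsing history the banner server can tie to a single cookie id.
function largestProfile(blockThirdParty) {
  const server = new BannerServer();
  const browser = new Browser({ blockThirdParty });
  const sites = ["www.wilderssecurity.com", "shop.example", "forum.example"];
  for (const site of sites) browser.visit(site, "ads.example", server);
  const sizes = [...server.seen.keys()].map((id) => server.profile(id).length);
  return Math.max(...sizes);
}

console.log("third-party cookies allowed:", largestProfile(false));
console.log("third-party cookies blocked:", largestProfile(true));
```

With blocking on, the banner server still receives each request, but every request looks like a new visitor, so the three visits can no longer be joined through the cookie.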
  #30  
July 11th, 2009, 08:35 AM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,988
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by arran
I don't need to worry about ways to clean out Flash cookies, because I use Malware Defender to block them from being created in the first place. Hence my Flash cookies always remain at 0.

Why the hell would I install an additional program that:

1. Is supposed to block malware, cookies aren't malware
2. Uses resources
3. Isn't needed whatsoever.

Flash settings, like Firefox, have a default function to block Flash cookies. So here I go.

"I don't need to worry about ways to clean out Flash cookies, because I've blocked them in the settings manager from being created in the first place. Hence my Flash cookies always remain at 0."
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #31  
July 11th, 2009, 08:38 AM
Keyboard_Commando
Frequent Poster
Join Date: Mar 2009
Posts: 682
Re: Cookies...yummy or deadly?

http://news.netcraft.com/archives/20..._accounts.html

The danger is session cookies for important places, like banking and email providers, being exploited and your info being stolen.
  #33  
July 11th, 2009, 08:42 AM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,988
Re: Cookies...yummy or deadly?

All the needed instructions are on the blog post:

Quote:
Originally Posted by funkydude
Well I followed that guide http://www.imasuper.com/66/technolog...rivacy-killer/ thank you very much for the post!

The flash config screen is here:
http://www.macromedia.com/support/do...manager03.html

Edit: The settings are kept in flash, saved across all browsers, so you need not re-apply them.
  #36  
July 11th, 2009, 08:54 AM
funkydude
Massive Poster
Join Date: Apr 2004
Posts: 5,988
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by ssj100
Thanks for the information. It will come in handy when I get convinced that I need to block these cookies haha.

These cookies have no function whatsoever, and so far I haven't found anything Flash-based that isn't working properly with them blocked; they seem pointless to me.
  #37  
July 11th, 2009, 09:05 AM
Keyboard_Commando
Frequent Poster
Join Date: Mar 2009
Posts: 682
Re: Cookies...yummy or deadly?

ssj100

I think the people at risk are those following mass trends ... Users of Twitter, YouTube, Myspace, Facebook, these are obvious places that scripting dangers are going to be lurking. They're today's honeypots.
  #39  
July 11th, 2009, 09:13 AM
Keyboard_Commando
Frequent Poster
Join Date: Mar 2009
Posts: 682
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by ssj100
I see. I personally don't use Twitter, Myspace, Facebook or any social sites like these. How does Youtube fit with those sites though? The only reason why I visit Youtube is to watch videos there (I don't have an account for it etc).

Well, I noticed lately with YouTube people are scripting a link to appear whilst playing clips: "Go to this site to see the HD version" or "See more of this artist here". Have you noticed that too? I haven't placed a clip on YouTube so I have no idea how it's done. But I am pretty sure this could be exploited to run all kinds of trouble.
  #40  
July 11th, 2009, 09:14 AM
trismegistos
Frequent Poster
Join Date: Jan 2009
Posts: 363

Cookies are privacy risks but can be financially dangerous (he he) if you do online banking or buying.

Examples:
http://hackademix.net/2008/09/10/nos...ecure-cookies/

http://www.nist.org/news.php?extend.176
quote:
Phishing schemes are about to get a whole lot easier. Targeted attacks are much more likely to work now than ever before. Cookies stored on your computer can be retrieved by bad guys half a world away. Even big search engine companies like Google and Yahoo are shaking in their boots. What happened? The bad guys have discovered Cross-Site Scripting (XSS) and the Internet has suddenly become a lot more dangerous...
Through the magic of Cross-Site Scripting (XSS) even professional security people will have a hard time recognizing a phishing message. XSS also allows for the theft of cookies, and thus personal information and possibly passwords, stored on your computer.
---end of quote---
Below is an old exploit of a vulnerability quickly patched concerning "hacking hotmail account". Vulnerabilities will be discovered and that old exploit will be used against everyone by stealing a victim's cookies... http://www.exploitx.com/132/hacking-hotmail/
quote:
This exploit is using the cookie from hotmail.msn.com to access the ‘victims’ inbox. Because the cookie is not limited to the domain hotmail.msn.com, I can also use an exploit on the site msn.com to steal the cookie from the victim. When I searched msn.com for an exploit called “HTML Injection” or “Cross Site Scripting” (XSS), it took me about 30 minutes to find one. With this exploit type I’m able to insert additional pieces of html or javascript into a page of msn.com. When I insert the code: , the user will see a message box just like the picture below when he visits that site.

The real HTML injection example with popup can be viewed at:[removed]

With the text you can see in the “alert message-box” above, everybody with some knowledge is able to access my inbox. This text is sent by my browser to hotmail every time I visit a site with the domain “msn.com”. This method is used so hotmail knows I am still logged in. The text in the popup is called a “cookie”. A trick used by attackers is to fake somebody else’s cookie. I will explain one easy method, although there are different ways of doing it. I can fake cookies with a helper program called “Proxomitron”.
---end of quote---
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/
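
The quoted write-up turns on a session cookie that is not limited to the mail host's own domain, so a page on any sibling host receives it and script there can read it. As an added example (not from the thread or the quoted articles), this checker reports where the cookie from a `Set-Cookie` header is sent and which protections it lacks; the `example.com` hosts, the header values and all function names are constructed for illustration.

```javascript
// Added example. Hosts and header values below are constructed.
const HOSTS = ["mail.example.com", "www.example.com", "search.example.com"];

// RFC 6265 domain-match, simplified to lowercase ASCII host names.
function domainMatch(host, domain) {
  const d = domain.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Parse a Set-Cookie header value received from originHost.
// Browsers reject a Domain that does not cover originHost; not modelled here.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: originHost, hostOnly: true, httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    // A Domain attribute widens the cookie from one host to a whole domain.
    if (key === "domain" && v) { c.domain = v; c.hostOnly = false; }
    if (key === "httponly") c.httpOnly = true;
    if (key === "secure") c.secure = true;
  }
  return c;
}

// Report which hosts receive the cookie and which protections are missing.
function audit(header, originHost, hosts = HOSTS) {
  const c = parseSetCookie(header, originHost);
  const sentTo = hosts.filter((h) =>
    c.hostOnly ? h === originHost : domainMatch(h, c.domain));
  const findings = [];
  if (sentTo.some((h) => h !== originHost)) findings.push("sent-to-sibling-hosts");
  if (!c.httpOnly) findings.push("readable-by-page-script");
  if (!c.secure) findings.push("sent-over-plain-http");
  return { sentTo, findings };
}

// Weak: scoped to the parent domain, no HttpOnly, no Secure.
const weak = audit("session=abc123; Domain=example.com; Path=/", "mail.example.com");
// Hardened: host-only (no Domain attribute), HttpOnly and Secure set.
const hardened = audit("session=abc123; Path=/; Secure; HttpOnly", "mail.example.com");
console.log(weak);
console.log(hardened);
```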
  #43  
July 11th, 2009, 10:28 AM
trismegistos
Frequent Poster
Join Date: Jan 2009
Posts: 363

Quote:
Originally Posted by ssj100
Wow, very interesting. Again, I guess we are all at risk of these sorts of attacks, because I'm pretty sure almost everyone allows cookies permanently for trusted sites like Amazon etc.

Personally, I wouldn't really care if someone got into the various web-based e-mail Inbox's I have, because I never store sensitive data like my password or credit card number etc in my e-mail accounts.

As for making online purchases and banking, as I said before, using a freshly installed IE 8 each time saves me from a lot of these problems.

How I wish every Jane and John Doe doing online purchases will be as tech savvy as you. M:-)
  #44  
July 11th, 2009, 10:28 AM
Rmus
Exploit Analyst
Join Date: Mar 2005
Posts: 3,624
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by ssj100
For example, Rmus, you admit that you accept cookies for Amazon etc. Therefore, Amazon knows exactly what you're browsing and looking at, within their web-site. You obviously don't care that they know, and actually find it useful.

Actually, they know my entire purchasing history even without a cookie, since for more years than I can remember, I've purchased there with a debit card, meaning that my account will have a record of everything. What does it matter? All the stored cookie does is identify me upon connecting to the page. BTW - a password is still required to access my account. Having the cookie does not provide that information. The main site is HTTP. When I click on "My Account" I am taken to a secure HTTPS site with a login box. Every site handles these things differently, and it's imperative to find out how these things work before you set up an account, so that you understand and are aware of the site's procedures.

In another example, my local library knows everything I've checked out since I applied for a card years ago. So what? There are government agencies that know more about me than a web cookie will ever provide. From where I'm sitting, this is all much ado about nothing -- speaking only for myself, of course.

Quote:
Originally Posted by ssj100
However, the issue of usability and convenience comes into play. Rmus obviously finds allowing cookies on Amazon very helpful (good usability and convenience), but does perhaps sacrifice some security (eg. puts himself at risk of the cross site scripting vulnerability).

Are you talking about persistent or non-persistent XSS? There certainly have been some sensational examples of the latter, but in each case, the specific circumstances would not have applied to me at all.

As far as man-in-the-middle attack -- mentioned in one of the links cited in another post here -- so many unique factors have to be in place in my case -- very common on local wired and wireless networks which I do not use.

As far as the sensational cookies and web email exploits - guessing user information, etc -- again, so many specific factors have to be present, such as using this type of email in the first place.

I realize that it's a bit self-serving, but over the years I found that I can be responsible only for myself and those in my sphere of influence -- those I've helped set up a system. I just don't encounter the situations that have been reported in the media. These sensationalized stories help sell products, of course, and make for interesting reading, but as a security-minded person who takes the time to dig beneath all of this, I find that establishing secure policies and procedures at the user level takes care of most everything!

Autorun.inf vulnerability is a perfect example. But that's been discussed in another thread.

----
rich
  #46  
July 11th, 2009, 10:51 AM
Fly
Very Frequent Poster
Join Date: Nov 2007
Posts: 1,857
Re: Cookies...yummy or deadly?

I know people who allow third-party cookies/tracking cookies without care, without noticeable problems.

Still, I see no reason to allow them.

I use IE 7, allowing direct cookies, blocking indirect cookies, box for session cookies unticked. Yet, there are ways around this to place tracking cookies on my computer, but with my setup I block at least 99%.

Much more tricky are 'web bugs', sometimes called 'web beacons', which can be used to track people, and are impossible to avoid (by the average user).
  #47  
July 11th, 2009, 12:54 PM
cqpreson
Frequent Poster
Join Date: May 2009
Location: China
Posts: 348
Re: Cookies...yummy or deadly?

I see all you said. But in my eyes, a cookie is just a web page which has your symbol. So they are not bad. We should allow them. If we demand security, we only need to allow cookies which come from our allowable websites. It is just enough.
  #48  
July 11th, 2009, 06:10 PM
arran
Very Frequent Poster
Join Date: Feb 2008
Posts: 1,090
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by funkydude
Why the hell would I install an additional program that:

1. Is supposed to block malware, cookies aren't malware
2. Uses resources
3. Isn't needed whatsoever.

Flash settings, like Firefox, have a default function to block Flash cookies. So here I go.

"I don't need to worry about ways to clean out Flash cookies, because I've blocked them in the settings manager from being created in the first place. Hence my Flash cookies always remain at 0."

I never said you should install MD, I was just saying that it is a method I use.


Quote:
Originally Posted by Fly
Much more tricky are 'web bugs', sometimes called 'web beacons', which can be used to track people, and are impossible to avoid (by the average user).

True, there are more web bugs out there than most people think. I do look at my Admuncher logs occasionally and there are always web bugs which it has blocked. I also have NoScript blocking them if Admuncher misses any.
  #49  
July 11th, 2009, 09:10 PM
trismegistos
Frequent Poster
Join Date: Jan 2009
Posts: 363
Re: Cookies...yummy or deadly?

Quote:
Originally Posted by Fly
I use IE 7, allowing direct cookies, blocking indirect cookies, box for session cookies unticked. Yet, there are ways around this to place tracking cookies on my computer, but with my setup I block at least 99%.

Much more tricky are 'web bugs', sometimes called 'web beacons', which can be used to track people, and are impossible to avoid (by the average user).

Active content on webpages can find lots of ways to harvest cookies. Another thing to consider is the favorite icons or favicons. Favicons are also used to track users and set cookies, aside from the web bugs.

A workaround will be Proxomitron with filters like from altosax... http://prxbx.com/download/Configs/Altosax.zip

A healthy paranoia is a good thing but too much is bad. Awareness that these things happen is good and one should not debunk these as simply overstated and profit-motivated. We may never know the minds of these evil profiteering rings of cybercriminals all over cyberspace.

Last edited by trismegistos : July 11th, 2009 at 09:30 PM.
  #50  
July 11th, 2009, 09:31 PM
Rmus
Exploit Analyst
Join Date: Mar 2005
Posts: 3,624
Re: Cookies...yummy or deadly?

Hello trismegistos,

Interesting stuff! (some new to me)

I was discussing what I wrote for this thread yesterday with a friend who was interested in how cookies work. She uses Opera 9.64 as I do and has configured cookies as I've suggested. I just ran the GRC cookie test here:

http://www.grc.com/cookies/forensics.htm

and these are my results:

[Attachment: cookieTest.gif]

Can I assure her that she is protected from the things you talk about?

thanks,

rich
 
