Cookies...yummy or deadly?

Discussion in 'privacy general' started by ssj100, Jul 10, 2009.

Thread Status:
Not open for further replies.
  1. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,832
    These cookies have no function whatsoever, and so far, I haven't found anything flash based that isn't working properly with them blocked, they seem pointless to me.
     
  2. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    ssj100

    I think the people at risk are those following mass trends ... Users of Twitter, Youtube, Myspace, Facebook, these are obvious places that scripting dangers are going to be lurking. They're todays honeypots.
     
  3. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Well I noticed lately with Youtube people are scripting a link to appear whilst playing clips "Go to this site to see the HD version" or "See more of this artist here" have you noticed that too? I haven't placed a clip on Youtube so I have no idea how its done. But I am pretty sure this could be exploited to run all kinds of trouble.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Cookies are privacy risks but can be financially dangerous(he he) if you do online banking or buying.

    Examples:
    http://hackademix.net/2008/09/10/noscript-vs-insecure-cookies/

    http://www.nist.org/news.php?extend.176
    quote:
    Phishing schemes are about to get a whole lot easier. Targeted attacks are much more likely to work now than ever before. Cookies stored on your computer can be retrieved by bad guys half a world away. Even big search engine companies like Google and Yahoo are shaking in their boots. What happened? The bad guys have discovered Cross-Site Scripting (XSS) and the Internet has sudden become a lot more dangerous...
    Through the magic of Cross-Site Scripting (XSS) even professional security people will have a hard time recognizing a phishing message. XSS also allows for the theft of cookies, and thus personal information and possibly passwords, stored on your computer.
    ---end of quote---
    Below is an old exploit of a vulnerability quickly patched concerning "hacking hotmail account". Vulnerabilities will be discovered and that old exploit will be used against everyone by stealing a victim's cookies... http://www.exploitx.com/132/hacking-hotmail/
    quote:
    This exploit is using the cookie from hotmail.msn.com to access the ‘victims’ inbox. Because the cookie is not limited to the domain hotmail.msn.com, I can also use an exploit on the site msn.com to steal the cookie from the victim. When I searched msn.com for an exploit called “HTML Injection” or “Cross Site Scripting” (XSS), it took me about 30 minutes to find one. With this exploit type I’m able to insert additional pieces of html or javascript into a page of msn.com. When I insert the code: , the user will see a message box just like the picture below when he visits that site.

    The real HTML injection example with popup can be viewed at:[removed]

    With the text you can see in the “alert message-box” above, everybody with some knowledge is able to access my inbox. This text is send by my browser to hotmail every time I visit a site with the domain “msn.com”. This method is used so hotmail knows I am still logged in. The text in the popup is called a “cookie”. A trick used by attackers is to fake somebody else’s cookie. I will explain one easy method, although there are different ways of doing it. I can fake cookies with a helper program called “Proxomitron”.
    ---end of quote---
     
  5. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    How I wish every jane and john doe doing online purchases will be as tech savy as you. M:)
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,941
    Location:
    California
    Actually, they know my entire purchasing history even without a cookie, since for more years than I can remember, I've purchased there with a debit card, meaning that my account will have a record of everything. What does it matter? All the stored cookie does is identify me upon connecting to the page. BTW - a password is still required to access my account. Having the cookie does not provide that information. The main site is HTTP. When I click on "My Account" I am taken to a secure HTTPS site with a login box. Every site handles these things differently, and it's imperative to find out how these thing work before you set up an account, so that you understand and are aware of the site's procedures.

    In another example, my local library knows everything I've checked out since I applied for a card years ago. So what? There are government agencies that know more about me than a web cookie will ever provide. From where I'm sitting, this is all much ado about nothing -- speaking only for myself, of course.

    Are you talking about persistent or non-persistent XSS? There certainly have been some sensational examples of the latter, but in each case, the specific circumstances would not have applied to me at all.

    As far as man-in-the-middle attack -- mentioned in one the links cited in another post here -- so many unique factors have to be in place in my case -- very common on local wired and wireless networks which I do not use.

    As far as the sensational cookies and web email exploits - guessing user information, etc -- again, so many specific factors have to be present, such as using this type of email in the first place.

    I realize that it's a bit self-serving, but over the years I found that I can be responsible only for myself and those in my sphere of influence -- those I've helped set up a system. I just don't encounter the situations that have been reported in the media. These sensationalized stories help sell products, of course, and make for interesting reading, but as a security-minded person who takes the time to dig beneath all of this, I find that establishing secure policies and procedures at the user level takes care of most everything!

    Autorun.inf vulnerability is a perfect example. But that's been discussed in another thread.

    ----
    rich
     
  7. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,060
    I know people who allow third-party cookies/tracking cookies without care, without noticable problems.

    Still, I see no reason to allow them.

    I use IE 7, allowing direct cookies, blocking indirect cookies, box for session cookies unticked. Yet, there are ways around this to place tracking cookies on my computer, but with my setup I block at least 99%.

    Much more tricky are 'web bugs', sometimes called 'web beacons', which can be used to track people, and are impossible to avoid (by the average user).
     
  8. cqpreson

    cqpreson Registered Member

    Joined:
    May 18, 2009
    Posts:
    348
    Location:
    China
    I see all you said.But in the eyes of me,cookies is just a web page which has your symbol.So they are not bad.We should allow them.If we demand security,we only need to allow cookies which come form our allowable websites.It is just enough.
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,135
    I never said you should install MD, I was just saying that it is a method I use.


    True there is more web bugs out there than what most people think, I do look at my admuncher logs occasionally and there is always web bugs which it has blocked. I also have no script blocking them if admuncher misses any.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Active contents on webpages can find lots of ways to harvest cookies. Another thing to consider is the favorite icons or favicons. Favicons is also used to track user and set cookies aside from the web bugs.

    A workaround will be Proxomitron with filters like from altosax... http://prxbx.com/download/Configs/Altosax.zip

    A healthy paranoia is a good thing but too much is bad. Awareness that these things happen is good and one should not debunked that these are simply overstated and profit-motive. We may never know the minds of these evil profiteering rings of cybercriminals all over cyberspace.
     
    Last edited: Jul 11, 2009
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,941
    Location:
    California
    Hello trismegistos,

    Interesting stuff! (some new to me)

    I was discussing what I wrote for this this thread yesterday with a friend who was interested in how cookies work. She uses Opera 9.64 as I do and has configured cookies as I've suggested. I just ran the GRC cookie test here:

    http://www.grc.com/cookies/forensics.htm

    and these are my results:

    cookieTest.gif

    Can I assure her that she is protected from the things you talk about?

    thanks,

    rich
     
  12. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Hi,
    I'm not much on a better position to assure her, because of lack of expertise and experience as you are. You can assure her although security experts other than you tend to inflate these kind of attacks but real world scenario just like in the physical realm, the actual chances of bad guys trying to steal your money is still not that high, it's more of a misfortune or badluck. Ofcourse, we may never know how these things will be prevalent as days goes by with the current financial downturns.

    As Steve Gibson, usually recommends to most people, just use Noscript with Sandboxie. With Noscript: it has built-in anti XSS and cookie protections, anti-clickjacking protection etc, even if one will enable scripting. Or your configuration set up which passed with flying colors from the GRC site is enough for her.

    I'll let the experts like you speak with finality to ease the concerns of people like me... $-)
     
    Last edited: Jul 12, 2009
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,135
    Yea but Sandboxie won't prevent it during your actual Browsing session, it only cleans them out afterwards if you flush the toilet.
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,941
    Location:
    California
    I'm really not an expert on this - I read a lot and apply what I read to my own situation and others I'm in contact with. That's about it.

    ----
    rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,941
    Location:
    California
    Well, from what I've observed in other threads, you are very knowledgeable about a lot of computer stuff. If I appear to know more about this topic, it's only because I've read and investigated more.

    It sounds like you have a healthy dose of skepticism -- a refreshing and important ingredient in computer security! Start by looking for current in-the-wild exploits. That will reveal what it is you need to protect against. Often much noise is generated about this and that discovery of a vulnerability. Not all vulnerabilities result in active, in-the-wild exploits. Not all exploits pertain to everyone's particular situation. (What if you don't use Hotmail, for example?)

    15+ years ago, the only thing I knew about a computer cookie was that it was a text file. So, when an article appeared warning of malware spreading via a cookie, I said, Wait a minute!

    Now, that's a rather extreme example of erroneous information, but less obvious examples spread needless fear and misunderstanding. As with other aspects of security, it's necessary to question (as you are here) and delve beneath the surface of articles/reports/blogs that purport to warn of impending catastrophy.

    At that time, I was accepting all cookies. I noticed one day that there were several hundred. 99% would never see the light of day again, since I was not likely to ever return to most of the sites. But the clutter bugged me, so from that point on I stored only those cookies necessary for regularly visited sites, or others I chose to store. For sites that I probably wouldn't visit again, Opera provides discarding a cookie when the browser is closed, hence, it is not stored.

    Today's browsers permit per site configuration of cookies, making it easy to keep control of things. Nonetheless, for 15+ years, on my security/privacy danger scale of 0 - 10, I had to add a [-1] value to indicate "cookie" on the scale.

    Looking in my Cookie Manager in Opera, my DSLR cookie shows:

    dslr-cookies2.gif

    Do you know what these are?

    They are the much-hyped google-analytics cookie. In 2005 Google purchased the Urchin Software Corporation, which was described as:

    My first encounter with this was one evening when connecting to csmonitor.com news site as I did every evening, I got a firewall alert to connect to an IP on port 443. The alert was because I use a custom address group for Port 443 and this IP was not in the group, hence, the alert.

    Looking at the page code, I saw google-analytics:

    Code:
    <script src="https://ssl.google-analytics.com/urchin.js" type="text/javascript"></script>
    I emailed the webmaster and received a reply explaining what this service is. Later, I discovered that in addition to DSLR, ISC (sans.org) also use this service. A representative of the latter posted a message about this after receiving a number of inquiries. Having learned that this service helps web masters to analyze their traffic, it no longer bothered me. After all, web site analysis has been around in various guises for years. The difference here -- this bothers a lot of people -- is that the analysis data is stored in a user account on a Google server, which is collated and returned to the user in charts, etc. The implication is that Google could surreptitiously harvest users' account data for their own use.

    Another example: Google Search. If a person is bothered by tracking, don't store the cookie.

    I did an experiment once: For six months I accepted all cookies including 3rd-party tracking cookies. Even the much-maligned double-click stuff. I never noticed anything different in my surfing. No popups. No one came knocking at my door with ads. No mail. Well, I got irritated again by all of the clutter so I purged everything and started over with per site configuration.

    Cookies is a big topic with lots of sub topics. Users have to decide for themselves the importance of each, and how to deal with it.


    ----
    rich
     
  16. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    http://www.cgisecurity.com/xss-faq.html

    Some interesting stuff. There ^^

     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,941
    Location:
    California
    A few other quotes:

    ----
    rich
     
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I've been constantly told, on here and elsewhere, cookies are a privacy issue, not a security matter.

    I always disagreed and said that, if it was possible to steal them from users, then all sorts of unwanted consequences could arise. As Rmus has just noted, this has/can and does occurr.

    Exactly what the thieves do with the info will vary with, what they get, and how much etc. I prefer to not keep ANY cookies EVER, never have and i doubt if i ever will. Sure i have always type in my user name and passwords everytime i log in somewhere, but that's a very mild inconvenience i'm more thah happy to live with. It only takes a few seconds anyway.

    Cookies, no fanx !
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  20. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Just to be clear, clearing out the sandbox will get rid of both cookies and flash cookies right?
     
  21. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks ssj!
     
  22. tlu

    tlu Guest

    Yes, this article is very good and summarizes everything. I block all cookies in Firefox by default and manage them with Cookie Monster by allowing cookies only on sites where needed (often only as session cookies). And I have also disabled flash cookies, of course.
     
  23. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can flash cookies be disabled in FF or do you need to do it via the macromedia flash player page?
     
  24. tlu

    tlu Guest

    Either via the flash player site (that's how I did it) or with Better Privacy.
     
  25. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,060
    I'm still using IE 7. :doubt:

    Are these third party cookies supposed to be in my regular cookies folder ?

    I don't see them there.
     
Loading...
Thread Status:
Not open for further replies.