Showing posts with label Safari. Show all posts

Friday, 21 May 2010

Tracking Cookies: Google Offers Opt-Out

--
In keeping with the "bad news travels fast; good news is forgotten" theory, I dug up something quite good today that was only whispered in the tech news: Google lived up to their motto this past March and started offering opt-out options and tools for being free from being followed by their Tracking Cookies. Imagine that.


Not that I actually care, since I've been blocking Tracking Cookies on my web browsers for over a decade. And not that your average Internet surfer is going to notice. Google aren't exactly advertising their kind gesture.

If you've read my previous posts on Tracking Cookies you already know what to do: TURN OFF third party cookies in your web browser settings. On Mac, every browser worth using has this setting available in its Preferences under various descriptions. Here are some examples:

Safari Preferences:

OmniWeb Preferences:

Camino Preferences:

FireFox Preferences:


iCab Preferences:


Opera Preferences:


. . .

For the sake of review,
What Are Tracking Cookies?

Wikipedia.org has a very good description of them HERE.

My rendition:

Fried SPAM with cute little colored sprinkles on top. Or if you prefer sushi, how about:


Marketing people, ideally, like to help people find what they need and want. (These days we know that is generally NOT the case, thank you MBA degree mills. But I cover that subject over at my zunipus blog). The modern ideal in marketing is to follow you every minute of the day and offer you sales opportunities everywhere you go that are tailored just for you.

There are some marketing people who would be most pleased to implant a chip under your skin that triggers off automatic ads with potential sales opportunities around every corner. Some people believe this will trigger the end of the world. What a revelation. Darn, you got chip ID #666? That's not good.

Since it is illegal to 'chip' anyone in our current age, the next best thing is to 'chip' your web browser. This allows marketing people to follow you around on the Internet and trigger off automatic ads with every click.

The 'chip' in your browser is called a 'cookie', formerly 'magic cookie'. Thank Lou Montulli of Netscape for the concept and name. Cookies are actually very benign in concept. They allow the sharing of basic information between you and specific websites. For example, they are able to hold your ID and password at the Apple Store. They can also feed back to each specific website where you visited within that website. Amazon make very good use of cookies, suggesting books, music, electronics, etc., that fit within your demonstrated interests while navigating their site. It can help you find things you never knew existed.

Where cookies become evil is when they are shared among many sites. These are Tracking Cookies. Google is the King of Tracking Cookies. What you end up with is a syndicate of websites, all associated with one marketing hub, such as Google, who all share their cookie data with one another via ubiquitous Tracking Cookies. This means that your Google web searches end up with Targeted Ads aimed particularly at you.

Suppose you went to Amazon.com and went shopping for sex toys. Thanks to Google's Tracking Cookies, now the entire syndicate of Google associated web shops knows. So now you get ads for vibrators on your Google search pages. You go to SuperDuperWhatever.com for the very first time and up pop ads for warming gels, various stimulation pills, elongated probing instruments, on and on.

If this all sounds entirely offensive and invasive of your privacy, you're not alone. I personally don't give a rat's about marketing data collection, no matter what 'opportunities' they may offer. When I want something I go out and research it, all on my own, and typically end up buying the best product at the cheapest price entirely due to my efforts. No ads required. To me, advertising is a distraction at best. Therefore, my web browsers are maxed out with ad blocking plugins and settings. Even in situations where anti-ad measures fail, my brain is so used to marketing 'opportunities' on both the real and virtual landscapes that I quite literally don't see them. They don't exist in my mind's eye. There are 'subliminal' marketing theories of course, but every one of them fails from my POV.

Example:

My parents freak out whenever I visit them because I never bother to mute the TV ads. Why do I do that? I literally don't notice them! I don't care what they say. If I pay attention at all it is typically to mock them, they are usually so ridiculous and predictable. The only exceptions are abusive ads. I pick up on them rather quickly and take note of what they're selling in order that I never buy it. I also enjoy collecting examples of abusive ads. I often post perpetrators of what I call 'AD BLASTING' and 'AD SLAMMING' over at my zunipus blog. For some reason, my personality is particularly offended by any form of human abuse. Maybe it's because I'm human. With the plethora of psychopaths in world politics, religion and biznizz these days you have to wonder how many humans are left on Earth. But I rant.

We humans always discover and create new ways to thwart other people's bad choices. Blocking Tracking Cookies is simple because just about every web browser provides a method. Set it once and forget it. Happiness shall be yours young apprentice.

Well, there is one drawback: Advertising isn't going away.

You'll still be hit with it everywhere you go IRL or WWW. But instead of the ads targeting specifically you, they'll simply be generic. Darn! You'll just have to settle for having your privacy.

--

Thursday, 25 March 2010

64-bit 7ista Twice Hacked via both IE 8 and Firefox 3! The End Is Nigh!


I should also mention that both Mac OS X 10.6 Snow Leopard and the iPhone got hacked via Safari. Just doing a little back-at-you priority swapping. These days it is a BIG DEAL when Mac OS X gets hacked because of its reputation as the safest GUI OS on the planet. Hacking Windows is ho hum because it happens every day.

Here are some links to somewhat detailed articles about the Day 1 results from the Pwn2Own contest at CanSecWest 2010 in Vancouver, Canada:

TippingPoint blog.
CNet.
MacWorld.

The contest still has two more days of hacking to go. But here is the current list of winners from Day 1:
PWNED! Vincenzo Iozzo and Ralf Philipp Weinmann - iPhone
PWNED! Charlie Miller - Safari [on Mac OS X 10.6]
Nils - Safari (Prize Claimed) [on Mac OS X 10.6]
PWNED! Peter Vreugdenhil - Internet Explorer 8 [on 7ista]
MemACCT - Internet Explorer 8 (Prize Claimed) [on 7ista]
Anonymous - Nokia
Anonymous - iPhone (Prize already won)
PWNED! Nils - Firefox [on 7ista]

Congratulations to all the hackers and thank you for making it clear that Internet surfing can be dangerous no matter the operating system or web browser. Details of each zero day hack are not published until they have been addressed by the companies or groups in charge of affected programs and operating systems. When the Mac OS X hacks have been published, I'll report them and provide links here.

I'll also post more from CanSecWest as it progresses. Dr. Charlie Miller will be presenting his 20 Mac OS X 10.6 Snow Leopard hacks.

The successful hacking of Windows 7ista is of particular interest because it involved bypassing the much lauded ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) built into 7ista. So much for those security technologies!

In each hack the victim computers were directed to websites containing exploit code. I'm going to hazard a wild guess that the sites used code written at least in part in the catastrophic mess known as ECMAScript, aka JavaScript/JScript. Readers of this blog will already know my low opinion of this scripting language and my desire that it be banished from the Internet forever. Listeners to the SecurityNow Podcast know that Steve Gibson of Gibson Research Corporation (GRC) called out ECMAScript as dangerous years ago. He recommends surfing the net with scripting turned OFF in all web browsers by default, only turning it on at trusted websites.

Java exploits are also well known at this time, indicating the need to also turn off Java while surfing the net, except again at trusted websites. What a shame.

(Note that JavaScript and Java have nothing whatsoever to do with each other apart from a similar name caused by a marketing moron deal between Netscape and Sun Microsystems, both companies now defunct).

Monday, 22 March 2010

'Tis The Season For Pwn2Own!

--
FUD FUD FUD FUD FUD!
FUD FUD FUD FUD!

This is the time of year when, historically, anti-Apple security FUD is at its highest pitch. The great event begins March 24th. Our dubious hacking heroes Dr. Charlie Miller and Nils will be participating.

Pwn2Own 2010
BY AARON PORTNOY
MON 15 FEB 2010 16:41PM

The TippingPoint Zero Day Initiative (ZDI) is proud to announce that the annual Pwn2Own contest is back again this year at the CanSecWest security conference held in Vancouver, BC on March 24th 2010. As the contest name implies, if you successfully exploit a target you get to keep it along with a ZDI cash prize and related benefits. This is our 4th year running and to commemorate we have increased the total cash prize amount to $100,000 USD. If you're unfamiliar with the past history of this competition check out the archived 2008 and 2009 blog entries.

When the contest starts, you can follow the results at TippingPoint's blog HERE. The favorite to lose this year is Microsoft Internet Explorer, either or both versions 7 and 8. Here is the schedule posted by ZDNet:

Day 1:
Microsoft Internet Explorer 8 on Windows 7
Mozilla Firefox 3 on Windows 7
Google Chrome 4 on Windows 7
Apple Safari 4 on Mac OS X Snow Leopard

Day 2:
Microsoft Internet Explorer 7 on Windows Vista
Mozilla Firefox 3 on Windows Vista
Google Chrome 4 on Windows Vista
Apple Safari 4 on Mac OS X Snow Leopard

Day 3:
Microsoft Internet Explorer 7 on Windows XP
Mozilla Firefox 3 on Windows XP
Google Chrome 4 on Windows XP
Apple Safari 4 on Mac OS X Snow Leopard

ZDNet also reports that a number of mobile devices are part of a second set of hacking contests:
Apple iPhone 3GS
RIM Blackberry Bold 9700
A Nokia device running Symbian S60 (likely the E62)
A Motorola phone running Android (likely the Droid)

Apple, apparently in preparation for Pwn2Own, released Safari v4.0.5 on March 10, 2010. It patched 16 security vulnerabilities. You can read about it HERE and HERE. Six patches were specifically for the Windows version of Safari. The other ten patches affected both Mac and Windows versions of Safari. Nine of the patches were specifically for WebKit, which is an Open Source project used in a number of web browsers, including Safari, OmniWeb, Chrome, Shiira, Midori, S60, Android and the Palm Pre web browser. Four of the patches patched the ImageIO used in the version for Windows. Does this cover the gamut of security vulnerabilities in Safari? The hackers at Pwn2Own consistently have surprises up their sleeves.

You can read the details of this year's Pwn2Own contest HERE.

The general concept of the contest is to gather contestants and provide them with a hacking events schedule well ahead of time. The contestants typically come to the contest prepared with a specific hack or set of hacks they will use on the target computers via interaction with the accompanying web browser. This year the contest is somewhat different in that each successive day will include the hacking of older versions of Internet Explorer with older versions of Windows. But the general contest provides three days of hacking using three pairings of web browsers and operating systems. Day 1 does not allow any access to applications on the target computer. Day 2 allows what I call 'LUSER sabotage' access to the target computers via default installed applications for each operating system. Day 3 provides popular third party applications on each computer that can be used as part of 'LUSER sabotage' hacking.

In years past the FUD mongering contingent have danced around like village idiots pointing out how quickly Macs have been hacked on Day 2. In reality, the speed of any hack is nearly irrelevant. This is due to the weeks of preparation provided to all contestants, who presumably have already proven their zero day hacks before the contest has begun. What is relevant is the existence of the hack and how much 'LUSER sabotage' is required to apply it.

This year two senior contestants, Dr. Charlie Miller and Nils, will be using Safari v4.0.5 to hack into Mac OS X 10.6.2 Snow Leopard. Vincenzo Iozzo and Ralf Philipp Weinmann, as well as an 'anonymous' human, will be hacking into the iPhone.

One concern I have this year is that Safari is not being used to hack into any version of Windows. Instead only IE 7 & 8, FireFox 3 and Chrome 4 are being tested. Presumably the choices of Windows browsers were made according to market share as well as hacker interest. I'm also a bit annoyed that no Windows Mobile phones were included in the contests. Microsoft have announced the dumping of their current mobile OS for an entirely new mobile OS. But there is no reliable time line for this change, making the hackability of current Windows Mobile devices entirely relevant.

Hack and Enjoy!

Monday, 21 September 2009

Security Concerns After Installing Snow Leopard

--
We all hopefully know that, at this time, Mac OS X is the safest commercial GUI OS on the planet. But in the spirit of perfection, here are some problems I found with the default installation of Snow Leopard. Some of them are very bad. Some are merely worrisome.

1) The firewall is OFF. So TURN IT ON!!! You can do this in the Security preferences.
--> I'm very annoyed with Apple on this blunder. Firewall protection is fundamental these days. A good scolding is in order. I have no doubt the professional security experts will do the job for me.

2) Automatic login is ON. So TURN IT OFF!!! You can do this in the Accounts preferences.
--> Again, Me = very annoyed. Again this is fundamental. Scold scold scold. You'd think no one at Apple had ever studied the security hell known as Windows. Both firewall protection and login protection were lacking in Windows for years, leading to major hacking and cracking.

3) In Accounts preferences, under the 'Guest Account', the checkbox "Allow guests to connect to shared folder" is ON. If you have no interest in guests doing anything on your Mac, turn this off.
--> If you are on a LAN with other people and want to allow sharing, leaving this on is important. But if you are on your own at home, it's safer IMHO to just leave this off until such time as you want to use it. Mobile laptop users most likely want this off by default until such time as they return to their LAN. I would have much preferred Apple left this off by default after installation.

4) In the Accounts preferences, Login Options, "Display login window as:" is set to "List of Users". I suggest you change this to "Name and Password".
--> Family computer users should ignore me on this one. At home, who cares. But if your computer is going out into the wild, I like the added security of forcing any would-be hackers to have to guess at BOTH your username AND password. Why give them a break and give away usernames?

5) In the Security preferences, General tab, "Require a password to unlock each System Preferences Pane" is turned OFF. I like this checked ON.
--> This is one of those fiddly things that maximize security but can also be annoying. Turning it on means that no rogue software running on your Mac can play around with your system preferences. As soon as it did you'd see boxes popping up requesting your administrator password. Theoretically this could happen with one of the current Trojan horses for Mac OS X. So to play it safe, check it on. But it's not a major deal. On the other hand, it's not exactly paranoia either.

6) This one is for MacBooks and iMacs only: In the Security preferences, General tab, at the bottom of the window are the setup switches for your infrared remote. The remote can be used to access Front Row, among other things. After installation it is important that you 'Pair' your specific remote with your Mac. Otherwise, as it says in settings, "This computer will work with any available remote." That's BAD. Therefore, hit the "Pair" button and go through the process.
--> This is a very good chore to follow immediately after your Snow Leopard installation. If you are extra paranoid about having a remote, or you lost your remote, you can always check ON "Disable remote control infrared receiver."

7) Software Update preferences are set to "Download updates automatically". Please turn this OFF.
--> Allowing your computer to automatically download anything is BAD. It has already been proven that it is possible to hijack a server address, have it fake being an update server, then have it spew at you malware downloads. No, it has never happened to Macs. But it can. Therefore, only YOU should approve ANYTHING that is downloaded. No auto-downloads EVER. OK?

8) Safari preferences, in the General tab, "Open 'safe' files after download" is checked ON. Please turn this OFF and leave it off forever.
--> Much as it is nice to have .zip and .dmg files open up for us immediately after they download, get out of the habit. This is another really BAD IDEA in all cases. It is as bad as auto-downloads. Instead, you personally want to open anything you have downloaded.

Imagine this: Some malware was somehow downloaded to your computer, via Safari, and automatically opens up its downloaded file. There it is in front of you in a window and you think everything is OK and run the application that was inside. You may have just infected yourself with the malware. Therefore, making sure that only you open anything you personally download is important as part of a deliberate process of verifying that you are not installing a Trojan or other malware. And remember to always verify a file or application is 100% legitimate before you download it or open it.

Once we get into the habit of clickity-click on every little thing, we can get ourselves into trouble. Some people say that going through all these extra steps of caring about exactly what you are doing can become drudgery and you end up doing clickity-click anyway. Nope! That never happens with me. Instead what I found is that I got into the habit of being careful. That is the entire point, and making that point a habit is very good for all of us.

There is some other minor stuff of concern in Snow Leopard, but I need a break. You can breathe now and/or break into joyful LaUGhTeR at all these extraneous security precautionary maniaism stuff things. It's OK. I'll just go cry quietly into my hanky. I can take it. (;_;)

Windows users have to be incredibly meticulous about all this security rigmarole. Every little nook and cranny of Windows can be a security hole. We Mac OS X users get to relax, mostly, about security regimens. At the moment, the worst we can do is download and install a Trojan and get our Mac zombied. That's all! ;-) If we think about being careful, no Trojans can get us.

Nonetheless, I'm attempting to show other Mac users how to be as safe as possible. Therefore, all of the above list applies if you are security conscious. I use myself as a guinea pig to see what it takes to be stealthed and defended to the MAX, and to see if I can stand it. The answer is yes, I can stand it. But I wouldn't wish it on my granny!

Check this out: I have Little Snitch popping up asking if this app can go do that on the Internet. I have the mess known as 'JavaScript' turned OFF by default in my web browser. I turn it on only for trusted websites. My browser is set to never accept cookies from third party sites. That stops Tracker Cookies. I read up on the latest security problems and updates via Apple, Intego, Secunia and SANS, among others. That means I've always got the latest versions of Flash, Shockwave, AIR and Adobe Reader installed in order to avoid Adobe security vulnerabilities. The same goes for FireFox, QuickTime, iTunes, etc. I have Intego VirusBarrier installed, kept up-to-date with malware signatures and always running. I also have both ClamXav and iAntiVirus freeware installed (mostly for testing). And there's more! (0_0)

That's just me playing with Mac security for my interest and yours. You could ignore all this stuff, except the advice about Trojan horses!!!, and be happy as can be. You've got a Mac.

But there are ways to be SAFER. That's why I write this blog. Put it to use as you will. Hopefully you won't actually need any of this stuff. But maybe you will...

Share and Enjoy!
Glad to be of service!
Nothing ever goes wrong at
Cirus Cybernetics Corpororpororpor*@%

;-Derek
--

Tuesday, 4 August 2009

GarageBand v5.1: Tracking Cookie Security Patch

--
Apple is now offering an update via 'Software Update' to GarageBand version 5.1, available for users of Mac OS X 10.5.7. You can read about the included security patch HERE.

To quote Apple:

Impact: A user's web activity may be tracked by third parties and advertisers.

Description: When GarageBand is opened, Safari's preferences are changed to always accept cookies. The default preference is to accept cookies only for the sites being visited. The altered setting may allow third parties and advertisers to track a user's web activity. This update addresses the issue by not changing the preference setting. Users who have run previous versions of GarageBand should confirm that their Safari preferences are set as desired.


What's going on:

GarageBand is allowing what are called 'Tracking Cookies' to be accepted by Safari. This type of cookie is used for marketing purposes to watch your individual behavior on the net. IOW you are under surveillance. This is essentially the same as having a chip implanted in your brain that collects data on your interests. It triggers off advertisements that 'fit your interests' as you visit further web pages. I personally find this form of marketing to be invasive and disrespectful. I never allow it.

If you think you've been messed over by this bug in GarageBand, here is what I suggest:

1) Update to GarageBand v5.1.

2) Just to be safe, make a backup of Safari's 'Cookies.plist' file. You will find it here:

~/Library/Cookies/Cookies.plist

3) As Apple suggests, go into Safari's Preferences and hit the 'Security' tab. Change the 'Accept cookies' setting to "Only from sites I visit". This stops any 3rd party cookies from being dumped into your browser, killing off any chance of being infected with Tracking Cookies.

4) Click the "Show Cookies" button. It is just below the settings in #3.

5) Either painstakingly go through your cookies and 'Remove' those you don't want, or simply hit the 'Remove All' button. This makes certain that all Tracking Cookies have been deleted along with all your other cookies.

There are of course complications after tossing your cookies. The most common result is not being able to automatically log in to sites where you have an account or membership. If you haven't kept track of all your IDs and passwords then you're hosed and will have to create new accounts. My solution is to keep a personal list of my net IDs and passwords in a text file stored on the encrypted .DMG volume that loads when I log into my user account. I also keep my IDs and passwords encrypted inside the application 1Password, which is a shareware super form of keychain. I've mentioned it here on the blog several times.

In the worst case scenario where you MUST have something that was stored in your cookies, you can always swap back in your backed up Cookies.plist file from step #2 above.
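
The backup in step 2 and the cookie-by-cookie review in step 5 can be scripted. The Python below is an added example, not part of the original post: it copies the store aside, then sorts the stored cookies into those belonging to sites you keep accounts with and those left over for review. It assumes the store is a plist array of dictionaries with `Domain` and `Name` keys; the sample data, the `VISITED` keep-list and all function names are constructed for illustration.

```python
import plistlib
import shutil
import tempfile
import time
from collections import defaultdict
from datetime import datetime
from pathlib import Path

# Constructed sample store (not real cookie data). Assumed layout: a plist
# array of dicts carrying at least "Domain" and "Name" keys.
_EXP = datetime(2011, 1, 1)
SAMPLE_PLIST = plistlib.dumps([
    {"Domain": "store.apple.com", "Name": "session", "Path": "/", "Value": "a1", "Expires": _EXP},
    {"Domain": ".amazon.com", "Name": "prefs", "Path": "/", "Value": "b2", "Expires": _EXP},
    {"Domain": ".adnetwork.example", "Name": "uid", "Path": "/", "Value": "c3", "Expires": _EXP},
    {"Domain": ".adnetwork.example", "Name": "seg", "Path": "/", "Value": "d4", "Expires": _EXP},
    {"Domain": "metrics.example", "Name": "visitor", "Path": "/", "Value": "e5", "Expires": _EXP},
])

# Hypothetical keep-list: sites you log into and want to stay signed in to.
VISITED = ["apple.com", "amazon.com"]


def backup(store: Path) -> Path:
    """Step 2: copy the cookie store aside before changing anything."""
    dest = store.with_name(store.name + time.strftime(".bak-%Y%m%d-%H%M%S"))
    shutil.copy2(store, dest)
    return dest


def load_cookies(store: Path) -> list:
    """Read the plist (XML or binary) into a list of cookie dicts."""
    with open(store, "rb") as fh:
        return plistlib.load(fh)


def belongs_to(cookie_domain: str, site: str) -> bool:
    """True if the cookie's domain is the site or one of its subdomains.

    Matching on a dot boundary keeps "notapple.com" from passing as "apple.com".
    """
    domain = cookie_domain.lstrip(".").lower()
    site = site.lstrip(".").lower()
    return domain == site or domain.endswith("." + site)


def triage(cookies: list, visited: list) -> tuple:
    """Step 5: split cookie names by domain into (keep, review)."""
    keep, review = defaultdict(list), defaultdict(list)
    for cookie in cookies:
        domain = str(cookie.get("Domain", ""))
        wanted = any(belongs_to(domain, site) for site in visited)
        bucket = keep if wanted else review
        bucket[domain.lstrip(".").lower()].append(cookie.get("Name", "?"))
    return dict(keep), dict(review)


def write_pruned(cookies: list, visited: list, out_path: Path) -> int:
    """Write only the kept cookies to a separate plist; returns how many."""
    kept = [c for c in cookies
            if any(belongs_to(str(c.get("Domain", "")), s) for s in visited)]
    with open(out_path, "wb") as fh:
        plistlib.dump(kept, fh)
    return len(kept)


if __name__ == "__main__":
    workdir = Path(tempfile.mkdtemp())
    store = workdir / "Cookies.plist"  # stand-in for ~/Library/Cookies/Cookies.plist
    store.write_bytes(SAMPLE_PLIST)
    print("backup:", backup(store).name)
    cookies = load_cookies(store)
    keep, review = triage(cookies, VISITED)
    for domain, names in sorted(review.items()):
        print(f"review {domain}: {', '.join(names)}")
    print("kept:", write_pruned(cookies, VISITED, workdir / "pruned.plist"))
```

The store does not record whether a cookie arrived in a third-party context, so the "review" bucket is simply everything outside your keep-list, to be checked by eye before removal in Safari.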

Tracking Cookies aren't actually malware, and having a few buried in your cookie pile won't kill you. Nonetheless, they are a form of spyware. They are also IMHO of no benefit to anyone but marketing companies.
--

Wednesday, 13 May 2009

May 12: Massive Mac Update Day

--
Macintosh updates on the second Tuesday of the month?!
Déjà vu man. Is Apple syncing updates with Microsoft? Is this to make Enterprise IT folks happy? I strongly suspect so.

I prefer the ASAP approach. Waiting around for the second-Tuesday-of-the-month is a dim idea from my POV. Hmph. What happens in the Microsoft world is that hackers get geared up for THE DAY and pounce on all the announced security holes via new malware. This works very well because only a small percentage of people update their Microsoft software on THE DAY. This allows hackers a window of opportunity to get into user machines while the getting is good. Alternatively, the ASAP approach provides no expectation time for hackers. It also gets security patches out in the field immediately rather than waiting around for potentially weeks, during which time each security hole sits out there ripe for the hacking.

Therefore, I hope this second-Tuesday-of-the-month security update is merely coincidence. Sorry Enterprise IT folks! Having THE DAY each month for security patches may be convenient, but it is BAD security protocol. Security wins in this business.


Rules for System Update Preparation:

1) You know what I'm going to say: Make A Backup! Expect updates to go wrong. They often do.

2) Repair your boot system! It is amazing how many system updates go bad simply because the boot system was corrupt. What else would you expect? Boot from your system installation disk and run the repairs inside Disk Utility.

3) Repair your boot system preferences! Despite the myths, bad file permissions are also a prominent reason why system updates go bad. Again, what else would you expect? Note: You also need to repair your permissions AFTER the update. Adobe always leave behind a mess. Even Apple make slip ups! Apple left behind bad permission settings after Leopard Server Update 10.5.6! Expect it to happen. Use Disk Utility.

4) Don't forget to update! Keeping up with system updates is very important! Check this out:
An example of how few computer users actually apply updates: The Microsoft Windows security hole exploited by the Conficker worm was patched way back in October, 2008. And yet, the Conficker worm zombied an estimated 15 MILLION+ Windows boxes after Microsoft provided the patch. Incredible.

The Update List:


Your Mac's System Update app will tell you what updates are necessary for your particular setup. The list of updates from 5/12 is long. All the links below are for each update's general description and download page. Each page has a further link to its detailed information page. If you would like to go directly to the security improvements list for each update, please go HERE.

Safari v3.2.3 for Windows, 19.69 MB

Safari v3.2.3 for Tiger, 26.29 MB

Safari v3.2.3 for Leopard, 40 MB

Safari v4.0 Public Beta Security Update for Tiger, Leopard, Windows XP and Windows Vista

Security Update 2009-002 for Tiger PPC, 75 MB

Security Update 2009-002 for Tiger Intel, 165 MB

Security Update 2009-002 for Tiger Server PPC, 130 MB

Security Update 2009-002 for Tiger and Leopard Server, Universal, 203 MB

Mac OS X Combo Update 10.5.7 Leopard, including 2009-002, 729 MB

Mac OS X Server Combo Update 10.5.7 Leopard, including 2009-002, 951 MB

Mac OS X Update 10.5.7 Leopard, including 2009-002, 442 MB

Mac OS X Server Update 10.5.7 Leopard, including 2009-002, 452 MB

Coming up will be my summary and analysis of the security improvements provided by these updates.
--

Friday, 20 March 2009

Pwn2Own Browsers Hacked: IE 8, "Safari" and "Firefox"

--
This time of year is now one of traditional contention. It's time for Pwn2Own at CanSecWest. It is a fun contest held among security experts to crack the chosen subjects for each year. This year a selection of web browsers was used.

Of course after the contest there is lots of snickering and gossip. But for better or worse, what exactly happened at the contest is rarely revealed: the specific cracks used are not allowed to be published, so that they can be provided to the programmers of the cracked software for consideration and patching.

Questionable aspect of this year's contest: Windows 7ista was used in PC testing. It's in beta.

Losers so far this year:

1) "Safari" for Mac. I use quotes as I have not been able to find what version was used. Presumably it is the latest public release, and not the version 4 beta. It was cracked within 2 minutes. How cracked? Unstated. My speculation: That hell hole known as "JavaScript" which these days includes JScript, a holey mess perpetrated by Microsoft. Apple have consistently had JavaScript security problems, starting with QuickTime in 2006 over at MySpace.

2) "Firefox". Again I use quotes as I have not found the version number. Neither do I know which platform, which may well mean both Mac and PC. How cracked? Unstated.

3) Internet Explorer 8.0. This browser was JUST released. Oops. It should have stayed in beta. Again, specifics of the crack have not been made public.

For further details, keep an eye on the Security Watch blog at PC Magazine and the TippingPoint DVLabs blog. You can also follow TippingPoint's Twittering. The contest will conclude later today (Friday, 2009-03-20).
--
