Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets (securityledger.com) 47
chicksdaddy writes: There's such a fine line between clever and criminal. That's the unmistakable subtext of the latest FireEye report on a new "APT" style campaign that's using methods and tools that are pretty much indistinguishable from those used by media websites and online advertisers. The difference? This time the information gathered from individuals is being used to soften up specific individuals with links to international diplomacy, the Russian government, and the energy sector.
The company released a report this week that presented evidence of a widespread campaign (PDF) that combines so-called "watering hole" web sites with a tracking script dubbed "WITCHCOVEN" and Samy Kamkar's Evercookie, the super persistent web tracking cookie. The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.
While the aims of those behind the campaign aren't known, FireEye said the use of compromised web sites and surreptitious tracking scripts doesn't bode well. "While many sites engage in profiling and tracking for legitimate purposes, those activities are typically conducted using normal third-party browser-based cookies and commercial ad services and analytics tools," FireEye wrote in its report. "In this case, while the individuals behind the activity used publicly available tools, those tools had very specific purposes....This goes beyond 'normal' web analytics," the company said.
The company released a report this week that presented evidence of a widespread campaign (PDF) that combines so-called "watering hole" web sites with a tracking script dubbed "WITCHCOVEN" and Samy Kamkar's Evercookie, the super persistent web tracking cookie. The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.
While the aims of those behind the campaign aren't known, FireEye said the use of compromised web sites and surreptitious tracking scripts doesn't bode well. "While many sites engage in profiling and tracking for legitimate purposes, those activities are typically conducted using normal third-party browser-based cookies and commercial ad services and analytics tools," FireEye wrote in its report. "In this case, while the individuals behind the activity used publicly available tools, those tools had very specific purposes....This goes beyond 'normal' web analytics," the company said.
Re: (Score:2)
Because the advertisers don't want them to.
What can be done? (Score:2)
3rd party tools that remove all browser related data? Smarter browsers that have built in very deep clean options as a browser closes a window, tab or quits?
The 'analytics tools' are hard to escape even with a rotated VM, different browser, VPN, used OS, reported resolution, time zone?
Re: (Score:2)
I'm wondering if Lynx reports the resolution as columns x rows? (ex: 80x50)
Re:What can be done? (Score:5, Insightful)
Honestly? Stop letting arbitrary sites and their 3rd party partners run bloody scripts.
You don't go to an arbitrary website and essentially say "why you seem like a fine, upstanding web-site, by all means please execute some javascript and flash code".
Well, actually, people do it all the time. But it's been a stupid idea for the last 15 years. But for some reason the trust model of the internet continues to be built on doing exactly that.
The solution is to stop trusting the damned internet and letting every site run whatever code they and their ad partners think they feel they should.
Because, let's face it, the internet hasn't really been trustworthy in a VERY long time.
Re: (Score:2)
One major problem:
Sites are smart enough to detect that I am using evasive tactics so they simply don't allow access or make the site non-functional WITH the admonition that I have either blocked some of their stuff or I don't have the necessary stuff on board.
If I uninstall Java, Flash, and disable cookies, my goddam computer makes a nice fucking screen saver, and that's about it.
Re: (Score:2)
That's what the back button is for.
If YOU want to trust those sites, go right ahead .. I don't care what websites you use or trust.
Me, those sites which tell me I need to run Javascript or allow cookies get added to my blocked lists, and I click the back button. The next time I click on a link to that site, the whole thing is blocked.
Re: (Score:2)
So you are an assholian from another planet. How the fuck you gonna know a site has a (Java, Flash) bomb until you light the fuse?
Re: (Score:2)
uMatrix.
Applications? (Score:1)
Operating system and one browser, sure. It's part of the User-Agent field of an HTTP header.
But how can they know which browsers you have installed? And "applications"? Apart from knowing if you have Flash and Java installed, I don't see which applications they're talking about. My browser sure as hell isn't broadcas
Re:Applications? (Score:5, Interesting)
Maybe not simply 'installed', but if you use multiple browers to authenticate to the same website, and they have ways to insert tracking code on that website (such as from ad networks), they could easily link the two browsers.
Snowden's advice about blocking ad networks for security purposes actually makes perfect sense.
Re:Applications? (Score:5, Insightful)
Honestly, it has made perfect sense since the late 90s when you could get popup hell ... time and time again, ad networks have been demonstrated to be completely not trustworthy.
From back in the day when your page would get stuck loading because it was waiting for some @)##! ad site to finish loading (remember why Mozilla added the "block images from this site", or the ability to refuse cookies?) ... so popovers, popunders, misdirects, and a pretty long list of bad behavior.
How the hell it's taken this long for people to start realizing this I have no idea. It didn't become true because Snowden said it. It became true almost 20 years ago when ads started to pollute the internet, and hasn't ever stopped being true.
There's a reason many of us have disabled Flash for a VERY long time.
Me, I'd take pretty much anybody who says they work for an internet ad company and lock them in a cage with angry bears before I'd ever do anything so stupid as to trust them. Because you haven't been able to collectively trust them in almost 20 years.
Honestly, internet ads are about as trustworthy as having anonymous sex with strangers in parking lots littered with dirty needles; it's a terrible idea but people keep acting like it's the only way to keep the intertubes working.
Assume every single ad company is going to be lying, malicious dishonest people driven by greed and depraved indifference. Because enough of them are that you should.
Re: (Score:3)
It's also not even something where it only happens to shady sites, or shady/porn/etc ad networks. Even the flagship ad services, and mainstream websites have been affected.
The only way to protect yourself is to not accept arbitrary traffic from untrusted third parties
Re:Applications? (Score:5, Informative)
Tracking Browsers Without Cookies Or IP Addresses?
http://yro.slashdot.org/story/... [slashdot.org]
EFF Publishes Study On Browser Fingerprinting
http://yro.slashdot.org/story/... [slashdot.org]
EFF Says Forget Cookies, Your Browser Has Fingerprints
http://yro.slashdot.org/story/... [slashdot.org]
Browsers seem to send back a lot of basic data if asked that can build a nice profile over many visits.
Who is targeting whom? (Score:3)
Now compare this to the executive summary at the start of the article [securityledger.com]:
Does this mean non-Russian entities who do business with Russian entities are the targets?
Re: (Score:3)
ie it differs from the usual 5 eye optical collect it all options that get all the communications in the region and would not have to be found in any way
"actors are building profiles of potential victims and learning about the vulnerabilities in users’ computers.".
"and tailor future infection attempts."
"large numbers of legitimate w
Re: (Score:2)
about:config > toggle dom.storage.enable to False
and then watch Slashdot start to blow chunks. We're being tracked by Dice along with the best (worst) data scrappers.
Bad Guys Using "Good" Guys' Tools (Score:5, Informative)
NSA Uses Google Cookies to Pinpoint Targets for Hacking
https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/ [washingtonpost.com]
By Ashkan Soltani, Andrea Peterson, and Barton Gellman
December 10, 2013
The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using "cookies" and location data to pinpoint targets for government hacking and to bolster surveillance.
The agency's internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.
For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them.
The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance.
According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files or "cookies" that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie. These cookies typically don't contain personal information, such as someone's name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person's browser.
In addition to tracking Web visits, this cookie allows NSA to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. The slides say the cookies are used to "enable remote exploitation," although the specific attacks used by the NSA against targets are not addressed in these documents.
The NSA's use of cookies isn't a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion - akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs.
Separately, the NSA is also using commercially gathered information to help it locate mobile devices around the world, the documents show. Many smartphone apps running on iPhones and Android devices, and the Apple and Google operating systems themselves, track the location of each device, often without a clear warning to the phone's owner. This information is more specific than the broader location data the government is collecting from cellular phone networks, as reported by the Post last week.
"On a macro level, 'we need to track everyone everywhere for advertising' translates into 'the government being able to track everyone everywhere,'" says Chris Hoofnagle, a lecturer in residence at UC Berkeley Law. "It's hard to avoid."
These specific slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by the Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data that way, the companies know and are legally compelled to assist.
The NSA declined to comment on the specific tactics outlined in this story, but an NSA spokesman sent the Post a statement: "As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the Un
Re: (Score:1)
For those interested, Bruce Schneier's comments to the above article are here: NSA Tracks People Using Google Cookies [schneier.com], and the EFF's comments are here: NSA Turns Cookies (And More) Into Surveillance Beacons [eff.org].
'legitimate' tracking (Score:3)
While many sites engage in profiling and tracking for legitimate purposes
There's no such thing as legitimate tracking
Re: (Score:2)
There's no such thing as legitimate tracking
This this a thousand times this
Re: (Score:2)
There's no such thing as legitimate tracking
So you would like to enter your username and password for every Gmail page load and AJAX request and every slashdot comment? The server should have no way of knowing that you are the same you who entered "anti-pop-frustration" and "hunter2" in the login form just two page views ago?
Re: (Score:2)
Session cookies are a completely different subject. Don't confuse the issue.
These don't exist... (Score:2)
The only way it could possibly be legitimate is if they weren't stealing my private data... which reduces the number of parties who could legitimate track/profile to one, myself.
Re: (Score:2)
The only way it could possibly be legitimate is if they weren't stealing my private data...
It's not theft. You're not being deprived of something, and it's information that you're sending them when you use your browser so you're literally handing it to them. It may be misuse of information, however.
Re: (Score:2)
I'm being deprived of my right to privacy but more tangibly I'm being deprived of the value of the data they are stealing. My browsing history is data that belongs to me and only me and they are stealing that data and then selling it. The proceeds from any sale or use of my data are rightfully mine. They are also violating my copyright. My browsing history is a one of a kind creative work.
"it's information that you're sending them when you use your browser"
A quick cha
Self-destructing cookies (Score:3, Informative)
My parents were so wrong (Score:3)
As a child, they kept telling me that monsters were not real.
But in fact, the cookie monster really does exists.
Re: (Score:2)
I still am, the link should be in my signature.
Re: (Score:2)
As a child, they kept telling me that monsters were not real.
But in fact, the cookie monster really does exists.
Out parents also told us that sharing was good. Look at what RIAA has done to people who thought that was good advice.
Re: (Score:2)
They are real according to Sesame Street! Om nom, nom, nom...
Re: (Score:2)
At least (Score:2)