Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Privacy

Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets (securityledger.com) 47

chicksdaddy writes: There's such a fine line between clever and criminal. That's the unmistakable subtext of the latest FireEye report on a new "APT" style campaign that's using methods and tools that are pretty much indistinguishable from those used by media websites and online advertisers. The difference? This time the information gathered from individuals is being used to soften up specific individuals with links to international diplomacy, the Russian government, and the energy sector.

The company released a report this week that presented evidence of a widespread campaign (PDF) that combines so-called "watering hole" web sites with a tracking script dubbed "WITCHCOVEN" and Samy Kamkar's Evercookie, the super persistent web tracking cookie. The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.

While the aims of those behind the campaign aren't known, FireEye said the use of compromised web sites and surreptitious tracking scripts doesn't bode well. "While many sites engage in profiling and tracking for legitimate purposes, those activities are typically conducted using normal third-party browser-based cookies and commercial ad services and analytics tools," FireEye wrote in its report. "In this case, while the individuals behind the activity used publicly available tools, those tools had very specific purposes....This goes beyond 'normal' web analytics," the company said.

This discussion has been archived. No new comments can be posted.

Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets

Comments Filter:
  • Some new version of the The EFF SSL Observatory https://www.eff.org/observator... [eff.org] to send details on strange altered deeper browser settings?
    3rd party tools that remove all browser related data? Smarter browsers that have built in very deep clean options as a browser closes a window, tab or quits?
    The 'analytics tools' are hard to escape even with a rotated VM, different browser, VPN, used OS, reported resolution, time zone?
    • I'm wondering if Lynx reports the resolution as columns x rows? (ex: 80x50)

    • by gstoddart ( 321705 ) on Friday November 20, 2015 @09:26AM (#50969343) Homepage

      Honestly? Stop letting arbitrary sites and their 3rd party partners run bloody scripts.

      You don't go to an arbitrary website and essentially say "why you seem like a fine, upstanding web-site, by all means please execute some javascript and flash code".

      Well, actually, people do it all the time. But it's been a stupid idea for the last 15 years. But for some reason the trust model of the internet continues to be built on doing exactly that.

      The solution is to stop trusting the damned internet and letting every site run whatever code they and their ad partners think they feel they should.

      Because, let's face it, the internet hasn't really been trustworthy in a VERY long time.

      • One major problem:

        Sites are smart enough to detect that I am using evasive tactics so they simply don't allow access or make the site non-functional WITH the admonition that I have either blocked some of their stuff or I don't have the necessary stuff on board.

        If I uninstall Java, Flash, and disable cookies, my goddam computer makes a nice fucking screen saver, and that's about it.

        • One major problem:

          Sites are smart enough to detect that I am using evasive tactics

          That's what the back button is for.

          If YOU want to trust those sites, go right ahead .. I don't care what websites you use or trust.

          Me, those sites which tell me I need to run Javascript or allow cookies get added to my blocked lists, and I click the back button. The next time I click on a link to that site, the whole thing is blocked.

          If I uninstall Java, Flash, and disable cookies, my goddam computer makes a nice fucking scre

  • The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.

    Operating system and one browser, sure. It's part of the User-Agent field of an HTTP header.

    But how can they know which browsers you have installed? And "applications"? Apart from knowing if you have Flash and Java installed, I don't see which applications they're talking about. My browser sure as hell isn't broadcas

    • Re:Applications? (Score:5, Interesting)

      by oneiros27 ( 46144 ) on Friday November 20, 2015 @09:33AM (#50969405) Homepage

      Maybe not simply 'installed', but if you use multiple browers to authenticate to the same website, and they have ways to insert tracking code on that website (such as from ad networks), they could easily link the two browsers.

      Snowden's advice about blocking ad networks for security purposes actually makes perfect sense.

      • Re:Applications? (Score:5, Insightful)

        by gstoddart ( 321705 ) on Friday November 20, 2015 @09:56AM (#50969543) Homepage

        Snowden's advice about blocking ad networks for security purposes actually makes perfect sense.

        Honestly, it has made perfect sense since the late 90s when you could get popup hell ... time and time again, ad networks have been demonstrated to be completely not trustworthy.

        From back in the day when your page would get stuck loading because it was waiting for some @)##! ad site to finish loading (remember why Mozilla added the "block images from this site", or the ability to refuse cookies?) ... so popovers, popunders, misdirects, and a pretty long list of bad behavior.

        How the hell it's taken this long for people to start realizing this I have no idea. It didn't become true because Snowden said it. It became true almost 20 years ago when ads started to pollute the internet, and hasn't ever stopped being true.

        There's a reason many of us have disabled Flash for a VERY long time.

        Me, I'd take pretty much anybody who says they work for an internet ad company and lock them in a cage with angry bears before I'd ever do anything so stupid as to trust them. Because you haven't been able to collectively trust them in almost 20 years.

        Honestly, internet ads are about as trustworthy as having anonymous sex with strangers in parking lots littered with dirty needles; it's a terrible idea but people keep acting like it's the only way to keep the intertubes working.

        Assume every single ad company is going to be lying, malicious dishonest people driven by greed and depraved indifference. Because enough of them are that you should.

        • Nevermind the fact that ad networks have been used on multiple occasions as delivery mechanisms for malware, including "drive by" attacks where you don't even need to click anything. Just visit a seemingly innocuous page, and bam, infected.

          It's also not even something where it only happens to shady sites, or shady/porn/etc ad networks. Even the flagship ad services, and mainstream websites have been affected.

          The only way to protect yourself is to not accept arbitrary traffic from untrusted third parties
    • Re:Applications? (Score:5, Informative)

      by AHuxley ( 892839 ) on Friday November 20, 2015 @09:34AM (#50969413) Journal
      A few years ago (2010~2011)
      Tracking Browsers Without Cookies Or IP Addresses?
      http://yro.slashdot.org/story/... [slashdot.org]
      EFF Publishes Study On Browser Fingerprinting
      http://yro.slashdot.org/story/... [slashdot.org]
      EFF Says Forget Cookies, Your Browser Has Fingerprints
      http://yro.slashdot.org/story/... [slashdot.org]
      Browsers seem to send back a lot of basic data if asked that can build a nice profile over many visits.
  • by Crowd Computing ( 4269575 ) on Friday November 20, 2015 @09:30AM (#50969369)
    The article appears conflicted as to who is attacking whom. Read the PDF report [fireeye.com] the article is based on. In the table of contents on page 2, we see the following item:

    Likely Intended Targets: Government Officials and Executives in the U.S. and Europe

    Now compare this to the executive summary at the start of the article [securityledger.com]:

    In-brief: FireEye is warning about a sophisticated campaign of online surveillance that combines web “super cookies” and common analytics software to target individuals with links to international diplomacy, the Russian government and the energy sector.

    Does this mean non-Russian entities who do business with Russian entities are the targets?

    • by AHuxley ( 892839 )
      It seems someone is interested in that part of the world and any related traffic but has to use, can only use, can afford or wants to be seen as using browser methods.
      ie it differs from the usual 5 eye optical collect it all options that get all the communications in the region and would not have to be found in any way
      "actors are building profiles of potential victims and learning about the vulnerabilities in users’ computers.".
      "and tailor future infection attempts."
      "large numbers of legitimate w
  • by Anonymous Coward on Friday November 20, 2015 @09:51AM (#50969519)

    NSA Uses Google Cookies to Pinpoint Targets for Hacking
    https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/ [washingtonpost.com]
    By Ashkan Soltani, Andrea Peterson, and Barton Gellman
    December 10, 2013

    The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using "cookies" and location data to pinpoint targets for government hacking and to bolster surveillance.

    The agency's internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.

    For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them.

    The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance.

    According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files or "cookies" that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie. These cookies typically don't contain personal information, such as someone's name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person's browser.

    In addition to tracking Web visits, this cookie allows NSA to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. The slides say the cookies are used to "enable remote exploitation," although the specific attacks used by the NSA against targets are not addressed in these documents.

    The NSA's use of cookies isn't a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion - akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs.

    Separately, the NSA is also using commercially gathered information to help it locate mobile devices around the world, the documents show. Many smartphone apps running on iPhones and Android devices, and the Apple and Google operating systems themselves, track the location of each device, often without a clear warning to the phone's owner. This information is more specific than the broader location data the government is collecting from cellular phone networks, as reported by the Post last week.

    "On a macro level, 'we need to track everyone everywhere for advertising' translates into 'the government being able to track everyone everywhere,'" says Chris Hoofnagle, a lecturer in residence at UC Berkeley Law. "It's hard to avoid."

    These specific slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by the Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data that way, the companies know and are legally compelled to assist.

    The NSA declined to comment on the specific tactics outlined in this story, but an NSA spokesman sent the Post a statement: "As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the Un

  • by anti-pop-frustration ( 814358 ) on Friday November 20, 2015 @10:12AM (#50969699) Journal

    While many sites engage in profiling and tracking for legitimate purposes

    There's no such thing as legitimate tracking

    • by emho24 ( 2531820 )

      There's no such thing as legitimate tracking

      This this a thousand times this

    • There's no such thing as legitimate tracking

      So you would like to enter your username and password for every Gmail page load and AJAX request and every slashdot comment? The server should have no way of knowing that you are the same you who entered "anti-pop-frustration" and "hunter2" in the login form just two page views ago?

  • "While many sites engage in profiling and tracking for legitimate purposes.."

    The only way it could possibly be legitimate is if they weren't stealing my private data... which reduces the number of parties who could legitimate track/profile to one, myself.
    • The only way it could possibly be legitimate is if they weren't stealing my private data...

      It's not theft. You're not being deprived of something, and it's information that you're sending them when you use your browser so you're literally handing it to them. It may be misuse of information, however.

      • "You're not being deprived of something"

        I'm being deprived of my right to privacy but more tangibly I'm being deprived of the value of the data they are stealing. My browsing history is data that belongs to me and only me and they are stealing that data and then selling it. The proceeds from any sale or use of my data are rightfully mine. They are also violating my copyright. My browsing history is a one of a kind creative work.

        "it's information that you're sending them when you use your browser"

        A quick cha
  • by comrade1 ( 748430 ) on Friday November 20, 2015 @10:21AM (#50969789)
    I used a combination of plugins self-destructing cookies, disconnect, and u-block. Works well. Just don't whitelist Google sites or social media. You can use your browser's password store if you get tired of having to log in after every time you close your browser window.
  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Friday November 20, 2015 @01:34PM (#50971049)

    As a child, they kept telling me that monsters were not real.

    But in fact, the cookie monster really does exists.

    • As a child, they kept telling me that monsters were not real.

      But in fact, the cookie monster really does exists.

      Out parents also told us that sharing was good. Look at what RIAA has done to people who thought that was good advice.

    • by antdude ( 79039 )

      They are real according to Sesame Street! Om nom, nom, nom...

  • Comment removed based on user account deletion
  • According to the referenced story, Better Privacy will take care of the evercookie. And not using scriptblocker is the web's version of unprotected sex with Charlie Sheen.

No spitting on the Bus! Thank you, The Mgt.

Working...