- Table of Contents
- Overview
- Web Application Security
- Operating System Security New
- Network Security
- Hardening Your System
- Overview
- Start with the Operating System
- Protection/Prevention Tools
- Detection Tools: Snort
- Detection Tools: IDS for Windows
- Detection Tools: Honeypots
- Detection Tools: Honeyd
- Auditing Tools: KNOPPIX
- Auditing Tools: Fragroute
- Beginning SOHO Security
- Graphics Attacks
- Reverse Engineering and Program Understanding
- White Box vs. Gray Box Analysis
- Using Gray Box Techniques to Find Vulnerabilities in Microsoft SQL Server
- Using Cipher.exe
- Tor: An Anonymous Internet Communication System
- Using the Applied Watch Command Center to Manage Open Source Security, Part 1
- Using the Applied Watch Command Center to Manage Open Source Security, Part 2: Product Review of the Applied Watch Command Center
- Using the Applied Watch Command Center to Manage Open Source Security, Part 3
- Access Control Systems, Part 1
- Access Control Systems, Part 2
- Access Control Systems, Part 3
- Beginner's Guide to Programming for Security Practitioners
- Business Continuity Planning and Disaster Recovery Planning, Part 1
- Business Continuity Planning and Disaster Recovery Planning, Part 2
- Physical Security: The Often Neglected Information Security
- Breaking Physical Security
- Tracking with Flash "Cookies"
- Wireless Security
- Mobile Security
- Data Forensics
- Legal and Ethical Issues of Security
- Home User Security New
- Additional Resources
Tracking with Flash "Cookies"
Last updated Oct 5, 2007.
Cookies have long been a part of the online experience because they provide that much needed connection between the web site and the user that disappears when the browser is closed. Without the existence of cookies, the Internet would be a lot less user friendly. This is because the cookie holds information that lets the cookie owner know who you are and more. For example, the cookie could hold authentication data that can be used to automatically log you into a website, or settings that the web application reads that help it create a customized website with visual aspects you have predefined.
While this is great, cookies have long had a bad name because they can be abused and misused by online marketing agencies to track your surfing habits. For example, doubleclick.net will place a cookie on your computer when you visit Slashdot.org, a very popular site for computer geeks. Once this cookie is on your computer, doubleclick.net now has the ability to build a profile that tells them what websites you go to. With this knowledge, from they can then feed you customized advertising that fits your apparent interests. To illustrate, if you next went to Pandora.net, doubleclick.net will check to see if there is a cookie belonging to its domain and will read the id value from that cookie. It then does a quick look up in its database and sees that you also have been to Slashdot.org. As a result, you are probably a male computer geek who likes music.
Obviously, this type of privacy violation gets under the skin of people like myself. I don't want someone tracking me around online knowing what I do and where I go. For me, it is essentially the same thing as wearing a GPS unit all the time that anyone can tap into. So, to mitigate the perceived risks, I delete my cookies regularly. Other options to avoid cookie tracking include blocking all cookies via the browser, or using two different browsers — one for research and the other for casual surfing. The point is that the community in general is aware of the risks associated with cookies and can use a collection of tools/techniques to maintain control as they see fit.
So, what if we told you there was another way that companies can track you around the Internet that is even more effective than cookies? Well, this is not only possible, but via this method it is possible to track users from site to site, even if they bounce between Firefox, IE and Opera. For someone who likes their privacy, this type of intrusion is concerning. And what is more concerning is that few seem to know about it.
Tracking with Flash
Flash based web content is exploding on the Internet. It seems as if most major site out there incorporates at least some little flashy component, which means most users have Flash enabled browsers. While there is no denying the visual attractiveness of this technology, there have been and still are numerous security related threats that should be understood before using Flash.
First, Flash operates outside the boundaries of your browser. Much like Java applets, Flash movies are independent and rely on the security model within itself. As a result, it has been discovered that Flash movies do not follow the rules that browsers have implemented for years. For example, you can change the referrer in a Flash GET request made to a website. In addition, you can also send HTTP Basic Auth requests via Flash files. As a result, it is trivial to use a hidden Flash movie on a website that attempts to gain access to your firewall/router via hidden HTTP GET requests. If your router's password was not changed from the default, a malicious Flash file can change your settings.
Since Flash runs independently from the browser, it needs its own temporary storage area for web sites to store information related to the Flash movie. In many ways, this process mirrors how browsers and cookies operate. With one exception, not many people know about this dump and, as a result, they don't know it should be cleaned out with the cookies. Otherwise, you could be leaving behind sensitive data that you were not even aware existed. To illustrate, Pandora.com uses these Flash files to store your account information, so even if you dump your cache/cookies, the Flash components of Pandora will grab the v4_UserCredentials.sol file from your local system and use that data to validate your browser.
On Windows XP, you can find the dump at C:\Documents and Settings\<User name>\Application Data\Macromedia\Flash Player\#SharedObjects\. To purge your Flash "cookies," you can either delete the content from this folder or use Adobe's flash or go to http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html#117498 and use the Adobe Flash Player Setting Manager to set your disk space usage to by sliding the bar all the way to the left. You can also access this manager by right clicking on any Flash movie, clicking on the folder, and sliding the bar as shown in Figure 1.
)
Figure 1: Adjusting the Flash Player settings for privacy
However, if you do this and then return to Pandora.com, you are now presented with a window telling you that you must enable Flash storage! So, just like JavaScript, which many people do not allow to run due to security concerns, you must make the choice to get the most out of your surfing experience, or put security as your top priority.
Summary
If we look at the peripherals to the main HTML parsing engine of the browser, you can see that there is a seriously discouraging pattern. The cookie is either disabled or deleted often by most IT professionals, and even the average user knows there are risks. ActiveX is all but non-existent on the Internet because it has been found to be vulnerable to numerous serious bugs. JavaScript is untrusted because it is very dangerous and equally as powerful. So, is it no surprise that Flash should suffer the same consequence?
Unfortunately, not many people know that Flash has these issues and as such, marketers are using Flash to bypass the cookie blockers. In addition, your sensitive data is at risk if you use a website that stores data in the Flash store that you do not know is there. Just consider the ramifications if I would have used Pandora at a public terminal! So, if this is new to you, take it to heart and spread the word — your Flash cache can come back to haunt you.
Digg
Del.icio.us
Your Account
Account Sign In
View your cart