Threat Brief email tracking…

Threat Brief's "Daily Threat Brief, or DTB, is a daily open source intelligence report modeled after the concept of the President's Daily Brief (PDB). Every day the analysts of Cognito succinctly provide insights into global risk and security issues in ways that can reduce your personal and business risks and inform your strategic decision making." You can subscribe to receive email highlights of these reports on a daily basis, which is more or less useful for security people.

Threat Brief does not use its own business email server to send out the daily briefs (smart); instead it subscribes to a service provider that tracks the links in the email that you'd click on:

http://threatbrief.us1.list-manage.com/track/click?u=xxxxxxxxxxxxxxxx&id=xxxxxxxxxxxxxx=xxxxxxxxxxx*

*-Actual tracking IDs replaced by x

That's nothing new; this has been done on a regular basis. What's new is that the list-manage.com site does not show the clicked email link in the browser if the browser happens to be IE11, secured as it should be, with Ghostery blocking tracking scripts on top of that.
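To make visible what a click on one of these links hands to the mass-mailer, here is a small Node.js script (an added example, not code from the original post or from Threat Brief or MailChimp) that pulls every link out of an email body, recognizes redirector hosts from a constructed list, and lists the query parameters the redirector receives before it forwards the reader to the real article. The sample email body, the dummy ids and the second redirector domain are constructed for the example; the parameter names u, id and e follow the pattern of the tracking URL above, with e assumed to be the per-recipient id.

```javascript
// Added example (not from the original post): classify the links in a
// marketing email and show which ones pass through a click-tracking
// redirector before reaching the real destination. Runs under Node.js
// with no dependencies; the redirector list and the sample email body
// are constructed for this example.

// Constructed list of redirector domains that wrap links for per-recipient
// click tracking. list-manage.com is the one seen in the Threat Brief
// email; example-tracker.test is a placeholder.
const CLICK_TRACKER_DOMAINS = ['list-manage.com', 'example-tracker.test'];

// True when hostname is the domain itself or a subdomain of it
// (suffix match on a label boundary, so "list-manage.com.evil.test" is not
// mistaken for list-manage.com).
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}

// Parse one href and describe what a click on it would reveal.
function analyzeLink(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { href, kind: 'unparseable' };
  }
  const trackerDomain = CLICK_TRACKER_DOMAINS.find((d) => hostMatches(url.hostname, d));
  if (!trackerDomain) {
    return { href, kind: 'direct', host: url.hostname };
  }
  // Every query parameter on a redirector link is data the tracker receives
  // when the recipient clicks: account/list ids, a per-recipient id, and
  // sometimes the destination itself.
  const params = {};
  for (const [k, v] of url.searchParams) params[k] = v;
  return { href, kind: 'tracked', host: url.hostname, trackerDomain, params };
}

// Pull every href out of an HTML email body (a simple regex is enough for
// the anchor tags a mass-mailer emits) and analyze each one.
function analyzeEmailLinks(html) {
  const hrefRe = /<a\s[^>]*href\s*=\s*["']([^"']+)["']/gi;
  const results = [];
  let m;
  while ((m = hrefRe.exec(html)) !== null) results.push(analyzeLink(m[1]));
  return results;
}

// Constructed sample email body; USERID, LINKID and RECIPIENTID are dummy
// values standing in for the real tracking ids.
const SAMPLE_EMAIL = `
<p>Today's brief:</p>
<a href="http://threatbrief.us1.list-manage.com/track/click?u=USERID&id=LINKID&e=RECIPIENTID">Read the DTB</a>
<a href="https://www.example.com/about">About us</a>
<a href="http://threatbrief.us1.list-manage.com/unsubscribe?u=USERID&e=RECIPIENTID">Unsubscribe</a>
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of analyzeEmailLinks(SAMPLE_EMAIL)) console.log(r);
}
```

Run it with node and each link is reported as direct or tracked; the tracked entries show the ids that tie the click to you as a recipient. The same list-manage.com host also serves the unsubscribe link, so unsubscribing is itself a tracked click.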

The tracking script blocked by Ghostery is MailChimp Tracking:

Monkey business

Cue the jokes about monkey business, etc… 🙂

While tracking isn't necessarily a security risk for the most part, it certainly can be, and it is without question a threat to the privacy of the end user. Now, why would Threat Brief use a third-party mass-mailer that results in privacy and potential security risks for the recipients of the Daily Threat Brief? That's beyond me… Isn't that a contradiction of the intended purpose of the threat brief?

After evaluating the "risk and security issues" of the tracking method employed for the daily threat emails, unsubscribing is in order. Fortunately, there's an unsubscribe link at the bottom of the daily brief; let's see how that one works…

 

Difference between US and EU privacy laws…

The difference between the privacy laws in the US and the EU can be summed up in a couple of sentences.

In the US, privacy laws are sectoral and do not apply to all industries. On the other side of the pond, the EU has privacy laws that apply to all industries, including foreign entities.

This difference requires US companies to comply with EU privacy laws if and when they do business in EU countries. This can result in some interesting changes to their websites when EU citizens visit the company pages.

Take for example this Microsoft website link for people in Great Britain:

Microsoft Download Site for Great Britain

If you click on the link, you’ll see this warning in your browser:

Great Britain English download
The EU privacy laws require MS, and pretty much everyone who does business in the EU, to display this message:

By using this site you agree to the use of cookies for analytics, personalized content and ads.

One can select "No, thanks"; the end user stays on the English-GB site, and the end user's browsing activities are tracked.

The warning also asks if you'd prefer the US-English website; let's take the same Microsoft website link for people in the US:

Microsoft Download Site for the US

If you click on the link, you’ll see no warning in your browser:

US English download

End user browser activity tracking is a given within the US; no permission is required…

That pretty much sums up the difference between EU and US privacy laws on a personal level. Basically, within the EU people need to opt in to allow collection of their data, while in the US people are opted in by default and would need to opt out if they object.

On either side of the pond, a browser plugin or add-on is necessary to block tracking of end user browser activities. For example, when visiting either of the websites with the Ghostery plugin active, it blocks the MS tracking:

ghostery and ms

PS: This post looked at Microsoft website links as examples; other US companies have similar website redirection for EU countries.

The choice between browser security and privacy…

Enhanced Protected Mode of Internet Explorer 10 is a defense-in-depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It's an extra layer of protection that locks down parts of your system that your browser ordinarily doesn't need to use. Enhanced Protected Mode also disables plugins, which can be activated temporarily by the end user on a site-by-site basis. And this is the point where it interferes with privacy plugins…

Neither DoNotTrackMe from Abine nor Ghostery is compatible with the IE10 64-bit version with Enhanced Protected Mode enabled. While the installation of these plugins proceeds without warning, the first time IE starts after installing DoNotTrackMe, it pops up this message:

DoNotTrackMe warning!

More of the same for Ghostery:

Ghostery warning!

The download page for Ghostery provides some information about the incompatibility with IE10 running on a 64-bit OS:

64-bit MS OS

IE10 64-bit mode with Enhanced Protected Mode active disables these plugins, rightfully so, based on the security risk that logging in with administrative account level access poses to the system. Disabling Enhanced Protected Mode is an option, at the expense of security.

IE10 32-bit mode with Enhanced Protected Mode active does not disable these plugins; however, it may provide an easy attack vector for hackers to exploit the system with the "built-in" administrative access.

Seemingly, these IE plugins did not keep up with OS and browser advancements; they are pretty much stuck in the 32-bit software world. As such, if your system is based on 64-bit Windows with IE10, you have a choice to make. Would you prefer security over privacy, or privacy over security?

Tough call…

Browser activity tracking…

Browser activity tracking has been in existence since, well, we have had browsers. The first tracking method was based on browser cookies, which provided limited local storage of 4,096 bytes, or 4K. For tracking and marketing purposes the storage provided by the cookie has not been sufficient, and Local Shared Objects (LSO), or Flash cookies, made their way to the end user's PC. This method requires Flash installed on the PC, and end users had/have some control over the Flash cookies. These cookie types were tied to the individual site in question; in other words, there was no collection of tracking information from all websites into a central repository.

Centralizing browser tracking information was made possible by JavaScript and third-party provided services, such as Google Analytics (GA). Initially, Google's "free" service was intended for webmasters and provided detailed website statistics for the sites that opted in to this service. In the process, Google amassed a central repository of browser activity tracking information that proved to be valuable for advertising purposes, and as such the information is being sold to marketing companies. The "free" GA is still available and most webmasters do use this service, which provides continuous updates for Google's central repository. Google actually derives 90-95% of its income from selling advertisers the collected information. There are a number of other companies that rely on the same method for generating their income and collect browser tracking information without the end user's consent.

Running hidden scripts on the end user's system and collecting information about the end user is, at the very least, a privacy risk. The information collected may include sensitive private details: location, interests, age, sexual orientation, sexual habits, relationship status, religion, political views, health concerns, employment status, and more. Increasingly, the collected online information, or end user profile, is being correlated with offline information for a better success rate of the advertisement campaign.

The profile based on Internet activities certainly can provide some benefits for end users and will trigger behavioral-based ads showing up in the browser or email. If you're looking for the item being advertised, you may even find this great, or just cannot resist the sale price. The problem isn't buying products on the web, rather the profile in itself. That profile may be used by big corporations and health insurance companies to make decisions about you that can literally affect your life and livelihood. You may not get the job where the interview went great, or your health insurance application is denied because of your "established" profile. This profile has its own life, and the individual in the profile cannot change it easily, or at all.

The security risk isn't that clear, but consider this. Hackers use the same iframe method to install malware on your computer. How it works is rather simple. The hackers gain control of a website and insert an iframe, a.k.a. a web beacon or one-pixel white image, into the site's HTML code. The web beacon points to the malicious script; the browser downloads this script when the user visits the site and executes it in the background on the unsuspecting end user's PC. This is much like how the tracking scripts work, which also could be used for malicious purposes. In a certain view, tracking scripts collecting private information about the unsuspecting end user are already malicious enough…

Disabling iframes will prevent tracking; however, the Internet browsing experience will suffer greatly. So, what can you do to prevent companies from tracking your Internet activities?

The Do Not Track (DNT) HTTP header standard will not prevent advertisers from collecting information about you, as posted earlier. The proposed DNT standard is heavily influenced by advertisers and as such it protects their interests and does not care much about the end user's privacy.

The tracking companies have a standardized method for calling and executing their scripts hidden from the end users. The method is basically an HTTP link that includes the website's identification number. For example, Google's JavaScript is referenced as:

// the tracker library is loaded from "google-analytics.com/ga.js"
try {
  var pageTracker = _gat._getTracker("XX-0000000-0"); // * the site's GA account ID
  pageTracker._trackPageview();                        // reports this page view to Google
} catch (err) {}
*Actual site ID number is removed and the full script is not shown

For people who do not want their Internet activities tracked, there are free browser add-ons that block known tracking companies' scripts from executing. While it is a possibility that these add-ons themselves track browser activities, they nonetheless block about 1,400 known tracking companies from collecting browser activity information.

Abine DNT+

Do Not Track Plus is a corporation-supported, closed-source browser add-on that blocks tracking companies from collecting end users' information. DNT+ should not be mistaken for the proposed DNT standard; while the naming can be confusing, they have no relation whatsoever. DNT+ actually blocks tracking and is end user controlled, vs. DNT, which is voluntary at the current time and does not provide end user control. The interface displayed on the left is pretty straightforward. DNT+ can block social networking site tracking, advertisement company, and tracking company scripts. The configuration is pretty simple: under "Settings" just click on "Block all" and you're done. DNT+ also displays the number of tracking scripts that have been blocked. And yes, the number of more than 13,000 is correct and was reached after about three months.

DNT+ is available from Abine free of charge and currently supports Firefox, Internet Explorer, Chrome, and Safari on Windows and Macs. DNT+ currently does not have a mobile device offering, but it's in the works.

The automated installation package can be downloaded here

Ghostery is a community-supported, open-source browser add-on that is also available for free. It supports all major browsers for PCs and Macs.

ghostery

The interface displayed on the right isn't as "pretty", but it is just as effective as DNT+, if not more so. The configuration is simple: just select "Block all" within the "Settings" pages and it will block all known tracking scripts.

Ghostery does not display the number of scripts that have been blocked. This might be beneficial for the end users, since this number can also be used for tracking purposes. One benefit of Ghostery is the knowledge pages, which display a lot of interesting information about the tracking company. Among other information, the knowledge page displays the type of information collected, retention and sharing policy, privacy policy link, the number of websites using the tracking company, etc.

Ghostery installation source can be downloaded from here

The images display the number of tracking companies being blocked when visiting a single web page. Why are there so many companies tracking a single page?

The answer is in how the web page in question was created. Most web pages nowadays use "iframe" to insert content from other websites without actually writing the content. When this other content is inserted in the visited page, it also loads its tracking companies' scripts. In other words, when a single page is visited there might be 10-15 other pages visited as well, and the same number of blocked tracking scripts shows up in these browser add-ons.
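To see where those 10-15 extra loads come from, here is a Node.js script (an added example, not code from the original post nor from Ghostery or DNT+) that walks the script, iframe and img tags of a page, resolves each src against the page address, separates first-party from third-party loads, flags one-pixel third-party images as web beacons, and counts how many loads a "Block all" setting would stop against a small tracker database. The tracker database, the fictional site and its page are constructed for the example; only google-analytics.com comes from the post.

```javascript
// Added example (not from the original post): audit the remote resources a
// page pulls in and report which are third-party and which belong to a
// known tracking company, the way a blocker counts blocked scripts on a
// single page. Runs under Node.js without dependencies; the tracker
// database and the sample page are constructed for this example.

// Constructed tracker database in the style of a blocker's list: domain to
// the company name the add-on would display. google-analytics.com is the
// domain referenced in the post; the .test domains are placeholders.
const TRACKER_DB = {
  'google-analytics.com': 'Google Analytics',
  'tracker-one.test': 'Tracker One (constructed)',
  'beacon-two.test': 'Beacon Two (constructed)',
};

// True when hostname is the domain itself or a subdomain of it.
function hostMatches(hostname, domain) {
  return hostname === domain || hostname.endsWith('.' + domain);
}

// Resolve a src attribute against the page URL so relative ("/js/app.js")
// and protocol-relative ("//host/ga.js") references get a hostname.
function resolveHost(src, pageUrl) {
  try {
    return new URL(src, pageUrl).hostname;
  } catch (e) {
    return null;
  }
}

// Collect every tag that fetches a remote resource: script, iframe, img.
function extractResources(html) {
  const tagRe = /<(script|iframe|img)\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*["']([^"']+)["']/i;
  const sizeRe = /\b(width|height)\s*=\s*["']?(\d+)/gi;
  const out = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[2];
    const src = srcRe.exec(attrs);
    if (!src) continue; // inline <script> has no src: nothing is fetched
    const dims = {};
    let d;
    while ((d = sizeRe.exec(attrs)) !== null) dims[d[1].toLowerCase()] = Number(d[2]);
    out.push({ tag: m[1].toLowerCase(), src: src[1], dims });
  }
  return out;
}

// Classify each resource relative to the page's own host.
function auditPage(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  return extractResources(html).map((r) => {
    const host = resolveHost(r.src, pageUrl);
    const thirdParty = host !== null && host !== pageHost;
    const trackerDomain = Object.keys(TRACKER_DB).find((d) => host && hostMatches(host, d));
    // A 1x1 image fetched from another host is the classic web beacon.
    const beacon = r.tag === 'img' && thirdParty && r.dims.width === 1 && r.dims.height === 1;
    return { ...r, host, thirdParty, tracker: trackerDomain ? TRACKER_DB[trackerDomain] : null, beacon };
  });
}

// What a "Block all" setting would have stopped: every load that matches
// the tracker database.
function blockedCount(audit) {
  return audit.filter((r) => r.tracker !== null).length;
}

// Constructed sample page for a fictional site.
const SAMPLE_PAGE_URL = 'https://www.example-site.test/news/today';
const SAMPLE_PAGE = `
<html><body>
<script src="/js/app.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
<script>var inline = 1;</script>
<iframe src="https://widgets.tracker-one.test/embed?site=123" width="300" height="250"></iframe>
<img src="https://beacon-two.test/pixel.gif" width="1" height="1" alt="">
<img src="/images/logo.png" width="120" height="40" alt="logo">
</body></html>
`;

if (typeof require !== 'undefined' && require.main === module) {
  const audit = auditPage(SAMPLE_PAGE, SAMPLE_PAGE_URL);
  for (const r of audit) {
    console.log(r.tag, r.host, r.thirdParty ? 'third-party' : 'first-party', r.tracker || '', r.beacon ? 'BEACON' : '');
  }
  console.log('would block:', blockedCount(audit));
}
```

For the constructed page the audit lists five fetched resources (the inline script fetches nothing), three of them third-party, all three matching the tracker database, and one of them a beacon. A real page embedding a dozen widgets produces the same kind of list, only longer, which is exactly the count the add-ons display. Note that, as the post warns later, this matches only domains already in the list; a script from a host nobody has catalogued yet is simply reported as third-party.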

It is up to you whether you want to block these tracking scripts. Certainly the tracking companies already have your profile; however, a stale profile is not valuable for marketing companies. As such, stale profiles are removed from their central repositories, even if not actually deleted.

Warning: Neither of the browser add-ons will block hackers' scripts; they only block known ad, social networking, and tracking companies' scripts.

Collusion for Firefox…

Collusion for Firefox is a browser add-on that, quote:

“Collusion is an experimental add-on for Firefox that allows you to see which sites are using third-party cookies to track your movements across the Web. It shows, in real time, how that data creates a spider-web of interaction between companies and other trackers.”

Firefox plugin

Currently the add-on is somewhat informative and displays a visual presentation of tracking sites; see the image on the left.

The final version of Collusion will add capabilities for blocking cookies for any node in the graph. It is somewhat interesting to see the companies tracking your Internet activities, and how your activities might be shared between these companies.

The better option is to collectively block tracking altogether with other add-ons, such as DNT+, Ghostery, NoScript, etc. DNT+ supports most browsers, except Opera, and Ghostery supports all browsers. The NoScript add-on is available for Firefox only.

If tracking of your Internet activity is a concern of yours, you do not need to wait for the final version of Collusion. Other add-ons are available now and do a good job of disabling the tracking of your Internet activities.