Threat Brief email tracking…

Threat Brief’s “Daily Threat Brief, or DTB, is a daily open source intelligence report modeled after the concept of the President’s Daily Brief (PDB). Every day the analysts of Cognito succinctly provide insights into global risk and security issues in ways that can reduce your personal and business risks and inform your strategic decision making.” You can subscribe to receive daily email highlights of these reports, which are more or less useful for security people.

Threat Brief does not use their business email server to send out the daily briefs, which is smart; instead they subscribe to a service provider that tracks the links in the email that you’d click on:

http://threatbrief.us1.list-manage.com/track/click?u=xxxxxxxxxxxxxxxx&id=xxxxxxxxxxxxxx=xxxxxxxxxxx*

* Actual tracking IDs replaced by x

That’s nothing new, this has been done on a regular basis. What’s new is that the list-manage.com site does not show the link clicked in the email in the browser, if the browser happens to be IE11, secured as it should be, with Ghostery blocking tracking scripts on top.

The tracking script blocked by Ghostery is from MailChimp Tracking:

Monkey business

Cue the jokes about monkey business, etc… 🙂

While tracking isn’t necessarily a security risk for the most part, it certainly can be, and it is a threat to the privacy of the end user without question. Now, why would Threat Brief utilize a third-party mass-mailer that results in privacy and potential security risks for the recipients of the Daily Threat Brief? That’s beyond me… Isn’t that a contradiction of the intended purpose of the threat brief?

After evaluating the “risk and security issues” of the tracking method employed for the daily threat emails, unsubscribing is in order. Fortunately, there’s an unsubscribe link at the bottom of the daily brief; let’s see how that one works…

 

The not so cute PUPs…

Most people know and adore pups like these:

Adorable pups

The not so cute PUPs are Potentially Unwanted Programs that may come preloaded on your brand new computer, or installed alongside programs that you add later. Just how prevalent are these PUPs? For example, 62% of the top 50 downloads on the download(dot)com website include PUPs.

So, what are these PUPs and why are they pushed to you? They can be anything, such as adware, browser toolbars, homepage hijackers, nagging scareware, etc.

Adware is pretty much self-explanatory; it monitors your internet access and pops up ads related to your activities. While the popup ads can be annoying, like during your PowerPoint presentation (ugh!), this puppy will also collect your personal information and send it “home”.

Browser toolbars install themselves into your browser to make your internet “browsing easier”. In exchange, this puppy will collect and send your personal information “home”, may pop up ads, or redirect your search results to its paying customers’ websites based on your internet activities.

The homepage hijacker changes your current home page and acts as the browser toolbar afterward.

Nagging scareware is the trial version of security software. This software promises to clean up and secure your computer. The trial version will scan your system and present scary results, but it does not allow you to fix them until you actually purchase a licensed version. The scary results have nothing to do with the state of your computer; they are auto-generated by the software to entice you to purchase the program. This puppy may have any of the other puppies integrated, which will be installed as well.

Ok… They are not breaking my computer, so what’s the harm?

Other than changing the behavior and performance of your computer, they also collect information about you. This information can be extensive and is correlated with offline data to tailor the popup ads to you and redirect your search results based on this information. The collected information about you is also sold or traded to data brokers.

Ok… But I have nothing to hide and they probably have everything about me anyway.

That’s seemingly a fair point, but… Your computer performance will degrade and your search results aren’t what you are looking for. Some people like popup ads and that’s fine, can’t argue with that. How you view your privacy is also a personal preference.

Except that data brokers want current information about the person, since that is what is valuable to them. Old data is pretty much useless as far as popping up ads is concerned. They are more than willing to pay for it and that is the main reason why these PUPs exist. If you don’t mind being a product created by these PUPs, there’s one more thing you should consider.

Malware has started to utilize these PUPs to do the dirty work. It ties into these programs to collect your information, redirect your browser to download the malware, and take over control of your computer. Once it does, it will make you pay a ransom to get your computer back. You don’t have to believe me, just read this blog from Malwarebytes.

So, what can I do about these PUPs?

Prevention is the best proactive measure that you can take for a PUP-free computer. Pay attention to the installation routine of the program that you want. Most of the PUPs are included as a recommended “additional program” that is selected by default to be installed. In most cases, you can deselect the recommended program and it won’t be installed. The more aggressive installation routines don’t allow you to deselect the PUP, and some of them install it hidden from you.

Ok, what do I do then?

Once you have settled down and stopped swearing, my recommendation is installing programs that remove PUPs. There are two of them on my computers that I use on a weekly basis:

  1. Malwarebytes Anti-Malware
  2. Emsisoft Emergency Kit Scanner

No, they do not install PUPs, don’t be silly, and they are free…

Preferably, download and install both of them, update the engine if needed, and run them one by one. While they are very good at removing PUPs, each program has its limitations. Just do it at least once and you’ll see how many PUPs you had on your computer. You can choose to keep them, if you don’t mind the privacy and security risk that these PUPs pose to your computer, or delete them. You should also run these anti-malware programs on a weekly basis, if you want to have a PUP-free computer.

The choice between browser security and privacy…

Enhanced Protected Mode of Internet Explorer 10 is a defense-in-depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It’s an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use. Enhanced Protected Mode also disables plugins, which can be activated temporarily by the end user on a site-by-site basis. And this is the point where it interferes with privacy plugins…

Neither DoNotTrackMe from Abine nor Ghostery is compatible with the IE10 64-bit version with Enhanced Protected Mode enabled. While the installation of these plugins proceeds without warning, the first time IE starts after installing DoNotTrackMe, it pops up this message:

DoNotTrackMe warning!

More of the same for Ghostery:

Ghostery warning!

The download page for Ghostery provides some information about the incompatibility with IE10 running on 64-bit OS:

64-bit MS OS

IE10 64-bit mode with Enhanced Protected Mode active disables these plugins, rightfully so, based on the security risk that logging in with administrative account level access poses to the system. Disabling Enhanced Protected Mode is an option, at the expense of security.

IE10 32-bit mode with Enhanced Protected Mode active does not disable these plugins; however, it may provide an easy attack vector for hackers to exploit the system with the “built-in” administrative access.

Seemingly, these IE plugins did not keep up with OS and browser advancements; they are pretty much stuck in the 32-bit software world. As such, if your system is based on 64-bit Windows with IE10, you have a choice to make. Would you prefer security over privacy, or privacy over security?

Tough call…

Browser activity tracking…

Browser activity tracking has been in existence since, well, we have had browsers. The first tracking method was based on browser cookies, which provided limited local storage of 4,096 bytes or 4K. For tracking and marketing purposes the storage provided by the cookie has not been sufficient, and Local Storage Objects (LSO), or Flash cookies, made their way to the end user’s PC. This method required Flash installed on the PC, and end users had/have some control over the Flash cookies. These cookie types were tied to the individual site in question; in other words, there was no collection of tracking information from all websites into a central depository.

Centralizing browser tracking information was made possible by JavaScript and third-party provided services, such as Google Analytics (GA). Initially, Google’s “free” service was intended for webmasters and provided detailed website statistics for the sites that opted in to this service. In the process, Google amassed a central depository of browser activity tracking information that proved to be valuable for advertisement purposes and, as such, the information is being sold to marketing companies. The “free” GA is still available and most webmasters do use this service, which provides continuous updates for Google’s central depository. Google actually derives 90-95% of its income from selling advertisers the collected information. There are a number of other companies that rely on the same method for generating their income and collect browser tracking information without the end user’s consent.

Running hidden scripts on the end user’s system and collecting information about the end user is, at the very least, a privacy risk. The information collected may include sensitive private details: location, interests, age, sexual orientation, sexual habits, relationship status, religion, political views, health concerns, employment status, and more. Increasingly, the collected online information, or end user profile, is being correlated with offline information for a better success rate of the advertisement campaign.

The profile based on Internet activities certainly can provide some benefits for end users and will trigger behavioral-based ads showing up in the browser or email. If you’re looking for the item being advertised, you may even find this great or just cannot resist the sale price. The problem isn’t buying products on the web, rather the profile in itself. That profile may be used by big corporations and health insurance companies to make decisions about you that can literally affect your life and livelihood. You may not get the job where the interview went great, or your health insurance application is denied because of your “established” profile. This profile has a life of its own and the individual in the profile cannot change it easily, or at all.

The security risk isn’t that clear, but consider this. Hackers use the same iframe method to install malware on your computer. How it works is rather simple. The hackers gain control of the website and insert an iframe, a.k.a. web beacon or one-pixel white image, into the site’s HTML code. The web beacon points to the malicious script; the browser downloads this script when the user visits the site and executes it in the background on the unsuspecting end user’s PC. This is much like how the tracking scripts work, which also could be used for malicious purposes. In a certain view, tracking scripts collecting private information about the unsuspecting end user are already malicious enough…

Disabling iframes will prevent tracking; however, the Internet browsing experience will suffer greatly. So, what can you do to prevent companies from tracking your Internet activities?

The Do Not Track (DNT) HTTP header standard will not prevent advertisers from collecting information about you, as posted earlier. The proposed DNT standard is heavily influenced by advertisers and, as such, it protects their interests and does not care much about the end user’s privacy.

The tracking companies have a standardized method for calling and executing their scripts hidden from the end users. The method is basically an HTTP link that includes the website’s identification number. For example, Google’s JavaScript is referenced as:

google-analytics.com/ga.js

try {
  var pageTracker = _gat._getTracker("XX-0000000-0"); // * site ID removed
  pageTracker._trackPageview();
} catch (err) {}

* Actual site ID number is removed and the full script is not shown

For people who do not want to have their Internet activities tracked, there are free browser add-ons that block known tracking companies’ scripts from being executed. While it is a possibility that these add-ons track browser activities, nonetheless, they do block about 1,400 known tracking companies from collecting browser activity information.

Abine DNT+

Do Not Track Plus is a corporation-supported closed source browser add-on that will block tracking companies from collecting end users’ information. DNT+ should not be mistaken for the proposed DNT standard; while the naming can be confusing, they have no relation whatsoever. DNT+ actually does block tracking and is end user controlled, vs. DNT that is voluntary at the current time and does not provide end user control. The interface displayed on the left is pretty straightforward. DNT+ can block social networking site, advertisement company, and tracking company scripts. The configuration is pretty simple: under “Settings” just click on “Block all” and you’re done. DNT+ also displays the number of tracking scripts that have been blocked. And yes, the number of more than 13,000 is correct and had been reached after about three months.

DNT+ is available from Abine free of charge and currently supports Firefox, Internet Explorer, Chrome, and Safari on Windows and Macs. DNT+ currently does not have a mobile device offering, but it’s in the works.

The automated installation package can be downloaded here

Ghostery is a community-supported open source browser add-on that is also available for free. It supports all major browsers for PCs and Macs.

ghostery

The interface displayed on the right isn’t as “pretty”, but it is just as effective as DNT+, if not more. The configuration is simple: just select “Block all” within the “Settings” pages and it will block all known tracking scripts.

Ghostery does not display the number of scripts that have been blocked. This might be beneficial for the end users, since this number can also be used for tracking purposes. One benefit of Ghostery is the knowledge pages, which display a number of interesting pieces of information about the tracking company. Among other information, the knowledge page displays the type of information collected, retention and sharing policy, privacy policy link, the number of websites using the tracking company, etc.

The Ghostery installation source can be downloaded from here

The images display the number of tracking companies being blocked when visiting a single web page. Why are there so many companies tracking a single page?

The answer is in how the web page in question had been created. Most web pages nowadays utilize “iframe” to insert content from other websites without actually writing the content. When these other contents are inserted in the visited page, they also load their tracking companies’ scripts as well. In other words, when a single page is visited, there might be 10-15 other pages visited, and the same number of blocked tracking scripts show up in these browser add-ons.
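To make this concrete, here is an added example (my own code, not from the post, Ghostery or DNT+) that audits the third-party loads in a page or an HTML e-mail: it lists external scripts, iframes, images and links, flags 1x1 images (the web beacons described above) and click-tracking redirector links of the list-manage.com shape from the first section, and matches hosts against a watch list. The watch list, the sample HTML, the example host names and the placeholder IDs are all constructed for this example and are not real identifiers.

```javascript
// Added example (not code from the post, Ghostery or DNT+): a small audit of the
// third-party loads in a page or an HTML e-mail, the kind of check the add-ons in
// the post perform. It lists every external script, iframe, image and link,
// flags 1x1 images (web beacons) and click-tracking redirector links, and
// matches hosts against a constructed watch list taken from this post.
const KNOWN_TRACKERS = ["google-analytics.com", "list-manage.com"]; // constructed, not complete

// Resolve a src/href against the page URL and return its host, or null.
function hostOf(ref, baseUrl) {
  try { return new URL(ref, baseUrl).hostname.toLowerCase(); }
  catch (e) { return null; }   // unparsable reference, e.g. "javascript:"
}

// True when host is `base` itself or a subdomain of it.
function matchesHost(host, base) {
  return host === base || host.endsWith("." + base);
}

function auditThirdParty(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  const findings = [];
  const tagRe = /<(script|iframe|img|a)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const attr = tag === "a" ? "href" : "src";
    const ref = new RegExp("\\b" + attr + "\\s*=\\s*[\"']([^\"']+)[\"']", "i").exec(attrs);
    if (!ref) continue;                        // inline script, anchor without href
    const host = hostOf(ref[1], pageUrl);
    if (!host || host === pageHost) continue;  // first-party load, not of interest here
    const w = /\bwidth\s*=\s*["']?(\d+)/i.exec(attrs);
    const h = /\bheight\s*=\s*["']?(\d+)/i.exec(attrs);
    findings.push({
      tag,
      host,
      known: KNOWN_TRACKERS.some((t) => matchesHost(host, t)),
      beacon: tag === "img" && !!w && !!h && w[1] === "1" && h[1] === "1",
      // a link that goes through a redirector path instead of straight to content
      clickTracker: tag === "a" && /\/track\/click/i.test(ref[1]),
    });
  }
  return findings;
}

// Constructed sample: a first-party script, the ga.js loader quoted in the
// post, an embedded widget iframe, a 1x1 tracking pixel and a mailing-list
// click-tracking link of the shape shown in the post (IDs are placeholders).
const SAMPLE_URL = "https://example.com/post";
const SAMPLE_HTML = `
<script src="/js/site.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<iframe src="https://widgets.example-widgets.net/embed?id=1" width="300" height="200"></iframe>
<img src="http://pixel.tracker.example.net/open.gif" width="1" height="1">
<a href="http://threatbrief.us1.list-manage.com/track/click?u=PLACEHOLDER&id=PLACEHOLDER">read more</a>`;

console.log(auditThirdParty(SAMPLE_HTML, SAMPLE_URL));
```

The first-party script is skipped, the ga.js loader and the click-tracking link match the watch list, and the pixel is reported as a beacon even though its host is unknown, which is why a blocklist alone is not a complete defense.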

It is up to you, if you want to block these tracking scripts. Tracking companies certainly already have your profile; however, a stale profile is not valuable for marketing companies. As such, stale profiles are removed from their central depositories even if not actually deleted.

Warning: Neither of the browser add-ons will block hackers’ scripts; they only block known ad, social networking, and tracking companies’ scripts.

Collusion for Firefox…

Collusion for Firefox is a browser add-on that, quote:

“Collusion is an experimental add-on for Firefox that allows you to see which sites are using third-party cookies to track your movements across the Web. It shows, in real time, how that data creates a spider-web of interaction between companies and other trackers.”

Firefox plugin

Currently the add-on is somewhat informative and displays a visual presentation of tracking sites, see image on the left.

The final version of Collusion will add the capability to block cookies for any node in the graph. It is somewhat interesting to see the companies tracking your Internet activities, and how your activities might be shared between these companies.

The better option is to collectively block tracking altogether with other add-ons, such as DNT+, Ghostery, NoScript, etc. DNT+ supports most browsers, except Opera, and Ghostery supports all browsers. The NoScript add-on is available for Firefox only.

If tracking of your Internet activity is a concern of yours, you do not need to wait for the final version of Collusion. Other add-ons are available now and do a good job of blocking the tracking of your Internet activities.

W3C DNT Draft..

Do Not Track, or DNT, is a W3C proposed HTTP header field standard that requests the web server, well, not to monitor end-user Internet activity. The DNT header field standard defines three values:

    1. Value not set: Default setting for browser installation, HTTP DNT header not sent, tracking allowed.
    2. Value set to zero (0): End user explicitly opts-in, HTTP DNT header not sent, tracking allowed.
    3. Value set to one (1): End-user explicitly opts-out, HTTP DNT header sent, tracking is disabled.

In practice, the web server reads the DNT header value, if present, and enables/disables tracking of the individual accessing the website. The DNT standard has not been finalized and honoring the DNT setting is voluntary at the time of writing. As such, users are not guaranteed privacy, since advertisers are not legally required to comply with the DNT request and many don’t. Even compliance with the DNT standard does not guarantee privacy for the end user; websites will be allowed to track visitors for “research purposes”, regardless of the DNT setting, after the standard has been finalized.

The draft W3C DNT standard is in line with US privacy laws, where “explicit opt-out” is required for individuals to protect their privacy. The privacy laws in Europe point to “explicit opt-in”, which contradicts the proposed DNT standard. Quote from the W3C DNT standard draft:

An ordinary user agent MUST NOT send a Tracking Preference signal without a user’s explicit consent.

The draft seemingly complies with both the US and European requirements; however, that is certainly not the case. If the user agent is not configured, the default installation requirement for the browser, tracking is enabled. The explicit opt-in setting is the same as the default installation: no HTTP DNT header is sent and tracking is enabled.
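As an added example (my own code, not from the post or the W3C draft), here is the server side of the three DNT values in a few lines of JavaScript. The `honorDnt` policy flag and the sample requests are constructs of this example; they show that only DNT: 1 changes the outcome, and only when the server chooses to look at the header at all.

```javascript
// Added example (not code from the post or the W3C draft): the server-side
// decision the post describes. Only "DNT: 1" disables tracking; a missing
// header and "DNT: 0" both leave it enabled. The `honorDnt` flag models the
// point that compliance is voluntary: a server that does not opt in never
// reads the header. Node lower-cases incoming header names, so the header
// is looked up as "dnt".
function trackingDecision(headers, policy) {
  if (!policy.honorDnt) {
    return { track: true, reason: "server does not honor DNT" };
  }
  const dnt = headers["dnt"];
  if (dnt === undefined) {
    return { track: true, reason: "value not set: no DNT header" };
  }
  if (String(dnt).trim() === "1") {
    return { track: false, reason: "DNT: 1, explicit opt-out" };
  }
  // "0" is the explicit opt-in. Any other value is treated like "not set";
  // that is this example's assumption, the draft only defines 0 and 1.
  return { track: true, reason: "DNT: " + dnt + ", tracking allowed" };
}

// Run a batch of requests through a policy and count how many would be
// tracked. `requests` is an array of { ip, headers } objects.
function countTracked(requests, policy) {
  let tracked = 0;
  for (const r of requests) {
    if (trackingDecision(r.headers, policy).track) tracked += 1;
  }
  return tracked;
}

// Constructed sample traffic: one browser with DNT unset, one opted in with
// DNT: 0, two opted out with DNT: 1, and one sending a malformed value.
const SAMPLE_REQUESTS = [
  { ip: "198.51.100.10", headers: {} },
  { ip: "198.51.100.11", headers: { dnt: "0" } },
  { ip: "198.51.100.12", headers: { dnt: "1" } },
  { ip: "198.51.100.13", headers: { dnt: "1" } },
  { ip: "198.51.100.14", headers: { dnt: "yes" } },
];

const HONORING = { honorDnt: true };   // only the DNT: 1 visitors escape tracking
const IGNORING = { honorDnt: false };  // the status quo: everyone is tracked

console.log("honoring DNT, tracked:", countTracked(SAMPLE_REQUESTS, HONORING)); // 3
console.log("ignoring DNT, tracked:", countTracked(SAMPLE_REQUESTS, IGNORING)); // 5
```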

Most of the people accessing the Internet do not know about the privacy risk posed by tracking their activity on the web. For that matter, most of them don’t even know that advertisers are tracking them. Those people will not “bother” changing the browsers’ default settings either, due to their limited knowledge of the browsers’ settings.

Ignorance is bliss and loved by marketing alliances, such as the DAA and DMA. These alliances and other businesses have pushed the W3C to “water down” the standard to the point where the finalized DNT standard retains the “status quo”. That’s good news for US online advertising, estimated to be 40 billion dollars per year.