Threat Brief email tracking…

Threat Brief’s “Daily Threat Brief, or DTB, is a daily open source intelligence report modeled after the concept of the President’s Daily Brief (PDB). Every day the analysts of Cognito succinctly provide insights into global risk and security issues in ways that can reduce your personal and business risks and inform your strategic decision making.” You can subscribe to receive email highlights of these reports on a daily basis, which is more or less useful for security people.

Threat Brief does not use their business email server to send out the daily briefs (smart); they subscribe to a service provider that tracks the links in the email that you’d click on:

http://threatbrief.us1.list-manage.com/track/click?u=xxxxxxxxxxxxxxxx&id=xxxxxxxxxxxxxx=xxxxxxxxxxx*

*-Actual tracking IDs replaced by x

That’s nothing new; this has been done on a regular basis. What’s new is that the list-manage.com site does not show the link clicked in the email in the browser, if the browser happens to be IE11, secured as it should be, with Ghostery blocking the tracking script in addition.
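A small check of the kind a recipient (or a mail gateway) can run before clicking anything, as an added example that is not code from the page or from Threat Brief or MailChimp: it scans an email body for links routed through a click-tracking redirector and pulls out the per-recipient identifiers in the query string. The redirector host list, the `/track/` path test and the `u`, `id` and `e` parameter names are assumptions modelled on the redacted link shown above, and the sample email is constructed. Note what it cannot do: the real destination is held on the redirector’s server and is not recoverable from the URL itself, which is exactly the visibility problem described above.

```python
"""Flag click-tracking redirector links in an email body (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed redirector hosts; list-manage.com is the one seen in the daily brief link.
TRACKING_REDIRECTORS = ("list-manage.com",)
# Assumed query keys carrying list/campaign/recipient identifiers (modelled on the sample link).
TRACKING_KEYS = {"u", "id", "e"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample message (not a real Threat Brief email).
SAMPLE_EMAIL = """Daily Threat Brief (constructed sample)
Read the report: http://threatbrief.us1.list-manage.com/track/click?u=u0001&id=i0002&e=e0003
Plain link: https://www.example.com/report.html
Look-alike host: https://notlist-manage.com/track/click?u=u0001
"""


def is_tracking_link(url):
    """True when the URL goes through a known redirector's click-tracking path."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lower-cases the hostname for us
    # Exact domain or a subdomain of it; "notlist-manage.com" must not match.
    on_redirector = any(host == d or host.endswith("." + d) for d in TRACKING_REDIRECTORS)
    return on_redirector and "/track/" in parts.path


def tracking_ids(url):
    """Return the identifier parameters the redirector would log for this click."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {key: values[0] for key, values in query.items() if key in TRACKING_KEYS}


def find_tracking_links(body):
    """All URLs in the body that are routed through a tracking redirector."""
    return [url for url in URL_RE.findall(body) if is_tracking_link(url)]


def report(body):
    """One record per tracked link: the link and the identifiers it carries."""
    return [{"url": url, "ids": tracking_ids(url)} for url in find_tracking_links(body)]


if __name__ == "__main__":
    for record in report(SAMPLE_EMAIL):
        print(record["url"], "->", record["ids"])
```

Run against a saved message, the output lists which links will be logged against your subscriber identifiers before you click; the look-alike host and the plain link are left alone.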

The tracking script blocked by Ghostery is from MailChimp Tracking:

Monkey business

Cue the jokes about monkey business, etc… 🙂

While tracking isn’t necessarily a security risk for the most part (it certainly can be), it is without question a threat to the privacy of the end user. Now, why would Threat Brief utilize a third-party mass-mailer that results in privacy and potential security risks for the recipients of the Daily Threat Brief? That’s beyond me… Isn’t that a contradiction of the intended purpose of the threat brief?

After evaluating the “risk and security issues” of the tracking method employed for the daily threat emails, unsubscribing is in order. Fortunately, there’s an unsubscribe link at the bottom of the daily brief; let’s see how that one works…


Difference between US and EU privacy laws…

The difference between the privacy laws in the US and the EU can be summed up in a couple of sentences.

In the US, the privacy laws are sector-based and do not apply to all industries. On the other side of the pond, the EU has privacy laws that apply to all industries, including foreign entities.

This difference requires US companies to comply with EU privacy laws if and when they do business in EU countries. This can result in some interesting changes to their websites when EU citizens visit the company pages.

Take for example this Microsoft website link for people in Great Britain:

Microsoft Download Site for Great Britain

If you click on the link, you’ll see this warning in your browser:

Great Britain English download
The EU privacy laws require MS, and pretty much everyone who does business in the EU, to display this message:

By using this site you agree to the use of cookies for analytics, personalized content and ads.

One can select “No, thanks”; the end user stays on the English-GB site, and the end user’s browsing activities are tracked.

The warning also asks whether you’d prefer the US-English website; let’s take the same Microsoft website link for people in the US:

Microsoft Download Site for the US

If you click on the link, you’ll see no warning in your browser:

US English download

End user browser activity tracking is a given within the US; no permission is required…

That pretty much sums up the difference between the EU and US privacy laws on a personal level. Basically, within the EU people need to opt in to allow collection of their data, while in the US people are opted in by default and would need to opt out if they object.

On either side of the pond, a browser plugin or add-on is necessary to block tracking of end user browser activities. For example, when visiting either of the websites with the Ghostery plugin active, it’ll block the MS tracking:

ghostery and ms

PS: This post looked at Microsoft website links for examples; other US companies have similar website redirection for EU countries.

The choice between browser security and privacy…

Enhanced Protected Mode of Internet Explorer 10 is a defense-in-depth feature that helps prevent attackers from installing software or modifying system settings if they manage to run exploit code. It’s an extra layer of protection that locks down parts of your system that your browser ordinarily doesn’t need to use. Enhanced Protected Mode also disables plugins, which can be activated temporarily by the end user on a site-by-site basis. And this is the point where it interferes with privacy plugins…

Neither DoNotTrackMe from Abine nor Ghostery is compatible with the IE10 64-bit version with Enhanced Protected Mode enabled. While the installation of these plugins proceeds without warning, the first time IE starts after installing DoNotTrackMe, it pops up this message:

DoNotTrackMe warning!

More of the same for Ghostery:

Ghostery warning!

The download page for Ghostery provides some information about the incompatibility with IE10 running on a 64-bit OS:

64-bit MS OS

IE10 64-bit mode with Enhanced Protected Mode active disables these plugins, rightfully so, based on the security risk that logging in with administrative account level access poses to the system. Disabling Enhanced Protected Mode is an option, at the expense of security.

IE10 32-bit mode with Enhanced Protected Mode active does not disable these plugins; however, it may provide an easy attack vector for hackers to exploit the system with the “built-in” administrative access.

Seemingly, these IE plugins did not keep up with OS and browser advancements; they are pretty much stuck in the 32-bit software world. As such, if your system is based on 64-bit Windows with IE10, you have a choice to make. Would you prefer security over privacy, or privacy over security?

Tough call…