Qu00l.net
Here's what Schneier had to say in his June 15, 1999 Crypto-Gram:
'Looking back from the future, 1999 will have been a pivotal year for malicious software: viruses, worms, and Trojan horses (collectively known as "malware"). It's not more malware; we've already seen thousands. It's not Internet malware; we've seen that before, too. But this is the first year we've seen malware that uses e-mail to propagate over the Internet and tunnel through firewalls. And it's a really big deal.'
And he's quite right about this: 1999 was a pivotal year for malware. But he missed the real threat as it slid under his radar and tunneled through his firewall. Malware is also a trend of deception, data mining, destruction and privacy invasion, fuelled by vast amounts of dot-com venture capital (in order to have a 'viable business model' in a world of free information) and designed only to snare unwitting and unaware people who use search engines, shareware, commercial software and, as we shall see, anything and everything in between.
In my quest I have found malware that falls into several broad, and often overlapping, categories. These are, in no particular (well, alphabetical) order: adware, censorware, destroyware, spyware, trojanware, and web-bug types of transient or persistent malware.
Of course the government is doing this also, and people are 'freaked'. More on that later.
Date: Wed, 09 Feb 2000 20:10:28 -0500
From: Chris Brenton
To: firewalls@Lists.GNAC.NET
Cc: "fw-1-mailinglist@lists.us.checkpoint.com"
Subject: How much info are you leaking?

Greetings all,

Back on 12/19/99 I posted a rather verbose message to the Firewalls list on how a number of search engines are taking the search criteria you are entering and submitting it back to DoubleClick. Basically what you see is just after submitting your parameters to a search engine, your browser connects to ad.doubleclick.net in order to send something similar to the following:

http://ad.doubleclick.net/adl/site_you_searched.com/result_front;kw=Tell+me+about+rashes;cat=stext;ord=11996981

Where the "kw" string is your list of search parameters (key words?) and "ord" (based on research by Adrian Colley) is a hex conversion of your cookie ID. In other words, your ID and what you've been looking for gets sent back to DoubleClick. Based on this article:

http://news.cnet.com/news/0-1005-200-1531929.html?tag=st.ne.1002.tgif

this info may eventually get correlated with the rest of your personal info. Kind of a "personality profile" if you will, similar to the modern day credit report. Do a search on "evil hacker sites" and this gets associated with your profile. Of course the problem is that if your five year old searches for "pictures of naked monkeys" they may associate these key words with your ID as well.

This has organizational security implications as well. For example, how much would your competitors pay to know what info you are searching for? IMHO, given the number of sites involved in this "info sharing", the practice has become a few steps shy of placing a sniffer outside your firewall.

As mentioned in that original post, I've set up a "DoubleClick honeypot" to ID the sites that are submitting this info back to DoubleClick. The list I have so far is:

aj.com
ajkids.com
altavista.digital.com
anywho.com
av.com
babycenter.com
boston.com
buy.com
corptech.com
drcoop.com
greatdomains.com
hoovers.com
imdb.com
infoseek.com
foodtv.com
redhat.com
remarq.com
rocketlinks.com
rtq.net
yellowpages.com

The two that really bug me are RedHat (happens from their search page, not the main page), as you would expect them to be more sensitive to these kinds of issues, and drcoop.com, as the site is for searching medical info (I now know *way* too much about what ails my users ;). Note that these are *not* just ad partners, these sites forward your search info back to DoubleClick. Since this is all outbound TCP/80 traffic, it burns right through most firewalls. If you try and block all HTTP to DoubleClick, many browsers choke and kick an error back to the user. The only real effective means of killing this traffic is to proxy through JunkBusters or a honeypot similar to my setup (detailed in my 12/19 post).

Just curious if there is anyone out there that can add/delete from the above list. I'm also wondering _why_ they do it. Do these sites receive some form of financial return for submitting this info? Why don't they state what they are doing in their privacy statement? I'm also wondering if people feel an ORBS kind of setup is in order. It's really starting to trouble me just how much information is getting reported back to a single agency under the guise of "target advertising". If the government was doing this people would be freaked.

Thoughts? All input appreciated,
Chris
--
**************************************
cbrenton@sover.net
Date: Wed, 09 Feb 2000 20:06:06 -0600
From: Eric
To: firewalls@Lists.GNAC.NET
Subject: Re: How much info are you leaking?

I have ads.doubleclick.net (and many other similar sites) in my hosts file as 127.0.0.1. Not only does it keep my computer from giving them free information, it also seems to make AltaVista searches much faster since it doesn't have to wait for responses from doubleclick.net.

Eric Johnson
Date: Wed, 9 Feb 2000 19:53:17 -0600
From: Jeff Bachtel
To: firewalls@Lists.GNAC.NET
Subject: Re: How much info are you leaking?

Just a thought, but doubleclick.net _does_ have an opt-out cookie you can send to help keep information from being correlated to your company. Combined with a single caching proxy server (i.e. squid) (hey, you want to reduce the amount you transfer from the internet anyway), it provides a certain degree of anonymity. Having your web cache send id=OPT_OUT as part of the HTTP cookie vars is left as an exercise for the reader (or SA).
Date: Wed, 09 Feb 2000 23:34:00 -0500
From: Chris Brenton
To: Jeff Bachtel
Cc: firewalls@Lists.GNAC.NET
Subject: Re: How much info are you leaking?

Jeff Bachtel wrote:
>
> Just a thought, but doubleclick.net _does_ have an opt-out cookie you
> can send to help keep information from being correlated to your
> company.

IMHO this takes care of the personal privacy issue but does not address the corporate. The search criteria submission does not use cookies, so even if you have this setting disabled you are going to submit info back to DoubleClick. If you could get a look at a DoubleClick log entry on one of the ad.doubleclick.net servers, it would look like this:

[Thu Feb 6 13:31:22 2000] [client 10.25.60.50] /home/httpd/html/adi/altavista.digital.com/result_front;kw=Vanessa+Paradis;cat=stext;ord=25034863

Note the source IP is clearly identified. A quick whois can tie this back to the source organization. So while you may be able to "opt out" of the cookie setting, the info submission tied to your IP address still takes place.

> Combined with a single caching proxy server (i.e. squid) (hey,

You're still passing cookies, you're still tied to the organization's IP. You are absolutely on the right track though. Add JunkBuster to the mix as it can be tweaked to not forward this info.

> you want to reduce the amount you transfer from the internet anyway),
> it provides a certain degree of anonymity.

Actually, this is an annoying side effect of the whole ad thing. TTL values are set so that you have to reload each time you hit the page. This kills the efficiency of a proxy and thus sucks up additional bandwidth. I've noticed my cache hit rating has slowly dropped over the last year or so. :(

> The idea of a sort of ORBS is interesting (and may have merit). If,
> for instance, ads.doubleclick.net.relays.worbs.net returns a valid ip
> (loopback), then have your proxy server transparently handle traffic
> to that site.

Agreed. This is pretty much how I run my honeypot.

> However, an automated ORBS would be fairly difficult to
> implement, as verification of information relaying is not as easy as
> it is for open relays of email.

Agreed here as well. I've noticed many sites pass back a blank "kw=" string so it's not like you can even key in on that. Still, it would be nice to send a clear message that many Internet users take exception to this kind of practice.

Thanks!
Chris
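The two record formats in this exchange, the browser's ad.doubleclick.net URL from Chris's first post and the honeypot server's log line above, can both be mined for the leaked search terms and for the list of sites that forward them. The Python below is an added example written for this page; it is not code from the thread, from the honeypot, or from any of the tools named in it. The Squid-style proxy lines and the honeypot lines it reads are constructed here, and the assumption that the ad directory is always a three-letter name starting with "ad" (adl, adi) is mine, taken from the two paths quoted above. It also covers the blank "kw=" case Chris mentions, counting such a request as a leak of the ord= ID and the source address rather than ignoring it.

```python
"""Added example (not from the thread): spot search terms leaking to DoubleClick
in two log formats the thread describes.

  * Squid-style proxy access.log lines, whose URL field carries the
    ad.doubleclick.net request the browser made, and
  * lines from a "DoubleClick honeypot" web server that only sees the
    ad requests, in the Apache-style form shown in Chris Brenton's reply.

All sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional
from urllib.parse import unquote_plus, urlsplit

# Ad request path as described in the thread:
#   /adl/<site_you_searched>/<page>;kw=<keywords>;cat=<cat>;ord=<id>
# The directory name varies (adl, adi ...), hence ad[a-z] (an assumption).
# Searched, not anchored, so a honeypot's document-root prefix is harmless.
AD_PATH = re.compile(
    r"/ad[a-z]/(?P<site>[^/;]+)/(?P<page>[^;/]*)(?P<params>(?:;[^;]*)*)$"
)

# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# Honeypot line: [date] [client a.b.c.d] /docroot/adi/site/page;kw=...
HONEYPOT_LINE = re.compile(
    r"^\[[^\]]+\]\s+\[client (?P<client>[^\]]+)\]\s+(?P<path>/\S*)"
)


class Leak(NamedTuple):
    client: str     # internal address that made the request
    site: str       # search site that embedded the ad request
    keywords: str   # decoded kw= value; "" when the site sends a blank kw=
    ident: str      # ord= value, left opaque here


def is_doubleclick(host: Optional[str]) -> bool:
    return host is not None and (host == "doubleclick.net" or host.endswith(".doubleclick.net"))


def parse_ad_path(path: str) -> Optional[dict]:
    """Pull site, page and ;key=value parameters out of an ad request path."""
    m = AD_PATH.search(path)
    if not m:
        return None
    params = {}
    for seg in m.group("params").split(";")[1:]:
        key, _, value = seg.partition("=")
        params[key] = unquote_plus(value)
    return {"site": m.group("site"), "page": m.group("page"), "params": params}


def leak_from_line(line: str) -> Optional[Leak]:
    """Return a Leak for a line that carries an ad request, else None."""
    m = SQUID_LINE.match(line)
    if m:
        parts = urlsplit(m.group("url"))
        if not is_doubleclick(parts.hostname):
            return None
        client, path = m.group("client"), parts.path
    else:
        m = HONEYPOT_LINE.match(line)
        if not m:
            return None
        client, path = m.group("client"), m.group("path")
    ad = parse_ad_path(path)
    if ad is None:
        return None
    return Leak(client, ad["site"], ad["params"].get("kw", ""), ad["params"].get("ord", ""))


def find_leaks(log_text: str) -> list:
    return [leak for leak in map(leak_from_line, log_text.splitlines()) if leak]


def by_client(leaks) -> dict:
    """Map each internal client to the (site, keywords) pairs it sent out.
    A blank kw= still counts: the ord= ID and source address went out anyway."""
    result = defaultdict(list)
    for leak in leaks:
        result[leak.client].append((leak.site, leak.keywords))
    return dict(result)


def leaking_sites(leaks) -> list:
    """The sites forwarding search terms: the list the honeypot was built to collect."""
    return sorted({leak.site for leak in leaks})


# Constructed sample: three proxy lines, three honeypot lines.
SAMPLE_LOG = """\
950130882.123    245 10.25.60.50 TCP_MISS/200 1234 GET http://ad.doubleclick.net/adl/altavista.digital.com/result_front;kw=Tell+me+about+rashes;cat=stext;ord=11996981 - DIRECT/1.2.3.4 image/gif
950130890.456     80 10.25.60.51 TCP_MISS/200 4321 GET http://www.example.com/index.html - DIRECT/1.2.3.5 text/html
950130901.789    200 10.25.60.51 TCP_MISS/200 1234 GET http://ad.doubleclick.net/adl/drcoop.com/result_front;kw=;cat=stext;ord=40001 - DIRECT/1.2.3.4 image/gif
[Thu Feb 6 13:31:22 2000] [client 10.25.60.50] /home/httpd/html/adi/altavista.digital.com/result_front;kw=Vanessa+Paradis;cat=stext;ord=25034863
[Thu Feb 6 13:32:05 2000] [client 10.25.60.52] /home/httpd/html/adi/redhat.com/result_front;kw=evil+hacker+sites;cat=stext;ord=77777
[Thu Feb 6 13:33:00 2000] [client 10.25.60.52] /home/httpd/html/index.html
"""

if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_LOG)
    print("sites forwarding search terms:", ", ".join(leaking_sites(leaks)))
    for client, hits in by_client(leaks).items():
        for site, kw in hits:
            print(f"{client} -> {site}: {kw!r}")
```

Run against a real proxy log this answers Chris's two questions at once: which internal hosts are leaking what (by_client) and which search sites are doing the forwarding (leaking_sites). Lines for sites that send "kw=" blank still appear in the per-client report with an empty keyword string, since the ID and the source address still went out.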
Date: Thu, 10 Feb 2000 10:47:49 +0000
From: Dorian Moore
Cc: firewalls@Lists.GNAC.NET, "fw-1-mailinglist@lists.us.checkpoint.com"
Subject: Re: How much info are you leaking?

I know this is flame bait.... but I'm not trying to start a flame war, I just find this rather off topic for a 'firewalls' list...

Although I'm a fan of personal privacy, and of saving bandwidth, I do find it somewhat ironic that this topic of 'traceability' is an issue on a forum concerned in a large part about the security of computer systems against other users, and who would be scared at the idea of someone trying to attack them through an open system which is designed to hide the identity of the surfer.

Yes, doubleclick or whatever company sending adverts is a pain in the arse. Yes we all have to manage the bandwidth of all the users into our network, yes we don't like being sold things, but this is a capitalist society: more so the internet has become so [a lot of that virtual real-estate out there isn't worth a penny of the money that it's valued at, IMHO], and part of that battle is against DoubleClick, Experian [who traditionally did that kind of analysis of information through such things as your credit card spending habits, which a lot of people don't even think about] for our privacy, but I think that you also should look at it this way: doubleclick target you with adverts: brilliant, it means I don't get adverts for stupid irrelevant things amidst the content that I surf. The better of two evils in my opinion.

And I agree security and privacy can be construed as the same thing - if someone was to break into my house without doing any damage, or removing any property it would be an invasion of privacy but a breach of security, the same as if they did the same to my computer system - but I've had a lot of problems with people posting incredibly rude and malicious messages onto forum software we host, primarily through things like anonymizer, cgicache, and privada: and I find that much more troublesome than people holding the return IP address of my organisation and information on what I, or my colleagues, search on [even if it is 'how do I build nuclear bombs' or 'US government conspiracy']. I'd rather be able to get more information on my attackers, and have more available about me, than less - but then I feel I've got nothing to hide: ultimately we live, we die ... if you have a problem with what you do in between that's a philosophical issue and definitely off topic.

Maybe people should understand more the British propaganda from the second world war when they are using form based services on the web: 'Walls Have Ears' - a warning against eavesdropping and spying that is still relevant today. I know of much more dangerous information analysis going on outside of the internet than on it.

As I said, this is my opinion on the matter.... and my opinion isn't worth much, I just thought some people might want to know they weren't the only ones who may think like this [or am I the only one?]

Peace
d.
Date: Thu, 10 Feb 2000 08:20:53 -0500
From: Chris Brenton
To: d@kleber.net
Cc: firewalls@Lists.GNAC.NET, "fw-1-mailinglist@lists.us.checkpoint.com"
Subject: Re: How much info are you leaking?

Dorian Moore wrote:
>
> Yes, doubleclick or whatever company sending adverts is a pain in the
> arse. Yes we all have to manage the bandwidth of all the users into our
> network, yes we don't like being sold things, but this is a capitalist
> society:

This is the exact attitude I'm trying to get past. It's not about bandwidth or advertising. It's about personal and organizational information and the potential abuses of that information when it's in the hands of a corporate entity in our "capitalist society". Please don't look at what DoubleClick is spoon feeding you, look at what they are doing and draw your own conclusions.

> I've had a lot of problems with people posting incredibly rude and
> malicious messages onto forum software we host, primarily through
> things like anonymizer, cgicache, and privada:

Then don't accept them. As someone who works in security I certainly don't feel we should all be anonymous. These are your resources to manage as you see fit and you should be free to accept/deny/log whatever you want. The latest series of attacks certainly shows that too much anonymity can be a bad thing. This does not mean that having someone else logging what you are doing without your knowledge is necessarily a good or even useful thing.

Cheers,
Chris
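Jeff's "exercise for the reader" (have the cache send id=OPT_OUT) and Chris's note that JunkBuster can be tweaked not to forward the search string can be combined into one request filter of the kind a proxy front end applies. The Python below is an added example for this page, not JunkBuster's or Squid's own code. For a request bound for a doubleclick.net host it blanks the kw= path parameter (keeping "kw=" in place so the ad server still answers and the browser does not choke, as Chris says it does when the host is blocked outright), sets the Cookie header to the opt-out value, and, going one step beyond the thread, drops the Referer header, which names the search result page and so normally carries the query a second time. The sample request and the hostnames in it are constructed for the example.

```python
"""Added example (not from the thread): a request filter of the kind a JunkBuster
or Squid front end could apply, doing the "exercise for the reader" above.

For any request bound for a doubleclick.net host it
  1. blanks the kw= path parameter, leaving "kw=" in place so the ad server
     still answers and the browser does not error out,
  2. replaces (or adds) the Cookie header with DoubleClick's opt-out value, and
  3. drops the Referer header, which usually names the search result page
     and so carries the query a second time.
Requests to any other host pass through unchanged.  The sample request is
constructed for this example.
"""
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

OPT_OUT_COOKIE = "id=OPT_OUT"
KW_PARAM = re.compile(r";kw=[^;]*")


def is_doubleclick(host: Optional[str]) -> bool:
    return host is not None and (host == "doubleclick.net" or host.endswith(".doubleclick.net"))


def scrub_path(path: str) -> str:
    """Blank every ;kw=... segment but keep the parameter itself."""
    return KW_PARAM.sub(";kw=", path)


def sanitize_request(raw: bytes) -> bytes:
    """Rewrite one HTTP/1.x request (absolute-URI or origin-form target)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = [line.split(":", 1) for line in lines[1:] if ":" in line]

    parts = urlsplit(target)
    host = parts.hostname
    if host is None:  # origin-form request line: host comes from the Host header
        host = next((v.strip() for n, v in headers if n.lower() == "host"), None)
    if not is_doubleclick(host):
        return raw

    out = [f"{method} {urlunsplit(parts._replace(path=scrub_path(parts.path)))} {version}"]
    saw_cookie = False
    for name, value in headers:
        lname = name.lower()
        if lname == "cookie":
            out.append(f"{name}: {OPT_OUT_COOKIE}")
            saw_cookie = True
        elif lname == "referer":
            continue  # the search page URL, query string and all
        else:
            out.append(f"{name}:{value}")
    if not saw_cookie:
        out.append(f"Cookie: {OPT_OUT_COOKIE}")
    return "\r\n".join(out).encode("iso-8859-1") + sep + body


# Constructed sample: what a proxy sees after a user searches on a site that
# embeds the DoubleClick ad request (search.example.com is made up).
SAMPLE_REQUEST = (
    b"GET http://ad.doubleclick.net/adl/altavista.digital.com/result_front"
    b";kw=Tell+me+about+rashes;cat=stext;ord=11996981 HTTP/1.0\r\n"
    b"Host: ad.doubleclick.net\r\n"
    b"Cookie: id=deadbeef\r\n"
    b"Referer: http://search.example.com/query?q=Tell+me+about+rashes\r\n"
    b"User-Agent: Mozilla/4.7\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(sanitize_request(SAMPLE_REQUEST).decode("iso-8859-1"))
```

Chris's caveat still stands: the ord= value and the source address of the request go out unchanged, so the organisation is still identifiable by IP; the filter only keeps the keywords and the per-user cookie from travelling with it. A complete proxy would also strip Set-Cookie from DoubleClick's responses so the browser does not acquire a fresh id the next time round.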
Interhack:
"The Internet Privacy Project is an ongoing study of how systems on the Internet affect the privacy of the Internet population. From this page, we'll provide pointers to papers and advisories we release, as well as some of the tools that we develop in the process of our studies. "
Richard Smith, who coined the term 'web bug', has a number of papers and programs that discuss such malware as M$ GUIDs, Real and more.
Dick Hazeleger's PDF list of 710 (!!!) spyware programs.
Also here in HTML.
John Fitzsimons' excellent list of other spyware.
Another long list of spywares.
Cookie lore from pir.org.
Web-Bug FAQ from R. Smith.
