Slashdot Mirror


Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets (securityledger.com)

chicksdaddy writes: There's such a fine line between clever and criminal. That's the unmistakable subtext of the latest FireEye report on a new "APT" style campaign that's using methods and tools that are pretty much indistinguishable from those used by media websites and online advertisers. The difference? This time the information gathered from individuals is being used to soften up specific individuals with links to international diplomacy, the Russian government, and the energy sector.

The company released a report this week that presented evidence of a widespread campaign (PDF) that combines so-called "watering hole" web sites with a tracking script dubbed "WITCHCOVEN" and Samy Kamkar's Evercookie, the super persistent web tracking cookie. The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.

While the aims of those behind the campaign aren't known, FireEye said the use of compromised web sites and surreptitious tracking scripts doesn't bode well. "While many sites engage in profiling and tracking for legitimate purposes, those activities are typically conducted using normal third-party browser-based cookies and commercial ad services and analytics tools," FireEye wrote in its report. "In this case, while the individuals behind the activity used publicly available tools, those tools had very specific purposes. ... This goes beyond 'normal' web analytics," the company said.


  1. err Evercookie is well-documented? by Anonymous Coward · · Score: 0

    Why aren't browsers following the source, fixing the actual exploits, and making sure that Delete Everything actually does?

    1. Re:err Evercookie is well-documented? by fustakrakich · · Score: 2

      Because the advertisers don't want them to.

      --
      “He’s not deformed, he’s just drunk!”
  2. What can be done? by AHuxley · · Score: 1

    Some new version of the EFF SSL Observatory https://www.eff.org/observator... to send details on strangely altered deeper browser settings?
    3rd party tools that remove all browser related data? Smarter browsers that have built in very deep clean options as a browser closes a window, tab or quits?
    The 'analytics tools' are hard to escape even with a rotated VM, different browser, VPN, used OS, reported resolution, time zone?

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:What can be done? by U2xhc2hkb3QgU3Vja3M · · Score: 2

      I'm wondering if Lynx reports the resolution as columns x rows? (ex: 80x50)

    2. Re:What can be done? by gstoddart · · Score: 5, Insightful

      Honestly? Stop letting arbitrary sites and their 3rd party partners run bloody scripts.

      You don't go to an arbitrary website and essentially say "why, you seem like a fine, upstanding website, by all means please execute some JavaScript and Flash code".

      Well, actually, people do it all the time. But it's been a stupid idea for the last 15 years. But for some reason the trust model of the internet continues to be built on doing exactly that.

      The solution is to stop trusting the damned internet and letting every site run whatever code they and their ad partners think they feel they should.

      Because, let's face it, the internet hasn't really been trustworthy in a VERY long time.

      --
      Lost at C:>. Found at C.
    3. Re:What can be done? by Anonymous Coward · · Score: 0

      It is absolutely astonishing to me that only a few of us have learned this lesson by now. It isn't like this is something new. It's akin to letting a thousand random parties into your house every single day, whatever mix of teachers and mob thugs and priests and pimps they might be, and then acting surprised when your jewels go missing. And then, doing the same thing day after day.

      Seriously, I have ZERO sympathy any more. A lot of us said enabling JavaScript by default was a bad idea when it first appeared, and lo, it turned out to be a bad idea. It has some legit uses, but not very many compared to its use for tracking your browsing, foisting ads, popups, and outright jacking your machine via some exploit or another. But what did we do? Oh, we let commercial interests create a web that barely works any more without JavaScript enabled. Rather than tell them, "no thanks, we don't want that kinda web", we said, "SURE! Bring it on - that sounds just peachy!" Well, guess what, people?

    4. Re:What can be done? by Anonymous Coward · · Score: 0

      Amen. I don't really wish any website to profile and track me. Does anybody want that, besides corporations?

      "...While many sites engage in profiling and tracking for legitimate purposes..."

    5. Re:What can be done? by CaptainDork · · Score: 1

      One major problem:

      Sites are smart enough to detect that I am using evasive tactics so they simply don't allow access or make the site non-functional WITH the admonition that I have either blocked some of their stuff or I don't have the necessary stuff on board.

      If I uninstall Java, Flash, and disable cookies, my goddam computer makes a nice fucking screen saver, and that's about it.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:What can be done? by gstoddart · · Score: 1

      One major problem:

      Sites are smart enough to detect that I am using evasive tactics

      That's what the back button is for.

      If YOU want to trust those sites, go right ahead .. I don't care what websites you use or trust.

      Me, those sites which tell me I need to run Javascript or allow cookies get added to my blocked lists, and I click the back button. The next time I click on a link to that site, the whole thing is blocked.

      If I uninstall Java, Flash, and disable cookies, my goddam computer makes a nice fucking screen saver, and that's about it.

      Then you use the web entirely dependent on shiny baubles and cat videos, and that is your problem.

      I haven't allowed java or flash in a browser I own in years. I only selectively allow javascript and cookies. I need to trust a site AND really want their information to allow scripts, otherwise I don't give a damn.

      I'm looking for information, not bloody video games and videos of idiots lighting themselves on fire.

      But when one of these sites fucks up your computer, don't run around saying how tragic it is that letting sites run code has caused you problems.

      --
      Lost at C:>. Found at C.
    7. Re:What can be done? by CaptainDork · · Score: 1

      So you are an assholian from another planet. How the fuck you gonna know a site has a (Java, Flash) bomb until you light the fuse?

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:What can be done? by KGIII · · Score: 1

      uMatrix.

      --
      "So long and thanks for all the fish."
    9. Re:What can be done? by Anonymous Coward · · Score: 0

      It is absolutely astonishing to me that only a few of us have learned this lesson by now. It isn't like this is something new. It's akin to letting a thousand random parties into your house every single day, whatever mix of teachers and mob thugs and priests and pimps they might be, and then acting surprised when your jewels go missing. And then, doing the same thing day after day.

      Seriously, I have ZERO sympathy any more. A lot of us said enabling JavaScript by default was a bad idea when it first appeared, and lo, it turned out to be a bad idea. It has some legit uses, but not very many compared to its use for tracking your browsing, foisting ads, popups, and outright jacking your machine via some exploit or another. But what did we do? Oh, we let commercial interests create a web that barely works any more without JavaScript enabled. Rather than tell them, "no thanks, we don't want that kinda web", we said, "SURE! Bring it on - that sounds just peachy!" Well, guess what, people?

      This is correct and stated simply. Now take this line of thinking and apply it to immigration and Microsoft Windows spying.

  3. Applications? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    The tools are used to assemble detailed profiles on specific users including the kind of computer they use, the applications and web browsers they have installed, and what web sites they visit.

    Operating system and one browser, sure. It's part of the User-Agent field of an HTTP header.

    But how can they know which browsers you have installed? And "applications"? Apart from knowing if you have Flash and Java installed, I don't see which applications they're talking about. My browser sure as hell isn't broadcasting that I use Apple's Keynote.

    1. Re:Applications? by oneiros27 · · Score: 4, Interesting

      Maybe not simply 'installed', but if you use multiple browsers to authenticate to the same website, and they have ways to insert tracking code on that website (such as from ad networks), they could easily link the two browsers.

      Snowden's advice about blocking ad networks for security purposes actually makes perfect sense.

      --
      Build it, and they will come^Hplain.
    2. Re:Applications? by AHuxley · · Score: 4, Informative

      A few years ago (2010~2011)
      Tracking Browsers Without Cookies Or IP Addresses?
      http://yro.slashdot.org/story/...
      EFF Publishes Study On Browser Fingerprinting
      http://yro.slashdot.org/story/...
      EFF Says Forget Cookies, Your Browser Has Fingerprints
      http://yro.slashdot.org/story/...
      Browsers seem to send back a lot of basic data if asked that can build a nice profile over many visits.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Applications? by gstoddart · · Score: 4, Insightful

      Snowden's advice about blocking ad networks for security purposes actually makes perfect sense.

      Honestly, it has made perfect sense since the late 90s when you could get popup hell ... time and time again, ad networks have been demonstrated to be completely not trustworthy.

      From back in the day when your page would get stuck loading because it was waiting for some @)##! ad site to finish loading (remember why Mozilla added the "block images from this site", or the ability to refuse cookies?) ... to popovers, popunders, misdirects, and a pretty long list of bad behavior.

      How the hell it's taken this long for people to start realizing this I have no idea. It didn't become true because Snowden said it. It became true almost 20 years ago when ads started to pollute the internet, and hasn't ever stopped being true.

      There's a reason many of us have disabled Flash for a VERY long time.

      Me, I'd take pretty much anybody who says they work for an internet ad company and lock them in a cage with angry bears before I'd ever do anything so stupid as to trust them. Because you haven't been able to collectively trust them in almost 20 years.

      Honestly, internet ads are about as trustworthy as having anonymous sex with strangers in parking lots littered with dirty needles; it's a terrible idea but people keep acting like it's the only way to keep the intertubes working.

      Assume every single ad company is going to be lying, malicious dishonest people driven by greed and depraved indifference. Because enough of them are that you should.

      --
      Lost at C:>. Found at C.
    4. Re:Applications? by Fire_Wraith · · Score: 2

      Nevermind the fact that ad networks have been used on multiple occasions as delivery mechanisms for malware, including "drive by" attacks where you don't even need to click anything. Just visit a seemingly innocuous page, and bam, infected.

      It's also not even something where it only happens to shady sites, or shady/porn/etc ad networks. Even the flagship ad services, and mainstream websites have been affected.

      The only way to protect yourself is to not accept arbitrary traffic from untrusted third parties in the first place - i.e., ad blockers, noscript, etc.

    5. Re:Applications? by Anonymous Coward · · Score: 0

      and I've been following this before I'd heard Snowden's advice simply because most of the ad sites take so fucking long to load. Block em and the page tends to load in less than a second and if it's dependent on Jscript/Flash I'm not going to bother sticking around or coming back as there's no usable content.

      Combine this with the damn hosts file to block as many of them as possible and I've lessened the threat surface enough to be more confident in using the net.

    6. Re:Applications? by Anonymous Coward · · Score: 0

      Me, I'd take pretty much anybody who says they work for an internet ad company and lock them in a cage with angry bears ...

      What do you have against bears?

  4. Who is targeting whom? by Crowd+Computing · · Score: 2
    The article appears conflicted as to who is attacking whom. Read the PDF report the article is based on. In the table of contents on page 2, we see the following item:

    Likely Intended Targets: Government Officials and Executives in the U.S. and Europe

    Now compare this to the executive summary at the start of the article:

    In-brief: FireEye is warning about a sophisticated campaign of online surveillance that combines web “super cookies” and common analytics software to target individuals with links to international diplomacy, the Russian government and the energy sector.

    Does this mean non-Russian entities who do business with Russian entities are the targets?

    1. Re:Who is targeting whom? by AHuxley · · Score: 2

      It seems someone is interested in that part of the world and any related traffic but has to use, can only use, can afford or wants to be seen as using browser methods.
      ie it differs from the usual 5 eye optical collect it all options that get all the communications in the region and would not have to be found in any way
      "actors are building profiles of potential victims and learning about the vulnerabilities in users’ computers."
      "and tailor future infection attempts."
      "large numbers of legitimate websites"
      "they anticipate their desired victims will visit as part of their normal online activity. "

      --
      Domestic spying is now "Benign Information Gathering"
  5. Easy to Prevent by Anonymous Coward · · Score: 0

    The Evercookie is easy to handle, especially with Firefox:

    about:config > toggle dom.storage.enable to False

    Whitelist cookies rather than allow them all. Set session cookies. Whatever works for you. Block analytics tools with Disconnect, NoScript, Privacy Badger, uBlock Origin.

    1. Re:Easy to Prevent by PPH · · Score: 1

      about:config > toggle dom.storage.enable to False

      and then watch Slashdot start to blow chunks. We're being tracked by Dice along with the best (worst) data scrapers.

      --
      Have gnu, will travel.
  6. Bad Guys Using "Good" Guys' Tools by Anonymous Coward · · Score: 5, Informative

    NSA Uses Google Cookies to Pinpoint Targets for Hacking
    https://www.washingtonpost.com/news/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/
    By Ashkan Soltani, Andrea Peterson, and Barton Gellman
    December 10, 2013

    The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using "cookies" and location data to pinpoint targets for government hacking and to bolster surveillance.

    The agency's internal presentation slides, provided by former NSA contractor Edward Snowden, show that when companies follow consumers on the Internet to better serve them advertising, the technique opens the door for similar tracking by the government. The slides also suggest that the agency is using these tracking techniques to help identify targets for offensive hacking operations.

    For years, privacy advocates have raised concerns about the use of commercial tracking tools to identify and target consumers with advertisements. The online ad industry has said its practices are innocuous and benefit consumers by serving them ads that are more likely to be of interest to them.

    The revelation that the NSA is piggybacking on these commercial technologies could shift that debate, handing privacy advocates a new argument for reining in commercial surveillance.

    According to the documents, the NSA and its British counterpart, GCHQ, are using the small tracking files or "cookies" that advertising networks place on computers to identify people browsing the Internet. The intelligence agencies have found particular use for a part of a Google-specific tracking mechanism known as the “PREF” cookie. These cookies typically don't contain personal information, such as someone's name or e-mail address, but they do contain numeric codes that enable Web sites to uniquely identify a person's browser.

    In addition to tracking Web visits, this cookie allows NSA to single out an individual's communications among the sea of Internet data in order to send out software that can hack that person's computer. The slides say the cookies are used to "enable remote exploitation," although the specific attacks used by the NSA against targets are not addressed in these documents.

    The NSA's use of cookies isn't a technique for sifting through vast amounts of information to find suspicious behavior; rather, it lets NSA home in on someone already under suspicion - akin to when soldiers shine laser pointers on a target to identify it for laser-guided bombs.

    Separately, the NSA is also using commercially gathered information to help it locate mobile devices around the world, the documents show. Many smartphone apps running on iPhones and Android devices, and the Apple and Google operating systems themselves, track the location of each device, often without a clear warning to the phone's owner. This information is more specific than the broader location data the government is collecting from cellular phone networks, as reported by the Post last week.

    "On a macro level, 'we need to track everyone everywhere for advertising' translates into 'the government being able to track everyone everywhere,'" says Chris Hoofnagle, a lecturer in residence at UC Berkeley Law. "It's hard to avoid."

    These specific slides do not indicate how the NSA obtains Google PREF cookies or whether the company cooperates in these programs, but other documents reviewed by the Post indicate that cookie information is among the data NSA can obtain with a Foreign Intelligence Surveillance Act order. If the NSA gets the data that way, the companies know and are legally compelled to assist.

    The NSA declined to comment on the specific tactics outlined in this story, but an NSA spokesman sent the Post a statement: "As we've said before, NSA, within its lawful mission to collect foreign intelligence to protect the Un

    1. Re:Bad Guys Using "Good" Guys' Tools by Anonymous Coward · · Score: 1

      For those interested, Bruce Schneier's comments to the above article are here: NSA Tracks People Using Google Cookies, and the EFF's comments are here: NSA Turns Cookies (And More) Into Surveillance Beacons.

  7. 'legitimate' tracking by anti-pop-frustration · · Score: 2

    While many sites engage in profiling and tracking for legitimate purposes

    There's no such thing as legitimate tracking

    1. Re:'legitimate' tracking by emho24 · · Score: 1

      There's no such thing as legitimate tracking

      This this a thousand times this

      --
      You must gather your party before venturing forth.
    2. Re:'legitimate' tracking by dotancohen · · Score: 1

      There's no such thing as legitimate tracking

      So you would like to enter your username and password for every Gmail page load and AJAX request and every slashdot comment? The server should have no way of knowing that you are the same you who entered "anti-pop-frustration" and "hunter2" in the login form just two page views ago?

      --
      It is dangerous to be right when the government is wrong.
    3. Re:'legitimate' tracking by St.Creed · · Score: 1

      Session cookies are a completely different subject. Don't confuse the issue.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
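
The distinction St.Creed draws is visible in the Set-Cookie header itself: a login session cookie carries no Expires or Max-Age and is scoped to the site you are on, while a tracking cookie is long-lived and scoped to a domain the page embeds but the user never typed. The block below is an added example for this thread, not code from the FireEye report or from any commenter; the hostnames and cookie values are constructed, and the "third-party" test simply compares the cookie's domain scope with the page host.

```javascript
// Added example: classify Set-Cookie headers as session vs. persistent and
// first- vs. third-party. Sample headers and hostnames are constructed.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();   // flag attrs become true
  }
  return cookie;
}

// setBy: host that sent the header; pageHost: host of the page the user is on;
// now: reference time in ms, passed in so results are reproducible.
function classifyCookie(header, setBy, pageHost, now = Date.now()) {
  const c = parseSetCookie(header);

  // Lifetime: Max-Age takes precedence over Expires (RFC 6265); neither means "session".
  let lifetimeSeconds = null;
  if (c.attrs['max-age'] !== undefined) {
    lifetimeSeconds = Number(c.attrs['max-age']);
  } else if (c.attrs.expires !== undefined) {
    const t = Date.parse(c.attrs.expires);
    if (!Number.isNaN(t)) lifetimeSeconds = Math.round((t - now) / 1000);
  }
  const persistent = lifetimeSeconds !== null;

  // Scope: the Domain attribute (leading dot ignored per RFC 6265) or host-only.
  const scope = (c.attrs.domain || setBy).replace(/^\./, '').toLowerCase();
  const thirdParty = !(pageHost === scope || pageHost.endsWith('.' + scope));

  return {
    name: c.name,
    persistent,
    lifetimeDays: persistent ? Math.round(lifetimeSeconds / 86400) : 0,
    thirdParty,
    secure: c.attrs.secure === true,
    httpOnly: c.attrs.httponly === true,
    sameSite: typeof c.attrs.samesite === 'string' ? c.attrs.samesite : 'none-unspecified',
    verdict: !persistent ? 'session cookie (dies with the browser)'
           : thirdParty  ? 'persistent third-party cookie (cross-site tracking candidate)'
           :               'persistent first-party cookie',
  };
}

// Constructed headers: a login session cookie set by the site itself, and an
// ad-network identifier set by an embedded third party with a two-year lifetime.
const SESSION_HEADER = 'sid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax';
const TRACKER_HEADER = 'uid=7b2e9d01; Domain=.adnetwork.example; Path=/; Max-Age=63072000; Secure';

function auditSample() {
  return [
    classifyCookie(SESSION_HEADER, 'www.news.example', 'www.news.example'),
    classifyCookie(TRACKER_HEADER, 'ads.adnetwork.example', 'www.news.example'),
  ];
}
```

Run `auditSample()` and the two records differ on exactly the axes that matter: the session cookie is non-persistent, first-party, HttpOnly and SameSite=Lax; the tracker is persistent for 730 days, third-party, and has no SameSite attribute, which is what lets it ride along with requests from every site that embeds the ad network. A cookie whitelist that keeps the first kind and drops the second is the "set session cookies" advice from the Easy to Prevent post above, made concrete.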
  8. These don't exist... by shaitand · · Score: 1

    "While many sites engage in profiling and tracking for legitimate purposes.."

    The only way it could possibly be legitimate is if they weren't stealing my private data... which reduces the number of parties who could legitimately track/profile to one, myself.

    1. Re:These don't exist... by drinkypoo · · Score: 1

      The only way it could possibly be legitimate is if they weren't stealing my private data...

      It's not theft. You're not being deprived of something, and it's information that you're sending them when you use your browser so you're literally handing it to them. It may be misuse of information, however.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:These don't exist... by shaitand · · Score: 1

      "You're not being deprived of something"

      I'm being deprived of my right to privacy but more tangibly I'm being deprived of the value of the data they are stealing. My browsing history is data that belongs to me and only me and they are stealing that data and then selling it. The proceeds from any sale or use of my data are rightfully mine. They are also violating my copyright. My browsing history is a one of a kind creative work.

      "it's information that you're sending them when you use your browser"

      A quick change artist is literally being handed the incorrect amount of money by a representative of the company they are stealing from at the register, it is still theft. The same with me handing over my data in a man in the middle attack (which many of these collection tactics effectively are). It was not my intention to give them my data, I did not knowingly or willingly agree to their cookie or tracking, therefore it is also unauthorized systems access. And no, the legal section or terms and conditions section being present on one of the websites I visited does not constitute a meeting of minds.

  9. Self-destructing cookies by comrade1 · · Score: 3, Informative

    I used a combination of plugins: Self-Destructing Cookies, Disconnect, and uBlock. Works well. Just don't whitelist Google sites or social media. You can use your browser's password store if you get tired of having to log in after every time you close your browser window.

  10. As always by Anonymous Coward · · Score: 0

    Thanks again, Samy!

  11. Tor Browser? by Anonymous Coward · · Score: 0

    Me, I am no bad guy, but I think spying on innocent people is just plain evil and probably mostly illegal in the US. Does the Tor browser do the best job of protecting your privacy, or is Firefox with the NoScript, Ghostery and BetterPrivacy plugins actually just as good, or just as bad? Does the Tor browser protect from this thing? I just read the other day that Tor was defeated by a university + FBI effort in 2014. I suppose that is a temporary problem that could happen again?

    You know I am all for the government tracking and catching criminals. But why can't they and the ad companies just leave regular people out of this? Tracking everybody is wrong, and privacy sure as shit does matter.

  12. cookies are evil by Anonymous Coward · · Score: 0

    Clearly, all corporations should stop using cookies. They only exist to let advertisers track you, and push crap to your browser. Delete all cookies! Don't let the terrorists win!

  13. My parents were so wrong by U2xhc2hkb3QgU3Vja3M · · Score: 2

    As a child, they kept telling me that monsters were not real.

    But in fact, the cookie monster really does exist.

    1. Re: My parents were so wrong by Anonymous Coward · · Score: 0

      Why u no fighting for teh bitcoinz anymore?

    2. Re: My parents were so wrong by Anonymous Coward · · Score: 0

      Holly Holm

    3. Re: My parents were so wrong by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I still am, the link should be in my signature.

    4. Re:My parents were so wrong by dotancohen · · Score: 1

      As a child, they kept telling me that monsters were not real.

      But in fact, the cookie monster really does exist.

      Our parents also told us that sharing was good. Look at what the RIAA has done to people who thought that was good advice.

      --
      It is dangerous to be right when the government is wrong.
    5. Re: My parents were so wrong by Anonymous Coward · · Score: 0

      It is, he has sigs turned off.

    6. Re:My parents were so wrong by antdude · · Score: 1

      They are real according to Sesame Street! Om nom, nom, nom...

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  14. witch coven? by Anonymous Coward · · Score: 0

    it figures overweight social rejects (satanists, witches, pagans) would take their devious activities online where they can hide like the cowards they are

  15. What is an APT campaign? by mmell · · Score: 1
    Is it like an APK campaign?

    (sorry, I just couldn't resist. Get some help, Al)

  16. At least by Ol+Olsoc · · Score: 1

    According to the referenced story, BetterPrivacy will take care of the Evercookie. And not using a script blocker is the web's version of unprotected sex with Charlie Sheen.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.