
Steps to Mitigate Enterprise Risk From 'Supercookies'

Written by Jason Mick
10/10/2012 9 comments

When Stanford University computer science researcher Jonathan Mayer discovered last year that Microsoft’s MSN.com, Flixster.com, and other top Websites were circumventing traditional cookie-centric privacy protections via untraditional tracking technologies, it was an eye-opener to the business sector.

Persistent tracking raises at least two challenges for enterprise IT: First, it may require preventive countermeasures to keep other firms from mining your users’ activity. Second, it may require you to keep a closer eye on your monetization partners for the subtle signs of abusive behavior.

Looking at the first issue, consider that consumer privacy may be a valuable commodity, but in the wrong hands, corporate secrets can lead to millions of dollars in damages. That’s not to say a simple URL is a key to all your company’s secrets or that companies that track or whose partners track are really going to stoop to corporate espionage.

Still, at the end of the day, the only sensible policy is risk mitigation; you don’t want someone monitoring your users’ Web history.

To defeat untraditional tracking technologies, it’s important to understand them. “Supercookies,” “evercookies,” or “zombie cookies” refer to a broad class of tracking technologies designed to circumvent the “same origin” policy -- which, according to Mayer, is the rule that “cookies can only be read and modified by the domain that set them.”

A supercookie stores away its identifier deviously, in places a user who deletes cookies never touches, so that a script can resurrect the cookie afterwards, T-1000-style. Hence Flash shared objects, the JavaScript cache, HTTP ETags, and -- most recently -- HTML5 local storage can all serve as hiding places from which a supercookie restores itself.

The bad news is that blocking all of these potentially retrievable technologies can be difficult to impossible without breaking certain Webpages.

For that reason, the following policies may be the best choice to adopt on sensitive machines:

  1. If possible from a manageability standpoint, use a modern browser that supports privacy-enhancing extensions, such as Firefox or Chrome.
  2. Disable the DOM (Document Object Model) storage in your browser settings. This stops the browser from storing client data.
  3. Set the cache clearing in your browser to the strictest possible setting.
  4. When in doubt, install Flash and/or Javascript blockers and encourage employees/administrators (depending on the size of your deployment) to leave as much content blocked as possible.
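
The respawn mechanism described above (one identifier mirrored across cookies, local storage and ETags) and the "clear everything" policy in the list are easiest to reason about with a concrete audit. The following is an added example, not code from the article or from any browser vendor: it runs in Node against a constructed storage snapshot, flags any identifier that appears in more than one storage vector (the signature of a respawning cookie), and then removes every copy at once. The helper names (makeSampleSnapshot, findRespawnCandidates, purgeRespawnCandidates) and the sample values are assumptions made here; in a browser you would fill the snapshot from document.cookie, localStorage, sessionStorage and captured response headers instead.

```javascript
// Added example (not from the article): audit the client-side storage vectors the
// article lists for a respawning identifier, using a constructed snapshot so the
// code runs offline in Node.

// Parse a document.cookie-style string ("k=v; k2=v2") into an object.
function parseCookieHeader(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const k = part.slice(0, idx).trim();
    const v = part.slice(idx + 1).trim();
    if (k) out[k] = v;
  }
  return out;
}

// Constructed snapshot: one bucket per storage vector. The identifier
// 8f3a9c21d4e7b650 is deliberately mirrored in three vectors.
function makeSampleSnapshot() {
  return {
    cookies: parseCookieHeader('uid=8f3a9c21d4e7b650; lang=en; session=abc123'),
    localStorage: { trk_id: '8f3a9c21d4e7b650', theme: 'dark' },
    sessionStorage: { cart: '3' },
    // ETag values the server returned for resources loaded by the page (constructed)
    etags: { '/pixel.gif': '"8f3a9c21d4e7b650"', '/logo.png': '"a1b2"' },
  };
}

// ETags arrive quoted; compare the bare value.
function stripQuotes(value) {
  return value.replace(/^"|"$/g, '');
}

// Values that look like opaque identifiers: long enough and made only of
// hex/base64-style characters. Short settings like "en" or "dark" are ignored.
function looksLikeIdentifier(value) {
  const v = stripQuotes(value);
  return v.length >= 12 && /^[A-Za-z0-9_\-+\/=]+$/.test(v);
}

// The respawn signature: the same identifier held in more than one vector, so
// deleting the cookie alone leaves a copy from which it can be restored.
// Returns [{ value, vectors: [{ vector, key }, ...] }, ...].
function findRespawnCandidates(snapshot) {
  const seen = new Map();
  for (const [vector, bucket] of Object.entries(snapshot)) {
    for (const [key, raw] of Object.entries(bucket)) {
      if (!looksLikeIdentifier(raw)) continue;
      const value = stripQuotes(raw);
      if (!seen.has(value)) seen.set(value, []);
      seen.get(value).push({ vector, key });
    }
  }
  const hits = [];
  for (const [value, locations] of seen) {
    const distinctVectors = new Set(locations.map((l) => l.vector));
    if (distinctVectors.size > 1) hits.push({ value, vectors: locations });
  }
  return hits;
}

// Remove every copy of each flagged identifier from every vector in one pass;
// clearing a single vector is exactly what respawning is designed to survive.
// Returns the number of entries removed.
function purgeRespawnCandidates(snapshot) {
  let removed = 0;
  for (const hit of findRespawnCandidates(snapshot)) {
    for (const { vector, key } of hit.vectors) {
      delete snapshot[vector][key];
      removed += 1;
    }
  }
  return removed;
}

// Stand-alone run against the constructed snapshot.
if (typeof require !== 'undefined' && require.main === module) {
  const snap = makeSampleSnapshot();
  for (const hit of findRespawnCandidates(snap)) {
    console.log(`identifier ${hit.value} mirrored in:`,
      hit.vectors.map((v) => `${v.vector}[${v.key}]`).join(', '));
  }
  console.log(`removed ${purgeRespawnCandidates(snap)} entries`);
}
```

On the sample snapshot the audit reports one identifier mirrored in cookies, localStorage and an ETag, and the purge removes all three copies while leaving harmless settings such as the language cookie untouched. Flash shared objects are not represented because they live outside the browser's own storage; on a managed machine they are cleared through the Flash settings manager or by wiping the player's shared-object directory.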

Since IT can’t block everything, one valuable tactic is identity obfuscation: Have employees, when possible, access the Internet via wireless modems on managed laptops or, alternatively, via mobile devices. When traffic originates from an enterprise’s local gateways, it’s easy to identify the user, and in theory it’s easier to use persistent tracking to perform some sort of cyberespionage. The more page requests that are routed through semi-anonymous wireless infrastructure, the harder it will be to perform such concerted malfeasance.

It is also worth mentioning the flip side of the tracking coin -- being on guard for content monetization partners pushing such technologies on your domains. After all, Microsoft, Flixster-owner Time Warner, and others all claim that the persistent tracking they were accused of was accidental.

Most large companies have a variety of content monetization partners for their domains. While it can be tough to keep track of what they’re putting on a firm’s pages, it’s important to inform them of expectations up front and in writing. If you don’t support violating users’ trust by overriding their privacy settings, tell your partners you want to stick with traditional cookies and you don’t want to adopt other more questionable tracking schemes.
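
Putting expectations in writing is only half the job; you also need a way to check what partner scripts actually do on your pages. The following is an added example, not code from the article or from any vendor it names: a static audit that scans the source text of partner scripts for references to the persistence mechanisms the article lists and reports which partners reach beyond plain cookies. The partner names, script sources, pattern table and the auditPartnerScripts and partnersBeyondCookies helpers are all constructed here; a match is a reason to ask the partner questions, not proof of respawning on its own.

```javascript
// Added example (not from the article): static audit of partner scripts for the
// persistence mechanisms named in the article. Everything below is constructed.

// Each mechanism maps to source-text patterns that reference it.
const PERSISTENCE_PATTERNS = {
  'cookie': [/document\.cookie/],
  'html5-local-storage': [/\blocalStorage\b/, /\bindexedDB\b/, /\bopenDatabase\b/],
  'flash-shared-object': [/SharedObject/, /\.swf\b/],
  'etag-cache': [/['"]If-None-Match['"]/, /['"]ETag['"]/i],
  'cache-respawn': [/\bapplicationCache\b/, /window\.name\s*=/],
};

// Constructed sample inputs: one partner that sets only a cookie, and one that
// keeps the same identifier in a cookie, in localStorage and in a Flash object.
const SAMPLE_SCRIPTS = [
  { partner: 'ads-vendor-a', source: 'document.cookie = "aid=" + id + "; path=/";' },
  { partner: 'analytics-vendor-b', source: [
      'var id = localStorage.getItem("t") || readCookie("t");',
      'localStorage.setItem("t", id); document.cookie = "t=" + id;',
      'var so = SharedObject.getLocal("t");',
    ].join('\n') },
];

// Returns { partner: [mechanism, ...] } with mechanisms sorted. Several scripts
// from the same partner are merged into one entry.
function auditPartnerScripts(scripts) {
  const report = {};
  for (const { partner, source } of scripts) {
    const found = new Set(report[partner] || []);
    for (const [mechanism, patterns] of Object.entries(PERSISTENCE_PATTERNS)) {
      if (patterns.some((re) => re.test(source))) found.add(mechanism);
    }
    report[partner] = [...found].sort();
  }
  return report;
}

// Partners whose scripts touch anything beyond plain cookies: the ones to raise
// against the written expectations.
function partnersBeyondCookies(report) {
  return Object.entries(report)
    .filter(([, mechanisms]) => mechanisms.some((m) => m !== 'cookie'))
    .map(([partner]) => partner);
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditPartnerScripts(SAMPLE_SCRIPTS);
  console.log(report);
  console.log('beyond cookies:', partnersBeyondCookies(report));
}
```

Run against the sample inputs the report lists only 'cookie' for the first partner and 'cookie', 'flash-shared-object' and 'html5-local-storage' for the second, which is the one to escalate. Minified or obfuscated scripts can hide these references, so the static scan is best paired with a runtime check of what actually lands in the browser's storage.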

Lastly, be clear to your end users who your monetization partners are and what their expectation of privacy on your site(s) is. The more transparent your policies, the more goodwill you’ll generate. And that means that if a partner does violate your rules and your customer’s trust, the reputation damage will to a certain extent be mitigated.

— Jason Mick is senior news editor at the independent tech news site DailyTech.

DavidSilversmith
Thinkernetter
Sunday October 21, 2012 10:11:15 PM
no ratings

Interesting suggestions, but what about employees who can't do their jobs in these scenarios?

What if your own company's web site uses some of these approaches you are suggesting IT block?

What if your affiliates or business partners use some of these approaches and employees need to visit/monitor these sites to do their jobs?

How do you combine these ideas with business reality for employees who need to visit web sites and use online technology to get their jobs done?

aum007
Thinkernetter
Sunday October 21, 2012 1:59:36 PM
no ratings

Mick,

You mentioned obfuscation but what about good old Encryption to make things even more difficult for the bad guys to make sense of things???

Check this Paper out(from Vormetric).

enterprise-encryption.vormetric.com/rs/vormetric/images/wp-vormetric-encryption-performance.pdf

Encryption(on the Client end )can be a very useful solution.

Regards

Ashish.

aum007
Thinkernetter
Sunday October 21, 2012 1:56:40 PM
no ratings

Mitch,

Do you have to give the Bad Guys Ideas???

Lol!!!


So true.

Everything that you have mentioned is extremely accurate and is basically how the Bad Guys work.

Regards

Ashish.

Mitch Wagner
Thinkernetter
Friday October 12, 2012 12:17:56 PM
no ratings
An attacker knowing which URLs employees visit can be harmful. Imagine an attacker finds out that the M&A department of BigCo is making frequent visits to articles, blogs, and financial and regulatory reports about SmallCo.
Michael P. Kassner
Thinkernetter
Thursday October 11, 2012 8:10:49 AM
no ratings

I wrote an article for Internet Evolution in March 2011 about how these types of cookies work:

http://www.internetevolution.com/author.asp?section_id=787&doc_id=204643

mhhfive
IQ Crew
Thursday October 11, 2012 2:31:20 AM
no ratings

Maybe cookies need to have a level of encryption that they currently don't have to preserve the "same origin" rule more reliably? Are there no calls for more secure cookies?

Jason Mick
Thinkernetter
Wednesday October 10, 2012 4:12:03 PM
no ratings

@Jerry

Good points!

I like NoScript too... with it, Microsoft's cookie-reviving script could have been easily blocked.  Such things may seem like paranoia, but when you consider the magnitude and value of financial/trade secrets that a CFO or CTO holds, it's arguably justified.

Essentially some less scrupulous vendors have developed technologies to offer malware-like gains -- persistent tracking, overriding user settings -- in a way that's much harder to detect than traditional malware (as who really knows what's living in your Flash player's cache?).

I agree with you about privacy policies.  It is a matter of choice, but I think it's a good choice, in that you're letting customers/clients know you're doing your best to respect them.

Kim Davis
Thinkernetter
Wednesday October 10, 2012 3:49:43 PM
no ratings

Another big headache, for enterprise IT, but I guess it's best to be proactive about addressing it.

Jerry Bishop
Thinkernetter
Wednesday October 10, 2012 2:55:46 PM
no ratings

I am also a big fan of Do Not Track and the browser extensions Ghostery and Collusion to provide immediate notice of a site's tracker technologies. So I suppose that I should note that on IE's home page Collusion finds 16 trackers and Ghostery flags 8.

I will leave it to others to decide if the published Privacy Statement is an accurate description of these practices or not. I will say, this is something every organization should do given the increased attention that online privacy policies are receiving from regulators, consumers and competitors.

