Tracking data via HTTP cookies is nothing new, but supercookies -- the latest trend in tracking technologies -- have changed the rules of the game.
Most users have at least heard of tracking cookies, and all major browsers support some level of control over them. But most users don't even know when supercookies have invaded their systems. Supercookies collect far more data than traditional tracking cookies and are much more difficult to get rid of.
The term supercookies, or Flash cookies, is often used to refer specifically to the local shared objects (LSOs) created by the Adobe Flash plug-in. Users download the plug-in through their browsers to view Flash-based animations and videos. Once installed, Flash generates the supercookies in the form of files stored on their computers. The supercookies collect data similar to that collected by traditional cookies -- primarily personal browsing habits, such as what websites users visited and when those visits occurred.
But there are several significant differences between tracking cookies and supercookies. Supercookies are more persistent, more difficult to delete and more effective at tracking user data. In addition, supercookies can grow as large as 100 KB each, compared with 4 KB for a regular tracking cookie. Supercookies are also browser-independent, so they're still able to track user activity even if the user switches browsers. In fact, browsers can't even access supercookies because they're stored in folders not accessible to the browsers.
Unfortunately, avoiding supercookies is no easy task. A significant amount of Web content relies on having the Flash plug-in installed, yet users are never notified that supercookies are being created and tracking their browsing habits. In addition, the companies that implement the supercookies can access the data whenever users visit their sites. Those companies can then share that data with third-party organizations, without users ever knowing what hit them.
How supercookies threaten enterprise desktop security
Although tracking users' browsing habits might not seem in itself much of a security threat to the enterprise, supercookies take this tracking to a whole new level. Using Flash LSOs, an advertiser -- or a less-reputable entity -- can uniquely identify users and share those identities across domains, giving Flash the ability to read data on other domains, even if users have blocked all cookies and enabled private browsing.
In fact, supercookies can read tracking cookies -- including session cookies that contain authenticated content -- and store that information so that even if the cookies are deleted, the information is preserved. An attacker who gains access to the supercookie data, whether directly from the user or from the organization collecting that data, can use the information as a precursor to a social engineering attack that manipulates individuals into revealing even more confidential and secure data. From that data, the criminal can then infiltrate secure systems and network resources or introduce malware into those systems. The more cybercriminals can learn from the supercookie data, the more effectively they can target their attacks.
Controlling supercookies for better desktop security
Controlling supercookies on enterprise endpoints is no small task. The proliferation of Flash throughout the Web, plus the lack of user awareness, makes eliminating supercookies a daunting task. With people bringing their own laptops and other mobile devices into the enterprise and working on systems at home, the task becomes almost unmanageable.
What's worse, Flash LSOs represent only one type of supercookie. Attackers can use storage isolated by Silverlight to collect user data, as can ETags, which are HTTP identifiers used to validate cached data. And the next generation of supercookies -- the Evercookie -- takes tracking to even greater heights. The Evercookie can use a multitude of mechanisms to store user data in order to compile unique identities across domains. These mechanisms can include standard tracking cookies, supercookies, Silverlight-isolated storage, RGB values in PNG files, ETags and HTML 5 sessions.
There are no easy solutions to eliminating supercookies, but IT can take a few steps to help mitigate the threat:
- If possible, have users disable Flash altogether or until it's needed. Chances are this will be a tough one to pull of, given how many sites depend on Flash.
- Have users physically delete supercookies and isolated storage files. Some browsers now support add-ins that will delete supercookies automatically. For example, Mozilla Firefox supports the BetterPrivacy add-in, which removes supercookies from a system. In addition, more applications are now available that will eliminate supercookies, such as CCleaner or Flush.
- Have users set their privacy settings on Adobe's website on the Global Privacy Settings panel.
- Configure group policy to manage Flash. Consider using a product such as PolicyPack, which is a group policy extension that prevents Flash from being updated and blocks supercookie storage.
Not surprisingly, most of the methods to address supercookies are specific to Flash LSOs because they currently represent the predominant threat. But the industry is changing rapidly, so staying on top of this issue -- in terms of new forms of supercookies and the technology available to address them -- is the best defense IT has to protect the enterprise.
The good news is that lawmakers are seeking ways to crack down on the use of supercookies, and the Federal Trade Commission is going after those who misrepresent their use. Yet neither is a guarantee that unscrupulous attackers won't take advantage of the technology. Awareness of these threats is a good place to start, and any steps that can be taken against them is the better than no action at all.
ABOUT THE AUTHOR:
Robert Sheldon is a technical consultant and freelance technology writer. He's authored numerous books, articles and training material related to Windows, databases, business intelligence and other areas of technology. He has also published the novel Dancing the River Lightly and Ebook Now, a step-by-step guide to publishing ebooks. He's recently begun working on the 5-Spot ebook travel series. You can find more information at http://rhsheldon.com.
This was first published in March 2012