Sunday, November 9, 2014

Cellphone supercookies

Verizon and AT&T are adding ‘supercookies’ to your cellphone browsing.

Cookies do not come from Keebler. They are small files that a website asks your browser to hold and hand back whenever the site asks for them. When they were conceived, soon after the birth of the Web, they were an innocuous means for a web server to remember what you, among the hundreds of people who may be browsing its pages, are doing. Since then clever programmers have found valuable and sinister ways to use cookies. In response, users and browsers took steps that block not just bad cookies but good ones too, and the arms race continues.

Thus is born the supercookie, which does not reside in the browser. Generally it is some form of fingerprinting of specific characteristics of your computer. It is easy for a web server to ask the browser to report the plug-ins and fonts it knows about, along with CPU capability and screen resolution, among other features. It will use these statistics to better customize the web page, graphics, and video it sends you. A half-dozen pieces of information uniquely identify me out of over 4.5 million computers. The website can then collect this information in a database correlated with personal facts it already knows about you.
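How "a half-dozen pieces of information" comes to single out one browser is easier to see with numbers. The following is an added example, not code from the blog post: it scores a constructed population of browser fingerprints (the attribute names, values and the eight browsers are made up for illustration) with the measure fingerprinting studies use. A value shared by k of N browsers carries log2(N/k) bits of identifying information, and about log2(N) bits are enough to pick one browser out of N, so the 4.5 million figure in the paragraph corresponds to roughly 22 bits.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample population (not real telemetry): one tuple per browser,
# attribute order as in FIELDS.
FIELDS = ("user_agent", "screen", "timezone", "fonts", "plugins")
POPULATION = [
    ("Firefox/33 Win", "1920x1080", "UTC-5", "fontsA", "flash,java"),
    ("Firefox/33 Win", "1920x1080", "UTC-5", "fontsA", "flash"),
    ("Firefox/33 Win", "1366x768",  "UTC-5", "fontsB", "flash"),
    ("Chrome/38 Win",  "1366x768",  "UTC-5", "fontsB", "flash,pdf"),
    ("Chrome/38 Win",  "1366x768",  "UTC-8", "fontsB", "flash,pdf"),
    ("Chrome/38 Mac",  "1440x900",  "UTC-8", "fontsC", "pdf"),
    ("Safari/7 Mac",   "1440x900",  "UTC-8", "fontsC", "quicktime"),
    ("Safari/7 Mac",   "2560x1600", "UTC+1", "fontsC", "quicktime"),
]


def project(fingerprint, fields):
    """Keep only the named attributes of one fingerprint."""
    return tuple(fingerprint[FIELDS.index(f)] for f in fields)


def surprisal_bits(population, fields, fingerprint):
    """Identifying information in this browser's values for `fields`:
    log2(N / k), where k of the N browsers share exactly these values."""
    key = project(fingerprint, fields)
    k = sum(1 for fp in population if project(fp, fields) == key)
    return math.log2(len(population) / k)


def entropy_bits(population, fields):
    """Shannon entropy of the attribute combination: the average surprisal
    across the population, i.e. how much a tracker learns on average."""
    n = len(population)
    counts = Counter(project(fp, fields) for fp in population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def unique_fraction(population, fields):
    """Share of browsers that are the only one with their combination of values."""
    counts = Counter(project(fp, fields) for fp in population)
    unique = sum(1 for fp in population if counts[project(fp, fields)] == 1)
    return unique / len(population)


def bits_to_single_out(n_browsers):
    """Bits a tracker needs to tell one browser apart from n: log2(n)."""
    return math.log2(n_browsers)


def smallest_unique_set(population):
    """Smallest attribute combination under which every browser in the
    population is unique (None if even all attributes together are not enough)."""
    for size in range(1, len(FIELDS) + 1):
        for combo in combinations(FIELDS, size):
            if unique_fraction(population, combo) == 1.0:
                return combo
    return None


if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:11s} entropy {entropy_bits(POPULATION, (f,)):.2f} bits, "
              f"unique {unique_fraction(POPULATION, (f,)):.0%}")
    print("all fields together unique:", unique_fraction(POPULATION, FIELDS))
    print("smallest identifying set:", smallest_unique_set(POPULATION))
    print("bits needed for 4.5 million browsers:",
          round(bits_to_single_out(4_500_000), 1))
```

In this constructed population no single attribute identifies anyone, but three of them together already make every browser unique; that is the whole point of combining innocuous-looking attributes, and it is why the EFF test linked below reports its result in bits.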

Recently the popular press has picked up on another type of supercookie being fed to us by the cell carriers. Verizon has acknowledged that it has added this “feature” since 2012, and it has also shown up in tests of AT&T phones. The technique relies on the fact that your cell carrier, like any ISP, is a man in the middle for everything you send out on its network. In this case, it is adding a text identifier to every HTTP transmission you send over cellular data; the identifier is not included if you connect via WiFi.

Verizon’s goal was to allow websites, for a fee, to send it your code and receive some of the plethora of personal data Verizon knows about you. This could include details such as your demographics, phone number, and which store you just walked into at the mall. Unfortunately for Verizon, because the ID is included whether the website subscribes or not, the website could just as easily build its own dossier on that ID. The ID is still attached to your browsing even if you opt out of allowing Verizon to sell your data.

The only way to block this identifier is to send all of your communications on the cellular network through an encrypted channel. They cannot attach the ID to HTTPS browsing. Fortunately, major social networking sites such as Facebook, Google, and Twitter use HTTPS all the time. For all the other websites you might visit, your only recourse is to install and use a VPN.

Although Verizon is the only carrier to admit that it includes and is monetizing this ID, the technology is available to every cellular company, ISP, or public access site.
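The two halves of the post, a man in the middle adding a header to plaintext HTTP and an encrypted channel preventing it, can be modelled in a few dozen lines. This is an added example, not code from the post or from any carrier: the header name X-Tracking-ID is a constructed placeholder (the real header is not named on the page), the request is constructed, and the "tunnel" is a keyed MAC over the request standing in for the integrity protection of TLS or a VPN (those also encrypt; only the integrity part is modelled). The injected_headers check is the logic behind the echo-test sites the press used: compare what the browser sent with what the server received.

```python
import hashlib
import hmac

INJECTED_HEADER = "X-Tracking-ID"   # constructed placeholder header name
TUNNEL_KEY = b"constructed-demo-key-not-a-real-secret"  # stands in for TLS/VPN session keys
TAG_LEN = 32


def parse_request(raw):
    """Split an HTTP/1.1 request into (request line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_request(request_line, headers, body):
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def carrier_proxy(raw, subscriber_id):
    """Plaintext HTTP: a man in the middle can parse the request and append a
    header tied to the subscriber before forwarding it to the website."""
    request_line, headers, body = parse_request(raw)
    headers.append((INJECTED_HEADER, subscriber_id))
    return serialize_request(request_line, headers, body)


def injected_headers(sent_raw, received_raw):
    """Echo-test check: header names the server received that the client never sent."""
    sent = {name.lower() for name, _ in parse_request(sent_raw)[1]}
    return [name for name, _ in parse_request(received_raw)[1]
            if name.lower() not in sent]


def seal(raw, key=TUNNEL_KEY):
    """Stand-in for an integrity-protected tunnel: append a MAC over the bytes."""
    return raw + hmac.new(key, raw, hashlib.sha256).digest()


def open_sealed(blob, key=TUNNEL_KEY):
    """Receiver side: return the request only if nothing was altered in transit."""
    raw, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    return raw if hmac.compare_digest(tag, expected) else None


def carrier_proxy_on_tunnel(blob, subscriber_id):
    """Without the tunnel key the carrier cannot parse or re-sign the request;
    the most it can do is splice bytes in, which the receiver then rejects."""
    return blob + f"\r\n{INJECTED_HEADER}: {subscriber_id}".encode()


# Constructed request, as a phone's browser would send it over cellular data.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: MobileBrowser/1.0\r\n"
           b"Accept: text/html\r\n\r\n")

if __name__ == "__main__":
    tampered = carrier_proxy(REQUEST, "subscriber-42")
    print("added over plain HTTP:", injected_headers(REQUEST, tampered))
    print("tunnel intact:", open_sealed(seal(REQUEST)) == REQUEST)
    print("tunnel after tampering:",
          open_sealed(carrier_proxy_on_tunnel(seal(REQUEST), "subscriber-42")))
```

The same comparison explains the WiFi observation in the post: a request that never crosses the carrier's network never passes through carrier_proxy, so nothing is added.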

Steve Gibson’s Security Now
  • The entire podcast:
  • His show notes and other text:
Wired Magazine describes the process
My articles on cookies
EFF fingerprint test
Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at
(cc) 2014- Bill Barnes - Disclaimer - Home Page - Blogs Home

Sunday, October 5, 2014

The slippery slope

I fell into a well. I knew it was there. The field is pockmarked with many wells and I knew they were out there. Some are camouflaged while others have a big sign that says “jump in here!” Some of the shallower ones are actually more dangerous.

The well I landed in is one of the deepest, but, hopefully, one of the less dangerous. Even so, I caught myself near the top and set a bosun’s chair, but it keeps slipping farther down the well.

The well is called an ecosystem and its purpose is to ensure that once you are in one company’s ecosystem, you will consume more and more of their products to the exclusion of their competitors.

In personal computing the first serious ecosystem competition was Apple vs. Microsoft. Once you made a commitment to one operating system or the other, your choice of software was pretty much determined, with little overlap. With the arrival of broadly available online connectivity, the battle was between networks such as AOL and CompuServe, which initially couldn’t even exchange email. Now the competing ecosystems are the likes of Amazon and eBay for merchandise and Facebook and Google for everything else.

Why does business need an ecosystem? It’s branding to the nth degree. When I was growing up, you were either a Chevy or a Ford person. Later it was Coke or Pepsi. Loyalty to a name could ensure prosperity for a company, independent of the quality of the product. Now it’s “do you live on a wall or in a hangout?”

Say you want an e-reader with a broad and reliable supply of books. You download the Kindle apps and register for an account to buy books and synchronize your desktop reader with your phone’s. With the next best seller you buy: “you can get the Audible version too for $3.” And, “this book was made into a movie – watch it on Prime.” Later you need a toaster for a cousin’s wedding; order from Amazon because you get free shipping. That’s an ecosystem.

The ecosystem I fell into is Google. Beware the credo of the internet that “if you can’t figure out what the website is selling, you are the product.” Google delivers us to its advertisers. More than that, it delivers our profile to its advertisers.

Early in the commercialization of the web, online advertising was like magazine advertising. A site might attract sci-fi junkies or wine aficionados, but if one person moved from one site to the other there was no way to know it was the same person. Then along came DoubleClick. They realized that if everyone carried ads from them, they could read their own cookies regardless of who owned the content. Then they would know that I drink wine, watch Doctor Who, and am also shopping for a snowmobile. So I get skiing ads on Wine Spectator and Comic-Con ads at Eddie Bauer.

Google’s got a pot of money and is looking for synergistic businesses to buy. So they pick up DoubleClick and then YouTube (lots of interest-specific profiling to do there). Hop over to their core product and what takes up the prominent position in any search? Ads. Ads that not only apply to your current search, but also all of your web surfing.

They also created an email service where people spend lots of time, and they provide a pretty decent online office suite. Of course, to use those personalized services, you have to sign in to their system. For convenience, one sign-in gives you access to all these services, and if you leave the “keep me signed in” box checked you don’t even have to enter your password every time you restart your browser. Now your searches are tied not just to an anonymous cookie but to you, with a detailed profile including a name, email address, chronic diseases, and more. Don’t worry, Google’s motto is “Don’t be Evil.”

How do I cope with the ecosystem?

I take the effort to uncheck “keep me signed in” and try to remember to sign out when I’m done. I avoid logging into other sites while logged into high value sites (financial or personal information). I have four browsers and never sign in to any account from two of them. I seek out my browser’s configuration to ensure “do not track” is enabled and third party cookies are disabled. I also set all cookies to be cleared when I close the browser – but that can be a real nuisance sometimes. I use the Firefox plugins Ghostery to alert me who (besides the site I actually went to) is watching what I do and NoScript to ensure those third parties can’t sneak malicious or tracking code onto the pages I’m viewing.
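The DoubleClick mechanism described earlier, and what the “third party cookies disabled” setting mentioned here changes, can be shown with a small model. This is an added example, not code from the post or from any browser: the hostnames are constructed, the ad network is constructed, the domain check is a crude last-two-labels version of what real browsers do with the Public Suffix List, and the blocking rule (refuse to set and to send cookies in a third-party context) is a simplification of the browser settings of the time.

```python
def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Enough for the constructed hosts here;
    real browsers consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


class Browser:
    """Cookie jar model: a cookie is scoped to the domain that set it, not to
    the page that was open at the time. That scoping is what lets one ad
    network recognise the same browser on unrelated sites."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}   # (cookie domain, name) -> value

    def is_third_party(self, page_host, request_host):
        return registrable_domain(page_host) != registrable_domain(request_host)

    def cookies_for(self, page_host, request_host):
        """Cookies attached to a request to request_host while viewing page_host."""
        if self.block_third_party and self.is_third_party(page_host, request_host):
            return {}
        domain = registrable_domain(request_host)
        return {name: value for (d, name), value in self.jar.items() if d == domain}

    def store(self, page_host, request_host, name, value):
        """Apply a Set-Cookie from request_host's response; False if refused."""
        if self.block_third_party and self.is_third_party(page_host, request_host):
            return False
        self.jar[(registrable_domain(request_host), name)] = value
        return True


class AdServer:
    """Constructed ad network embedded on many sites. It logs every page view
    under whatever id its cookie carries, issuing a new id when it sees none."""
    host = "ads.adnet.example"

    def __init__(self):
        self.log = {}      # ad id -> pages it was seen on
        self.issued = 0

    def serve(self, browser, page_host):
        ad_id = browser.cookies_for(page_host, self.host).get("adid")
        if ad_id is None:
            self.issued += 1
            ad_id = f"id{self.issued}"
            browser.store(page_host, self.host, "adid", ad_id)   # may be refused
        self.log.setdefault(ad_id, []).append(page_host)
        return ad_id


SITES = ("wine.example", "comics.example", "outdoor.example")   # constructed


def browse(block_third_party):
    """Visit each site once with the ad network's script on every page and
    return the profile the ad server ends up holding."""
    browser, ads = Browser(block_third_party), AdServer()
    for site in SITES:
        browser.store(site, site, "session", "s-" + site)   # the site's own cookie
        ads.serve(browser, site)
    return ads.log


def first_party_still_works(block_third_party):
    """The setting must not break the cookies the site you visited sets itself."""
    browser = Browser(block_third_party)
    browser.store("wine.example", "wine.example", "session", "s1")
    return browser.cookies_for("wine.example", "wine.example") == {"session": "s1"}


if __name__ == "__main__":
    print("third-party cookies allowed:", browse(False))
    print("third-party cookies blocked:", browse(True))
```

With the setting off the ad server ends up with one id and all three sites against it; with it on, every view gets a fresh id that links to nothing, while the sites' own session cookies keep working. Blocking third-party cookies does nothing against the fingerprinting discussed in the supercookie post, which is why the author adds Ghostery and NoScript on top.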

By the way, if you carry a smartphone, you’re permanently in Google’s or Apple’s ecosystem (or Microsoft’s for a couple of you). This is in addition to Verizon’s and AT&T’s ecosystem, or whoever your carrier is, which has been true as long as there have been portable phones. You might also be in Samsung’s or Amazon’s or HTC’s ecosystem if the phone manufacturer chooses to watch over you for more than system upgrades.

If you’ve installed an app from Facebook, Twitter, or a myriad of others, they also could be watching over you even if you’re not actively using the app. And now some retailers and entire malls have technology that can identify the radio signals your phone is constantly putting out to track you from sweaters to socks or from Gap to Banana Republic to Sears Automotive.

The only way to stay out of the well is to stay out of the field. But we know that means living in the 20th century. Why did we so expectantly await the future?

NOTE: Products and companies are named as representative. It is not my intention to imply any one person or company is better or worse than any other.


Tuesday, April 29, 2014

The power of notoriety

Heartbleed and you
See also “If you really want to keep your Windows XP” (April 2014).

Just after I posted my item on The Second Factor (1), I saw a syndicated story under the heading of “Double-layer passwords offer additional protection online.” It started out “If the Heartbleed security threat teaches us anything, it’s that passwords don’t offer total protection.” (2)

While that was a good article on why and how multi-factor authentication is valuable, its reference to Heartbleed was as valid a lead as a picture of a scantily-clad model.

Don’t get me wrong. Both topics are important considerations for your security online. But I haven’t seen any clear lay explanation as to the risk and impact of Heartbleed on the ordinary user.

First the technical details. Heartbleed was a flaw in OpenSSL, a cryptographic library used by many web servers, from 2012 until April 9, 2014. Depending on whom you listen to, this flaw could have affected between 66% and 17% of all websites on the internet. I’m inclined to lean toward the lower number.(*) But this is still serious, since the count is of sites, which included the likes of Google and Yahoo.

Due to the high risk from the flaw, the OpenSSL team issued a patch within 72 hours of being notified, and in less time from any broad awareness. Most of the larger secure sites applied the patch immediately. In fact, I first became aware of the flaw when I started getting notices from my banks that they either had never been vulnerable or had already patched their systems.

What does Heartbleed do? The flaw allows a hacker to induce the server to send him the contents of a small portion (64 kilobytes) of its memory (remember that a webserver will have 8-64 gigabytes of memory). The affected memory would contain random bits of the server’s recent activity.

This memory could be the contents of its own webpages which anyone could view. It could be the computer language instructions to manage the website. It could also be bits of the conversation between your browser and the server that establishes your secure connection in advance of telling your bank to pay a bill.

All the hacker has to do is get the same server to send him a few thousand 64 KB downloads. Then he has to scan through the mostly binary data for the flecks of gold that are recognizable. Once found, he has to refine those flecks into real knowledge that he can exploit for value. (If that sounds tedious, all of the tasks can be automated.)
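The mechanism described in the last three paragraphs, a length field that the server trusted instead of checking, is simple enough to model. The following is an added example, not OpenSSL’s code and not from the post: a toy server with a constructed memory layout (a public page, the buffer the incoming message is copied into, and constructed leftovers from other connections) handles a TLS heartbeat message, which carries a 16-bit payload length and is supposed to be echoed back. The vulnerable version copies as many bytes as the message claims; the fixed version applies the check the patch added, that the claimed payload plus its padding must fit inside the bytes actually received.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16   # a heartbeat message ends with at least 16 bytes of padding

# Constructed process memory: a public page, then the 64-byte buffer the
# incoming heartbeat is copied into, then data left over from other connections.
PUBLIC_PAGE = b"<html>public page</html>"
BUFFER_SIZE = 64
OTHER_DATA = (b"Cookie: session=9f3c-constructed; user=alice\r\n"
              b"-----BEGIN PRIVATE KEY----- (constructed) -----END PRIVATE KEY-----")
MEMORY = PUBLIC_PAGE + b"\x00" * BUFFER_SIZE + OTHER_DATA
BUFFER_START = len(PUBLIC_PAGE)


def build_heartbeat(payload, claimed_length=None):
    """Heartbeat request: type (1 byte), payload length (2 bytes), payload, padding.
    `claimed_length` lets the length field disagree with the payload actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING


class HeartbeatServer:
    def __init__(self, memory=MEMORY):
        self.memory = bytearray(memory)

    def _receive(self, record):
        """Copy the incoming record into its buffer; return where it landed."""
        self.memory[BUFFER_START:BUFFER_START + len(record)] = record
        return BUFFER_START

    def _respond(self, offset, length):
        """Echo `length` bytes starting at the payload; this copy is identical in
        both versions, only the validation before it differs."""
        start = offset + 3
        payload = bytes(self.memory[start:start + length])
        return (struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload))
                + payload + b"\x00" * PADDING)

    def vulnerable_heartbeat(self, record):
        """Pre-fix behaviour: the length field is trusted, so a 21-byte request
        claiming a 200-byte payload copies 200 bytes of whatever follows."""
        offset = self._receive(record)
        _, length = struct.unpack("!BH", record[:3])
        return self._respond(offset, length)

    def fixed_heartbeat(self, record):
        """Post-fix behaviour: type + length + payload + padding must fit inside
        the bytes actually received; otherwise the message is dropped silently."""
        offset = self._receive(record)
        if len(record) < 3 + PADDING:
            return None
        _, length = struct.unpack("!BH", record[:3])
        if 3 + length + PADDING > len(record):
            return None
        return self._respond(offset, length)


def response_payload(response):
    """Payload echoed back in a heartbeat response."""
    _, length = struct.unpack("!BH", response[:3])
    return response[3:3 + length]


if __name__ == "__main__":
    server = HeartbeatServer()
    over = build_heartbeat(b"hi", claimed_length=200)
    print("vulnerable:", server.vulnerable_heartbeat(over)[3:80])
    print("fixed:", server.fixed_heartbeat(over))
    print("honest:", response_payload(server.fixed_heartbeat(build_heartbeat(b"ping"))))
```

The model also shows why the post says the leak is “random bits of recent activity”: what comes back is simply whatever happened to sit after the buffer, so repeated requests return different fragments as the process reuses memory, and why the fix is a single bounds check rather than any change to the protocol.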

What is the risk to you? It’s possible those flecks of gold may include your account name and password. But if the hacker’s goal is passwords, that’s an inefficient way to get them. Every week credentials are being stolen in million-account lots through other security lapses and flaws.

A far more valuable nugget to look for is the web server’s private key, the master key to all its SSL/TLS communications. If a hacker has this, he can create a fake website that your browser will accept as authentic. Then he can execute a perfect phishing or man-in-the-middle attack against any visitor to his bogus site. He can also decrypt previously recorded “secure” traffic to most sites. Of course, the latter two attacks require that the hacker either be in the middle or have access to previously recorded internet traffic.

What should you do? Unfortunately, because of how the flaw works, there is no way to know whether a specific site has, or has not, been hacked. If a site you use has advised you that it has eliminated any risk from this flaw, you should change your password for that site. Take this opportunity to use a strong and unique password for each of your high-value web accounts. If available, enable 2-factor sign-on to reduce the possibility of an account being hijacked.

Once a site has been patched, it should have obtained a new SSL certificate and revoked its old, compromised certificate. Unfortunately, as of this writing, there is no reliable way to ensure that you aren’t accepting a stolen certificate. Some browsers, maybe with some deep settings, will warn you that a certificate has been revoked. There is one site (3) that will test whether your browser properly recognizes a revoked certificate. It is the one known website that will actually serve you a revoked certificate; if you go to it, you should receive an error. If your browsers test good and give you the error, you can read more about revocation at (4).

There’s more at risk than just websites. Although I have not seen an authoritative list, SSL is by far the dominant method of protecting electronic communication on the internet. Potentially vulnerable services run the gamut from a sophisticated private VPN to heavily used consumer cloud storage services. They could also include the likes of email, chat, and VoIP, or routers both for home use and for controlling the internet.

Unfortunately, many of these services are either embedded deeply into the technology or are never managed again after the original configuration. They will be patched slowly or not at all.

Fortunately, as the variety of vulnerable programs increases, the number of users of each one shrinks. If the host in a peer-to-peer network serving two nodes is invaded, it could be devastating for those two, but it will not affect anyone else.

As with the count of potentially vulnerable web servers, many of these services are not at risk from Heartbleed because their communications are not encrypted in the first place. Your chat, email, and cloud backups have been coursing through the internet as plain text, easily readable by anyone with a tap on the line – and I don’t mean just governments.

Bill Barnes with Dewey Williams, PCCC

(*) The reported risk to 66% of all websites refers to the number of websites that are running webservers that might use OpenSSL. These are primarily the programs Apache and nginx.
This number has to be reduced by the large number of websites that don’t even offer SSL. Again subtract the number that did not install the affected versions of OpenSSL and you get a much lower percentage of the Web. However, with websites worldwide numbering in the nine digits, whether the affected percentage is 30% or 10%, it’s still a huge number. (5)

(1) Blog post “The Second Factor”.
(2) AP article “Double-layer passwords …” read in The Charlotte Observer.
(3) Test website for a revoked certificate.
(4) Explanation of revoked certificates. (also on podcasts referenced below)
(5) The number of websites truly at risk.

More references
An early announcement on Heartbleed.
Text and podcasts on Heartbleed.


Sunday, April 27, 2014

The Second Factor


Sometimes when creating or logging into an online account the system will ask for a phone number or a second email address. Recently my users are asking me “why do they want that?” One user ignored the request so many times the system locked her out of a portion of her account until she provided it.

This alternate point of contact is called second-factor authentication and is a means for the website to verify that you are the person who signed up for the account. It is similar to your bank asking for the last digits of your Social Security number or the doctor’s office wanting your date of birth. These are bits of information that they know came from you and that should be different from anyone else who might share your name or other primary login.

This is not the same as when a website shows you a picture of the Statue of Liberty or a Corvette after you’ve logged in. With that the website is proving its identity to you because an imposter would not know which picture you are expecting. Second factor authentication allows you to prove you are you to the website.

If the website offers a second factor, it’s a good thing. Imagine that someone looking over your shoulder stole your password. They could then log in as you and change your settings so that you no longer get notifications from the site. If it were a shopping site with a memorized credit card, you might not know what they are buying until you get the bill.

Typically the second-factor system will send you a one-time code that you must enter before proceeding. Check your email, type the 4-6 digits or click a link, and you’re in. Often it will set a cookie in your browser so that it doesn’t inconvenience you even that much every time.

Ideally, the second factor should be delivered out of band – that is, through a different network than the one you used for your first factor. An excellent option is to send you the code for a website by text message or voice telephone. If, instead of looking over your shoulder, someone stole your computer, he might have access to your email as well as the website.

Second factor is more reliable than asking how many sisters you have or which high school you went to. Someone who’s gone to the trouble of stealing your identity could also find out that information. Instead it relies on responding with unique real-time information delivered to a device you would likely not lose at the same time as losing your computer.

If you provided the second factor channel (such as your cell phone number) at the time that you created the account, there is no way it could be hijacked. You’re well on your way to accomplishing the triumvirate of identity: something you know, something you have, something you are. That is: your logon and password (both something you know), your cell phone or a dongle (something you have), and your biometrics (like a fingerprint reader).
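What the website does on its side of the one-time code described above (generate it, send it out of band, check it, and optionally remember the browser with a cookie) looks roughly like the following. This is an added example, not code from the post or from any particular site: the in-memory dictionaries stand in for a database, the clock is injectable so expiry can be tested, the 6-digit length, 5-minute lifetime and 5-attempt limit are assumed values, and sending the code to a phone is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: the "4-6 digits" of the post, at the long end
CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is voided


class SecondFactor:
    """Server side of an out-of-band one-time code."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.secret = secrets.token_bytes(32)   # server-side key for hashing codes
        self.pending = {}      # user -> [keyed hash of code, expiry, attempts left]
        self.remembered = {}   # user -> {keyed hash of browser token: expiry}

    def _digest(self, user, value):
        """Keyed hash so that a leaked table does not reveal live codes or tokens."""
        return hmac.new(self.secret, f"{user}:{value}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Create a fresh code for the caller to deliver by text or voice call.
        Only its keyed hash is kept; issuing again replaces any earlier code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = [self._digest(user, code),
                              self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, code):
        """Accept a submitted code once: it must exist, be unexpired and match
        (compared in constant time); too many wrong guesses void it."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expiry, _ = entry
        if self.clock() > expiry:
            del self.pending[user]
            return False
        if not hmac.compare_digest(digest, self._digest(user, code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[user]   # the user must request a new code
            return False
        del self.pending[user]           # single use
        return True

    def remember_browser(self, user, days=30):
        """After a successful second factor, return a cookie value for this
        browser so it is not challenged again until the value expires."""
        token = secrets.token_urlsafe(32)
        expiry = self.clock() + days * 86400
        self.remembered.setdefault(user, {})[self._digest(user, token)] = expiry
        return token

    def browser_is_remembered(self, user, token):
        expiry = self.remembered.get(user, {}).get(self._digest(user, token))
        return expiry is not None and self.clock() <= expiry


if __name__ == "__main__":
    sf = SecondFactor()
    code = sf.issue("alice")
    print("would send by SMS:", code)          # never shown to the browser
    print("wrong code accepted:", sf.verify("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
```

Two details carry the security argument of the post: the code is delivered on a channel the server chose when the account was created, so a stolen password alone is not enough, and it is short-lived and single-use with an attempt limit, so a 6-digit number cannot simply be guessed.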


Saturday, April 5, 2014

If you really want to keep your Windows XP

These tips are in no particular order. Note that some tips may require also following other tips that might come after or before them.
  • Always log on as a Limited User unless you absolutely must update some software.
    Lack of administrator rights blocked over 90% of the Windows OS* malware in 2013.
  • Keep all your software and applications up to date. Make a list of programs that need regular updates and check for updates at least monthly.
  • Don’t use Internet Explorer; install the latest versions of Opera, Chrome, or Firefox.
  • Install and use the NoScript and Ghostery plugins for Firefox.
  • Uninstall Java. At the very least, disable it in all browsers.
  • Uninstall or restrict use of Adobe products. A recommended alternate PDF reader is Sumatra (I have not used it). Use the built-in readers in Chrome or Firefox instead of a plugin. 
  • If downloading an Office document, preview it in a viewer instead of the full program. Disable any macros.
  • Uninstall Microsoft Security Essentials and use a 3rd party antivirus such as the free options from Avast, AVG and others.
  • Upgrade to Microsoft Office 2007 or newer. Better still, move to a non-Microsoft suite.
  • Upgrade to Internet Explorer 8 (the highest level that works with XP).
  • Don’t access the internet (including email) from your XP computer. Don’t install unknown software downloaded from the internet by other computers.
  • If you must browse the web, restrict the ability of malware to get to you:
    • Ensure you are behind a router – the first-line firewall – and that Windows firewall is active.
    • Configure your email reader to display only text – no pictures or links.
    • Use Firefox with NoScript. Learn the controls in NoScript and don’t casually allow everything.
    • Browse only to sites you are familiar with.
  • If you must use email on XP, restrict the ability of malware to get to you:
    • Use webmail. In particular, Gmail online is practically immune to transmitting malware to your system.
    • Use a mail client other than Outlook or Outlook Express.
    • Configure your mail client to display messages as “text only.”
    • Do not open email attachments or follow links until you have independently verified with the sender they are benign. Read our article on evaluating an email.
  • Shut your computer off when not using it.
    You may discover you have very little need for XP. Plus, older computers are less efficient and you’ll save on your energy bill. 
* Logging on as a Limited User will block most malware that attacks flaws in, and installs to, the Windows operating system. This does not include malware that attacks flaws in individual programs such as Java, email, Microsoft Office, or .pdf documents.

Additional References
Some of these references are documents and must be downloaded and viewed in their program. Yes, they're safe for XP.
PC Club of Charlotte’s original presentation,266.0.html and

Security researcher Steve Gibson’s comments: (first page) and
