Cookie Forgery Tools: This is not Good News!

For years now, there have been two schools of thought about cookies: The paranoid and the pragmatic.

The paranoid school equates cookies with the devil and says that they should be exorcised at every opportunity. The pragmatic school says they're useful and harmless.

I've always straddled the fence on this one, judiciously keeping some and erasing others when I run my clean-up utility.

Now, it seems that some of us will never look at cookies the same way again, while other will be yelling, "We told you so!"

A pair of open-source tools that sniff network traffic for cookies, then use the data to feed those purloined files back to Web sites, will let hackers easily impersonate users, a security expert said yesterday.

The tools, dubbed "cookiesniffer" and "cookieserver" by Michele Dallachiesa, their Italian creator, pose a significant risk to users, said Paul Henry, a vice president at San Jose-based Secure Computing Corp.

"Simply put, cookies are now as susceptible as static passwords in the age of Web 2.0," said Henry in a posting to his personal blog on Monday. "With the release of [these] tools CSRF [cross-site request forgery] is nearing the Script Kiddie level of execution," Henry continued. "Beyond warning users to log off of sites before visiting another and clearing cookie data, serious consideration must now perhaps be given to rewriting Web apps to take advantage of the use of one-time tokens."

www.computerworld.com...

I'm not sure at this time how one might protect oneself from such an attack, except to delete all cookies immediately.

I'm not really sure what the implications are except that someone might be able to access my Amazon account or my bank account by hijacking my cookies, neither of which sounds like something I'd like to happen.

Also, there are some sites whose cookies I like to keep for all the important data they store to make my visits more convenient.

This might have the effect of dampening the enthusiasm about doing business online, something a lot of us have come to appreciate.


[edit on 2007/12/11 by GradyPhilpott]

I have been paranoid since the beginning.
I deleted it all, with bleach above supposed NSA recovery standards.

::shrug::

It's either that or I take a hammer to my hard drive everytime I am done online. But that would get a little expensive.

On a side note, I swear I read Skeptic say that he has NEVER deleted a single cookie since Al Gore created the internet(s). I would be interested on how he views this.

~B

I thought when I first opened it up, it was about Sugar Cookies and food. But yeah Cookies are nice, but the only way they can be used against you if you always check the "keep me logged in", on your bank web site or other areas. But yeah, Cookies have always been readably(?) to reading by other people with programs, but yeah just remember to delete the cookies from your website where you use personal information at. And hey Cookies are mostly harmless.

At the very least, this thread reminded me that I should probably do my regular cookie cleaning. Thats good.

I have always been very leery of cookies, but as I have created a few websites myself, I realized the benefits to them, if I could learn to do php better that is!

One thing that struck me about cookies is that they could always be used as 'one-time' tokens, but it is either the laziness of user or programmer (I don't know which, probably both) that you have the need for cookies, and then as result, 'suspicious cookies'.

These suspicious cookies are the ones that are from websites that more often than not, you have never visited (from ads perhaps?), that have a death date of like 2047. These seem to be the 'watchers' that see where you go, and help point ads to you. Sometimes the suspicious cookies come from sites that have no reason to use cookies, besides watching you. Maybe I am a bit off in my wording...

What I want is a program that acts like a funnel for all the stuff my computer tries to send out, but allows me to see what they are trying to send. I have used some firewall/sniffer programs, but I am to much of a 'creative type' that I don't really understand what it tells me. I want better understanding of how I am being watched/used by the system. Once again maybe I am wording things incorrectly.

Either way, I think that this announcement about cookiesniffing is the actualization of the paranoia about cookies we have always felt.
DocMoreau

I clean cookies the way I wipe my feet at the door. Every time. I may be just new enough to the web not to be lazy, but I'll take the extra effort to log in and put in whatever data I chose to return to a site. But the bottom line is that I'll do the deciding, each and every time. Even here.

Didn't anybody here read Hansel and Gretal? The wicked witch can follow you home and devour your information.

cookies cleaned, thanks for making me think.

[edit on 11-12-2007 by Animal]

Hmmmmm...cookies. One of our suppliers showed up at my office today with a tray of freshed baked cookies for Christmas. I gained eight pounds.

Actually I'm a bit confused about them at the moment. I run my spyware programs and find no spyware at all. Shouldn't that take care of them? Still, I know I have them because ATS always remembers me. (Like I could be hard to forget )

I run my cleaning programs and still, ATS remembers me.

There has got to be something I'm over looking. (besides logging out.)

Unless you are on a network then someone using a network sniffer is going to have to be on backbone or somewhere traffic is flowing. Isn't that going to be under the security of providers (ISPs) and the companies like ATT and others. So it still can happen but then all the network exploits apply also.

Cookies are needed to create sessions using HTTP (www sites). It is a stateless protocol so cookies save data between requests. Even erasing cookies won't help if someone gets the data out of it on its way to your computer (as mentioned in the article). You'll delete it after they have it.

This is the price we pay for the design of thin client / server setup of the web for commerce.

Originally posted by GradyPhilpott
I'm not sure at this time how one might protect oneself from such an attack, except to delete all cookies immediately.

While these new tools make such activity possible... in theory... is it probable?

"Sniffing" the traffic of a specific HTTP stream for a particular site... parsing the packets... identifying a user... getting cookie data... then acting on the data is a long road to travel.

This is really much more of a concern for e-commerce than normal every day browsing and web usage... and then, with e-commerce, the real transaction is via much more secure HTTPS.

Sorry. But I'm not seeing the big danger here.

-hrm-

This all seems rather odd.

Those "open" source "tools" were only just released into the wild yesterday. There are no confirmed reports from independent security analysts as to the effectiveness of the cookiesniffer and cookieserver. And yet, suddenly the very next day, a software firm with a vested interest in "cookie paranoia" is heavily quoted in an article about these tools on a website for a magazine with lots-and-lots of security software advertisers?


huh?

Originally posted by roadgravel
Unless you are on a network then someone using a network sniffer is going to have to be on backbone or somewhere traffic is flowing. ....

You've just described everyone on a cable modem. The only question is how large the "block" of people they share their bandwidth with.

reply to post by SkepticOverlord


The problem is that frequent web surfers compile thousands of cookies. If any one of those cookies is malicous it could cause untold damage to not only a persons computer, but also their wallet and identity. I find it ironic that the guy who helped put this conspiracy site together, thinks it is ok to make money by arranging for unsolicited content to be put on its readers computers. How much more Big Brother can you get?

I don't really blame you as you need to make a buck, but this internet model will not work for the long term. Does anyone allow popups anymore? It won't be long until everyone blocks all but the most essential cookies. The internet will eventually be like cable. If ATS is not in your plan and you come to this site, you would then be given the option to add ATS, for let's say $.25 a month or something along those lines. I'm sure people would give up a little choice to avoid seeing these repetitive ads all over the screen.

Well, we can all hope that e-commerce will be all over this insofar as they have the most to lose over a mass hysteria reaction.

I realize that these tools are new and that probably it will be awhile before anyone exploits them, but when they say that these tools are simple enough to use that "script kiddies" will have no problem employing them, then I think that should send shivers up anyone's spine.

Anyway, there's not really much that any of us can do except exercise good web hygiene and hope for the best.

Originally posted by SkepticOverlord

Those "open" source "tools" were only just released into the wild yesterday. ... suddenly the very next day, a software firm with a vested interest in "cookie paranoia"...

Nice catch.

Just before joining ATS I started enjoying my online experience much better after I let go of some paranoia and took the plunge (which included joining a conspiracy site) and went with a cable modem (a firewhat?).

I still have AV software and regularly run crap cleaner and ad-aware (especially after banking or doing something financial) but I figure if someone wants to know my surfing habits bad enough they will get them no matter how hard I agonize over it or try to fight it.

Now I'm careful but not as fanatic as I used to be. You'd think spending too much time of ATS would have the opposite, effect but it doesn't.
.

I* use firefox, and I use adblock plus on firefox, no cookies, and NO ADS, it's great and my pages load faster.

I suppose I could use an open source Text browser to get the same effect

It the data is moved using HTTPS it is encrypted. Ecommerce uses HTTPS.

The cookies that are plain text (HTTP) most likely won't have bank accounts, etc. It might mean a user/password for a forum,etc could be intercepted. The average script kiddie isn't going to have access to the traffic get gather data. May be someone in your office might have access but not most parts of the internet.

Originally posted by thedigirati
I* use firefox, and I use adblock plus on firefox, no cookies, and NO ADS, it's great and my pages load faster.

I suppose I could use an open source Text browser to get the same effect

According to ATS rules you can get banned for blocking cookies and ads.
Edited to add: And for one line post.

[edit on 11-12-2007 by disgustedbyhumanity]

At some point I used to make my web browser ask every time whether i wanted to accept the cookie or not (who wouldn't ), however, this proved ineffective as you are bombarded with tons of cookies from advertisements, so a better and more effective way was to set the browser to only accept cookies from the site I visit. Like our mothers always told us not to accept cookies from strangers

well if those programs are included in a rootkit...

You can't do anything these days without someone messing things up. What is wrong with people? I can't understand the mindset of those who make trojens,worms, viruses, and everything known to man in order to make life a little bit more f***ed up.

reply to post by cloakndagger


it's those very same people who's skills are used for good as well as evil. Exposing disinfo agents getting access to information.

Much like a gun.