In part one of this series, I explored the privacy threats presented by targeted advertising, and asked why we should care. Browser referral, social media buttons and cookies were examined as examples of basic methods used to track our movements across the internet. I also explored why advertisers track us, and examined browser …
I never realised things were so confusing and complicated, so this was very interesting. However I have to point out the writer has a real bee in their bonnet about Java, and that rant is rather bizarre.
Yes a rant
The problem with Java according to the evidence presented seems to be poor auto-updating and a large install base of old versions so that old and vulnerable versions of Java are frequently available for exploit.
This is a real problem for the internet as a whole but not an indication that up-to-date versions are inherently less secure than up-to-date versions of other plug-ins.
I must be missing something...
I've developed Java Applets, and Java Web Start apps, and I thought they did run in a sandbox, and could only do something dangerous if it was signed with a certificate backed by a trusted CA (ok, ok, recent events make this somewhat less than meaningful) and the user accepts the certificate when prompted.
And what to do when https certificates for your company's webmail, and even some sun/oracle sites throw up warnings. You get so used to saying yes because you know the site is ok, that one day you'll be caught out by another site...
Agree about the anti-java rant. It would have been more meaningful if it had been backed up by examples.
I assume he is in the pay of a competitor, probably Microsoft rather than Apple - even though Silverlight is briefly mentioned as another stanchion of the evercookie, and I didn't notice Android coming into it.
(Android stinks of Java, you know! And it killed Steve Jobs! But, if you're Microsoft, that part's good!)
A fully up-to-date Java probably isn't a much bigger threat than an up to date flash. But the problem is that java is often not updated! It is usually less up-to-date than flash, in many cases due to compatibility with critical applications.
During 2010, java exploits skyrocketed. Many researchers claimed they had in fact surpassed flash's astounding list of vulnerabilities. Sandboxed (in theory) or not, Java has become THE way to use an exploit to drop malware on a windows PC.
If there is enough interest, I'd be happy to write a quick summary article talking about the research. Suffice it to say that no, I'm not a paid shill for anyone here - why would Microsoft, aspiring cloudmongler of extraordinaire – hire a sysadmin? They are busy spending billions trying to ensure my kind are completely unnecessary!
I am willing to bet that Silverlight, Flash and Java have a roughly equal number of bugs with roughly equal severity per line of code. The issues that lead to their risk level are a combination of distribution and patching.
As discussed above, Java is the one that is least updated amongst the bunch, and who really cares about malware on the PCs of both Silverlight users? As near as I can tell, Silverlight is used for Microsoft properties, small handful of other websites to display video and storing evercookies.
So no, I’m not promoting or demoting one technology over another here. I am saying that allowing Flash/Java/Silverlight (or anything remotely similar) to simply launch on any website they feel like launching is bad. Not only is it a privacy issue, but it is a security hole by which fun things can take over your PC.
Use a plug-in to force them to ask for each and every website whether or not they have permission to execute.
If you don’t believe me about Java, then there is a safe, simple experiment you can run. Set the Java console to enabled at startup. (http://download.oracle.com/javase/1.5.0/docs/guide/deployment/deployment-guide/console.html) Every time Java is launched from a webpage, a popup will appear that shows you “hey, something is activating Java…and this is what it is doing.”
Browse around the web for a few months with it on. You’ll be quite surprised how many websites use Java that you didn’t know about, and how many are trying to exploit vulnerabilities. The largest problem behind Java isn't that it is vulnerable, it is that nobody seems to realise how broken it really is.
We all defend against Flash. It's time to do the same against Java.
Another tidbit about Java
It can store files anywhere its running user context can store them. So how exactly do you build an evercookie killer when the Java storage component can be anywhere? (Each site could tuck a file away in a new place.) Not good.
Yes a rant. Nope..
If they can abuse it they will.
DONT KNOW WHAT FUCKING PLANET YOU ARE ON BUT IF YOU WANT TO GO 'meep meep peoples do not keep their javas up to date' THEN YOU ARE THE ENEMY!!!1!!!
If they can abuse it they will.
>> You’ll be quite surprised how many websites use Java that you didn’t know about,
Yeah, but ultimately, that's the idea of web-browser-side Java, right?
>It can store files anywhere its running user context can store them.
No it can't.
@Destroy All Monsters
Is it, really? I thought the point of browser-side Java was to provide me an applet that performed a service. Either it was a game, or it was a file browser, or some other useful widget. The browser-side java something-or-other should be obvious. Something visible that provides the user a benefit.
What it shouldn’t be is a 1px dot somewhere under a div, hidden away whose sole purpose is to plant a cookie, read files off your PC, or drop malware via an exploit.
Browser-side java can be a good thing. In the real world however the bad guys are using it a heck of a lot more than the good guys. What’s worse, when the good guys do use it, they are typically slow to update, requiring older versions of java (with known exploits!) to be used if you want to use that one critical java app on that one website.
Any browser plug-in, be it Java, Flash or Silverlight should be obvious when in use. It should ask the user “do you want to use this third-party software that may screw up your computer, kick your dog and end the world as we know it?” It should warn you each and every time that it kicks in if your version of the plug-in is out of date.
Browsers – by and large – are secure. Yes, there are exploits discovered for each of the main browsers every year. But far more are discovered – and regularly exploited – for these “common browser extensions” than for the underlying browsers themselves.
Browser extensions should never be activated without your knowledge. Especially risky ones like Java that have a great deal of access to your PC. The idea of browser-side java is to provide the end-user with a useful applet that does something the user wants it to do.
Not to operate – ever – without the user’s knowledge.
To quote wikipedia:
on 5 January 2011, Adobe Systems, Google Inc., and Mozilla Foundation finalized a new browser API (dubbed NPAPI ClearSiteData). This will allow browsers implementing the API to clear Local Shared Objects. Four months later, Adobe announced that Flash Player 10.3 enables Mozilla Firefox 4 and "future releases of Apple Safari and Google Chrome" to delete Local Shared Objects
So things aren't as bad as they could be, clearing cookies in firefox at least deals with LSOs if flash is up to date. Not experimented with the others, but presumably they had time to do it.
And yeah, for me Java is disabled except when needed. Just good sense.
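Whether "clear cookies" really removed the Flash LSOs is easy to verify, because they are ordinary files on disk. The Python below is an added example, not code from the article or from any commenter: it decodes the AMF0 variant of the .sol format and walks the #SharedObjects folders; the sample bytes (an object named "evercookie" with "uid" and "ttl" keys) are constructed, and the folder locations are assumed defaults.

```python
import os
import struct
from pathlib import Path

# .sol layout: 00 BF, 4-byte big-endian length of the rest, "TCSO", 6 fixed bytes,
# 2-byte-length-prefixed object name, 4-byte AMF version (0 = AMF0), then AMF0
# entries: length-prefixed key, typed value, one 0x00 terminator each.
HEADER_VERSION = b"\x00\xbf"
SIGNATURE = b"TCSO"
HEADER_PAD = b"\x00\x04\x00\x00\x00\x00"
# Assumed default #SharedObjects locations on Windows and Linux (not from the article).
LSO_ROOTS = [Path(os.environ.get("APPDATA", "")) / "Macromedia/Flash Player/#SharedObjects",
             Path.home() / ".macromedia/Flash_Player/#SharedObjects"]

def _amf0_value(buf, pos):
    """Decode one scalar AMF0 value at buf[pos]; returns (value, position after it)."""
    t, pos = buf[pos], pos + 1
    if t == 0x00:                                # number: big-endian IEEE double
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if t == 0x01:                                # boolean
        return buf[pos] != 0, pos + 1
    if t == 0x02:                                # short string: 2-byte length + UTF-8
        (n,) = struct.unpack(">H", buf[pos:pos + 2])
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if t in (0x05, 0x06):                        # null / undefined
        return None, pos
    raise ValueError("unsupported AMF0 type 0x%02x at offset %d" % (t, pos - 1))

def parse_sol(buf):
    """Return (object_name, {key: value}) for an AMF0 .sol file; raise ValueError otherwise."""
    if buf[:2] != HEADER_VERSION or buf[6:10] != SIGNATURE or buf[10:16] != HEADER_PAD:
        raise ValueError("not a Flash .sol file")
    if struct.unpack(">I", buf[2:6])[0] != len(buf) - 6:
        raise ValueError("length field does not match file size (truncated?)")
    (name_len,) = struct.unpack(">H", buf[16:18])
    name, pos = buf[18:18 + name_len].decode("utf-8"), 18 + name_len
    if struct.unpack(">I", buf[pos:pos + 4])[0] != 0:
        raise ValueError("AMF3-encoded LSO; this decoder handles AMF0 only")
    pos, entries = pos + 4, {}
    while pos < len(buf):
        (n,) = struct.unpack(">H", buf[pos:pos + 2])
        key = buf[pos + 2:pos + 2 + n].decode("utf-8")
        entries[key], pos = _amf0_value(buf, pos + 2 + n)
        if buf[pos:pos + 1] != b"\x00":
            raise ValueError("missing entry terminator after %r" % key)
        pos += 1
    return name, entries

def scan_lso_dirs(roots=LSO_ROOTS):
    """Decode every .sol under roots: run it after 'clear cookies' to see what survived."""
    report = {}
    for p in (f for root in roots for f in Path(root).rglob("*.sol")):
        try:
            report[str(p)] = parse_sol(p.read_bytes())
        except ValueError as err:
            report[str(p)] = ("<undecodable>", {"error": str(err)})
    return report

# Constructed sample LSO: site object "evercookie" holding a tracking id and a ttl.
_body = (SIGNATURE + HEADER_PAD + b"\x00\x0aevercookie" + b"\x00\x00\x00\x00"
         + b"\x00\x03uid" + b"\x02\x00\x04c7a1" + b"\x00"
         + b"\x00\x03ttl" + b"\x00" + struct.pack(">d", 86400.0) + b"\x00")
SAMPLE_SOL = HEADER_VERSION + struct.pack(">I", len(_body)) + _body
```

Calling `scan_lso_dirs()` right after clearing cookies should return an empty report; any path it still lists is an LSO the browser did not remove.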
+1 for the Aliens ref
It was either this or the alien icon, obviously.
For this interesting couple of articles.
Even if I'm not that paranoid, I'm now quite fond of NoScript for one simple reason: browsing is now faster than ever! :)
Re: problems with java
1 - It ends up installed on a lot of machines where it's never used. Or even known of.
2 - Update doesn't integrate with the OS so it doesn't get updated regularly. Or at all, see 1 above.
3 - It has (had) some rather nasty bugs.
Does CCleaner whomp evercookies properly? Or is Bitbleacher the best choice at the moment.
(couldn't get a straight answer from some googling)
I spent 4 hours trying to get a straight answer myself. Short version: nope, CCleaner doesn't kill them. Apparently, in addition to the methods talked about in this article - which I wrote about a month ago - a couple new HTML5 methods have come into play which CCleaner doesn't kill.
Unless browser makers seriously change their lax attitude towards the issue, HTML5 will be the death of individual privacy on the Internet.
Thanks for the response, even if it isn't what I want to hear. Looks like I'm back to the good ole DBAN and reinstall. That'll get the evil little buggers.
btw, how come you don't get a cool vulture icon on your posts?
Could be a lot of reasons for that. My account was originally created way back before I ever started writing for El Reg...could be that somewhere in the CMS it's flagged as "old-fashioned commenttard" instead of "user group that has access to El Reg icon." It could be they reserve it for some subset of writers that I don't belong to? (I am a freelancer, not a staffer.) It could just as easily be as simple as "I've never asked."
In short: I have no idea. It’s all good though; I’m a commenttard first, and a writer second. Why should I have a different icon than all my other commenttard brethren?
Regarding CCleaner: don't lose hope! The folks behind CCleaner do a great job of trying to keep up with the times. They have made significant efforts specifically relating to the evercookie before, and I suspect that they will come through for us in the future. It takes time, research and effort to keep up with the kind of scum who use evercookies. The kind of effort that sometimes seems like a legitimate parallel to malware research.
Maybe we should be asking Microsoft/AVG/Kaspersky/Symantec/etc. to step up and add it to their antimalware products.
"I also cook(ie)".
....don't worry about it and "Just say No" when they try to sell you something.
They are not trying to sell you anything - you are the product!
Useful program, SandboxIE.
You can force any (well known) browser (or, if you configure it yourself, lesser known ones) to run entirely sandboxed. Any files that change from that app (inc. LSOs) can be wiped on exit , so only your existing session is affected. The only thing that will recur after that, is your IP.
Disclaimer: Happy SandboxIE user - nothing to do with the developer :)
I don't know if this is pertinent...
but I've noticed the Flash advertisements on some sites (such as Photobucket, when uploading pictures) disable the audio mute button on my laptop. I haven't been able to find any mention of this by searching the internet (because my searches return answers related to onscreen 'buttons' for Flash devs) - is this related?
I appreciate that the El Reg forums aren't a tech support forum, but it seems that if it can take control of my webcam and mic, fluffing with my physical mute button should be easy.
I can independently verify this. Worrying, to say the least. More through lab time is required to figure out which combinations of browser/flash/OS are affected.
Download a new android keyboard now!
Re: previous post: through = thorough. Autocorrect is my nemesis.
As a follow-up to the previous discussion, it seems like this behaviour goes away if you disable Flash's ability to tinker with mic/webcam via the Flash settings page. Under some circumstances. If that setting isn't properly secured, then the physical mute button seems to be something Flash can block no matter the active window context.
With the mic/webcam setting properly secured, Flash still seems able to block the physical mute button, but only when that specific window is active. Whether or not the tab in question has to be the active tab seems to depend on the individual browser’s sandboxing capabilities.
Later versions of Firefox for example can be set up to launch a new sandbox every few tabs. So the behaviour seems weird and inconsistent, but there is an underlying logic to the whole thing.
Assuming of course that there was ever any logic to the ability of Flash to ever be able to prevent you from using the physical mute (or volume up/down) buttons in the first place.
Note: tested only under Windows XP and 7. I have not tested under Windows 8, Android or Linux.
"Like trying to kill Steven Seagal"
So a truckload of pies and waiting a bit should do it then?
NoScript is a form of flagellation for the modern age. I find RequestPolicy is rather less painful to use and it stops XSS exploits and ad network tracking (which is what 99% of us are interested in) without making most pages ungracefully collapse into an unusable mess.
Java-free and glad of it
"All it takes is one bad website to get Flash or Java open, and all your carefully crafted privacy defences are wiped out."
In regards to the browser's privacy/security-zones settings, they're enforced by GPO.
Regarding Java, part of the reason it's such a pariah was illustrated nicely by Dino Dai Zovi in slide #10 of his "Attacker Math 101" presentation. It's an easy way to leapfrog the mitigations of the browser, escape the sandbox and integrity restrictions in the case of Chrome or IE, and move right on with the attack. You can get the PDF from here if interested: http://trailofbits.com/2011/08/09/attacker-math-101/ I'm glad to report my small fleet is Java-free.
Regarding NoScript, or the equivalent use of Zones in IE, the fatal flaw is that over 50% of the malicious websites in the world at any given time, are normally safe. If The Reg is on my "approved" list and they get hacked... game over.
The man talks sense
Most users never use Java apps, there's no sense in leaving it on, better to disable it and deal with the edge cases when someone actually needs it.
My SOP is to disable Java, Flash, auto fill and PDF plugins, most of the web works just fine sans Flash since iOS support became a big deal, and in the cases where only Flash will do, it's built into Google's Chrome browser which keeps it up to date without user intervention.
On a different yet related note, a good few years ago I knocked up a script that encoded a user's IP and forum ID into the reply button jpeg on a MMOG forum, this enabled us to identify who was leaking screen grabs from private areas of the forum. /misspent youth.
BTW, using the Canvas element to read encoded information from an image is very devious. The coverage and description of the threats was very well done. I just took exception to the overly drastic advice.
not overly drastic
I don't have flash (never have) nor silverlight (ditto), java (same), I effectively nuke jscript with noscript, it very rarely gets enabled, I disable cookies except for a few minutes when gmailing or el-reg-ing, and block a huge list of dubious/ad sites[*]. Doesn't make me invisible (reminded to self - munge referrer string) but it makes it harder. Bonus: firefox is much faster like this.
If I need to do something jscripty like searching on script-wormy job sites, well, there's vmware. And I don't run as admin.
I'm not prepared or willing to trade security for liberty, or worse, ease of use. Try it, it's really not so bad.
[*] I do have a problem with this, the sites I value like this one need to make money somehow. It's a dilemma.
(note to Trevor - good articles, keep them up)
"Like trying to kill Steven Seagal"
I consider it more like Tony Danza. There were decades where the useless, painful, horrid hack simply could not be killed off.
Browsers should not have access to your harddrive, period.
They should have some separate program where I can enter/store my credentials per website, for which the browser should supply them with the appropriate entry in this collection which a specific website then can read and log me in automatically. Any other reason why websites would want to be storing any data is bull anyway.
And the funny thing is: The Register is as bad as any of them, why did I get advertisement of a certain clothing website I visited on your site? Adsense is bad, it's one of the worst offenders of cookie/browser history misuse.
A Virtual Machine.
Work in it.
Then wipe it.
Re virtual machine
I have been thinking along the same lines but the problem is that a virtual machine takes a long time to start, compared to the browser, and consumes lots of resources, if loaded with a normal OS. All just to run one browser and its plug-ins. Maybe fitting the VM with a pared-down Linux with just enough stuff to run the browser would mitigate this problem? On Linux, one could perhaps use UML to implement a light-weight sandbox for the browser. It's not a real VM, but the Linux kernel run as a user-mode process. Not as watertight as a complete VM, but might be sufficient for sandboxing malware, which would have to be aware of bugs in both the browser or plug-in and UML in order to break out.
I think there already exists an experimental Linux distro where all apps run in sandboxes (not sure of details).
Oh for gawd's sake. One might as well have the news and entertainment delivered via Morse code...
Do what I do. Surf websites that cover topics in which I have zero interest. This confuses the advertisers to no end.
Java: just say no
> Provides 4 links to sites
> One from 2011 basically moaning about people not updating Java
> One from 2007 that is actually about a Quicktime bug
> One by Krebsonsecurity.com, which uses Google Analytics to check the readers' goodies
> One from 2010 where Microsoft complains about Java
> Calls it "unbelievably broken"
My face when.
The best I can get out of this is a citation by Microsoft:
"[Microsoft] said that Oracle, which is now ultimately responsible for Java after its Sun acquisition, should collaborate with competitor Microsoft to automatically distribute Java patches"
Yes, good idea. Please implement.
Java - Machine independent code
Meaning - it won't run on any machine.
Run without Java?
well that's me screwed then?
Huge amounts of hardware use Java, as do our (external 3rd party) websites that we HAVE to use.
So I'll remove Java and refuse to use it and tell my management that I can't do my job because this author says so.
Oh hold on, this is the real world I live in.
If you need Java to do your job, then 1) make sure it's up-to-date, and 2) make sure it's only permitted to run on the sites where it's needed. If you use IE and have Admin privileges available, you can do this by arbitrarily disabling Java in the Internet Zone. Then set the Trusted Zone security to Medium-High and add the necessary sites to it. Now test your config using a Java-driven site like www.time.gov (click a time zone).
I'll also add 3) use Microsoft's EMET to add mitigations to Java.exe, as well as your web browsers, media players, PDF software, and other Internet-facing software.
But... but.. without Java, how can I bore everyone about bloody Minecraft all the time?
Wait, you use in-browser java to play Minecraft? Why not just download it? It's safer. That way, if an update trundles along that breaks everything (because that NEVER happens in Minecraft...) you can play the old, downloaded version until Moot caves and fixes whatever new features made everything go boom.
@Blacklight RE: SandboxIE: Good idea!
@Destroy All Monsters RE: Virtual machine: Good idea!
I can attest to both of those methods working, albeit somewhat inconvenient, but worth it, none-the-less.
Can any one tell me, are Flash LSOs the method sites like Mega Upload use to keep track of how much video I've watched, even when I change IPs, clear cookies, etc.?
Do some of these people live in the real world?
...lynx links elinks netsurf dillo uzbl
How I deal with a lot of this - prevention
how do you do prevention?
Lock the bloody directories into which the various pieces mentioned in the article are written.
for example: the directory to which Flash writes its various files is locked. The browser CAN NOT write to it. The site works, as all the information is kept in the browser. Upon exiting the browser - there is nothing left.
"By default, NoScript only allows scripts and objects coming from the website you are visiting to run."
Not so, Trevor, I'm afraid.
NoScript does not allow ANY scripts to run by default. You must allow each domain from which you want to approve scripts to run.
You are correct.
I was wrong. That is a tidbit of information I should know, but which has passed out of my brain as 95% of the websites I go to are either whitelisted, or don't run scripts.
Can we get a beer here?