Cyber Security Awareness Tip #28: Cookies
It's Tuesday morning, and your morning briefing is for a group of new employees. You have a bunch of network and security topics to cover in a short time, and the audience is generally non-technical.
What do you tell them about cookies? What risks are there, and what risks have been blown out of proportion? What straightforward practical steps can they take to minimize privacy issues? Have you done some behind-the-scenes work for them in setting up their applications to similarly protect their privacy?
I'll update the diary with your tips; please submit them at http://isc.sans.org/contact.html .
Cookies have an odd role in the security debate. They get lumped in with malware, trojans, and other exploits. This gets confusing for non-technical users; it sounds like cookies can capture keystrokes and take over their machines.
The first thing I try to make clear is that cookies are a privacy issue. The servers at the other end of a web session can remember who you are and what rights you have; this is generally a good thing. If you don't want this, don't log in to that site or even create an account.
They can also track what IP addresses you use and what pages you visit in what order, whether you sign up for an account or not. This raises an interesting question: is it a problem if, for example, Barnes and Noble knows what pages you visit?
The theory is that cookies should only be served up from the web site you're visiting. But what about cookies associated with content served up by sites like Doubleclick? The privacy issues become much more severe here; Doubleclick and similar sites can track your actions across all the sites they serve (for some more coverage of this, see http://www.spywarewarrior.com/uiuc/btw/browser-sec-intro.htm#cookies ).
Since we can't know how this tracking information is used, I encourage coworkers and friends to disable cookies in their web browsers. For the sites that they trust that do require cookies, most browsers allow exceptions.
Here are some tips submitted by readers:
- Someone sniffing your web sessions may be able to capture the cookies coming back from the web server and take over your login.
- Don't log into your online bank, credit cards, company web sites from Internet Cafes or airports.
- Make sure that the site reads https:// before submitting userid and passwords.
- Make sure the URL/Domain you are at is the one you meant to go to. A link that says "https://your-bank.com" is not the same as "https://yourbank.com".
- Don't depend on security tools that remove cookies after the fact; don't store them in the first place.
- Allow only some first-party cookies, using an exceptions list (a whitelist)
- Allow those cookies only for the current session
- Deny *all* third-party cookies
- Delete all cookies on browser exit
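Two of the points above, the first-party versus third-party distinction and the fact that someone sniffing the network can lift a cookie that is allowed to travel over plain http://, can be checked mechanically. The script below is an added example written for this diary, not code from the ISC or any reader; the Set-Cookie headers are constructed samples, and the "last two labels" domain rule is a simplifying assumption that does not handle suffixes such as co.uk.

```python
# Added example: classify cookies set during a page load as first- or
# third-party (relative to the site the user typed in), and flag the ones
# that a sniffer could capture because they are not limited to https://.
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: the page being visited and the Set-Cookie headers seen
# while loading it, as (URL of the response that set the cookie, header value).
PAGE_URL = "https://www.example-shop.com/cart"
SAMPLE_SET_COOKIES = [
    ("https://www.example-shop.com/cart",
     "sessionid=abc123; Path=/; HttpOnly"),
    ("https://www.example-shop.com/cart",
     "prefs=dark; Path=/; Max-Age=31536000; Secure"),
    ("https://ads.tracker-example.net/pixel.gif",
     "uid=xyz; Domain=.tracker-example.net; Max-Age=63072000; Secure"),
]

def registrable_domain(host):
    """Assumption: the 'site' is the last two labels (no co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def audit_cookies(page_url, set_cookie_headers):
    """Return (name, party, scope, risks) for every cookie in the headers."""
    page_site = registrable_domain(urlsplit(page_url).hostname)
    findings = []
    for origin_url, header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A cookie with no Domain attribute belongs to the host that set it.
            cookie_domain = (morsel["domain"] or urlsplit(origin_url).hostname)
            party = ("first-party"
                     if registrable_domain(cookie_domain.lstrip(".")) == page_site
                     else "third-party")
            # No Expires/Max-Age means the browser drops it when it exits.
            scope = "persistent" if (morsel["expires"] or morsel["max-age"]) else "session"
            risks = []
            if not morsel["secure"]:
                risks.append("sent over plain http (sniffable)")
            if not morsel["httponly"]:
                risks.append("readable by page scripts")
            findings.append((name, party, scope, risks))
    return findings

if __name__ == "__main__":
    for finding in audit_cookies(PAGE_URL, SAMPLE_SET_COOKIES):
        print(finding)
```

In this sample the login cookie is first-party but lacks Secure, which is exactly the case the sniffing tip warns about, while the tracker's cookie is third-party and persistent, the kind a "deny all third-party cookies" setting would block.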
Many thanks to Dan, Mario, Mark, and one anonymous submitter for their submissions.
-- Bill Stearns, http://www.stearns.org
Daylight Saving Time Reminder for the USA and Canada
For our USA and Canada readers, don't forget that the start and stop of daylight saving time changed this year. You've got one more week to go before you move back one hour. For those in Europe, you should have moved back one hour this weekend. Of course, if you keep your watch on Zulu time then this is not an issue for you.
Details: http://aa.usno.navy.mil/faq/docs/daylight_time.php
and http://en.wikipedia.org/wiki/Daylight_saving_time
UPDATE
Ken wrote to tell us some interesting facts. This year's change also applies to (most of) Canada, the Bahamas, Bermuda, and the French territory of Saint Pierre and Miquelon. Here are some additional references:
While Cuban DST started three weeks early this year as per all of the above, it ends this weekend as per old rules, not next weekend.
Ken said that with inconsistencies like that, his province of Newfoundland and Labrador changing its clocks at midnight rather than 2:00 am, etc., it's no wonder it took vendors two or three time zone releases back in the spring to get all the details straight!
If you use or manage Windows Mobile devices, take a look at http://www.microsoft.com/windowsmobile/daylightsaving/default.mspx for more information on patches and workarounds.
Marcus H. Sachs
Director, SANS Internet Storm Center