  1. #1
    iNET Interactive
    Join Date
    Jan 2010
    Location
    Seattle, WA, USA
    Posts
    379
    Thanks
    1
    Thanked 29 Times in 24 Posts

    A new security threat arrives: Evercookies




    LANGALIST PLUS

    By Fred Langa

    The author of the Samy worm has released a new tool for creating permanent cookies that evade classic cookie-management tools.

    Evercookies hide themselves in eight different places, and they can regenerate themselves if you delete them.

    The full text of this column is posted at WindowsSecrets.com/2011/02/17/05 (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    Lounger
    Join Date
    Jun 2010
    Location
    Manchester, NH
    Posts
    34
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Fred,

    I normally agree with your columns. You give great advice. So I am puzzled. Did I miss something? Your advice to change my internet settings to protect against Evercookies has caused my browser (IE8) to continually prompt me when I go to a site. Specifically, when I came to Windows Secrets, I think I got prompted 16 times! When I go to My Yahoo page, I got hit with 25 prompts about safe scripts. I am going to get carpal tunnel from all this clicking! So I figure I must have missed something. In this case the solution seems worse than the disease.

    Thanks.

    Bob Oxford
    Software Wizards, Inc.

  3. #3
    5 Star Lounger
    Join Date
    Dec 2009
    Location
    Pittsford,NY
    Posts
    874
    Thanks
    517
    Thanked 35 Times in 27 Posts
    Bob:
    I had the same results. The solution seems worse than the "disease." I reverted back, and am going to check out how CCleaner is supposed to handle Evercookies.
    Dick

  4. #4
    Lounger
    Join Date
    Feb 2010
    Location
    Boston, Massachusetts, USA
    Posts
    44
    Thanks
    1
    Thanked 4 Times in 2 Posts
    NoScript (NS) isn't that useful for blocking evercookies, either.

    NS does appear to block them, but how do you know when a script is an evercookie? For that matter, how do you know if any script NS is blocking is innocent or malign? Does the script animate something, is it a necessary redirect when you click a button, allow you to reorder a column? Or is it an evercookie? NS doesn't tell you. Since you don't know if an otherwise legitimate site is using evercookies, whenever you tell NS to allow a site to use a script you're effectively opening the floodgates.

    Clearly what we need is something like NS, but with a description of the script you're deciding to allow or not. At the very least NS or a similar utility should have a checkbox option to specifically block evercookies or to pop up a warning specifically for evercookies. Does anybody know of such a utility? Am I missing some option in NS? (I just looked and can't find anything applicable in NS.)

  5. #5
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    I tried to install and use BleachBit 0.8.7 on Windows 7 Home Premium 64-bit. It could not even scan Adobe Reader before it froze and stopped responding. This program is for me a complete dud.

    And the idea of blocking all JavaScripts is absurd. Most web sites will not work without JavaScript, and Evercookie does not identify itself uniquely to users of script blockers. Definitely not a solution. I guess we'll have to trust CCleaner and Click'N'Clean to do the job for now.

    I just set an Evercookie at Samy.pl, and tested various situations in Google Chrome 9. Just closing a tab or closing the browser does not get rid of Evercookie. But both CCleaner and Click'N'Clean do get rid of Evercookie. Blocking trackers, such as with AdBlock and Abine TACO, does not block Evercookie. But given that even the simplest cleanup tools do take care of the whole issue as it stands now, I see no reason for all the hype and FUD about this issue. This is no different from any other type of Extended Cookie or Local Storage Object issue --- use the right cleanup tools and this is a non-issue.
    Last edited by bobprimak; 2011-02-17 at 15:40.
    -- Bob Primak --

  6. #6
    Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,482
    Thanks
    176
    Thanked 152 Times in 129 Posts
    On the separate issue of password managers and the strength of passwords, I have elsewhere in The Lounge posted what Roger Grimes of InfoWorld has said. The length of a password is a much better indicator of its strength than its complexity. Forget about punctuation and special characters. Upper and lower case and numerals are all you need, provided your passwords are long enough (16 to 32 characters). Phrases, slightly mutilated or substituted, work best for most folks, as they can be remembered by humans, but make no sense to crackers.
    -- Bob Primak --

  7. #7
    Star Lounger
    Join Date
    Dec 2009
    Location
    Sydney, Australia
    Posts
    74
    Thanks
    6
    Thanked 6 Times in 6 Posts
    Re: password managers.
    I really can't see the point of having a 30 character long password or phrase. To type it is a pain, and to store it somewhere carries risk. How is anyone going to crack an 8 mixed character password? Certainly not the thief who steals your computer. Even a keystroke logger is not going to achieve much unless he has full access to your computer. The latter is the risk, and then a 30 character password is no better than an 8. Or even a single basic 6-letter password for all the sites that no-one would gain anything by hacking, and moreover, you don't care if they do.

    I have put similar comments on a number of tech forums, and no-one has yet said why the 8 character approach is not sound. Please can you security gurus let me know what the problem might be.

  8. #8
    New Lounger
    Join Date
    Dec 2009
    Location
    Santa Barbara CA
    Posts
    15
    Thanks
    25
    Thanked 0 Times in 0 Posts

    Keepass ??

    I appreciate your suggestion for KeePass as a password manager but no one, not even the developer, has any information that I can find about how to integrate with current passwords etc. ... and, in fact, not very good documentation at all.

    In fact, having looked at several password managers over the past few years I have yet to find one with professional or even useful documentation. Have I missed something??
    James, Santa Barbara CA

    Windows XP Professional sp3
    Pentium 4, 3.40GHz, Step 10, 64-bit, 4.00 GB (2.87), WDC , 1TB, 7200rpm, SATA, 3.0GB/s, NVIDIA GeForce 8400 GS, 512MB (EVGA),
    MS Security Essentials 2.0, WAU on, Secunia PSI, Google Chrome, IE8, MS Silverlight, Windows Live Essentials, MS Office Ultimate 2007, MS Office Visio Pro 2007, MS Office Live Add-In, Zune, iTunes, Foxit Reader, Adobe Flash Player, Java, CCleaner, Registry Crawler

  9. #9
    New Lounger
    Join Date
    Aug 2010
    Location
    Central PA, USA
    Posts
    13
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I tried to do what you suggested as well. If I selected "Prompt", I was subjected to a blizzard of prompts, just trying to do normal browsing. If I selected "Disable", many sites (like godaddy.com) just don't work very well... Am I missing something? Is there some other way?
