Skip to main content

Are cookies spyware? WWDS?

Should cookies that track your web surfing be considered ? (WWDS). To the many millions of people trying desperately to keep their home Windows PC from collapsing under the load of adware, spyware, bots, worms and virii, and looking on the internet for help, it might seem like there is a raging (or at least simmering) debate about cookies -- are they spyware or not? This debate is mainly fueled mainly by the tension between adware vendors (typically shady or at least shadowy new media advertising outfits that match ads to web surfing habits) and anti-spyware vendors. The former need cookies to provide value added advertising, while the latter want to make the malware situation seem as bad as possible by releasing reports periodically about how much worse it's getting. Even if cookies are discounted entirely, the malware situation is indeed getting worse every year, and is very bad here in 2006. There really shouldn't be much debate about this, and there doesn't really seem to be much debate among serious and independant security professionals. Tracking cookies may not be executables, but it's reasonable to consider many of them to be spyware. A cookie can be considered to be spyware any time it's part of a larger adware system which may identify a particular user and their web surfing history, or any time it reports information back to a web server that the user didn't specifically authorize to disclose. This would certainly include disclosure to 3rd party web sites, which is seldom done with the web surfer's knowledge or permission. (I'm probably casting a bit of a wider net here than some folk would.) This argument is also a bit of a slippery slope. It's only a quick slide down that slope to see Dilbert's perspective. Dilbert would say that all cookies should be considered "spyware" unless proven innocent. Given the , "idiots" (that's everyone at one time or another, including you, me, and Scott Adams, author of The Dilbert Principle) will assure that:
  • information which shouldn't be stored in cookies will continue to be stored in cookies, and
  • browser defects from time to time will continue to allow cookies to be read by 3rd parties.
So, to the extent that your bank (or whatever) stores identity information in cookies that are subsequently read by other web sites, any cookie on your system could be an avenue for disclosure of sensitive information. is working with DSL providers, Cable Modem service providers, and other network providers to help reduce the crushing load of spyware often managed by botnets. We're working to bring our uniquely effective anti-botnet and anti-worm technology to the DSL and Cable Modem networks that are used to spread spyware through worms and bots. Help reclaim the internet. Place an or button on your blog or web site today. Yes, this is shameless self promotion, but it's for a good cause.

Comments

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the Verified by Visa system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not visa.com I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual dom...

Virus Vulnerability for RFID (Radio Frequency ID tags)?

The breeding ground for the computer virus will be expanding continually and rapidly over the next decade as appliances, automobiles, and all manner of other things become equipped with wireless networking and miniature computers. Cell phone and similar networks may enable worms to leap between devices over long distances and other networks over short distances. Researchers have recently demonstrated that RFID tags may be vulnerable next. Articles on the topic: RFID worm created in the lab [NewScientist.com] Viruses leap to smart radio tags [BBC.co.uk] RFID tags could carry computer viruses [SecurityFocus.com] The details for the curious: RFID Viruses and Worms The AntiVirus paradigm that we [the IT community and industry] have foisted upon PC users is already breaking down under the strain of too many virus variants and too many non-technical PC users. The paradigm probably won't work at all for cell phones and the paradigm is completely broken for the typical RFID devic...

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident. I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company. Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber