Tracking Cookies ECE 4112 Final Project Phillip Shatzman

Tracking Cookies ECE 4112 Final Project Phillip Shatzman and Jeff Magee December 4, 2007

Overview
• Background
• Tracking Cookies in Action
• Code analysis
• Cookie Defense
• Spybot – Search & Destroy
• What students will learn / do

Background
• Track web activity
  – Marketing
• Online Retailer
• Privacy violations
  – Compiled in databases
• Multiple cookies per website
  – e.g. Link 4 Ads
• Third-party cookies
  – Pop-up banners

Tracking Cookies in Action
• Created 3 “domains”
• Each uses the same ad service
• Result: Each domain can target specific services based on users' browsing habits

Live Webpage Demo

Index Webpage Code

<html>
<frameset rows="20%, 15%, 65%">
    <frame src="welcome.html">
    <frame src="c: ece 4112adsdetermineadcasino.html">
    <frame src="info.html">
</frameset>
</html>

• Advertisement frame is different for each, but in the same domain (“ad”)
  – determineadflorida, determineadretire

determinead Webpage Code

<script language="Javascript">
function checkCookie(){
    //Initialization of variables to be used
    var lf = "\n"; //character for next line
    var CookieString = document.cookie;
    var CookieSet = CookieString.split('; ');
    var SetSize = CookieSet.length;
    var CookiePieces;
    var ReturnValue = ""; //set default empty return if no cookie found
    var x = 0;
    for (x = 0; ((x < SetSize) && (ReturnValue == "")); x++){
        CookiePieces = CookieSet[x].split('=');

determinead Code (cont.)

        //strip a leading space left over from the "; " separator
        if (CookiePieces[0].substring(0, 1) == ' '){
            CookiePieces[0] = CookiePieces[0].substring(1, CookiePieces[0].length);
        }//end if
        //the ad service stores its profile under the cookie name "ad1"
        if (CookiePieces[0] == "ad1"){
            ReturnValue = CookiePieces[1];
        }//end if
    }//end for
    return ReturnValue;
}//end checkCookie()

determinead Code (cont.)

function SetCookie(cookieName, cookieValue, nDays){
    var today = new Date();
    var expire = new Date();
    //default to a one-day lifetime (assignment, not the comparison "==")
    if (nDays == null || nDays == 0) nDays = 1;
    //3600000 ms per hour * 24 hours * nDays
    expire.setTime(today.getTime() + 3600000*24*nDays);
    document.cookie = cookieName + "=" + escape(cookieValue) + "; expires=" + expire.toGMTString();
}

determinead Code (cont.)

var returnval = checkCookie();
if (returnval == ""){
    // no cookie found
    SetCookie("ad1", "florida", 100);
    returnval = "florida";
}
//an existing value means another site was visited first: extend the profile
if (returnval == "casino"){
    SetCookie("ad1", "floridacasino", 100);
    window.location.href = "floridacasino.html";
}
else if (returnval == "retire"){
    SetCookie("ad1", "floridaretire", 100);
    window.location.href = "floridaretire.html";
}
else if (returnval == "casinoretire"){
    SetCookie("ad1", "floridacasinoretire", 100);
    window.location.href = "floridacasinoretire.html";
}
else window.location.href = returnval + ".html";
</script>
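The slides show only the Florida ad frame. The sketch below is an added example, not the authors' code: it generalizes that logic to all three sites and runs it against a simulated cookie jar, with and without cookies accepted from the shared "ad" domain. It assumes the casino and retire frames behave like the Florida one; the function names and the adCookiesAllowed switch are hypothetical.

```javascript
// Added example (not from the slides): simulates the shared ad-frame cookie.
// Topic order matches the cookie values seen in the slides ("floridacasinoretire").
const TOPICS = ["florida", "casino", "retire"];

// Decode a cookie value such as "floridacasino" into the set of recorded topics.
function decode(value) {
  const seen = new Set();
  let rest = value || "";
  for (const t of TOPICS) {
    if (rest.startsWith(t)) { seen.add(t); rest = rest.slice(t.length); }
  }
  return seen;
}

// Encode a set of topics back into the canonical cookie value.
function encode(seen) {
  return TOPICS.filter(t => seen.has(t)).join("");
}

// One visit to a site whose ad frame is served from the shared "ad" domain.
// jar: Map of domain -> cookie value (assumed model of the browser's store).
function visit(jar, siteTopic, adCookiesAllowed) {
  // With cookies from "ad" blocked, the frame reads nothing and stores nothing.
  const stored = adCookiesAllowed ? jar.get("ad") : undefined;
  const seen = decode(stored);
  seen.add(siteTopic);
  const profile = encode(seen);
  if (adCookiesAllowed) jar.set("ad", profile);
  return profile + ".html"; // ad page the frame redirects to
}

// Visit a sequence of sites in one browser session; returns the ad page per visit.
function browse(sites, adCookiesAllowed) {
  const jar = new Map();
  return sites.map(s => visit(jar, s, adCookiesAllowed));
}

console.log(browse(["casino", "retire", "florida"], true));
console.log(browse(["casino", "retire", "florida"], false));
```

With cookies accepted, the ad shown on the third site reflects all three visits; with the ad domain blocked, each site can only show its own default ad.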

Cookie Defense
• Several Methods
  – Delete Cookies on Close
  – “Learning”
  – Block all Cookies
• Can do this in most any browser

Cookie Defense – Delete on Close
• Delete cookies when exiting
• Can still be tracked while browsing
• On open, no website will know you
  – Pro: Past activity unknown to tracking websites since cookies are gone
  – Con: Legitimate websites with logins often use cookies to remember users

Cookie Defense – “Learning”
• Two options: Block bad or Allow good
• Block Bad
  – Accept Cookies
  – See a bad cookie, delete and block source
• Accept Good
  – Block All Cookies
  – When finding a legitimate website, allow
• Pro: Very effective after a long time
• Con: Takes a while and is a pain

Cookie Defense – Block All
• No cookies allowed on PC.
  – Pro: Most effective
  – Con: Many legitimate websites require cookies.
• Alternative: Block all and allow individual
  – AKA, “Accept Good Learning”
  – More of a pain than “Block Bad Learning”

Cookie Defense – Internet Explorer Settings
• IE has similar settings to Firefox except it also has built-in, customizable security levels

Spybot – Search and Destroy
• Searches the computer for tracking cookies.
  – Uses a frequently updated list of known tracking cookies
• Freeware
• Can be used for many security issues on computers, such as Spyware

Spybot – Tracking Cookie Scan

Spybot – After Scan Actions
• Immunize (see previous slide's screenshot)
• Add the domains found in Spybot to the blocked cookies list using the “learning” mode defense discussed earlier
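The scan-then-block workflow above and the two “learning” modes from the earlier slide can be expressed as a small cookie policy. This is an added example, not Spybot's or any browser's code; the function names, the cookie record shape and all domains (reserved .example names) are constructed for illustration.

```javascript
// Added example: list-based scan plus "Block Bad" / "Accept Good" learning policy.
// Does a cookie's domain equal a listed domain or sit beneath it as a subdomain?
function matches(cookieDomain, listed) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return d === listed || d.endsWith("." + listed);
}

// Scan stored cookies against a list of known tracking domains.
function scan(cookies, knownTrackers) {
  return cookies.filter(c => knownTrackers.some(t => matches(c.domain, t)));
}

// mode "block-bad": accept everything except learned domains.
// mode "accept-good": block everything except learned domains.
function makePolicy(mode) {
  const list = new Set();
  return {
    learn(domain) { list.add(domain.replace(/^\./, "").toLowerCase()); },
    accepts(domain) {
      const listed = [...list].some(l => matches(domain, l));
      return mode === "block-bad" ? !listed : listed;
    },
  };
}

// After-scan action: delete flagged cookies and block their source domains.
function cleanAndBlock(cookies, knownTrackers, policy) {
  const flagged = scan(cookies, knownTrackers);
  flagged.forEach(c => policy.learn(c.domain));
  return cookies.filter(c => !flagged.includes(c));
}

// Constructed sample cookie store and tracker list.
const stored = [
  { domain: "shop.example", name: "session" },
  { domain: ".ads.tracker.example", name: "ad1" },
  { domain: "news.example", name: "prefs" },
];
const trackers = ["tracker.example"];

const blockBad = makePolicy("block-bad");
console.log(cleanAndBlock(stored, trackers, blockBad).map(c => c.domain));
console.log(blockBad.accepts("ads.tracker.example")); // source is now blocked
```

Matching on a dot boundary keeps a lookalike such as nottracker.example from being treated as a subdomain of a listed tracker.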

Students Will…
• Gain an understanding of tracking cookies
• See them in action by visiting mock pages
• Analyze the code to see how it worked
• Secure their browser against bad cookies
• Use anti-spyware software to protect browser

Questions?
