Matsuda
Posted December 12, 2013

This week, new documents from NSA leaker Edward Snowden arrived with some troubling revelations: the NSA has been piggybacking on Google's network, using the company’s "preferences" cookie to follow users from site to site, proving their identity before targeting them with malware.

It means the agency has tapped into one of the most popular features on the web and the core of Google's multibillion-dollar ad-targeting empire. Instead of just targeting ads and saving preferences, the infrastructure is being used to find people the NSA is interested in and silently infect their devices with malware.

What's still unclear is whether the NSA is directly hacking Google or using some other way to track these cookies. But while the company is officially keeping quiet, the simple math of cookie tracking makes it likely that the NSA didn't need any help from Google.

Tracking cookies offers the NSA the perfect system for following suspects across the web: it's pervasive, persistent, and for the most part, it's still unencrypted. "It solves a bunch of tricky problems for bulk web surveillance that would otherwise be quite difficult," says Jonathan Mayer, a fellow at Stanford's Center for Internet and Society who worked with the Washington Post on the report.

The right cookie will follow you as your phone moves from 3G to a coffee shop's Wi-Fi network, and in many cases it'll broadcast your unique ID in plain text.

For the NSA, it's practically made to order. If the agency can suss out a particular person’s unique cookie ID, they can watch for the ID at the cookie-delivery spot (in this case, Google) and get a full record of the person’s movements on the web.

The Washington Post doesn’t describe how the agency uses those cookies to deliver malware, but many researchers have already guessed at a likely mechanism.
With control of the network, the agency could be able to interject packets in place of a standard cookie, seeding your device with whatever program they want.

The result would look like a cookie from Google, but actually be a malware packet disguised as a cookie, tailored to whichever site the agency knows you’re visiting. It’s still just speculation, but it gives a sense of just how powerful the cookie system is for a network-level attacker like the NSA. Once the agency controls cookies, it can use them as a free pass into almost any machine on the web.

It’s hard to guard against these attacks because encryption schemes are uniquely tricky to implement for cookies. As cryptographer Ed Felten points out, regular encryption doesn't work in the case of unique cookie IDs. (The encoded version of a unique ID is a unique ID itself — all you've done is change the number.)

The more permanent solution is HTTPS-based encryption, but the more complex handshake slows down load times, which scares away many trackers. The result is a lot of identifying information being sent over public tubes with little to no protection.

The problem is that Google is one of the few companies that enables HTTPS on principle, even if that makes the +1 buttons load a little slower. HTTPS is enabled in both Google's DoubleClick ad cookies and service-based preference cookies — including the PREF cookie that's mentioned in the new Snowden documents.

If the NSA was going to be following that cookie, unlike most of the cookies floating around the web, the agency needs to negotiate at least a little bit of HTTPS. It’s certainly plausible that they found a way around it.
We know from earlier leaks that the NSA has ways of getting around SSL, and it may have followed the Google cookies using similar tricks — but it seems more likely that the agency would have moved on to easier pickings, given the prevalence of unencrypted tracking-cookie networks.

Ironically, Google’s good security practices are slightly incriminating here: the more secure its network, the more likely it is that the attackers were working from the inside, whether through legal compulsion or tapping private networks.

The most likely explanation, favored by UC Berkeley cryptographer Nicholas Weaver, is a little less exciting. "I suspect it's an old slide, written from back when Google's cooperation wasn't needed," Weaver says. "But I'm not certain about it." The Washington Post dates the slide to a presentation given in April, 2013, three months after Snowden first made contact with Greenwald, which is well after Google implemented HTTPS for its PREF cookies.

Still, it could have been an outdated slide or Snowden could simply have gotten the date of the presentation wrong. Many observers are skeptical, including Mayer. "It doesn't appear the NSA had any particular access to Google infrastructure," Mayer says. "This was based on watching tracking cookies flow across the open web."

The larger problem is figuring out where we go from here. Google’s PREF cookie is a powerful tool, reaching every page with a Google Search bar, Google Map, or +1 button — but it’s hardly the only cookie that could be used this way.

Tools like Ghostery will show dozens of cookies following you from site to site, whether it’s for ads, analytics, or universal log-ins like Facebook. Any one of those cookies could be used the same way: to find a single person and drop malware silently into their device.
As long as one of them is unencrypted, the NSA will have an unimpeded path through, and while the companies are competing on load times rather than security, they have little incentive to switch.

Seen from that vantage, the problem isn’t Google: it’s everyone. "The quid pro quo of the behavioral advertising ecosystem stinks," says ACLU technologist Chris Soghoian. "Our web browsers and mobile operating systems have been designed with defaults that facilitate tracking of our activities. It’s only natural that the NSA would try to harness it." The web runs on tracking. It powers our analytics, our ads, and personalized services from Facebook to Netflix. It’s not clear what unwinding that system would even mean. Universal HTTPS would be a start (some have already proposed it), but the deeper problem is a web that’s built for speed rather than security.

Most ad-networks have never even considered how to guard against a network-level attacker like the NSA.

Hardening those networks would be a massive undertaking, requiring new security at every level and no small amount of performance tradeoffs. Even now, after Snowden has proved how real the threat is, it may not be a leap they’re willing to take.

Source
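Added example, not part of the article or of any post in this thread: a small audit a site operator could run over its own `Set-Cookie` headers to find persistent unique-ID cookies that lack the `Secure` attribute and are therefore readable on the wire. The cookie names, values, key and thresholds are constructed for illustration; `encode_id` is a hypothetical helper standing in for "encrypting" the ID.

```python
import hashlib
import hmac
import re
from http.cookies import SimpleCookie

MIN_AGE = 24 * 3600                          # longer than a day counts as persistent
ID_LIKE = re.compile(r"[0-9A-Za-z_-]{16,}")  # long opaque token, likely a per-user ID

def audit(set_cookie_headers):
    """Names of cookies a passive on-path observer could use to follow one user."""
    exposed = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            persistent = bool(morsel["expires"]) or int(morsel["max-age"] or 0) >= MIN_AGE
            unique = bool(ID_LIKE.search(morsel.value))
            # Without Secure the browser also attaches the cookie to http:// requests.
            if persistent and unique and not morsel["secure"]:
                exposed.append(name)
    return exposed

def encode_id(key, uid):
    """Deterministic keyed encoding, standing in for 'encrypting' the ID."""
    return hmac.new(key, uid.encode(), hashlib.sha256).hexdigest()

# Constructed sample data: names, values and lifetimes are made up.
KEY = b"constructed-demo-key"
RAW_ID = "4c1e9a70b3d25f86"
SAMPLES = [
    f"track_id={RAW_ID}; Max-Age=63072000; Path=/",                # plaintext, 2 years
    f"track_id_s={RAW_ID}; Max-Age=63072000; Path=/; Secure",      # HTTPS only
    "lang=en-US; Max-Age=63072000; Path=/",                        # preference, not an ID
    "session=9d2b7f40a6c8e315; Path=/",                            # gone when browser closes
    f"enc_id={encode_id(KEY, RAW_ID)}; Max-Age=63072000; Path=/",  # encoded ID
]

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("exposed to a network observer:", name)
```

`enc_id` is flagged just like `track_id`: the encoded value is identical on every request, so it identifies the browser as well as the raw ID did, which is the point attributed to Felten in the article.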
Ambrocious
Posted December 12, 2013

Well, if I funded a company then I would also wager to have CEO or close to executive power if need be just because I paid for it. I can call the shots really. In-Q-Tel, the same company that funds the C.I.A. also funds Google as well. Think about it.

In-Q-Tel sold 5,636 shares of Google, worth over $2.2 million, on Nov 15, 2005.[6] The stocks were a result of Google’s acquisition of Keyhole, the CIA funded satellite mapping software now known as Google Earth.

As of August 2006,[dated info] In-Q-Tel had reviewed more than 5,800 business plans, invested some $150 million in more than 90 companies, and delivered more than 130 technology solutions to the intelligence community.[4][7] In 2005 it was said to be funded with about $37 million a year from the CIA.[8][dated info]

Former board members include Norman Augustine, William Perry, Anita K. Jones and Gilman Louie.[citation needed]

Source

Kinda makes you wonder doesn't it?

Edited December 12, 2013 by Ambrocious
Avitar
Posted December 12, 2013

Why not just use a cookie blocker and delete them regularly?

Kinda makes you wonder doesn't it?

You should start a thread, Ambro. On how to surf anonymously. Include the browser, the addons and the programs needed.
Ambrocious
Posted December 12, 2013

Why not just use a cookie blocker and delete them regularly?

Kinda makes you wonder doesn't it?

You should start a thread, Ambro. On how to surf anonymously. Include the browser, the addons and the programs needed.

There is a lot of confusion about anonymity that makes people think that there are true safe ways of surfing online when in reality, there are no real safe ways of being completely anonymous. There are steps you can take to be more secure however, if you’re wondering what those are, here is a starter list:

1) Use Firefox; its add-ons have the most flexible usability and range from just for fun to security. Getting the add-ons AdBlockPlus and NoScript will help to prevent unwanted ads and scripts from running without your permission. DoNotTrackMe also has some pretty good protection against over 600 tracking companies which prevents them from seeing where you have gone to online.

2) Even though some say having an antivirus doesn't do much good, you should still have one. I suggest for a good free antivirus avast. If you can afford to pay for it, get Kaspersky.

3) Grab some antimalware programs like SUPERAntiSpyware and MalwareBytes.

4) Additional programs to help you out are CCleaner, HitmanPro, PrivaZer, TuneUp Utilities.

5) Tor: Some people say it's still safe but nothing is ever 100 percent safe. The reason for using Tor, many people still don't know this, is so that people can access the "Dark Net" or the "Deep Web" or "The Hidden Internet" without having your real IP address being tracked. If you want to learn about this, I have made a post at ePirate which might fascinate you. The hidden Internet is often likened to the Wild Wild West and you should be cautious when on there because of its many various....content types. Tutorial: How To Access THE HIDDEN WIKI (Deep web, secret Internet)

6) Grab a VPN. There are some free ones out there, give CyberGhost a try out.
If you want to pay for a good VPN, try out PrivateInternetAccess. For anyone who doesn't know what a VPN is, learn about it HERE.

Edited December 13, 2013 by Ambrocious
janedoe
Posted December 13, 2013

Why not just use a cookie blocker and delete them regularly?

As I just noted here, many sites are deliberately coded to fail completely if you block first and third party cookies. You can delete them whenever you close the browser, but: 1) most people don't do this because they like not having to re-login every time to their favorite sites, and 2) if you browse again with the same IP address then deleting the previous batch of cookies doesn't help, since your browsing sessions would be associated with the help of your IP anyway thus enabling an unbroken tracking log.

@Ambrocious: You're right, there's no guarantee Tor is safe (many Tor nodes are known to be compromised by the NSA, given its cracking of many encryption standards it's known they can read at least some of the encrypted traffic, plus they also target browser and other vulnerabilities to de-anonymize Tor users), and of course no guarantee of a VPN's security either.

Edited December 13, 2013 by janedoe