Colonel Panic

The next generation of spyware

3 posts in this topic

Last week I was listening to some back episodes of Security Now!, and there were a few episodes from July-August devoted entirely to a company called Phorm.com.

This company calls itself a new Internet "start-up" but it's really the latest creation of 121 Media, the same notorious company responsible for the ContextPlus/PeopleOnPage advertising system and developers of the infamous Apropos rootkit spyware program which caused so many headaches for Internet Explorer users a few years back. ContextPlus/PeopleOnPage closed up shop back in 2006, but it seems their parent company 121 Media is still going strong with a new approach to the consumer spying game. Instead of tricking users into installing malicious programs on their own machines, they're moving up the "food chain" and targeting users from the ISP level. Their end goal is to achieve complete "behavioral tracking" of all Internet users' Web activity.

Phorm made headlines earlier this year when they were named in a lawsuit against UK Internet service provider British Telecom by thousands of their own customers whose personal Web activity was monitored and recorded by Phorm without their knowledge or consent in a secret testing operation. Apparently, Phorm has already struck deals with Britain's 3 largest ISPs to spy on users. Privacy groups are also petitioning the British government to stop ISPs from engaging in these invasive (and illegal under UK and EU wiretapping laws) ad-targeting schemes. I vaguely remember reading about this, but I never actually followed up on the story until I heard about what this company is actually doing.

From a hacker perspective, the Phorm “Webwise” system is as interesting as it is invasive to Internet users. It basically involves Phorm paying off ISPs to allow them the privilege of sniffing all packet traffic between users and the ISP. Phorm seeks to install high-capacity packet sniffing hardware within the ISPs' infrastructure that would intercept all traffic to and from remote domains, then use a series of redirects to trick the user's browser into accepting a 1st person cookie from Phorm's servers as if it were coming from the actual host the browser is pointing to. Over time, the user would accumulate many thousands of these "Webwise" cookies on his or her hard drive, a different one for each website visited, in addition to the cookies placed there by the websites themselves.

Here's a blog entry that explains the details of how the system operates. (Click on the link to the pdf document for a more detailed explanation.) It actually incorporates a domain spoofing attack as a commonplace business practice. This is basically wire fraud by definition. An 18-year-old kid could be sentenced to years in FPMITAP for doing essentially the same thing.

The fact that they would employ such an invasive system without users' knowledge speaks volumes about their ethical integrity. Are these the kind of people you want to be monitoring your every move on the Internet?

This company is actively marketing its system to ISPs in the United States, so this same kind of technology might be in place in your ISP very soon. Other companies are also developing similar (albeit less invasive) technologies to implement this "behavior tracking" concept at the ISP level. There is currently a legal battle going on in Congress over this activity, but Phorm is still going ahead with its usability testing in the UK despite their legal troubles there, so who knows?

How Phorm's “Webwise” system works:

"The Phorm “Webwise” System" - Light Blue Touchpaper, Computer Security Lab of Cambridge University, 4th April 2008

"Stealing Phorm Cookies" - Light Blue Touchpaper, Computer Security Lab of Cambridge University, 22nd April 2008

Recent news about this technology in the US:

"The F.T.C.’s Bully Pulpit on Privacy" - Bits Blog, The New York Times, 21st July 2008

"AT&T Mulls Watching You Surf" - Bits Blog, The New York Times, 14th August 2008

"NebuAd, Phorm delay ad trials" - Security Focus - 5th September 2008

"Dealing With I.S.P. Snooping" - Bits Blog, The New York Times, 8th September 2008

Edited by Colonel Panic

LugRadio did a segment on Phorm etc. Anyway, I heard the latest news on companies like Phorm, NebuAd etc. was that all their shares fell and they were doing really, really badly. One of the CEOs left too. It looks like all the bad publicity they got did the job and their spyware won't be used.


Well, "deep-packet inspection" technologies have been used at most ISPs for quite a few years. The FBI has had "Carnivore" boxes installed in ISPs for about a decade now, to filter email traffic and copy the correspondence of select users (a court order used to be required for this, but under the convoluted new rules of the "USA Patriot Act", who knows anymore?). Also, the NSA has been sniffing traffic on the Internet at large since at least the early '00s. In my opinion, it's only a matter of time before the corporate interests start getting very serious about entering this game, either to implement "behavioral marketing" strategies (as in the case with Phorm, NebuAd and others), or to gather evidence of alleged copyright infringement and piracy. If we Internet users want to ensure the safety of our online privacy, we need to make sure our elected officials understand that we consider this an important issue.

Market spying companies can track your Web browsing even without infiltrating your ISP (albeit to a lesser extent), by using 3rd party cookies. These are cookies from servers at domains other than the ones you deliberately connect to, that are allowed by your browser to be placed on your hard drive, in your browser's cookies directory. For example, say you go to a Web site that offers tips for home improvement. A marketing company such as DoubleClick (the largest in this field, pretty ubiquitous on the Web and now owned by Google) has a deal with that Web site that allows them to place inline banner ads which inject JavaScript code into their pages. That JavaScript places a 3rd party cookie (called a "Dart" cookie) from one of DoubleClick's "Dart" servers onto your hard drive. The Dart cookie is a persistent record of the specific Web page you visited, the date/time of your visit, a unique ID that identifies you as a user, and an expiration date which is usually several years into the future. DoubleClick now knows that you've "expressed an interest" in home repair or remodeling, so they will start serving you ads related to this topic whenever you visit any Web site which subscribes to their ads. Every time you visit another Web site which is a partner of the DoubleClick network, DoubleClick's servers will place another one of its cookies on your computer identifying you and the site you're visiting, then it will read the contents of the Dart cookies on your hard drive and serve up ads related to what they have perceived as your "interests", based on their ever-growing record of your Web browsing activities.

Because DoubleClick only compiles and updates its records when you visit one of its "partner" sites, this technique is nowhere near as invasive as the ISP-based "behavior tracking" technologies. However, there's no way of knowing when you visit a Web site, whether it contains DoubleClick code or not (unless you're running a packet sniffer). This technology is nothing new, and there are other companies besides DoubleClick which operate in pretty much the same way. Google was one of DoubleClick's main competitors with their AdSense system, until they bought out DoubleClick earlier this year. Now they've incorporated the DoubleClick technology and network into their own, greatly expanding its capabilities in the process.

Google offers a choice to opt out of this "service", but there's an even better way which will allow you to opt out of virtually all such companies' "interest-tracking" efforts. You can easily block these companies from tracking your Web usage by simply disabling the "3rd-party cookies" feature in your browser. This will not disrupt any of your normal Web browsing activities or alter your user experience in any way, because Web sites generally use 1st-party cookies for things like user authentication and persistent settings management. The only practical, common use for 3rd party cookies is for behavioral tracking, and there might possibly be some even more insidious uses for it.

To stop Firefox from accepting 3rd-party cookies, go to Edit > Preferences, click the Privacy icon at the top of the dialog box and then deselect the Accept third-party cookies checkbox:

[Image: 25qu83r.png]

Note that all browsers except Opera and Safari ship with 3rd-party cookies enabled by default. So unless you're using Opera or Safari, if you don't want 3rd parties keeping records of your Web browsing activities, you'll have to manually disable 3rd-party cookies in the settings yourself.

Why should you care if these companies are keeping records of your Web activity, if they're only using it for advertising purposes? Well for one thing, they're exploiting your machine's resources like network bandwidth and hard drive space to make money by spying on your personal business and selling that data to other companies, and you're getting nothing out of the deal in return, except more targeted ads. If you use Firefox and an extension like AdBlock, then there's absolutely no reason for you to have 3rd-party cookies enabled.

Edited by Colonel Panic
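
As an added example (not part of the original post), the following audit sketch shows how the 3rd-party tracking described above appears in observed traffic: the same long-lived cookie is set by one outside domain across several unrelated sites. The hostnames and cookie values are constructed, and the "site" of a host is approximated by its last two labels, where real tooling would use the Public Suffix List.

```python
from collections import defaultdict
from datetime import timedelta
from urllib.parse import urlsplit

# Constructed sample: (page the user opened, URL that answered, Set-Cookie header)
OBSERVED = [
    ("https://homefix.example/tips", "https://homefix.example/tips",
     "session=abc; Path=/"),
    ("https://homefix.example/tips", "https://ads.tracker.example/banner.js",
     "uid=U123; Max-Age=157680000; Path=/"),
    ("https://news.example/today", "https://ads.tracker.example/banner.js",
     "uid=U123; Max-Age=157680000; Path=/"),
    ("https://news.example/today", "https://cdn.static.example/lib.js",
     "tmp=1; Path=/"),
]

def site(url):
    """Approximate the registrable domain as the last two host labels (assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def cookie_lifetime(set_cookie):
    """Return (name, value, lifetime); lifetime is None for a session cookie.
    Only Max-Age is parsed here; Expires is ignored to keep the sketch short."""
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name, _, value = first.partition("=")
    lifetime = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key.lower() == "max-age" and val.lstrip("-").isdigit():
            lifetime = timedelta(seconds=int(val))
    return name, value, lifetime

def cross_site_trackers(observed, min_lifetime=timedelta(days=30)):
    """Map (tracker site, cookie name, value) to the 1st-party sites it was seen on."""
    seen = defaultdict(set)
    for page_url, request_url, header in observed:
        first_party, responder = site(page_url), site(request_url)
        if responder == first_party:
            continue  # 1st-party cookie: logins, settings and the like
        name, value, lifetime = cookie_lifetime(header)
        if lifetime is None or lifetime < min_lifetime:
            continue  # session or short-lived cookie: not a persistent identifier
        seen[(responder, name, value)].add(first_party)
    # The same persistent ID on two or more unrelated sites links those visits.
    return {key: sorted(pages) for key, pages in seen.items() if len(pages) > 1}

if __name__ == "__main__":
    for (tracker, name, value), pages in cross_site_trackers(OBSERVED).items():
        print(f"{tracker} links visits to {pages} via cookie {name}={value}")
```
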