Tracking Cookies ECE 4112 Final Project Phillip Shatzman and Jeff Magee December 4, 2007


Page 1: Tracking Cookies

Tracking Cookies

ECE 4112 Final Project

Phillip Shatzman and Jeff Magee

December 4, 2007

Page 2: Tracking Cookies

Overview

• Background

• Tracking Cookies in Action

• Code analysis

• Cookie Defense

• Spybot – Search & Destroy

• What students will learn / do

Page 3: Tracking Cookies

Background

• Track web activity
  – Marketing

• Online Retailer

• Privacy violations
  – Compiled in databases

• Multiple cookies per website
  – e.g. Link4Ads

• Third-party cookies
  – Pop-up banners

Page 4: Tracking Cookies

Tracking Cookies in Action

• Created 3 “domains”

• Each uses the same ad service

• Result: Each domain can target specific services based on users' browsing habits

Page 5: Tracking Cookies

Live Webpage Demo

Page 6: Tracking Cookies

Index Webpage Code

<html>
<frameset rows="20%,15%,65%">
  <frame src="welcome.html">
  <frame src="c:\ece4112\ads\determineadcasino.html">
  <frame src="info.html">
</frameset>
</html>

• Advertisement frame is different for each, but in the same domain (“ad”)
  – determineadflorida, determineadretire

Page 7: Tracking Cookies

determinead Webpage Code

<script language="Javascript">

function checkCookie(){
  //Initialization of variables to be used
  var lf = "\n"; //character for next line
  var CookieString = document.cookie;
  var CookieSet = CookieString.split(';');
  var SetSize = CookieSet.length;
  var CookiePieces;
  var ReturnValue=""; //set default empty return if no cookie found
  var x = 0;
  for (x = 0; ((x < SetSize) && (ReturnValue == "")); x++){
    CookiePieces = CookieSet[x].split('=');

Page 8: Tracking Cookies

determinead Code (cont.)

    //strip the leading space that follows each ';' in document.cookie
    if (CookiePieces[0].substring(0,1) == ' ' ){
      CookiePieces[0] = CookiePieces[0].substring(1, CookiePieces[0].length);
    }//end if
    if (CookiePieces[0] == "ad1"){
      ReturnValue = CookiePieces[1];
    }//end if
  }//end for
  return ReturnValue;
}//end checkCookie()

Page 9: Tracking Cookies

determinead Code (cont.)

function SetCookie(cookieName,cookieValue,nDays){
  var today = new Date();
  var expire = new Date();
  if (nDays==null || nDays==0) nDays = 1; //default to a one-day lifetime
  expire.setTime(today.getTime() + 3600000*24*nDays); //nDays in milliseconds
  document.cookie = cookieName+"="+escape(cookieValue)+";expires="+expire.toGMTString();
}

Page 11: Tracking Cookies

determinead Code (cont.)

var returnval = checkCookie();
if (returnval == ""){ // no cookie found
  SetCookie("ad1","florida",100);
  returnval="florida";
}

if (returnval == "casino"){
  SetCookie("ad1","floridacasino",100);
  window.location.href="floridacasino.html";
}
else if (returnval == "retire"){
  SetCookie("ad1","floridaretire",100);
  window.location.href="floridaretire.html";
}
else if (returnval == "casinoretire"){
  SetCookie("ad1","floridacasinoretire",100);
  window.location.href="floridacasinoretire.html";
}
else window.location.href=returnval+".html";
</script>
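The Florida script above hard-codes each cookie transition. The following is an added example, not part of the original slides, that models the same "ad1" logic as pure functions over a cookie string and generalizes it to all three sites. It assumes the casino and retire scripts, which the slides do not show, follow the same pattern and value order; the function names are hypothetical.

```javascript
// Added illustration, not the slide authors' code.
// Site order is inferred from the cookie values on the slide ("floridacasinoretire").
const SITES = ["florida", "casino", "retire"];

// Same job as checkCookie(), but over a string so it runs outside a browser.
// Splitting on the first "=" only preserves values that themselves contain "=".
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return "";
}

// Decode "floridacasino" into the set of sites it records. The cookie is
// client-controlled, so anything that is not a known combination is discarded
// instead of being used to build a URL.
function decodeProfile(value) {
  const seen = new Set();
  let rest = value;
  for (const site of SITES) {
    if (rest.startsWith(site)) {
      seen.add(site);
      rest = rest.slice(site.length);
    }
  }
  return rest === "" ? seen : new Set();
}

// What the ad frame on `site` does on one page load (hypothetical helper).
function visit(cookieString, site) {
  const seen = decodeProfile(readCookie(cookieString, "ad1"));
  seen.add(site);
  const value = SITES.filter((s) => seen.has(s)).join("");
  return { cookie: "ad1=" + value, page: value + ".html" };
}

// Thread one browser's cookie through a sequence of site visits.
function browse(sites) {
  let cookie = "";
  return sites.map((s) => {
    const r = visit(cookie, s);
    cookie = r.cookie;
    return r.page;
  });
}
```

Calling `browse(["casino", "retire", "florida"])` shows how one shared cookie lets the ad frame on the third site reflect visits to the first two.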

Page 12: Tracking Cookies

Cookie Defense

• Several Methods
  – Delete Cookies on Close
  – “Learning”
  – Block all Cookies

• Can be done in almost any browser

Page 13: Tracking Cookies

Cookie Defense – Delete on Close

• Delete cookies when exiting

• Can still be tracked while browsing

• On open, no website will know you
  – Pro: Past activity unknown to tracking websites since cookies are gone
  – Con: Legitimate websites with logins often use cookies to remember users

Page 14: Tracking Cookies

Cookie Defense – “Learning”

• Two options: Block bad or Allow good

• Block Bad
  – Accept Cookies
  – See a bad cookie, delete and block source

• Accept Good
  – Block All Cookies
  – When finding a legitimate website, allow

• Pro: Very effective after a long time

• Con: Takes a while and is a pain

Page 15: Tracking Cookies

Cookie Defense – Block All

• No cookies allowed on PC.
  – Pro: Most effective
  – Con: Many legitimate websites require cookies.

• Alternative: Block all and allow individual
  – AKA, “Accept Good Learning”
  – More of a pain than “Block Bad Learning”

Page 16: Tracking Cookies

Cookie Defense – Internet Explorer Settings

• IE has similar settings to Firefox except it also has built-in, customizable security levels

Page 17: Tracking Cookies

Spybot – Search and Destroy

• Searches the computer for tracking cookies.
  – Uses a frequently updated list of known tracking cookies

• Freeware

• Can be used for many security issues on computers, such as Spyware

Page 18: Tracking Cookies

Spybot – Tracking Cookie Scan

Page 19: Tracking Cookies

Spybot – After Scan Actions

• Immunize (see previous slide's screenshot)

• Add the domains found in Spybot to the blocked cookies list using the “learning” mode defense discussed earlier
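A list-based scan followed by the “Block Bad” learning step can be sketched as below. This is an added example, not Spybot's implementation or code from the slides; the tracker list, cookie records and function names are constructed for illustration.

```javascript
// Added illustration; the domains and cookie records are constructed sample data.
const KNOWN_TRACKERS = ["ads.example", "tracker.test"];

// Return the listed domain that a cookie's domain equals or is a subdomain of.
// Matching on a label boundary keeps "notads.example" from matching "ads.example".
function matchTracker(cookieDomain, trackers) {
  const host = cookieDomain.toLowerCase().replace(/^\./, "");
  return trackers.find((t) => host === t || host.endsWith("." + t)) || null;
}

// Scan a cookie store: report cookies to delete and the sources to block.
function scanCookies(cookies, trackers, blocked = new Set()) {
  const toDelete = [];
  for (const c of cookies) {
    const hit = matchTracker(c.domain, trackers);
    if (hit) {
      toDelete.push(c);
      blocked.add(hit);
    }
  }
  const kept = cookies.filter((c) => !toDelete.includes(c));
  return { toDelete, kept, blocked };
}

// "Block Bad" learning: refuse new cookies from any source already blocked.
function acceptCookie(cookie, blocked) {
  return matchTracker(cookie.domain, [...blocked]) === null;
}

// Constructed cookie jar: two tracking cookies, one login cookie, one look-alike.
const jar = [
  { domain: ".ads.example", name: "ad1", value: "floridacasino" },
  { domain: "shop.example", name: "session", value: "abc123" },
  { domain: "notads.example", name: "prefs", value: "dark" },
  { domain: "cdn.tracker.test", name: "uid", value: "42" },
];
const result = scanCookies(jar, KNOWN_TRACKERS);
```

Here `result.toDelete` holds the two tracking cookies, `result.kept` leaves the login cookie untouched, and `acceptCookie` refuses later cookies from the learned sources.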

Page 20: Tracking Cookies

Students Will…

• Gain an understanding of tracking cookies

• See them in action by visiting mock pages

• Analyze the code to see how it worked

• Secure their browser against bad cookies

• Use anti-spyware software to protect browser

Page 21: Tracking Cookies

Questions?