As even idiots are aware nowadays, a lot of software attempts to
track what you do on the web (and what files you handled) without telling
you anything.
Such software trojans are called malwares here @
fravia's (and elsewhere), but you'll
be able to find many other names for these covert snooping activities
all over the web. (snoopers, concealed activities,
phoning home...).
Since Joe the luser doesn't understand jack, there's a lot of
money to be made selling or trading the data he delivers and sputters around without
even knowing it. These data must be gathered in order to be sold...
thus the growing use -inter alia-
of trojan software.
The "Old" Trojan software approach
was relatively risky, though, because it had to send the gathered data over the web to some
specific address... wouldn't it be
better if those data were stored ON YOUR OWN COMPUTER, of course without you knowing or
understanding it, and easily used or perused by any third party when
you gappily browse the web? That's what's
nowadays possible thanks to Microsoft explorer. Note that this service can be used by OTHER software
producers as well... Microsoft has made it possible for anyone to store info on
your own harddisk without you being aware of it... and some software producers are already
actively taking advantage of this...
For instance, as you might NOT know, ACDSee has a "feature" of storing a complete database of everything you
saw with their software (complete paths and filenames, together
with small thumbnails sometimes). Great "feature" once you understand that OTHER PEOPLE
can also get at it, eh?
By the way: don't you think, as I do, that it is
funny how all intrusions that trample your privacy rights are
called 'features' nowadays? And I believe it is even more funny,
or sad, come to think of it, that not only slaves and "hoi polloi" web-commoners,
but even reversing-savvy and other people that
should know better fall for that: "Hey, if M$IE does what I need, why should
I care if some of my data are reported somewhere? You're just bashing Microsoft... I'm not into anything
illegal, duh"... as if that were the problem... poor
suckers.
The idea that there might be some users (for instance me) that DO NOT WANT the whole world to
know what they have been looking at on their own computer does
not even come to their minds.
Yet in the "malwares" arena nothing can beat the most recent version of Microsoft explorer with
its "userdata persistence".
M$IE's trademarked and copyrighted userData behavior persists data across sessions, using one
UserData store for each object.
The UserData store is "persisted" in
the cache using save and load methods. Once the UserData store
has been saved, it can be reloaded even if Microsoft Internet
Explorer has been closed and reopened. And even if you have cleaned all your cookies and
everything else in sight.
You dig what this means? Re-read the sentence above please... now think...
Sounds just like sorta new cookies, eh? I bet you didn't know
that M$IE version 5 (or more) had this persistence "feature".
Did you? Ok, you knew already, 'coz you did read the
relevant
Bugtraq advisory,
sorry if I ever had some doubts :)
"Oh boy... I knew that... in fact that's pretty useful, so I don't have to type
the whole URL/password/data every time eh... You're just bashing Microsoft..."
Poor sucker.
The problem IS NOT the fact that M$IE saves your searches
and your inputted form data inside form boxes automatically for you.
The real
problem here is that this "persistence" stuff can be manipulated ad hoc
through Javascript in order to store and load data, by any web-savvy
web page author.
Once more: re-read this last sentence and understand its
implications... scary eh?
Yes,
everyone with half a brain knew that M$IE saved all the previous data that you type
into a search box -say at AltaVista- but I didn't know (and I'll bet
you that most people still don't know) that a web page could use this
same technology in much the same way that cookies are used.
Ok, you want to understand exactly what I'm speaking about:
try this yourself if you've got M$IE version 5 (or higher)... and you should NOT have
it, as you will soon discover :)
Go to
www.microsoft.com, click on the Support menu
up top, then click on
Knowledgebase...
Enter some search terms -one or two search terms about
something whatsoever- now close out, wipe out your History, wipe out your
Temporary Files and all the bazaar.
Then wipe out cookies.
Wipe out everything you find suspect, go ahead.
Now browse back in and check M$-Knowledgebase.
Great! Hurrah! It remembers
your search term, because as a matter of fact some SECRET INFO has been written
on your own harddisk in some XML
file buried deep somewhere.
Of course, as all sparrows are singing by now,
the first thing to do immediately after installing Internet explorer... and before it
uploads the whole contents of your hard drive to microsoft... is to
disable ANY scripting support. If you do not, you'll sooner or later
learn this from your own hard experience, "helped" by the never
ending barrage of scripting exploits produced all over the web.
This 'persistence'
depends on scripting support.
I cannot guarantee that all sorts of Microsoft "persistences" work like this,
however the persistence I've watched in Microsoft explorer uses
XML to store data on the user's hard drive, and this data is known as
-surprise- "userdata". This "userdata persistence" can be
separately disabled, just like cookies, in the M$IE security
preferences (under "allow userdata persistence").
If you want
to take a look at what such "userdata" has already stored inside your
computer, check out the XML files stored in (under win2k)
"\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\Userdata\"
In theory this userdata can only be read
from the same place that wrote it, much like cookies. It works
from different locations inside your hard drive as well: different
directories cannot -in theory- read each other's userdata.
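An added example, not part of the original text: a small Python audit of the
Userdata directory named above, listing every XML store found there and the
values a page left in it. The sample tree built by build_sample (directory and
file names, the "store" element) is constructed for illustration; the layout on
your own disk may differ.

```python
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def audit_userdata(root):
    """Report what each XML store under a userData directory contains."""
    findings = []
    for path in sorted(Path(root).rglob("*.xml")):
        data = path.read_bytes()
        entry = {"file": path.relative_to(root).as_posix(),
                 "bytes": len(data), "values": {}, "error": None}
        # These files hold whatever a web page chose to write, so treat them
        # as untrusted: skip anything that declares a DTD or entities.
        if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
            entry["error"] = "contains a DTD, not parsed"
        else:
            try:
                for elem in ET.fromstring(data).iter():
                    for name, value in elem.attrib.items():
                        entry["values"][f"{elem.tag}@{name}"] = value
                    if elem.text and elem.text.strip():
                        entry["values"][f"{elem.tag}#text"] = elem.text.strip()
            except ET.ParseError as exc:
                entry["error"] = f"unparseable XML: {exc}"
        findings.append(entry)
    return findings

def build_sample(root):
    """Constructed sample tree; the names and layout are made up."""
    site = Path(root) / "SAMPLEDIR"
    site.mkdir()
    (site / "search[1].xml").write_text(
        '<store query="constructed search term" visits="3"/>')
    (site / "broken[1].xml").write_text("<store query=")
    return root

if __name__ == "__main__":
    # Pass the Userdata directory named in the text, or run on the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tempfile.mkdtemp())
    for item in audit_userdata(target):
        print(item["file"], item["bytes"], "bytes", item["error"] or "")
        for key, value in item["values"].items():
            print("   ", key, "=", repr(value))
```

Run it with the Userdata path as its only argument; with no argument it runs
against the constructed sample.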
Thus some bozos believe that this feature could be quite handy,
since it allows for more data-storage (in terms of bytes) than cookies,
and it is in XML.
The difference is that this can just fill up a database,
recording everything you do. While advertising is certainly the
most likely commercial application, such tactics could be used in
other ways such as legal action. It's also a good way of enforcing
censorship in controlled environments for many target
audiences.
Whether this (hidden) information may really be of great
value may be
debatable, but I wouldn't want anybody (especially low-life forms like marketers)
to
know what social vice website I view nor my preferred political or religious
sites, nor the sites I visit in other countries etcetera.
Just because the chances
of such info being used are small doesn't mean this info won't be used, duh.
Inside M$IE 5.1 there is also an option (in the advanced tab) called
"Enable Page Hit Counting". Here is what the
Help says about it:
Specifies whether you want Internet Explorer to allow Web
sites to track your Web page usage. Selecting this check box
allows sites to create a log on your computer of which pages
you view, even when you are viewing Web pages offline.
That log is sent to the site the next time you go to it.
By tracking the usage and popularity of specific Web pages,
content providers can tailor future content to match your
interests.
As usual Microsoft chose the most
innocuous and euphemistic description and name possible.
Oddly enough, in M$IE version 5.5, that option is still there, and enabled by
default. HOWEVER, instead of being listed as "Enable Page Hit
Counting" it is simply a blank field beside a checkbox.
If you
right-click it and do a "What's this" on it, it shows the same
text quoted above...
Perhaps this is some kind of "feature" to keep people from turning
it off? Who knows? Isn't it disturbing to know they're trying to
hide it?
So, in version 5.1, they have "Enable Page Hit Counting"
and "Userdata
Persistence", and in version 5.5 they have "Userdata Persistence",
and the
page hit counting option is unlabelled (but at least still present).
You may want to ask Microsoft what they have to say about this crap.
Does this have anything to do with Passport?
It
would seem that Passport is little more than a cookie
circumvention process in order to provide commercial bastards with way more
data than cookies can.
While you are looking at those darn tabs inside M$IE,
there's a plethora of potential
security issues that you can (try to) mitigate. Microsoft was nice enough
to at least provide the options (given that one luser out of 1000 has
ever given a look to these settings, they probably can afford to leave them
there...), yet Microsoft was not nice enough to choose the secure
default...
Advanced Tab
-----------
Profile Assistant (Allows web sites to upload information about
you from somewhere. The Windows Address Book?)
Install on Demand (Web sites can install "Web Components" on
demand. Vague enough for you?)
Of course you should always search from the Address bar, unless you
want to tell MSN what you
are looking for...
Security Tab
------------
ActiveX control settings (duh)
Tons of Script options which have known issues (which is why they
are in this dialog box in the first place, duh)
Automatic Logon (Sends your weakly encrypted NTLM network password
hash to anyone who asks)
You know what these automatic logon "NTLM credentials" are?
It's your local NT logon, bozo.
Apparently
if you are MYBOX\Administrator, M$IE will happily advertise
this and a weakly hashed password to anyone who asks.
Now put up a nice porn-site as
a lure (+fravia, this should go in the lure section,
eheh :)... how many admins are surfing porn sites as MYDOMAIN\Administrator
right now?
As a matter for further developments on this track:
whenever I find myself somewhere
forced to use this explorer crap (I myself prefer Opera or even Lynx, of course) I
later discover files (not bugs-images: files, duh) on my computer,
which come evidently from web sites
that I have never visited... matter for thoughts, eh?