Good morning. My name is Clinton Wong and I'm here to talk to you about an alternate cookie tracking system called local shared objects and what its implications are for your privacy. So to tell you a little bit about myself: I'm a software engineer and I work in Silicon Valley, and I've written two O'Reilly books, Web Client Programming with Perl and HTTP Pocket Reference.

So to start off, this talk isn't really about anything new. In fact, this is something that's been widely known about three years ago. But in the hallways of Silicon Valley, when I talk to my coworkers, unless you're a security researcher, this is actually something that not a lot of people know, and if people who are writing software don't know this, chances are just the regular user doesn't know about it either. So I decided to do this talk to basically have a public service announcement, to tell you something you should know but you probably don't, and because you don't, it might hurt you.

So if you look at this Wikipedia entry for local shared objects, it tells you basically exactly what I'm going to be spending 20 minutes telling you about. But I'll explain it in a little more detail so you can sort of understand and manage it better, and then after that there are a few other things I'd like to tell you that are not related to local shared objects, which I'm going to refer to as just LSOs from now on, but would also be useful to know, and once you know, it'll help your privacy.

So a quick survey: how many people know that browsers have something called cookies and that websites can use them to track you? Okay, a good number of people. How many people know about Adobe local shared objects? Okay, some other people too.
All right, so before we talk about local shared objects, let's talk first about what the established system already is. HTTP cookies are what people refer to commonly as just plain cookies, and it's something that is well documented by the Internet Engineering Task Force, and there are various documents that describe how the protocol between your browser and your server works and also how cookies work. So let's take a look at that, and if you've read any of my books, you might have noticed that I like to explain at a protocol level how things work.

So let's take a look at when your browser goes to Google.com. First it figures out, using DNS, where to find Google.com, so it gets the IP address of the main Google web server, and then it'll establish a TCP connection to port 80 and it'll send this over that connection. It looks pretty simple. So the first line is a request, and then the rest of it is a description of what the browser is and what kind of content it can accept and who it thinks it's talking to and things like that. And the Google web server will reply with a response, and the first line is basically a status code and also a bunch of information about itself. The one thing to note here is the bold line in the middle, and it says Set-Cookie and then there's a name-value pair. It's a really long string, so I've truncated it, but this is something to remember for the next slide, because when you talk to Google again with your web browser, your web browser remembers that name-value pair and relays it back, and that's how websites can have a session to associate your request with you. It's a unique way of identifying you and it's stored in your browser. So browsers let you manage this.
Here's a screenshot from Firefox 3, and in the middle you can see that you can tell Firefox to accept or deny cookies in general, whether to allow or deny third-party cookies, which are cookies that come from websites that you didn't explicitly go to, for example ad websites that are referenced from wherever you happen to be visiting, and you can also set the expiration policy. The web server will tell you what the expiration date is, but if you want to, you can say, well, clear all the cookies when I quit Firefox. And likewise you can look at each individual cookie, and there's usually an option in your browser to just clear all private data in general. So your browsing history, the username and passwords that it remembers, everything including cookies.

And on top of managing cookies in your web browser, you can also filter them using web proxies. This is a common scenario that corporations use. Chances are there's a proxy server in your firewall, and if you're inside a corporate network you have to explicitly use it to get to the internet at large. They generally don't filter cookies, but they could. If you care to filter cookies on your own and not really use your browser to do that, you can use something called Privoxy, and the website is at the bottom of the slide. And basically you can run your own web server on your own computer and tell your web browser to use it, and then you kind of don't have to care what your web browser is doing, because with Privoxy you can configure a bunch of policies to filter or allow cookies to go through it to the website you're talking to.

Okay, so now let's talk about local shared objects. So Adobe developed something called Flash, and there's a Flash plug-in that most all web browsers have, and it's pretty much something that a lot of websites use, so you can't really turn Flash off. Otherwise, there's some functionality that you're missing. This is how YouTube works. How you watch a video.
This is how Pandora works, so you can listen to music using their website. This is how ads are delivered to have rich media. And so this is an interesting and useful thing to have around, and it's something you can't really turn off. And Flash has its own cookie system similar to HTTP cookies, and it's called local shared objects.

So the interesting thing about this is that these local shared objects are not cleared when you tell your browser to clear private data or to clear your cookies. In fact, unlike regular HTTP cookies, there's no expiration for them. So if you don't know they're there, and it looks like a lot of people don't, then they're just there forever. And, well, that's bad, because you might be clearing your browser thinking that everything's actually cleared, but the website developer has a way to actually permanently store stuff on your web browser and use it forever. So maybe your privacy is endangered in some way, because you think you've cleared it and it actually has not been cleared.

So just to drive the point home, in Firefox, if you... this page does absolutely nothing, and this clear private data in Firefox doesn't do anything either. And when you try this with all the different web browsers out there, Safari, Firefox, Camino, Internet Explorer, none of them know how to clear these local shared objects from your Flash plugin.

And companies know about this. So this is a three-year-old article, but it basically says, hey, there's a company out there that's going to take your regular cookies and store them as local shared objects, and if you clear your regular cookies, well, it'll just restore them from your local shared objects. So this is a marketing technology. It's not clear how many people actually use this, but it's definitely out there. So it's possible that any website you visit could be storing data permanently on your computer, simply because you don't know it's there.

So it's actually not that bad. How do you fix this, right?
So how do you get those configuration panels for Flash to configure your local shared object policy? Adobe does have a web page that explains how to do this, so the URL is here. You don't have to write it down, because this presentation is on the DEF CON CDs. You can just look at it later. But basically, if you go to this URL here, then that URL has a Flash app, and then when your browser looks at that, the Flash plugin will load it and run it, and there it is. So here's this page that not many people actually know about, and you can actually sort of configure how your Flash plugin works. And clearly here there's an option to allow third-party Flash content to store data on your computer. That's basically talking about local shared objects. You can configure the size of the local shared object, though chances are people don't really store that much on your computer. They could. And likewise, if you visit this other URL, you can look at the individual cookies, if you will, and clear them or delete all of them. And if you've never realized that this is here, this might be a startling thing to look at. It's probably a very large thing: a lot of ad tracking companies and common sites like YouTube and, in this example, Yahoo, right?

So it's not very easy to filter these local shared objects. With HTTP, it's clearly defined in the Cookie header and Set-Cookie header, and the proxy can just clear that and look at the website you're using and decide what to do with it. So I decided to log into Pandora, and I stripped a lot of information out, but basically Pandora will ask you for your username and password and store that as a local shared object, but also send it along to the web server, because it needs to know what your settings are. And if you look at the request, it's that very last line, which I've truncated, and it's this really long hex string. And, well, for a web proxy, it's not really clear this is even a local shared object at all. It just looks like a POST and some data, and so it's not very easy to really filter in any way. Likewise, the response from the Pandora web server looks like this. There's a bunch of XML data that it returns, and that's up to the Flash plug-in to interpret, but really, from a proxy point of view, there's nothing really there that says this is a local shared object either. So it's not very easy to filter this.

Okay. So having said all of that, now you know that they exist, local shared objects, and roughly how to manage them, and so you can clear them now, and you can turn off local shared object support and have a more private browsing experience.

Okay, so what else is useful to know here? So I'm going to talk about things that are not local shared objects, but chances are you don't know about them unless you work in the security industry, and they'll be useful. So this is the Washington Mutual website. It's a regular screenshot. I've done nothing special with it. And, well, there's something wrong here. Does anyone know roughly what it is? Can you raise your hand? Okay, some people know. All right, so here's a hint. Okay, so this is that page again, and here's some of the HTML from that page. And, okay, so you're posting your username and password to an SSL HTTPS location, so that means you're sending it encrypted. So what's the problem, right? Well, the problem is, if you notice here, you just visit WWW.com, you're using HTTP. That's not using encryption in any way. And when you use SSL, there's something called a certificate, and that ensures that you actually are talking to who you think you're talking to, and the fact that you're not using it means you don't really know you're talking to Washington Mutual at all. It could be that someone in the middle has tampered with the data. Let's say you're using a Wi-Fi connection and whoever runs the Wi-Fi is malicious and decided to do some nasty hack here.
So that means this regular HTML, they could have changed, such that you're posting it to some arbitrary site that they want you to post it to, and, well, it may not actually log you into the Washington Mutual website. You've at this point divulged your username and password to some arbitrary place, right? So that's bad. This is also something that's well known. It's documented three years ago, and basically people who develop web services need to realize that when you have a login page, it has to be HTTPS, basically HTTP over SSL. And in my survey of the major financial institutions, they actually do get this. Washington Mutual is pretty much the only one that I could find. So people are catching on, but still, it's three years later. As with anything in security, it's a matter of awareness.

Okay, so what's wrong with this? Chances are this is something a lot of people use. This is Yahoo Mail. It's really similar. So basically, this is something that was talked about last year at Black Hat, and there's a technique called side-jacking. On a regular trusted network, the data between you and Yahoo is pretty much private, but if you're on something like a Wi-Fi connection, well, everyone can see the traffic, and that means when you're communicating with, say, the Yahoo web server, there are cookies flying around and there's not any encryption here. And so everyone can see your cookie, which means they can actually use your cookie while you're still logged in, and that means they can impersonate you. They can do whatever they want as you when you're logged in.

Google realized this is happening, and there's a special URL you can go to, HTTPS and Gmail and Google.com, and after you log in your entire session will be SSL encrypted. So that problem goes away. With Yahoo and Hotmail, I don't know a solution for this. I tried looking. If you know, please let me know afterwards and I'll update the slides, and the updated information will be on the DEF CON website. So that's pretty much it.
I hope you've learned something about local shared objects and how to improve your privacy. And never log into a financial institution, or anywhere else where you care about your privacy, using HTTP. The page must be HTTPS. And for your email, try to use something, or pressure your current mail provider, to have an all-SSL session for your traffic. And that's pretty much it. Thank you.