Those Annoying Cookies

There has been a lot of uproar recently about how ISPs are now able to monetize our browsing history. It’s certainly scary thinking that a company can record what you do on-line and then sell this information to others who can use it for reasons unknown.

But we are already being tracked today (and have been for some time) to some extent by cookies put onto our computers when we visit websites. Cookies are not automatically bad, but many cookies were designed for the express purpose of spying on us and to track and record our web behavior.

Cookies differ from viruses, worms, trojan horses and other kinds of malware which are active pieces of code that can make almost any imaginable change to a computer. Lately ransomware is the worst of the new viruses which encrypts your hard drive and won’t unlock it until you pay a ransom fee to have the virus removed (and often then your system still won’t unlock).

Cookies instead are strings of text stored on your computer. In the most benign cases a cookie can be a time log that records when you visited a given web site so that the web site owner will recognize you when you return. And many benign cookies are friendly and convenient and are used to store your log-on passwords so that you don’t have to log in every time you visit a web site. But since cookies are text files they can record a lot more information and in the most extreme cases can be used as a place to record your browsing history – the same thing we are worried about the ISPs monetizing.

Cookies are routinely used by retail shopping sites. They not only record who you are but they know what you viewed and what you purchased at a site. These adware cookies allow a web site owner to direct you to a tailored page when you visit their site based upon your past history on the site. They may send a previous shopper to a page showing the things you are interested in, or for a non-shopper may offer discounts to lure you to buy.

Shopping sites and others similar web services like cookies because it’s the only easy tool they have to identify you. If you browse a website without somehow logging in to identify yourself a web site has no idea that you have been to their site before. All that any web site can see from a non-identified user is the identity of the ISP you use to get to that site. But by putting a cookie on your computer, even if a web owner doesn’t know your name, they know your past behavior at their site and the cookie provides a ‘memory’ about you.

Of course, some cookies are more aggressive. Once sitting on your hard drive they can gather data that identifies more about who you are, so that when you return to a web site the owner might know your identity and can tailor items and prices to you.

Years ago it was fairly easy to deal with cookies. They often were named for the web service that created them, such as your bank or the log-in page to your ISP. We learned not to delete these cookies in order to avoid having to log in every time we visited a web site or service. But today there are huge volumes of cookies.

I rarely do anything personal on my work computer. I rarely shop from it, play games, watch video or do anything personal. I mostly use my work computer to do research and to read industry articles. I also run an ad blocker to minimize ads that can see my computer. Even with this limited use I get hundreds of cookies every week. Most people don’t realize that when you visit a web page with ads that many of those ads dump a cookie on your computer – and you don’t need to click on the ad for this to happen. Many web sites have been created just for this purpose, such as web sites that make you click through multiple pages of a ‘slide show’ to see the ten cutest puppies or the ten best town in America. Those sites are ad heavy and pound your computer with cookies and sometimes even malicious malware.

The worst thing about cookies to me is that I don’t know who is placing cookies on my computer or what they want to use them for. Since some cookies can be malicious I worry that they are recording my web browsing history or passwords or other information I want to keep private. The worst of the bad cookies are persistent and bury themselves in places that are hard to find. These kinds of cookies cross the line to look more like viruses, but it’s still considered to be a cookie if it just records things and become a virus when the actively change something on the computer.

I sometimes wonder if we worry about the wrong things in the cyberworld. ISPs certainly have the opportunity to know a lot of things about me, but they also are likely to be at least a little cautious about blatantly abusing their customers. It seems more likely that most big ISPs will use our data for their own market purposes and may not sell our data to competitors or the wide world.

But the people who put cookies on our computers don’t have any such restraints. They get on our computers anonymously and we have no idea what they are doing with any given cookie. It’s now well-known that there have been detailed profiles created about each of us and I have to think that a lot of the data used to populate these profiles comes from cookies. Most people I talk to do not use ad blockers or routinely purge cookies the same way I do – and I don’t even know if what I do really makes a difference. If there are even just a handful of the more malicious cookies hidden on my computer somebody might already be tracking a lot of the things I do.

Your Weakness Might be Your People

Staff-buttonToday I’m going to talk about something that most company owners or general managers don’t want to be reminded about. I’ve read a number of things lately that remind me that often the employees at a company, while your biggest resource, can also sometimes be your biggest weakness.

What do I mean by that? For one thing, I’ve read several industry security reports lately that all say that company employees are the largest single reason that networks are getting compromised. Many companies now have pretty good firewalls and so hackers are no longer trying to break directly into company networks. Instead they are using techniques that get your employees to let them inside.

One of the primary new hacker tools is spoofed email. They will get valid email addresses for somebody inside the company, and then create fake and infected emails from that person to others in the company. Their hope is that somebody inside the company will open and download a file containing a virus from an infected spoofed email. Generally, once they see the structure of your email addresses it’s not that hard to figure out other email addresses inside the company.

The other way that hackers get in is with the older techniques of having somebody inside a network go to a web site that’s infected. I just reported in a recent blog that Menlo Security tested the top million websites (by traffic volume) and found that 6% of them contained malware of some sort. Much of this malware is just tracking spyware that isn’t too harmful, but some of it can be the deadliest malware on the web.

Cisco said last year that malware from web advertising is possibly the biggest new security threat. And malware is no longer just on suspicious web sites but can be found on very mainstream websites. This is due to the very odd system we have for getting advertising to websites. I discussed this in a blog earlier this year, and such malware is just as likely to come from a major news site as it is from someplace more suspicious.

The main defense against these kinds of problems is to continuously talk about these issues so that your employees are aware of them. The interesting thing is that employees are far likelier to open or download a file from an infected email at work than they are at home. For some reason employees are not as cautious with suspicious emails at work as they are on their home computers. If something is spoofed to look like it came from somebody inside the company they are likely to open it.

The other issue that brought this to mind recently is that I have several clients who have been the victims of embezzlement by employees. Of course, this is a crime that has been around forever and almost every time this happens people are shocked that it could happen to them. My first college degree is in accounting and I had several courses that dealt with these issues since it’s something that auditors are supposed to look for and uncover.

Accountants understand that there are two primary kinds of embezzlement. There is the loner who finds a way to write checks to themselves or to a bogus vendor they have created. This kind of embezzlement is almost always due to lax financial controls. If every check that is written must be approved by somebody who is going to make sure that a payment is legitimate, then it’s very hard for somebody to pull this off. Generally companies get into this kind of trouble when they have somebody with the sole authority to write checks or where people can somehow bypass the controls. Sadly, the temptation to steal is just too much for some people.

The other kind of embezzlement is a lot harder to catch and comes when a number of employees collude together to commit fraud. In that situation they are often able to bypass even the best internal controls. For instance, one employee can ask for a payment to a bogus vendor while another  employee cohort can vouch that it’s legitimate. I remember a huge case of this when I worked at Southwestern Bell many years ago where a large group of employees at the company colluded to buy huge amounts of telecom cable and electronics and have it delivered to a fake company warehouse.

It’s a shame that we live in a world where you have to worry about these sorts of things, but it happens to a lot of companies sometime during their corporate life. Almost invariably the person who is stealing from the company seems like the least likely candidate and surprises everybody.

I didn’t write this blog to cause you to be suspicious of your employees or staff. But it never hurts once in a while to think about these things because, sadly, one of your biggest weaknesses really can be your employees. And that can really hurt.