Assessing Privacy Risks from Flash Cookies


SANS Technology Institute - Joint Writing Project, February 2011


Assessing Privacy Risks from Flash Cookies


STI Joint Writing Project

Authors: Stacy Jordan and Kevin Fuller

Advisor: Stephen Northcutt

February 21, 2011


Abstract


It is no longer “taboo” to purchase goods and services from the Internet. In addition, the Internet has become the new way to obtain entertainment for many people as well. Retailers have increased their presence on-line and offer discounts to consumers that are not available in-store. Television networks, record companies and other media outlets have placed their content on-line for people to view via their computer as well. The best websites employ a variety of different audio-visual and Adobe Flash elements to attract people to their sites. One method of providing a good on-line experience, whether it is shopping or viewing a movie, is the use of browser and flash cookies. These cookies provide retailers and content providers with the opportunity to deliver specific advertisements (ads) and store site preference information for the user. Even though cookies help retailers and content providers tailor the on-line experience, they have raised privacy concerns. This comes from the fact that not all cookies can be deleted using tools on the marketplace today and consumers are not given a chance to “opt-out” of having their information stored for later retrieval. So the question is whether or not flash cookies pose a significant privacy risk for anyone who uses the Internet.


Executive Summary

The purpose of this paper is to provide guidance that organizations could use to assess the privacy risk and data spillage as it pertains to the use of flash cookies. Several areas will be addressed in the paper to include:

• Analysis of flash cookies
• Description of risk of using flash cookies
• How to identify the use of flash cookies
• How to verify the storage of flash cookies on a computer
• Use of DOS command (DIR) to find cookies stored on a computer
• Technical approaches for detection and management of flash cookies
  o Survey of tools and techniques to detect flash cookies
  o Survey of tools and techniques to manage or detect flash cookies
  o Survey of forensic tools that can be used to examine the contents of flash cookies
• Forensic analysis of private browsing mode

Finally, the appendix sections of the paper will provide additional information on tools and websites that used flash cookies.


1. Introduction

Shopping for goods and services is no longer exclusive to traditional brick and mortar retail stores. Today, the Internet plays a great role in how individuals get their entertainment via online games, streaming audio and video and music downloads. Besides entertainment, on-line shopping via a computer or mobile phone has allowed consumers to purchase almost anything without leaving the comforts of home. Because of the growth in online shopping, traditional and electronic-only retailers (E-tailers) have employed a variety of different methods to ensure that your on-line shopping experience is seamless and tailored to your specific requirements. This customization of the on-line shopping experience is done through the use of cookies that are delivered or “dropped” to your computer through the browser. A special type of cookie called a local shared object (LSO), also known as a flash cookie, provides retailers with extra functionality that has raised privacy concerns from the Federal Trade Commission and the Electronic Privacy Information Center (EPIC), to name a few. As content providers and retailers utilize cookies for tracking on-line activities, what can users do to protect themselves and have a good on-line experience as well?

2. Overview of Flash Cookies

Before discussing flash cookies, defining some terms is in order. What is a cookie? A cookie is a piece of information in the form of a very small text file that is placed on an internet user's hard drive. It is generated by a web page server, which is basically the computer that operates a web site. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site. A cookie can be thought of as an internet user's identification card, which tells a web site when the user has returned. [1] In most cases, not only does the storage of personal information into a cookie go unnoticed, so does access to it. Web servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Web requests. [2]

Cookies are based on a two-stage process. First, the cookie is stored in the user's computer without their consent or knowledge. For example, with customizable Web search engines like My Yahoo!, a user selects categories of interest from the Web page. The Web server then creates a specific cookie, which is essentially a tagged string of text containing the user's preferences, and it transmits this cookie to the user's computer. The user's Web browser, if cookie-savvy, receives the cookie and stores it in a special file called a cookie list. This happens without any notification or user consent. As a result, personal information (in this case the user's category preferences) is formatted by the Web server, transmitted, and saved by the user's computer. During the second stage, the cookie is clandestinely and automatically transferred from the user's machine to a Web server. Whenever a user directs her Web browser to display a certain Web page from the server, the browser will, without the user's knowledge, transmit the cookie containing personal information to the Web server. [3]

[1] http://www.aboutcookies.org/Default.aspx?page=5
[2] http://www.cookiecentral.com/c_concept.htm


Figure 1: Example of http cookie

An HTTP cookie is a text file that is easily viewable and does not require any special software. The usage of http or browser cookies came into being in the early 1990s as the result of electronic commerce (E-commerce), specifically the addition by Netscape of a “shopping cart” feature to a company website. [4]

In order to provide a new visual experience for surfing the Internet, Macromedia created a program called Flash. Flash is used to create multimedia applications, including interactive content and animations embedded into web pages. Flash Player is not natively built into web browsers, but rather is a plugin that works across multiple operating systems and all of the most popular web browsers. An estimated 99% of desktop web browsers have the free Flash Player plugin. Java makes up the next highest installation rate at 80%. Apple’s Quicktime is installed on 57% while Adobe Shockwave and RealNetwork’s RealPlayer round out the list. [5]

[3] http://www.cookiecentral.com/c_concept.htm
[4] Cranor, Lorrie and McDonald, Aleecia “The survey of the use of adobe flash local shared objects to respawn http cookies” http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf


Now that we have defined cookie and Flash, what is a flash cookie? A flash cookie is a special type of browser cookie that can store data up to 100k. Local shared objects, sometimes referred to as "Flash cookies," are data files that can be created on your computer by the sites you visit. Shared objects are most often used to enhance your web-browsing experience. [6]

Figure 2: Example of flash cookie

By assigning a unique identifier to a computer and preserving it in the space for the local shared object, a website can recognize that someone has already visited the site, and advertisers can use the information to determine that a visitor has previously viewed an ad. Websites that require users to fill out personal information can also associate that data with the identifier. [7]

Technical differences between HTTP cookies and local shared objects (LSOs)

A recent paper by Dr. Lorrie Cranor and Ms. Aleecia McDonald provides a summary of technical differences between HTTP cookies and LSOs. [8]

Other internet technologies use local storage for similar purposes (e.g. Microsoft Silverlight, Java and HTML5). Aside from technical differences, HTTP cookies and LSOs are often used to perform the same functions. However, users interact with HTTP cookies and LSOs in different ways. [9]

Even though HTTP cookies and LSOs perform the same function(s), there are specific advantages for using flash cookies in addition to HTTP cookies.

[5] http://www.adobe.com/products/player_census/flashplayer
[6] http://www.adobe.com/products/flashplayer/articles/lso/
[7] http://www.informationweek.com/news/showArticle.jhtml?articleID=160901743
[8] Cranor, Lorrie and McDonald, Aleecia “The survey of the use of adobe flash local shared objects to respawn http cookies” http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf

Why are flash cookies used?

Flash cookies provide the only method by which a flash movie can store information on a user's computer. Intended uses of the object include storing a user's name, a favorite color or the progress in a game. The actual information is stored in a .SOL file in a special directory on the user's computer. [10] Flash cookies offer several advantages that lead to more persistence than standard HTTP cookies. Flash cookies do not have expiration dates by default, whereas HTTP cookies expire at the end of a session unless programmed to live longer by the domain setting the cookie. [11]

Another advantage of flash cookies is the concept of “re-spawning”. What is re-spawning? When a website sets an HTTP cookie with an identifier it also sets a flash cookie with the same value. If the user deletes the HTTP cookie and then revisits the website, the value previously set and now stored in the flash cookie is transferred to the HTTP cookie. In a paper by Soltani et al, researchers documented at least four instances of “respawning,” where users deleted their HTTP cookies only to have them recreated based on LSO data. Using LSOs to respawn HTTP cookies sounds like the “best practices” description put forward in a W3C document on mobile web use:

    Cookies may play an essential role in application design. However since they may be lost, applications should be prepared to recover the cookie-based information when necessary. If possible, the recovery should use automated means, so the user does not have to re-enter information. [12]

But a major reason for the use of flash cookies is that these cookies are very difficult to remove from an end-user computer. Because flash cookies are stored in a different location than HTTP cookies, users may not know what files to delete in order to eliminate them. Additionally, they are stored so that different browsers and stand-alone Flash widgets installed on a given computer access the same persistent Flash cookies. Flash cookies are not controlled by the browser. Thus erasing HTTP cookies, clearing history, erasing the cache or choosing a delete private data option within the browser does not affect Flash cookies. [13]

[9] Ditto
[10] http://www.adobe.com/products/flashplayer/articles/lso/
[11] http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID1446862_code364326.pdf?abstractid=1446862&mirid=2
[12] Cranor, Lorrie and McDonald, Aleecia “The survey of the use of adobe flash local shared objects to respawn http cookies” http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf
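The re-spawning behaviour described above can be tested for by comparing cookie snapshots with the contents of the Flash cookies left on disk. The following Python is an added example, not code from the paper or from the cited studies; the snapshot dictionaries, the `MIN_ID_LEN` threshold and the `.example` site names are assumptions constructed for illustration.

```python
"""Flag HTTP cookies that appear to be re-spawned from Flash LSO data."""

# Assumption: values shorter than this ("1", "en") are too common to be IDs.
MIN_ID_LEN = 8


def lso_strings(value):
    """Yield every string stored anywhere inside a decoded LSO value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from lso_strings(item)
    elif isinstance(value, (list, tuple)):
        for item in value:
            yield from lso_strings(item)


def find_respawned(before, after, lsos):
    """Compare cookie snapshots around a 'delete HTTP cookies, revisit' test.

    before: {cookie name: value} recorded on the first visit
    after:  {cookie name: value} recorded after deleting HTTP cookies and
            revisiting, with the Flash cookies left in place
    lsos:   {.sol path: decoded contents} read from disk between the visits
    Returns (cookie name, value, .sol path) for each identifier that came
    back unchanged and is also stored in a Flash cookie.
    """
    findings = []
    for name, value in after.items():
        if len(value) < MIN_ID_LEN or before.get(name) != value:
            continue  # a fresh identifier was issued: no respawn
        for path, content in lsos.items():
            if any(value in text for text in lso_strings(content)):
                findings.append((name, value, path))
    return findings


# Constructed sample data (hypothetical sites, values and file names).
BEFORE = {"uid": "a81f3c09d2e74b55", "sess": "k3", "theme": "dark-mode-v2"}
AFTER = {"uid": "a81f3c09d2e74b55", "sess": "p9", "theme": "dark-mode-v2"}
LSOS = {
    "#SharedObjects/QX7K2M9A/ads.example/track.sol":
        {"v": 2.0, "user": {"id": "a81f3c09d2e74b55"}},
    "#SharedObjects/QX7K2M9A/video.example/prefs.sol":
        {"volume": 80.0, "quality": "high"},
}

if __name__ == "__main__":
    for name, value, path in find_respawned(BEFORE, AFTER, LSOS):
        print("cookie %r (%s) matches data in %s" % (name, value, path))
```

A cookie that returns with the same value but has no match in any LSO (the `theme` cookie here) is not reported, because the value may simply be a server default.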

It is important to differentiate between the varying uses of flash cookies. These files (any local storage in general) provide the benefit of allowing a given application to ‘save state’ on the user’s computer and provide better functionality to the user. [14] Have you ever wondered how or why your favorite internet website saved your preferences or showed advertisements (ads) tailored to your buying habits? This is no accident, as merchants utilize many different tactics to ensure what you see from their website is what the consumer wants to buy. One of the tactics used by on-line retailers is behavioral targeting. From Wikipedia, behavioral targeting is a technique used by online publishers and advertisers to increase the effectiveness of their campaigns. Behavioral targeting uses information collected on an individual's web-browsing behavior, such as the pages they have visited or the searches they have made, to select which advertisements to display to that individual.

Practitioners believe this helps them deliver their online advertisements to the users who are most likely to be interested. Behavioral marketing can be used on its own or in conjunction with other forms of targeting based on factors like geography, demographics or the surrounding content. Behavioral targeting allows site owners or ad networks to display content more relevant to the interests of the individual viewing the page. On the theory that properly targeted ads will fetch more consumer interest, the seller may ask for a premium for these over random advertising or ads based on the context of a site. [15]

This so-called behavioral targeting is coming under scrutiny, in part since Google bought one of the largest practitioners, DoubleClick, and recently announced it would start using its troves of user data to deliver targeted ads. Its main money makers, the small text ads next to search results and on websites across the net, simply rely on the words in a search or on a webpage to place ads, a tactic known as contextual ads. [16]

As a result, computer users have demanded specialized software to lessen the ability of advertisers to engage them. Later in the paper, a listing of specialized software will be provided to detect, manage and delete flash cookies. However, most behavioral advertising still relies on cookies, but that doesn't mean cookies are the only tool advertisers can use to track Internet users' behavior. More and more of what you see on a single Web page is being delivered from multiple sources. Images, scripts of Web code, and "Flash cookies" may all be delivered by third parties, just as ads and cookies have been delivered by third parties for years. If these other kinds of objects are designed to be unique to an individual - that is, if the same object can uniquely identify a person across multiple Web sites - that opens up the possibility for them to be used for behavioral advertising. [17]

[13] http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID1446862_code364326.pdf?abstractid=1446862&mirid=2
[14] Ditto
[15] http://en.wikipedia.org/wiki/Behavioral_targeting
[16] http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/

3. Structure of flash cookies

In a blog posting on SANS Computer Forensics and Incident Response, Kristinn Gunnison provided the structure of flash cookies (LSO). The LSO is stored as a binary file in a network or big-endian style. The file is structured in three sections:

• First 16 bytes are the file's header.
• The object's name in ASCII
• A series of data objects that contain the actual values of the LSO [18]

In addition, Eric Huber in his presentation at CEIC 2010 stated flash cookies have a common structure but come in three versions: [19]

• Settings Cookie
• Content Cookie
• Master Settings Cookie

A generic flash settings cookie shows information on how flash cookies are handled for a particular website. The cookie would have the name of the website along with information on whether or not flash cookies are allowed for a particular website.




[17] http://www.cdt.org/content/controlling-your-data
[18] http://computer-forensics.sans.org/blog/2010/02/17/local-shared-objects-aka-flash-cookies/
[19] Eric Huber, CEIC 2010 Adobe Flash Cookies



Figure 3: Example of settings cookie

A content flash cookie will contain data from a specific website. The data in the cookie is pretty random; it is dependent on what was done when the cookie was saved.

Figure 4: Example of content cookie

Finally, a master settings flash cookie shows complete information about how flash is configured on the local computer along with a listing of all domains visited as well.



Figure 5: Example of master settings cookie

Both master and settings cookies are stored in the same general location while a content cookie for a specific website is stored in its “domain” directory.

How do flash objects work?

A local shared object can be read only by the website domain that created the object. For example, if you asked www.[siteA].com to store your login name, it might use Flash Player to write a local shared object that contains the login name information. That local shared object can only be read by www.[siteA].com; it cannot be read by www.[siteB].com, or even a different address location2.[siteA].com. [20]


4. How to identify the use and storage of flash cookies on a computer

Almost all websites generate a browser cookie that is stored in a specific directory based on the operating system. Browser cookies are easily located and deleted through the various third-party tools and browser plug-ins. Windows XP stores browser cookies in C:\Documents and Settings\[username]\Cookies\, while Windows Vista and Windows 7 store browser cookies in two folders:

C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\[User Name]\AppData\Roaming\Microsoft\Windows\Cookies\Low

[20] http://www.adobe.com/products/flashplayer/articles/lso/

Below is the location of flash cookies based on operating systems:

Windows XP:

%APPDATA%\Macromedia\Flash Player\#SharedObjects\<random code>\<domain>\<path - maybe°>\<object name>.sol
%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
C:\WINDOWS\system32\Macromed\[subdirectories]\filename.sol

For AIR Applications:

%APPDATA%\<AIR Application Reverse Domain Name>\Local Store\#SharedObjects\<flash filename>.swf\<object name>.sol

Windows Vista and later:

For Web sites:

%APPDATA%\Roaming\Macromedia\Flash Player\#SharedObjects\<random code>\<domain>\<path - maybe°>\<object name>.sol

And also: %APPDATA%\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys

For AIR Applications:

Users\%USER%\AppData\Roaming\

Mac OS X:

For Web sites:

~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/<random code>/<domain>/<path - maybe°>/<object name>.sol and
~/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/<object name>.sol

For AIR Applications:

~/Library/Preferences/<AIR Application Name>/Local store/#SharedObjects/<flash filename>.swf/<object name>.sol

Linux/Unix:

~/.macromedia/Flash_Player/#SharedObjects/<random id>/<domain>/<path - maybe°>/<flash filename>.swf/<object name>.sol

Additionally, Flash Player can save the file (cookie) in any path specified by the Shockwave Flash (SWF) developer, relative to the current domain. [21] As a result, this is one way to enforce the rule that each domain may only store up to 100k on the local system. [22]


Figure 6: Listing showing LSO domains

To start the search for websites that use flash cookies, the list of the top 100 popular websites maintained by Quantcast was used, along with a few specific sites (www.va.gov, www.georgia.gov, www.cdc.gov, www.ftc.gov, wendywilliams.com and uncf.org). Sometimes the directory that stores flash cookies will show the “Read Only” attribute in Windows Explorer and this will need to be “unchecked” in order for flash cookies to save properly.

To verify whether or not a website utilizes flash cookies, a search of *.sol on the local hard drives was conducted. Individual websites that use flash cookies have separate directories that store their specific flash cookies.
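The *.sol search can be scripted so that each file is attributed to a domain from its position in the directory layout listed earlier. This Python example is added here and is not part of the original paper; the sample tree, the `.example` domains and the treatment of sub-directories of `sys` as per-site settings are assumptions.

```python
"""Inventory Flash cookie (.sol) files and attribute them to domains."""
import os
import tempfile
from pathlib import Path

SYS_DIR = ("macromedia.com", "support", "flashplayer", "sys")
DOMAIN_QUOTA = 100 * 1024  # the 100k per-domain figure given in the text


def classify(parts):
    """Map path components (relative to the Flash Player dir) to (kind, domain)."""
    if parts[:1] == ("#SharedObjects",):
        # #SharedObjects/<random code>/<domain>/[<path>/]<object name>.sol
        domain = parts[2] if len(parts) >= 4 else None
        return "content", domain
    if parts[:4] == SYS_DIR:
        # Assumption: a file directly in sys is the master settings cookie and
        # a sub-directory of sys holds the settings cookie for a single site.
        if len(parts) == 5:
            return "master-settings", None
        return "settings", parts[4].lstrip("#")
    return "unknown", None


def inventory(flash_root):
    """Return one record per .sol file found below flash_root."""
    flash_root = Path(flash_root)
    records = []
    for dirpath, _dirs, files in os.walk(flash_root):
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            full = Path(dirpath) / name
            rel = full.relative_to(flash_root)
            kind, domain = classify(rel.parts)
            records.append({"kind": kind, "domain": domain,
                            "file": rel.as_posix(),
                            "size": full.stat().st_size})
    return sorted(records, key=lambda rec: rec["file"])


def bytes_per_domain(records):
    """Total bytes of content cookies stored by each domain."""
    totals = {}
    for rec in records:
        if rec["kind"] == "content" and rec["domain"]:
            totals[rec["domain"]] = totals.get(rec["domain"], 0) + rec["size"]
    return totals


def domains_over_quota(records, quota=DOMAIN_QUOTA):
    """Domains whose content cookies together exceed the quota."""
    totals = bytes_per_domain(records)
    return sorted(d for d, total in totals.items() if total > quota)


def build_sample_tree(base):
    """Create a constructed tree that mimics the layout (dummy file contents)."""
    root = Path(base) / "Flash Player"
    sample = {
        "#SharedObjects/QX7K2M9A/video.example/player/prefs.sol": 120,
        "#SharedObjects/QX7K2M9A/video.example/volume.sol": 30,
        "#SharedObjects/QX7K2M9A/ads.example/track.sol": 64,
        "#SharedObjects/QX7K2M9A/video.example/readme.txt": 10,
        "macromedia.com/support/flashplayer/sys/settings.sol": 40,
        "macromedia.com/support/flashplayer/sys/#video.example/settings.sol": 50,
    }
    for rel, size in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00" * size)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        found = inventory(build_sample_tree(tmp))
        for rec in found:
            print(rec["kind"], rec["domain"], rec["file"], rec["size"])
        print("over quota:", domains_over_quota(found))
```

On a real system, pass `inventory()` the Flash Player directory for the operating system in question instead of the sample tree.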




[21] http://en.wikipedia.org/wiki/Local_Shared_Object#File_locations
[22] Tilbury, Chad http://computer-forensics.sans.org/blog/2009/08/28/flash-cookie-forensics/



Figure 7: Listing of flash cookies

Another method to detect whether or not a flash cookie has been installed is through the use of Adobe’s Flash Player settings manager utility located at: http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html.

Figure 8: Adobe flash player settings manager

When the tool is initially run, it provides informational text that states the results shown are from the actual tool. Most importantly, Adobe has a “disclaimer” statement which notifies the user that the company does not have access to the list.


Note: To see a complete listing of sites, the use of the scroll bar is required.

Figure 9: Website Storage Settings

Privacy Choice

The final method used to verify the use of flash cookies is by employing a tool distributed by Privacychoice.org. PrivacyChoice offers tools to help you understand and make choices about your online privacy. You can see how online tracking works (TrackerScan), see your tracking profile, decide whether companies can collect information about what you do across websites (TrackerBlock), or opt-out of seeing targeted ads (PrivacyMark). [23] Their tool is for the Mozilla Firefox browser and generates a separate page that shows the results of the tool.

Figure #10 shows the results of the tool when the site does not utilize flash cookies for tracking on its primary domain:

Figure 10: No tracking cookies used




[23] http://www.privacychoice.org/faq#mission


Figure #11 shows the result of the tool when a site does utilize flash cookies for tracking on its primary domain but not from secondary domains:

Figure 11: Primary domain cookies

Figure #12 shows the result of the tool when a site not only utilizes flash cookies but secondary domains from other companies are using flash cookies as well:

Figure 12: Primary and Secondary domain cookies

Figure #13 shows information about the policies provided by the company in reference to their tracking cookies:

Figure 13: Company Policies



One thing to note is that Flash-based advertisements also have the ability to save LSOs. This is important because in some cases we can't necessarily conclude that it was the user's intent to access the domain. The origin of the LSO is often obvious, but further testing or additional artifacts may be necessary to make any definitive conclusions. [24]

Figure 14: Example of flash-based advertising LSO


5. Analysis of flash cookies

In this section of the paper, flash cookies that were created in Action Message Format 0 (AMF0) were parsed using Kristinn Guidjonsson’s SOLCAT tool. Action Message Format (AMF) is a compact binary format that is used to serialize ActionScript object graphs. Once serialized, an AMF encoded object graph may be used to persist and retrieve the public state of an application across sessions or allow two endpoints to communicate through the exchange of strongly typed data. AMF was introduced in Flash Player 6 in 2001 and remained unchanged with the introduction of ActionScript 2.0 in Flash Player 7. The version header of this format was set to 0 and thus this version of the format is referred to as AMF 0.

NOTE: In Flash Player 9 a new version of AMF was introduced to coincide with the release of ActionScript 3.0 and a new ActionScript Virtual Machine (AVM+), namely AMF 3. AMF 0, however, continues to be supported in all versions of the Flash Player from Flash Player 6 onwards. [25]

This tool uses PERL to parse the contents of a flash cookie. The version of PERL installed on test machine two is ActivePerl version 5.12.2 build 1203 (64-bit). The tool was unable to parse AMF3 flash cookies and produced the following error message when run against this type of cookie:

Figure 15: Results of parsing AMF 3 file via SOLCAT

When SOLCAT can successfully parse a flash cookie, the output is shown below:

Figure 16: Results of parsing a flash cookie via SOLCAT

A future revision of the tool will include support for AMF 3.0 flash cookies.

[24] http://computer-forensics.sans.org/blog/2009/08/28/flash-cookie-forensics/
[25] http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf
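The three-part file structure from Section 3 and the AMF0/AMF3 distinction that stopped SOLCAT can be seen together in a small reader. This Python is an added example, not SOLCAT and not the authors' code; the magic value 0x00BF, the "TCSO" signature and the padding bytes are assumed from public descriptions of the format, only a subset of AMF0 types is decoded, and the sample file is constructed in memory.

```python
"""Reader for AMF0-encoded .sol files (added example, constructed input)."""
import struct

HEADER_LEN = 16  # part 1 of the file: the fixed-size header


class UnsupportedAMF(Exception):
    """The body uses an AMF version this reader does not decode."""


class Reader:
    """Cursor over the file bytes; every multi-byte field is big-endian."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated at offset %d" % self.pos)
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def text(self):
        (length,) = struct.unpack(">H", self.take(2))
        return self.take(length).decode("utf-8", "replace")


def amf0_value(r):
    """Decode one AMF0 value (subset of the type markers)."""
    marker = r.u8()
    if marker == 0x00:                      # number: IEEE-754 double
        return struct.unpack(">d", r.take(8))[0]
    if marker == 0x01:                      # boolean
        return r.u8() != 0
    if marker == 0x02:                      # string
        return r.text()
    if marker in (0x03, 0x08):              # object / ECMA array
        if marker == 0x08:
            r.take(4)                       # element count, advisory only
        obj = {}
        while True:
            key = r.text()
            if key == "":                   # empty key + 0x09 ends the object
                if r.u8() != 0x09:
                    raise ValueError("bad object terminator")
                return obj
            obj[key] = amf0_value(r)
    if marker in (0x05, 0x06):              # null / undefined
        return None
    raise ValueError("unhandled AMF0 marker 0x%02x" % marker)


def parse_sol(data):
    """Return (object name, {key: value}) for an AMF0 .sol file."""
    r = Reader(data)
    magic, body_len, sig = struct.unpack(">HI4s", r.take(HEADER_LEN)[:10])
    # Assumed layout: 0x00BF, length of the rest of the file, "TCSO", 6 bytes.
    if magic != 0x00BF or sig != b"TCSO":
        raise ValueError("not a .sol file")
    if body_len != len(data) - 6:
        raise ValueError("length field does not match file size")
    name = r.text()                         # part 2: the object's name
    r.take(3)                               # padding
    version = r.u8()                        # 0 = AMF0, 3 = AMF3
    if version != 0:
        raise UnsupportedAMF("AMF%d body in %r" % (version, name))
    values = {}
    while r.pos < len(data):                # part 3: the data objects
        key = r.text()
        values[key] = amf0_value(r)
        r.take(1)                           # one pad byte follows each value
    return name, values


def build_sample(amf_version=0):
    """Build a constructed .sol image in memory (not taken from a real site)."""
    def s(text):
        raw = text.encode("utf-8")
        return struct.pack(">H", len(raw)) + raw

    body = (s("userId") + b"\x02" + s("a81f3c09d2e74b55") + b"\x00"
            + s("volume") + b"\x00" + struct.pack(">d", 80.0) + b"\x00"
            + s("prefs") + b"\x03" + s("autoplay") + b"\x01\x01"
            + s("") + b"\x09" + b"\x00")
    rest = (b"TCSO\x00\x04\x00\x00\x00\x00" + s("player")
            + b"\x00\x00\x00" + bytes([amf_version]) + body)
    return b"\x00\xbf" + struct.pack(">I", len(rest)) + rest


if __name__ == "__main__":
    print(parse_sol(build_sample()))
    try:
        parse_sol(build_sample(amf_version=3))
    except UnsupportedAMF as exc:
        print("skipped:", exc)
```

An AMF3 cookie is reported by name and skipped rather than decoded as if it were AMF0, so a batch run over a directory of .sol files can continue past it.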

Another tool used to parse raw flash cookies was the Edit Plus text editor by ES-Computing. Edit Plus converted the flash cookie into hexadecimal (Hex) format. Most flash cookies that are stored on the computer provide information on settings applicable to the multi-media component of flash (audio, video or game settings) and do not present a privacy concern. A sample of a settings flash cookie is below:



Figure 17: Settings flash cookie

However, in the course of research there were several cookies from different companies that could raise privacy or system integrity concerns. One of the flash cookies traced the geographic location of the Internet protocol (IP) address used to visit the site and customized news articles based on that particular location.

Figure 18: Cookie that details geographical information

Another flash cookie stored the actual computer IP address and some random numbers. Upon further research on the Internet, this particular flash cookie relates to an online banking phishing scam related to MBNA, which was sold to Bank of America in 2005. [26]

Figure 19: Flash cookie with computer IP address





[26] http://www.dslreports.com/phishtrack?pid=41808&urls=1&i=323306&content=1


Another set of interesting flash cookies came from MSN and SpicyNodes. These websites had extensive data that provide information on how their specific sites interact with flash.

Figure 20: Spicy Nodes flash cookies

Figure 21: MSN flash cookies

By far the most interesting cookies came from two on-line radio services: Pandora and Rhapsody. These companies have different flash cookies that provide a variety of information about the individual who is using their service. Other information besides volume includes station listened, total time on the service, password expiration setting and whether or not the computer or individual has an active or valid account.

Figure 22: Pandora’s flash cookie #1

Figure 23: Pandora’s flash cookie #2



Figure 24: Rhapsody flash cookie

Like on-line (streaming) radio stations, video sites that use flash cookies have interesting information as well. The screenshot below is from viddler.com, a company that creates video for personal and professional use:

Figure 25: Contents of viddler.com flash cookie

Their flash cookie provides information about user birthday, stream status, whether or not the video is played in full screen and if autopopup has been enabled.

These tools can provide some basic analysis of flash cookies that can start a more in-depth forensic analysis. In Section 8, more advanced tools will be provided to help with forensic analysis of flash cookies. With all the information that can be stored in flash cookies, what are the issues of that data being exposed and released to unauthorized parties without permission?


6. Risk and privacy concerns of using flash cookies

The use in recent years of cookies by advertising firms and E-tailers is well known and well documented. The result has been heightened concern for the risk that they present. This concern has been amplified by the lengths that these firms have gone to gather information and their willingness to share this information with others in the name of profit. As awareness grew so did interest in preventing or mitigating the use of cookies. Browser vendors have added or upgraded features to better control cookies, and third party software appeared that supplemented browser controls and/or simplified the process of removing cookies.

In addition, advertisers have since turned to the Local Shared Object feature of the Adobe Flash Player as a way to get around existing privacy controls. Since flash cookies are not stored in the same location as http cookies, few tools could find and control them. They could hold more information and a wider variety of information. Ever wonder why when playing a flash movie the volume on your PC is louder than what you had set it at? How about when you login to your favorite online game and your current player configuration and status is readily available? Flash cookies store that information on the local machine.

In 2009 a research group at the University of Berkeley headed by Ashkan Soltani performed a first-of-its-kind study of flash cookies. After evaluating the top 100 websites the group found extensive use of flash cookies for identifying and tracking users’ browsing. One particularly disturbing trend that was discovered was the use of flash cookies to “re-spawn” HTTP cookies.

There are significant privacy concerns with regard to Flash cookies. They can store more information than an HTTP cookie. The default size limit is 100K but can be changed to hold more data. What kind of data?

One company, Disney, has been accused of using flash cookies to obtain information on visitors, largely children, to its website such as viewing choices, gender, age, race, number of children, educational level, geographic location, household income, what the user looked at, what the user bought, the materials the user read, details about financial situation, sexual preference, name, home address, email address, telephone number, health conditions etc.[27]

Another company, RapLeaf, openly admits to collecting information in 400 different categories such as household income range, age range, political leaning, and gender and age of children in the household, as well as interests in topics including religion, the Bible, gambling, tobacco, adult entertainment and "get rich quick". They also admit to retaining user names in their databases. While the company insists that it does not hand out those names, only related, generic “ID numbers”, it is known that the customers of several users of RapLeaf’s services were singled out by name for targeted marketing and online advertising.[28]

[27] http://blog.techprognosis.com/2010/08/18/disney-sued-for-spying-with-flash-cookies.html

Another issue deals with how retailers protect the collected personal information. Advertising companies have to have the data stored somewhere for easy access. This means a computer database is somewhere on their network. What protections are in place? Is the network secure? How about the database? How are they transmitting the data securely to their customers? Are they auditing their security? Are they complying with security requirements or standards like PCI for credit card data or HIPAA if the data is medical related? Except for a couple of exceptions it is not generally known what information is being stored by advertising companies.

This leads to the question: have any of these companies been breached by hackers? If they are reluctant to share information on what they are routinely doing, would they share information if they were hacked and lost personal information? After all, many of the various categories of information that are known to be collected might not be covered by the various breach laws. So, if a breach occurred, the company might try to justify not disclosing it.

The concerns about privacy and information extend to the user system and the information stored in the flash cookies used by advertising companies. Since flash cookies have no expiration date the data they contain can reside indefinitely on the user’s computer unbeknownst to the user. But a hacker with knowledge of where they are stored can access them and retrieve the information. There are also the risks that flash cookies can be used maliciously.

Some flash cookies can record keystrokes according to research supported by the Wall Street Journal.[29] Another researcher has shown that http session cloning is possible when user session information is included in a flash cookie.[30] Another researcher, Billy Rios, demonstrated how to bypass the Flash Player’s sandbox feature to transfer stolen information to another system. In his research he discovered that Adobe uses protocol handler blacklists to prevent network access. By finding a protocol handler that is not blacklisted (ex: MHTML:), information can be passed in a flash cookie across the network to the attacker’s server.[31]

[28] http://online.wsj.com/article/SB10001424052702304410504575560243259416072.html
[29] http://online.wsj.com/article/SB10001424052748703977004575393173432219064.html
[30] http://blog.disdefenders.com/2010/11/http-session-cloning-via-local-shared.html

The ability to invoke commands in flash cookies that can change the settings and behavior of operating system components borders on Trojan-like. The behavior of flash cookies and the way companies are using them to gather information on users is at the center of a number of lawsuits filed against online advertising companies and websites like Quantcast, Clearspring and Disney. The Disney suit in particular detailed significant and specific information and referred to the cookies as “Zombie” cookies. In response several companies defended their use of flash cookies and the information they collected, claiming that users wanted the enhanced browsing experience. One of the advertising companies named in the lawsuits, Quantcast, immediately stopped using flash cookies and “re-spawning”.

Privacy groups have applauded the suits. The Federal Trade Commission, currently the primary Federal government enforcement agency for privacy, recently released a draft report calling for a privacy framework to be implemented. Amongst the various recommendations is the ability of users to opt out of online tracking much like the do not call registry for telemarketing. While the framework offers some significant progress towards offering privacy protection, it is still not mandated and is offered as a voluntary option. It is generally felt that as long as self-regulation is the norm it will be difficult to rein in online collection of Internet users’ information.

However there are signs of change. One advertising industry group is the Network Advertising Initiative. Their goal is to promote consumer privacy education; to that end they have developed an Opt Out tool which gives users the ability to opt out of tracking by member advertising networks. While not reviewed for this paper, the main limitation on the tool is that it only works with NAI member companies.

Public backlash over flash cookies appears to have had an effect in other ways. Research released this February by researchers at Carnegie Mellon revisited the original work by the University of Berkeley.

The team evaluated the same top 100 websites and included randomly selected websites from an additional group of 500. They evaluated routine flash cookies and also focused on flash cookie re-spawning. While their methodology was different than the Berkeley team’s, they showed a marked reduction in the number of sites using flash cookies and a general reduction in the number of sites using re-spawning.[32]

[31] http://xs-sniper.com/blog/2011/01/04/bypassing-flash%e2%80%99s-local-with-filesystem-sandbox/

Private browsing mode


Even though the practice of flash cookie “respawning” has decreased, privacy advocates’ and Internet users’ complaints have grown over the use of tracking cookies. In the past two years, each major browser has added a private browsing mode to its user interface. This feature is called InPrivate (Internet Explorer), Private Browsing (Firefox and Safari) and Incognito (Chrome).[33] Support for the private browsing feature is in Internet Explorer version 8.0 or higher, Firefox 3.5, Safari version 4 and Google Chrome 5 or later.

Loosely speaking, private browsing mode has two goals. First and foremost, sites visited while browsing in private mode should leave no trace on the user’s computer. Second, users may want to hide their identity from web sites they visit by, for example, making it difficult for web sites to link the user’s activities in private mode to the user’s activities in public mode.[34]

While all major browsers support private browsing, there is a great deal of inconsistency in the type of privacy provided by the different browsers. Firefox and Chrome, for example, attempt to protect against a local attacker and take some steps to protect against a web attacker, while the Safari browser only protects against a local attacker. In addition, each browser has varying support of plugins (add-ons) and extensions that could break the security provided in private browsing mode.[35]

Later in the paper, browser plug-ins and the results of forensic analysis of Microsoft’s In-Private Browsing will be provided.

7. Use of DOS commands to find and delete cookies


Microsoft has by default hidden the browser cookie directory location. Internet Explorer stores browser cookies as a text file which has the file extension of *.txt. In order to view the presence of browser cookies on your computer without needing local administrator rights, an individual can execute the following command from a DOS (command) prompt:




[32] Cranor, Lorrie and McDonald, Aleecia, “The survey of the use of adobe flash local shared objects to respawn http cookies”, http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab11001.pdf
[33] http://crypto.stanford.edu/~dabo/pubs/papers/privatebrowsing.pdf
[34] Ditto
[35] Ditto









Figure 26 - listing of http cookies

Results can be piped to a file by executing the following command:

Figure 27: Piping command example

Because cookies are linked to each individual who logs in to a particular computer, you can further refine the command in this manner:

Figure 28: results of refined search


On Windows computers, the Macromedia folder which stores flash cookies may not be marked hidden by default. Flash cookies are files that have the *.sol file extension. To view all flash cookies on your computer, perform the following command: dir *.sol /A:H /A:S /A-H /A-S /S








Figure 29: Listing of LSO files outside “regular” location

Figure 30: Listing of LSO files in “traditional” location


As you can see from the above screenshots, flash cookies are not just stored in the traditional location but can be located elsewhere. In this case, Wild Tangent stores their flash cookies in separate directories for each on-line game the user downloads to their computer. In response to the fact that flash cookies are not easily deleted, several individuals who responded to Bruce Schneier’s blog post on flash cookies documented ways to automate the process of deleting flash cookies in a variety of situations.[36]

Post by Angus S-F at August 17, 2009 3:24 PM

In Windows XP, the following lines saved to a batch file will kill Flash Cookies:

======================
:: nuke any existing cookies and subdirectories
rd /q/s "%APPDATA%\Macromedia\Flash Player\#SharedObjects\"
md "%APPDATA%\Macromedia\Flash Player\#SharedObjects\"
rd /q/s "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys"
md "%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys"
======================

After creating the file "KillFlashCookies.cmd," the poster goes into Windows and creates a “scheduled task” to delete flash cookies on a regular basis.

Posted by: Psuedo at August 17, 2009 9:23 AM

Under Linux, something akin to the following and run at login can be used as a partial solution (at your own risk, etc.):

#!/bin/bash
# With DEBUG set to echo, the commands are only printed (dry run).
DEBUG="/bin/echo "
# Uncomment the next line to actually shred and remove the files.
#DEBUG=""
RM="/bin/rm"
SHRED="/usr/bin/shred"
FIND="/usr/bin/find"

# Overwrite every file under the directory, then remove the directory itself.
function shred_dir {
    DIR="${1}"
    nice ${FIND} "${DIR}" -type f -exec ${DEBUG}${SHRED} -n3 -fzu {} +
    nice ${DEBUG} ${RM} -rf "${DIR}"
}

shred_dir "${HOME}/.macromedia"
shred_dir "${HOME}/.adobe"


To illustrate that flash cookies can be deleted from a DOS prompt, the following command was
run: del *.sol /S




[36] http://www.schneier.com/blog/archives/2009/08/flash_cookies.html



Figure 31: Results of delete command on LSO

To verify that flash cookies were deleted from the system, the following command was run: dir *.sol /s

Figure 32: Results of search after LSO files were deleted
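The same search as `dir *.sol /S`, written as an added example (not code from the paper) that also labels each hit as sitting in a default Flash store or outside it, since copies outside the default folders are the ones most of the reviewed tools miss. The function names and the sample tree are constructed for illustration, and the `#SharedObjects/<random id>/<domain>/` layout used to recover the originating domain is an assumption about Flash Player's folder structure.

```python
"""Inventory Flash LSO (*.sol) files, including copies outside the default stores."""
import os
import tempfile

# Default-store markers taken from the paths quoted in the text (compared lower-case).
SHARED = "#sharedobjects"
SYS_TAIL = ("macromedia.com", "support", "flashplayer", "sys")


def classify(path):
    """Return (location, domain) for one .sol path."""
    parts = os.path.normpath(path).split(os.sep)
    lower = [p.lower() for p in parts]
    if SHARED in lower:
        i = lower.index(SHARED)
        # Assumed layout: #SharedObjects/<random id>/<domain>/.../<name>.sol
        domain = parts[i + 2] if len(parts) > i + 3 else None
        return "default", domain
    for i in range(len(lower) - len(SYS_TAIL) + 1):
        if tuple(lower[i:i + len(SYS_TAIL)]) == SYS_TAIL:
            return "default-settings", None
    return "outside-default", None


def find_lsos(roots):
    """Walk every root and return one record per *.sol file found.

    os.walk does not filter on hidden or system attributes, so hidden folders
    are covered without the /A switches the dir command needs.
    """
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(".sol"):
                    continue
                full = os.path.join(dirpath, name)
                try:
                    size = os.stat(full).st_size
                except OSError:
                    continue  # file vanished or is unreadable; skip it
                location, domain = classify(full)
                hits.append({"path": full, "location": location,
                             "domain": domain, "size": size})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(base):
    """Create a constructed sample tree (not real data) mirroring the test layout."""
    flash = os.path.join(base, "profile", "Application Data",
                         "Macromedia", "Flash Player")
    files = [
        os.path.join(flash, "#SharedObjects", "AB12CD34",
                     "games.example.test", "player.sol"),
        os.path.join(flash, "macromedia.com", "support",
                     "flashplayer", "sys", "settings.sol"),
        # Copies outside the default stores, as in the paper's test method.
        os.path.join(base, "profile", "My Documents",
                     "games.example.test", "player.sol"),
        os.path.join(base, "Games", "SampleGame", "cache", "STATE.SOL"),
        # An HTTP cookie text file that must not be reported.
        os.path.join(base, "profile", "Cookies", "user@example.txt"),
    ]
    for f in files:
        os.makedirs(os.path.dirname(f), exist_ok=True)
        with open(f, "wb") as fh:
            fh.write(b"\x00\xbfconstructed")


def demo():
    """Run the sweep over the constructed tree; return (location, domain, relpath)."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return [(h["location"], h["domain"], os.path.relpath(h["path"], base))
                for h in find_lsos([base])]


if __name__ == "__main__":
    for location, domain, rel in demo():
        print(f"{location:17} {domain or '-':20} {rel}")
```

On a real system, pass the drive roots or user profile directories to `find_lsos` and review the `outside-default` rows first.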


8. Tools to Address Flash Cookies

As the issue of flash cookies became more commonplace, more and more software tools were created and existing ones modified to address detecting and managing flash cookies. For the purpose of this paper we have grouped these tools into three general categories: detection, management and evaluation. This list is by no means all-inclusive. Due to time constraints, the most popular tools in these categories were selected for review. Appendix A will provide a listing of tools that were discovered during the research phase that are available to delete, manage and analyze flash cookies.




Testing Methodology

The first test bed system is an AMD X2 laptop with 4 GB of memory. A fresh install of Windows 7 and Office 2007 was done and the only added software was Microsoft Security Essentials Antivirus and Mobilestream’s Easytether Lite software to facilitate Internet connectivity through an Android cell phone. Additionally, the latest versions of Mozilla Firefox and Google Chrome were installed to support testing browser add-ons and plugins.

The second test bed system is a Windows 7 Professional system running a full suite of applications, using Windows Internet Explorer as the primary browser. Additionally, testing was performed using Microsoft Virtual PC (running XP Mode) and running Google Chrome and Firefox browsers. These systems were geographically located on opposite sides of the country so it was decided to review the flash cookies that were presented from the websites to see if there were any differences due to geographic location.

A system restore point was set in Windows prior to the installation or, in the case of standalone software, use of each software package. If a virtual machine was utilized a snapshot was created. As the software was installed and/or used on test system #1, Microsoft SysInternals Process Monitor was run to monitor background activity. Of particular interest was what, if any, attempts were made by websites to place flash cookies or other content in areas other than the known and designated ones or make changes to the registry.

Depending on the tool category the methodology for collecting Flash cookies varied. While browsing websites, HTTP Analyzer by IE Inspector was run. HTTP Analyzer functions as an HTTP/HTTPS sniffer, parsing and displaying only HTTP/HTTPS packets. The packet capture was saved for later review after each tool was tested. Once testing with a product was complete the product was uninstalled, the HTTP and flash cookies were removed and the system was reset to a pristine state by invoking the system restore point or the snapshot previously set. The packet capture and files generated by the SysInternals tools were saved for later review after each tool was tested.

In the case of the detection tools, most were detect and delete. The goals were to see if they could effectively find and remove all flash cookies. A random set of websites was browsed by the researchers and no less than 5 pages were accessed from each site. After the browsing was completed, a randomly selected Flash Player domain in C:\Documents and Settings\%User%\Application Data\Macromedia\Flash Player\#SharedObjects was copied, with its flash cookies and settings cookie, from there to the user’s My Documents folder and the Windows\System folder. An additional copy was placed on the D drive on testbed system 1.

The detection tool was then run to see if it could first find all the cookie files that were located on the system drive and, when applicable, the D: drive. If the delete ability was available the tool was tested to see if it could completely delete all discovered cookies. If the ability to manually delete was available it was also tested.

For the second test machine, two new directories were created called httpcooies2 and sol2 to copy http and flash cookies respectively. On both machines, http cookies were saved by the operating system in a hidden directory (cookies) and only visible by changing the attribute to the main (primary) user profile within Microsoft Windows. These directories were then copied over to the host operating system for analysis. To ensure “clean” results, cookies were deleted by using one specific tool - Piriform’s CCleaner.


Detection tools:

Tools in this category are designed to detect the presence of flash cookies. Most include the ability to arbitrarily delete discovered cookies. Our paper will document the use of the following tools: Flash Cookie Cleaner, Cookienator, FlashCookiesView and Clear All History.


Flash Cookie Cleaner


Flash Cookie Cleaner is a flash cookie utility created in 2009 by ConsumerSoft. The company builds utility applications for PCs and mobile devices. The program is simple and easy to use and is a good option for an average user. The software is a self-contained executable and does not need to be installed in Windows. It detects and deletes flash cookies, persistent internet cookies (PIE) and other local shared objects (DOM, Silverlight, etc.). When the program is executed, it does an initial scan and lets you know how many cookies and domains were found.

Figure 33: Main Screen

When started it displays its main screen. It has three buttons on the screen. The Scan button when clicked will scan for flash cookies. When the software starts up it scans the hard drive and lists out its findings so the button is only useful for re-scanning.

Selecting the View Cookies button will open a Windows Explorer window to the #SharedObjects folder containing the content cookies. The user can view and delete individual flash cookie folders from this window.

Figure 34: #SharedObjects Folder

Selecting the Delete Cookies button will produce a popup asking to confirm the deletion and then delete all flash cookies from the #SharedObjects folder and the flash cookies from the ...flashplayer\sys folder when the Yes button is pushed.

Figure 35: Delete popup window

The software cannot find cookies in folders other than the default folders.

Cookienator

As the name implies, it will detect cookies stored on your local computer. The original program was created in 2007 and the current version is 2.6.41. Cookienator is lightweight; it's a single executable that you install on your computer. When run, it will tell you how many cookies it would like to remove.[37] Not only will the program detect cookies, it will also clean them. It is not limited to just flash cookies but has detect and delete capability for http cookies along with specific browsers as well. Cookienator will only locate cookies in the default storage location and does not provide the option to change it.




[37] http://codefromthe70s.org/cookienator.aspx


The initial screen provides the menu of items that can be done with the tool: 1) show Details of the cookie search, 2) Clean now without reviewing, 3) Options, which lists the cookies that you would like to detect and then delete from the system.

Figure 36

Figure 37: Discovered cookies

Figure 38: configuration page

Cookienator also provides the option to delete cookies automatically. This can be done on a daily, weekly and monthly basis and the longest time between deletions is 30 weeks.

Figure 39
FlashCookiesView

This tool was created as freeware by Nir Sofer and the program is a small utility that displays the list of cookie files created by Flash component (Local Shared Object) in your Web browser. For each cookie file, the lower pane of FlashCookiesView displays the content of the file in readable format or as Hex dump. You can also select one or more cookie files, and then copy them to the clipboard, save them to text/html/xml file or delete them.[38]

Figure below

FlashCookiesView also provides a way to change the base directory for flash cookies. This way, the program would be able to find flash cookies in non-traditional locations. The figures below show how to change the flash cookie location and the results after it was changed.

Figure 40

Figure 41

Figure 42

Figure 43




[38] http://www.nirsoft.net/web_browser_tools.html



Clear All History

This program was created by MoRun.net and it can be downloaded separately or as a part of their Privacy Suite. The Privacy Suite’s other application is Delete Files Permanently. Clear All History has the ability to detect and clean cookies along with other Internet artifacts as well. The program will run on 32-bit and 64-bit operating systems starting with Windows 98 and also supports Windows 7. Browser support includes Firefox, Chrome, AOL Explorer and Internet Explorer among others.

From its website, Clear All History completely clears all history traces of your Internet activity including browsing history, cache, cookies, form AutoComplete, Address Bar history, search history and index.dat files. Supports Internet Explorer, MSN Explorer, Firefox, Safari, AOL Explorer (AOL browser), Maxthon (MyIE2), Opera, Netscape, Mozilla and Google Chrome.[39]


Management tools

Tools in this category can detect flash cookies but also have included functions to manage them such as blocking and allowing cookie placement on the user’s system or selectively deleting them.

Adobe Flash Player Settings Manager

Created by Adobe, the Flash Player Settings Manager provides an easy interface through which the end user can manage what the flash player is able to do.

The Settings Manager has an unusual configuration. While the utility is installed locally, access to the interface can only be achieved while on the Internet. While on a website flash object a user can right click and access the Adobe webpage containing the Settings Manager interface. The user can also access the Adobe interface webpage directly.




[39] http://www.clearallhistory.com/




Figure 44: Opening Page

The interface tabs are shown below and there are a total of eight tabs in the interface. They cover a wide variety of settings that control how flash player; four are considered Global settings.

Figure 45: Global Privacy Settings

Figure 46: Global Storage Settings

The Global Privacy Settings affect how flash objects can interface with and control your camera and microphone. The Global Storage Settings are where the setting of flash cookies by websites can be controlled. Setting the slider to 0Kb is the same as blocking website flash cookies from being written to the local system.



Figure 47: Global Security Settings

Figure 48: Global Notification Settings

The Global Security Settings address the cross-domain policy. A cookie normally can only be accessed by the website domain that created it. However the policy can be set to allow other domains to access cookies that they did not create.

Figure 49: Website Privacy Settings

Figure 50: Website Storage Settings

These two tabs (above) appear to duplicate the same settings as the first two tabs and can confuse users trying to manage their privacy. The settings here are on a per website basis and are where the user can set the camera and microphone settings and create a blacklist or whitelist for website caching.













Figure 51: Peer Assisted Networking Settings

Figure 52: Protect Content Playback

While the Adobe Flash Player Settings Manager has a comprehensive group of privacy settings, it tends to be confusing to an average user. Even the online instructions are a little vague. With this in mind Adobe recently announced plans to upgrade the interface to make it easier to understand and to integrate it into the flash player client rather than using a web page to access it.[40]

MAXA Cookie Manager

The tool was developed in 2007 and is maintained by Maxa Research International, Inc. to address flash cookies and HTTP cookies. Additionally, it can also manage DOM and Silverlight “super cookies”.

The utility can manage the cookies, history and browser cache for a wide variety of popular browsers. It looks for cookies in their default locations and cannot change the search directories.

After the software is installed the user is presented with a first time setup wizard that walks through an initial setup.

Figure 53: Websites

Figure 54: Browsers

Figure 55: Additional Settings




[40] http://paidcontent.org/article/419-adobe-to-simplify-flash-players-privacy-controls


On the first screen the user selects from the displayed websites those that they access regularly. On the second screen Cookie Manager determines which browsers are installed and configures itself to manage their cookies. On the third screen it prompts the user on using sounds and running automatically. When running automatically is selected, the software creates a registry entry so that it can start up as a terminate and stay resident (TSR) program. This enables it to monitor cookie activity in the background on the user’s system. This feature will periodically generate popups when Cookie Manager discovers new cookies and web bugs.


Figure 56: Initial Findings

Figure 57: Web bug domains

After the setup, Cookie Manager goes through an initial scan for cookies and displays the results. Clicking on Show web bug domains opens up a window in the popup allowing the user to review installed cookie domains. The user then can use the Delete, Delete and Block, and Ignore and investigate manually buttons to take action on their web bugs.

After making the selection the user is presented with the main screen of Cookie Manager.

Figure 58: Main Screen


Working from this screen the user can manage and evaluate all cookies discovered by Cookie Manager. The Online Privacy Test and the Cookie diagnostics buttons will connect back to the Maxa website to evaluate the user’s system. The Online Privacy Test evaluates the data that can be extracted from the system.

The Cookie diagnostics will connect to the website and it will attempt to set various cookies on the user’s system. The cookies will then show up in the main screen of Cookie Manager. This feature is useful for confirming the functionality of Cookie Manager and testing its ability to block and allow specific cookies.

Figure 59: Cookie Diagnostics

This function is accessed by the block website icon on the main page. This brings up the configuration window where specific websites can be blocked and the different cookies can be configured to be denied or allowed, including browser specific cookies. In testing, the block lists configured effectively prevented the setting of cookies from the configured websites and the cookie types when the cookie manager was running.

Figure 60: Blocked Sites

Using the Evaluate button on the main page, Cookie Manager will rate the cookies based on their privacy risk. This can give the user an easy way to identify which cookies to be concerned with.




















Figure 61: Cookie Evaluation Results

Individual cookies can be selected from the main window. Doing so will highlight the View Details and Delete buttons. Selecting the View Details button brings up a popup window highlighting detailed information on and in the cookie. The Delete button is used to delete the selected cookies.

The Clean history and cache button opens an interface where the browsing history of all installed browsers and Flash Player can be cleaned. The Settings button brings up a settings popup window which includes a tab for configuring automatic deletion.

Figure 62: Cookie Details


CCleaner

This tool is the “Swiss army” knife of the computer management world. CCleaner not only detects all types of cookies, it will manage them as well. The user can configure the program to delete all cookies or specify which flash cookies to keep on the system. As one of the most popular tools used today, it not only detects / cleans flash cookies but has the capability to manage the operating system as well (e.g. repair issues with the computer registry and manage Windows start-up programs). CCleaner is a product from Piriform and has been detecting flash cookies since version 2.19.901 (May 2009). Unfortunately, the program cannot be configured to detect flash cookies outside the standard location.

When the program is started, it has default options that will run when the Analyze button is selected. If you want the program to run other options, those options will need to be checked. For the purpose of checking for flash cookies, the default program options are sufficient.

Figure 63: Main Screen

Once the Analyze button is pressed, the program performs a scan for all data that meets the criteria selected but this does not delete the items until the “Run Cleaner” button is pressed. The figure below shows complete results, but the system by default is set for summary.



Figure 64

Figure 65

After the Run Cleaner button has been selected, the system will show that cleaning has been completed and details of the files deleted.



Figure 66

CCleaner provides the ability to select which cookies the system saves or deletes. By default, CCleaner will delete all cookies found on the system.

Figure 67




Forensic analysis of flash cookies

There are not many tools that are geared specifically towards performing forensic analysis on flash cookies. Research has found that forensic analysis tools are geared towards http cookies instead of flash cookies. Forensic specialists use cookies as an important artifact to determine visited websites on the computer. The majority of the tools are geared towards examining Internet history files (index.dat) or recovering deleted temporary internet files. Depending on the tool, information can be exported into commercial forensic software (Encase). To perform advanced analysis of flash cookies, a mixture of tools created for other purposes were utilized to determine their usefulness on flash cookies: SOLCAT, Galleta, SoLve and NetAnalysis.

Tools in this category are designed to convert the binary format of the different Adobe Action Message Format versions into a readable format and use specific fields within the file to parse data into a graphical user interface (GUI).

Galleta

Keith Jones, while an employee at Foundstone (now owned by McAfee), created Galleta, a tool for cookie analysis. The tool was created to provide computer crime investigations with the ability to recreate a subject's Internet Explorer Cookie files. Because this analysis technique is executed regularly, we researched the structure of the data found in the cookie files.

Galleta, the Spanish word meaning "cookie", was developed to examine the contents of a cookie file. Galleta will parse the information in a Cookie file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.[41]

Because the analysis machine is Windows-based, the Galleta tool was used under Cygwin. Cygwin is a collection of tools which provides a Linux look and feel environment for Windows. The program’s dynamic link library (DLL) acts as a Linux API layer providing substantial Linux API functionality. The Cygwin DLL (cygwin1.dll) currently works with all recent, commercially released 32-bit and 64-bit versions of Windows except Windows CE.[42]

[41] http://www.mcafee.com/us/downloads/free-tools/galleta.aspx

Galleta was created to parse HTTP cookies, but it is useful for flash cookies as well. The program is run under a DOS-like command prompt and uses Linux commands. If you are unsure how the program is run, type ./galleta and usage instructions are provided.

Figure 68: Galleta command


Since the tool was not created for analysis of flash cookies, below is a screenshot of what is shown when the tool is not able to analyze the flash cookie file:


Figure 69: Galleta unable to run flash cookie

When the tool is able to successfully parse a cookie, the information is displayed on the screen in this manner:




[42] http://cygwin.com/



Figure 70: Galleta success

Galleta provides the ability to send its results to a text file, and the data can be viewed in a text editor.


Figure 71: Galleta sending results to text file

Adding the -d switch allows the data to be imported into Microsoft Excel as comma separated values (CSV). The figure below shows the results of Galleta when the -d switch has been used.


Figure 72: Results of using -d command


SoLve

Another tool that is helpful in performing forensic analysis on a flash cookie is SoLve. The tool was created in 2004 by Darron Schall and is an open-source executable using Java. Outside of having Java on the computer, no additional software besides the executable is required. The only limitation of the tool is that it will only open flash cookies that have the following data types: Number, Boolean, String, Object, Null, Undefined and Array.


When a file cannot be opened, the following error message is generated on the screen:






Figure 73:

The figures below show the information that can be obtained from the program:




Figure 74:






Figure 75:
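The conversion described above for this category of tools (binary Action Message Format into readable values), restricted to the seven data types listed for SoLve, as an added Python example that is not code from the paper, SoLve or SOLCAT. The header offsets and type markers follow the publicly documented AMF0 .sol layout and are assumptions not stated in the paper; AMF3 bodies and any other type are rejected with an error, and SAMPLE_SOL is a constructed file.

```python
import struct

def _utf8(buf, pos):                            # 2-byte length + UTF-8 bytes
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 2:end].decode("utf-8", "replace"), end

def _pairs(buf, pos):                           # pairs end with "" + marker 0x09
    out = {}
    while True:
        key, pos = _utf8(buf, pos)
        if key == "" and buf[pos] == 0x09:
            return out, pos + 1
        out[key], pos = _value(buf, pos)

def _value(buf, pos):
    marker, pos = buf[pos], pos + 1
    if marker == 0x00:                          # Number (IEEE-754 double)
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == 0x01:                          # Boolean
        return buf[pos] != 0, pos + 1
    if marker == 0x02:                          # String
        return _utf8(buf, pos)
    if marker in (0x03, 0x08):                  # Object, or Array (4-byte count first)
        return _pairs(buf, pos + (4 if marker == 0x08 else 0))
    if marker in (0x05, 0x06):                  # Null / Undefined, both become None
        return None, pos
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")

def parse_sol(buf):  # returns (shared object name, {variable: value})
    if buf[:2] != b"\x00\xbf" or buf[6:10] != b"TCSO":
        raise ValueError("not a Flash local shared object")
    try:
        name, pos = _utf8(buf, 16)              # name follows the 16-byte header
        if buf[pos:pos + 4] != b"\x00\x00\x00\x00":
            raise ValueError("body is not AMF0 (AMF3 is not handled here)")
        pos, data = pos + 4, {}
        while pos < len(buf):
            key, pos = _utf8(buf, pos)
            data[key], pos = _value(buf, pos)
            pos += 1                            # padding byte after each variable
    except (struct.error, IndexError) as exc:
        raise ValueError(f"truncated or malformed file: {exc}") from exc
    return name, data

# Constructed sample (not from a real site): String "uid" and Number "visits".
SAMPLE_SOL = (b"\x00\xbf\x00\x00\x00\x38TCSO\x00\x04\x00\x00\x00\x00\x00\x05prefs"
              b"\x00\x00\x00\x00\x00\x03uid\x02\x00\x08visitor1\x00"
              b"\x00\x06visits\x00\x40\x1c\x00\x00\x00\x00\x00\x00\x00")
```

Calling parse_sol(SAMPLE_SOL) returns the shared object name and its variables; a persistent identifier such as the constructed "uid" value is the kind of field an examiner would look for.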

NetAnalysis version 1.5


The final tool in this section is from Digital Detective and it is called NetAnalysis. According to their website, NetAnalysis has become the industry standard software for the recovery and analysis of Internet browser artifacts. It was developed in 2001 by a digital forensics practitioner working for a police Digital Forensics Unit in the United Kingdom.

This tool has many different functions that can be performed, including Internet history extraction and cookie analysis. Additionally, a separate tool called HstEx3 (history extractor) can be used to extract deleted data.


Figure 76: NetAnalysis cookie viewer

This window shows the Cookie Viewer activated, with the examiner selecting a cookie record in the main grid. If the cookie records are exported from your main forensic tool, along with the index files, NetAnalysis will be able to show the content of those files as well.[43]


Forensic Analysis of Microsoft Internet In-Private Browsing


As mentioned earlier in the paper, all major browsers (Internet Explorer, Firefox, Chrome and Safari) have some type of private mode browsing. This feature was added recently to address privacy concerns that surround the use of flash cookies. Microsoft’s implementation is called In-Private Browsing, and it was selected to find out how “private” the browsing session was for the user. Several websites were visited to determine what files, if any, ended up on the local computer. Sites that were visited are: www.tsp.gov, www.washingtonpost.com, www.macys.com, www.etrade.com, www.jcp.com, www.whitehouse.gov, www.drudgereport.com and www.politico.com.


In some respects, Microsoft’s version of private browsing did offer some level of privacy, as flash cookies (*.sol) from the websites visited did not get saved to the local computer. However, that does not mean that no other files are saved on the computer that forensic investigators can use to reconstruct Internet activity. Files that are saved while using Internet Explorer In-Private browsing include the following file extensions: *.gif, *.png, *.jpg, *.js, *.swf, *.css, *.xml, *.aspx, and *.htm.

Two tools were used to verify that files were saved to the local computer while using In-Private Browsing mode: CCleaner and NetAnalysis v1.52.




[43] http://www.digital-detective.co.uk/netanalysis.asp



CCleaner showed through its tool that files have been saved and can be deleted off the system. The figure below shows a snapshot of the files that CCleaner would be able to clean if the “Run cleaner” option was executed.









Figure 77: CCleaner Scan Results


NetAnalysis was used to see if the local computer had the necessary files to reconstruct Internet history while using In-Private Browsing.

There were enough files present on the local computer that the program was able to recreate Internet activity for the specific timeframe that In-Private browsing was conducted.