Re: LUDD: Neb. Pipe bomb spree the work of luddites?

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Thu May 09 2002 - 08:42:22 MDT


On Thursday, May 9, 2002, at 09:48 am, Mike Lorrey wrote:
> Of all the security issues to be worried about, cookies are a non-issue,
> a relic of the myth, spread by computer illiterate ebay users, that
> cookies were a form of virus.

As a security professional, I must disagree with this!

A cookie can be used to store any data, not just logins. Even when they
are used for logins, they are the equivalent of a login and password.
Storing a cookie is the equivalent of stealing your password and writing
it down for later use. This is dangerous. The cookie system is
extremely flawed, such that most websites can read cookies they
shouldn't read. That is, they can get your login and password for other
sites. I have personally hack-tested many online banks that had cookie
flaws where I could get other people's money! This is not a theoretical
issue. This is my professional career, and I make money by doing this
stuff. Cookies are extremely unsafe and should not be used to store
sensitive data such as logins.

Besides the insecurity of logins, cookies are also used by spammers and
spyware to monitor users without their knowledge. Every cookie is
storing information about you. Why does the newspaper need to record a
semi-permanent record about what you read? Why does an advertiser
upload more information about you than you download about their
product? Why do remote companies and users think they have a right to
record my actions and store the log on my computer for their future use?

I run Opera as my browser. I have it set to accept all cookies and then
delete them upon exit. This means that I have to manually type my login
data every time, because it is not kept on my hard drive. It also means
that they let me in and think their cookies are working, but later they
can't get the information they tried to record. This scheme lets sites
"require" cookies, while satisfying my desire not to store them.

--
Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
Principal Security Consultant <www.Newstaff.com>
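The post's central point is that a cookie used for login is a stored credential, so it should never carry the login name or password, and it should be scoped so that other sites cannot receive it. The example below is an added illustration of that defensive design; it is not code from the post, from Opera, or from any bank the author tested. It is self-contained Python using only the standard library: the server issues an opaque, HMAC-authenticated session id that maps to the account only in a server-side table, emits the Set-Cookie attributes that scope and protect the cookie (HttpOnly, Secure, SameSite, Domain, Path; the SameSite attribute postdates the 2002 post), verifies the cookie on later requests, and includes a small check that flags cookies whose names suggest they carry login data directly. The key, domain `bank.example`, cookie names, and all sample values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from http.cookies import SimpleCookie

# Constructed demo key; a real service loads this from a secrets manager and rotates it.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Server-side session table: opaque session id -> account name.
# The account name and password never leave the server inside a cookie.
SESSIONS: dict = {}


def login(user: str, now: int, ttl_seconds: int = 3600) -> str:
    """Issue an opaque, tamper-evident session token for an already-authenticated user.

    Token layout: <random id>.<expiry>.<HMAC-SHA256 over "<id>.<expiry>">
    `now` is passed in explicitly so the example is deterministic and testable.
    """
    sid = secrets.token_urlsafe(16)  # random id; its alphabet never contains '.'
    exp = now + ttl_seconds
    payload = f"{sid}.{exp}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    SESSIONS[sid] = user
    return f"{payload}.{mac}"


def session_set_cookie(token: str, domain: str = "bank.example") -> str:
    """Build the Set-Cookie value with the attributes a session cookie needs.

    HttpOnly: not readable by page scripts.  Secure: sent only over TLS.
    SameSite=Strict: not attached to cross-site requests.  Domain/Path: scope
    the cookie so hosts outside this site never receive it.
    """
    c = SimpleCookie()
    c["session"] = token
    m = c["session"]
    m["httponly"] = True
    m["secure"] = True
    m["samesite"] = "Strict"
    m["domain"] = domain
    m["path"] = "/"
    return c.output(header="").strip()


def current_user(cookie_header: str, now: int) -> Optional[str]:
    """Resolve a request's Cookie header to an account name.

    Returns None when the session cookie is absent, malformed, forged (MAC
    mismatch), expired, or unknown to the server-side table.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "session" not in jar:
        return None
    parts = jar["session"].value.rsplit(".", 2)
    if len(parts) != 3:
        return None
    sid, exp_str, mac = parts
    expected = hmac.new(SERVER_KEY, f"{sid}.{exp_str}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if not exp_str.isdigit() or int(exp_str) <= now:
        return None
    return SESSIONS.get(sid)


# Cookie names that suggest a site is storing the login itself, the pattern the post warns against.
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "pass", "login", "username", "user"}


def credential_cookies(cookie_header: str) -> list:
    """Defensive check: return the cookie names in a Cookie header that look like raw credentials."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return sorted(name for name in jar if name.lower() in CREDENTIAL_NAMES)


if __name__ == "__main__":
    t = login("alice", now=1000)
    print(session_set_cookie(t))
    print(current_user(f"session={t}", now=2000))  # alice
    print(current_user(f"session={t}", now=5000))  # None, expired
    # Constructed example of the bad pattern: credentials written into cookies.
    print(credential_cookies("login=alice; password=hunter2; theme=dark"))  # ['login', 'password']
```

Because the cookie holds only a random id, a copy of it is worth exactly one bounded session and nothing else: it reveals no login or password, stops working at expiry or server-side logout, and any edit to the id or expiry fails the MAC check. The Domain and Path attributes are what keep the browser from presenting it to other sites, which addresses the cross-site reading the post describes.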


This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:13:56 MST