What is Cookiejacking?

“Cookiejacking” may sound like someone taking a bite out of that delicious chocolate chip cookie you were planning to have after lunch, but it is actually an online security risk that could lead to your personal information falling into the hands of a cybercriminal.

2DBut to understand this risk, you first need to know about Internet cookies. An Internet cookie is a small text file that gets stored on your computer or mobile hard disk from a website that you have previously visited, so the next time you’re on that site, it alerts the site that you’re back.

The cookie holds information such as an identifier the site assigns to you, and any preferences or personal information you may have shared with that website, such as your name and email address. Cookies are the reason why you may see a message that says “Welcome back, John” when you revisit a website.

Now that you know what an Internet cookie is, you can better understand cookiejacking. This is when your device’s cookies are stolen, potentially giving thieves access to the information they hold.

This can be problematic when the cookies stored on your computer contain sensitive and personal data, such as your bank login information and social media account passwords. A cybercriminal could use the stolen information to access your accounts or impersonate you.

Of course, clicking on links in malicious emails or on risky websites increases the odds that you could fall victim to cookiejacking, so the more dangerous clicking you do, the more at risk you are.

How do you avoid cookiejacking?

Here are a few simple tips to help you avoid falling victim to this security concern:

  • Be careful where you click—Especially when playing games on social networks since this could be a trap set by a cookiejacker; all of your clicking will enable the thief to steal your cookies. Also be wary of links in emails, text messages and instant messages, especially if they’re from people you don’t know personally.
  • Use a safe search tool—Utilize a free browser plug-in, like McAfee® SiteAdvisor® that warns you if you are going to a risky site. For Android users, this feature is available as part of the free McAfee Mobile Security.
  • Consider using private browsing mode—The private browsing mode prevents access to cookie files already saved on your device, but more importantly, it stores cookies for the active session in memory. This means that a page crafted for cookiejacking cannot access older cookies nor active ones, because there is no path to them.
  • Install comprehensive security on all your devices—Make sure you protect all your devices with security like McAfee LiveSafe™ service that includes anti-malware, anti-spam, anti-phishing and a firewall so that you are less likely to be a click-jacking victim.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Are Cookies An Invason Of Privacy Or Identity Theft Concern?

Robert Siciliano Identity Theft Expert

Ive taken lots of heat for my comments on a Fox News report that the Office of Management and Budget is considering reversing a nine year ban on using “cookies” to track users’ preferences and interests on federal websites. The shift in policy is being billed as a way for government to enter the 21st century and for federal agencies to use the same technology utilized on news sites, retail sites and social media networks.

My comments under fire involve some “scaremongering” and potential inaccuracies in relation to cookies and what they do.

“Without explaining this reversal of policy, the OMB is seeking to allow the mass collection of personal information of every user of a federal government website,” said Michael Macleod-Ball, acting director of the American Civil Liberties Union’s Washington Legislative office. “Until OMB answers the multitude of questions surrounding this policy shift, we will continue to raise our strenuous objections.”

A cookie is a small piece of text or code that is stored on your computer in order to track data. Cookies contains bits of information such as user preferences, shopping cart contents and sometimes user names and passwords. Cookies allow your web browser to communicate with a website. Cookies are not the same as spyware or viruses, although they are related. Many anti-spyware products will detect cookies from certain sites, but while cookies have the potential to be malicious, most are not.

A colleague sent me a note after reviewing my comments regarding cookies and stated:  “Cookies have been around since the mid-to-late ’90’s, and most people still don’t understand what they are or what they do. If you go to http://osvdb.org and do a search for “cookies”, you’ll see there have traditionally been tons of vulnerabilities surrounding them. From a privacy standpoint, they’re also a potential issue depending on how they’re used, but that really depends on a site’s environment. Saying that “cookies store passwords” isn’t really true in most cases based on evidence I’ve seen over the last several years. They might store session IDs or be manipulated to allow admin access to a site, sure… but that’s not true across the board for every (or even most) sites.”

However Informationweek reports Internet users are revealing information that identifies them through the use of social networking sites cookies.

What was said in the video in relation to what cookies do was more of an analogy than stating fact. I was trying to simply give a bit of perspective and explain what the privacy concerns may be. Its a complicated issue that has the ACLU and others up in arms.

The government tracks criminals using specially developed spyware that gathers a wide range of information, including IP and MAC addresses, operating systems, Internet browsers, open ports, running programs, user names, and recently visited URLs. This scares privacy advocates, for good reason.

But cookies are generally not invasive. They are typically used to produce usage statistics within a single site, or to produce anonymous user profiles across multiple sites, in order to determine which advertisements would be most relevant. Many websites become unusable if your browser does not accept cookies. Social networking sites are particularly dependent on cookies.

Federal government agencies have banned cookies in their own sites since 2000 in response to demands from privacy advocates. Some claim that the proposal to reverse the ban comes in response to Google’s recent lobbying efforts. Whitehouse.gov posts YouTube videos that contain Google’s third party cookies. The entire issue requires a bit more transparency for all those involved.

Advertisers have long known that cookies are useful for customizing the user experience. The government seems interested in taking advantage of this benefit as well. If that is the real motivation, it’s great. But privacy advocates aren’t happy, since the government tends to take a mile when given an inch.

There are a few fundamental ways to keep yourself secure. Browsers all give you the option of simply turning cookies off.  Make sure that yourInternet security software is updated, and install spyware removal software if it isn’t included in your basic security suite. Lock down your wireless connection. Use strong passwords that include upper and lowercase letters as well as numbers, and never share them. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. In most cases, this prevents new accounts from being opened in your name. Download CCleaner, a free system optimization, privacy and cleaning tool that removes unused files including cookies from your system, which frees up disk space and allows Windows to run faster. It also cleans traces of your online activities. And invest in Intelius identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses a proposal to allow the use of cookies on federal websites on Fox News, and again on Breitbart.tv.