This document provides an overview of how personal data is tracked online through third party cookies and discusses some options for protecting privacy. It begins with an introduction of the presenter and their company, SecureState. It then explains how advertising companies use third party cookies to track browsing habits across many websites to display targeted ads. The document reviews some browser configuration and add-on options for blocking cookies and tracking, as well as opt-out services that can remove your information from certain advertiser databases. It concludes by emphasizing the need to understand one's own risk tolerance and the limitations of privacy protections.
2. Agenda
• Intro
– About Your Presenter
– About SecureState
• Who is Tracking You
• Legality
• How to (try to) Protect Yourself
– Browser Configurations
– Browser Add-ons
– Opt-Out Services
• Closing
– Q&A
3. About Your Presenter
• Jake Garlie
• Security Consultant at SecureState
• Specializes in External, Internal and Wireless Penetration Tests, Web Application Security Assessments
4. SecureState Overview
A Management Consulting Firm Specializing in Information Security
• Founded in September 2001
• PCI (Payment Card Industry) certifications:
– Qualified Security Assessor (QSA)
– Approved Scanning Vendor (ASV)
– Qualified Payment Application Security Company
• Largest dedicated security company in the Great Lakes region
• 47 employees
5. The Company We Keep
Key Industries: Retail, Financial Services, Healthcare, Critical Infrastructure, Professional Services, Service Providers, Education, Food Service, Entertainment and Government
6. SecureState Overview
Audit and Compliance
•PCI (Payment Card Industry)
•ISO 27001/SAS 70
•SOX, GLBA, HIPAA, TR-39, NERC/CIP etc.
•INFOSEC (Information System Security Risk Assessment)
Profiling and Attack
• Web Application Security (WAS)
• Attack and Penetration Services (internal, external, client, physical, wireless)
• Wireless Audits
• Training
Risk Management
• Security Program Manager (SPM)
• StateScan
• SecureTime
• Architecture Reviews
Business Preservation Services
• Data Forensics/Incident Response
• Business Impact Analysis
Advisory Services
• CISO Advisement
• Risk Management
• Special Projects
7. Terminology
• Cookie
– Small piece of data a website asks the browser to store (persisted on disk, traditionally as a text file) and send back on later requests to that site
– Used for session authentication, shopping carts, preferences and, as discussed below, tracking
• First-party cookie
– Set by the site shown in the address bar, e.g. by Yahoo.com while viewing Yahoo.com
• Third-party cookie
– Set by a different domain whose content is embedded in the page, e.g. by SecureState.com while viewing Yahoo.com
• Flash cookies
– Local Shared Objects (LSOs) written by the Flash Player plugin; can be first- or third-party
– Stored outside the browser's cookie store, so the browser's cookie settings do not apply to them
– Survive "clearing cookies" and must be removed separately
8. Who is Tracking You?
11. How it Works
• Advertising companies contract with businesses that run websites
• Those businesses let the advertiser place content (a script, image or iframe served from the advertiser's own domain) on their pages
• Every time that content loads, the browser sends the advertiser's cookie along with the page that embedded it, so your browsing habits and search terms can be tracked and sent to the advertising company
• The next time you visit any site carrying the same advertising scripts, the cookie identifies you and the advertiser displays ads chosen from that history
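To make the mechanism concrete, here is an added example (not code from the presentation or from SecureState) that models the exchange described in the "Terminology" and "How it Works" slides: an advertising domain embedded on three unrelated publisher pages hands out one opaque cookie and links the visits through the Referer it receives. The domain names, the cookie name `uid`, the `Browser` and `AdServer` classes and the browsing session are all constructed for the example; the simulation is also run a second time with the browser refusing third-party cookies to show what that setting changes.

```javascript
// Added example (not code from the presentation): a toy model of how an
// advertising domain embedded on unrelated sites links visits together with
// a third-party cookie, and what blocking third-party cookies changes.
// All domain names and identifiers here are constructed for the example.

// Minimal ad server: hands out an opaque id cookie and logs every page that
// embedded its content, keyed by that id. "referer" is what the browser sends.
class AdServer {
  constructor() {
    this.nextId = 1;
    this.profiles = new Map(); // id -> list of page URLs seen with that id
  }

  handle(req) {
    let id = req.cookies.uid;
    let setCookie = null;
    if (!id) {                      // no cookie: first sighting of this browser
      id = `u${this.nextId++}`;
      setCookie = { uid: id };      // Set-Cookie for ads.example
    }
    const seen = this.profiles.get(id) || [];
    seen.push(req.referer);
    this.profiles.set(id, seen);
    // "Relevant" ad: once a profile spans more than one site, retarget from
    // the previously seen site.
    const ad = seen.length > 1 ? `ad based on ${seen[seen.length - 2]}` : 'generic ad';
    return { setCookie, ad };
  }
}

// Publisher site that sets no cookies at all.
const plainSite = { handle: () => ({ setCookie: null, ad: null }) };

// Cookie jar keyed by the domain that set the cookie, as a browser keeps it.
class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.jar = new Map();
    this.blockThirdParty = blockThirdParty;
    this.adsShown = [];
  }

  // Load a page and every resource it embeds. A resource whose domain differs
  // from the page's domain is third-party for this load.
  visit(pageDomain, embeds, servers) {
    for (const domain of embeds) {
      const thirdParty = domain !== pageDomain;
      const blocked = thirdParty && this.blockThirdParty;
      const res = servers[domain].handle({
        referer: `http://${pageDomain}/`,
        // Browser policy: neither send nor accept a cookie in a blocked context.
        cookies: blocked ? {} : { ...(this.jar.get(domain) || {}) },
      });
      if (res.ad) this.adsShown.push(res.ad);
      if (res.setCookie && !blocked) {
        this.jar.set(domain, { ...(this.jar.get(domain) || {}), ...res.setCookie });
      }
    }
  }
}

// Constructed session: three unrelated publishers all embed ads.example.
function simulate({ blockThirdParty = false } = {}) {
  const ads = new AdServer();
  const servers = {
    'ads.example': ads,
    'news.example': plainSite,
    'shop.example': plainSite,
    'blog.example': plainSite,
  };
  const browser = new Browser({ blockThirdParty });
  browser.visit('news.example', ['news.example', 'ads.example'], servers);
  browser.visit('shop.example', ['shop.example', 'ads.example'], servers);
  browser.visit('blog.example', ['blog.example', 'ads.example'], servers);
  return {
    profiles: Object.fromEntries(ads.profiles), // what the advertiser learned
    adsShown: browser.adsShown,                 // what the user saw
  };
}

console.log(JSON.stringify(simulate(), null, 2));
console.log(JSON.stringify(simulate({ blockThirdParty: true }), null, 2));
```

Run it with node: the first output shows a single profile spanning all three sites and retargeted ads on the second and third visit; the second shows three unlinked one-visit profiles and only generic ads. Flash cookies sidestep this block because they live outside the browser's cookie store, which is why the add-ons later in the deck delete those as well.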
13. Legality
The EU Data Protection Directive (95/46/EC) governs European Union nations, and the US-EU Safe Harbor framework let U.S. companies self-certify to comparable principles:
1. Notice
2. Purpose
3. Consent
4. Security
5. Disclosure
6. Access
7. Accountability
14. Legality (cont.)
• The U.S. has no general law requiring websites to publish or follow an online privacy policy
• The FTC has proposed a "Do Not Track" mechanism
• A company that publishes a policy and then violates it can be reported to the FTC and fined for deceptive practices
15. Privacy Policies
• Not required by U.S. law
• Many large sites and organizations have them anyway
• Appending "/privacy" or "/policy" to a site's address is a quick way to find its policy
• Explain what information is stored, tracked and transferred to other parties
27. Private Browsing (cont.)
• Also referred to as Incognito or InPrivate
• Prevents history, cache files, searches and cookies from being kept after you exit Private Browsing or close the browser
• Does nothing about what the website records on its own end
• Prevents many add-ons from functioning
• Designed to protect you from other users of the same computer, not from tracking by the sites you visit
29. Ghostery
• http://www.ghostery.com/
• Created by the folks at Evidon
• Pros:
– Cross platform
– Easy to install and configure
– Blocks Flash/Silverlight cookies
– White-listing of sites
• Cons:
– Advanced settings may be confusing
32. Ghostery (cont.)
Ghostery can also delete Flash and Silverlight cookies, which live outside the browser's normal cookie store; enabling this provides extra protection.
33. BetterPrivacy
Pros:
• Cleans up Flash cookies (Local Shared Objects, LSOs)
• Can alert when LSOs are created
• Can schedule deletion while browsing
Cons:
• Firefox only
• Functionality is also in Ghostery
36. Tor (The Onion Router) Project
• https://www.torproject.org/
• "Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet."
Pros:
• Strong anonymity: the sites you visit see the exit node's address, not yours
• Circuits, and therefore exit nodes, change regularly
Cons:
• Slower browsing
• Confidentiality goes out the window: traffic leaves the exit node exactly as you sent it, so anything not protected by HTTPS is readable by the exit operator
• Technical to configure
39. NoScript
Pros:
• Blocks JavaScript, Java, Flash and other active content from any site not explicitly trusted
• Can prevent attacks (cross-site scripting, drive-by downloads) as well as tracking scripts
• Highly configurable
Cons:
• Firefox only
• Takes time and patience to tune effectively
• Easy to become desensitized and whitelist sites just to make pages work
41. AdBlock Plus
Pros:
• Can block iframes, scripts and Flash content
• Uses filter subscriptions (shared block lists) to decide what to block
• The "EasyList" filter has over 4 million subscribers
• Hides blocked advertisements, leaving whitespace where they were
Cons:
• Firefox and Chrome only
• The default ad lists target ads rather than trackers; a privacy-oriented list such as EasyPrivacy is needed to block tracking scripts
43. TrackerBlock
Pros:
• Blocks tracking cookies and deletes Flash cookies
• Built by PrivacyChoice; blocks according to the privacy preferences you set there
• Blocks 300+ advertising companies
Cons:
• May conflict with other browser add-ons that manage cookies
45. Advertising Cookie Opt-Out
• Google's plugin, available for Firefox, Chrome and IE at http://www.google.com/ads/preferences/plugin/
• Makes the opt-out from Google's DoubleClick advertising cookie persistent, so it survives clearing cookies
47. AboutAds.info
• Collaboration of many organizations in the media and marketing industry
• Runs the Self-Regulatory Program for Online Behavioral Advertising
• Provides a consumer opt-out page
49. Network Advertising Initiative
• Its self-regulatory principles set the stage for the FTC's "Do Not Track" initiative
• Opts out of 73 advertising companies
• The opt-out is itself a third-party cookie, so third-party cookies must be allowed for it to work
• Has to be redone every time cookies are cleared
• Cookie-blocking add-ons can white-list the opt-out cookies so they survive
52. Evidon
• Selected by the Digital Advertising Alliance (DAA) to power the Self-Regulatory Program for online behavioral advertising
• Searchable opt-out page
54. Conclusion
• Determine your own level of acceptable risk
• Don't browse to sites you don't trust
• Read the company's privacy policy
• Apply the web-browser protections above (configuration, add-ons, opt-outs) to match that risk level
55. Thank you for your time!
Jake Garlie jgarlie@securestate.com
Questions & Answers