NSA Follows Cookie Trail to Track Surveillance Targets on Web

NEWS ANALYSIS: Is anyone surprised that the U.S. National Security Agency is using Google cookies to track people? Can Web users do anything to defend their privacy?

The U.S National Security Agency (NSA) is using Google cookies in order to track potential targets, according to a new report published Dec. 10 in The Washington Post.

The report is based on material leaked by whistleblower Edward Snowden and explains how the NSA uses cookies for their own purposes. Cookies are widely used on the Internet today by advertisers in order to track users, in a bid to customize ads and deliver more personalized user experiences.

Security experts contacted by eWEEK were not surprised by the latest NSA spying technique.

Robert Hansen, security researcher and director of product management at WhiteHat Security told eWEEK that Google's tracking has become so prolific and so accurate that the government can and does now leverage this information for exploitation.

"We have long advocated that Google should not be tracking users in this way for exactly these kinds of reasons; if tracking occurs, it can be leveraged by adversaries," Hansen said. "Really, Google can't help but break people's privacy. It is the foundation of their $40 billion dollar a year advertising business despite the fact that we now know for certain that it can and is being leveraged by at least one set of government actors."

Hansen added that from his perspective, this is the sort of nightmare scenario he and others in the security community have been warning about for years. If you track users at all, it will be used against them at some point.

According to the report, the NSA is leveraging a specific type of Google cookie known as the PREF ID used to maintain Web-browser sessions and preferences. Lucas Zaichkowsky, enterprise defense architect at AccessData, explained to eWEEK that there’s a lot of information about a potential target that can be gleaned from the PREF cookie information.

"The really interesting part is they say it’s being used to enable remote exploitation," Zaichkowsky said. "A common example of this is that some Web pages will put sensitive log-in information directly into a cookie or rely solely on the cookie to validate the user's identity so they don’t have to log back in to a Web page."

Zaichkowsky added that if this kind of a cookie is stolen, the NSA or whoever is doing the hacking can use your cookie to get on a Web page logged in with your identity without using a password.

Allan Foster, vice president of technology and standards with identity management software company ForgeRock, is also among those that isn't surprised that the NSA is using cookies to track targets.

"As we have seen from the revelations from Snowden about the breadth and scope of the surveillance being performed by the NSA, it is obvious that almost all of the so called theoretical vulnerabilities we know about are being actively exploited by the eye of Sauron," Foster said.

What Should Users and Enterprises Do?

Cookies are a well-known and understood technology and there are a variety of tools and techniques that can be leveraged by enterprises and individuals that want to avoid being tracked.

Carl Livitt, managing security associate for security consulting company Bishop Fox told eWEEK that individuals can use browser plug-ins to manage cookies and place Google's tracking cookies on a white list. He added that enterprises can use perimeter defenses to modify HTTP traffic to remove the offending cookies.

"However, that's a very narrow tactical defense and I'm sure the NSA uses far more than just the Google cookies," Livitt said. "The real defense is to push for a change in the law to prevent carte-blanche wiretaps of civilian communications; good luck with that."

Earlier this week, a group of top U.S. Internet companies, including AOL, Facebook, Google, LinkedIn, Microsoft and Yahoo, issued an open letter asking for just that—widespread reforms of government surveillance.

Tal Klein, vice president of marketing at cloud application security company Adallom told eWEEK that in general, the majority of Web users are foregoing a great deal of privacy.

"Personally identifiable information is the bitcoin of the commercial Internet, and by that I mean, it's easier to think about it in the context of currency," Klein said. "The amount of effort required to opt out of being part of this currency is akin to physically dropping off the grid, which as we know is harder and harder in the digital age."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.