Telecom and Logistics Associates 

TLAalert Security Service

Publication: Christian ALT

TLAnews: Security NEWs Service

Updated 25.7.2000, original on 24.7.2000. Security: Big Brother invented the WebBug
The technology, often called Web bugs or 1-pixel gifs, is prompting further concern that the once-freewheeling Web is becoming more like an Orwellian Big Browser. Every time you hit a Web page containing a web bug, it sends a ping or call-back to the server telling where it is and who it is.


English version
Cookies are placed on a person's hard drive when a banner ad is displayed or a person signs up for an online service. Savvy Web surfers know they are being tracked when they see a banner ad. But people can't see Web bugs, and anti-cookie filters won't catch them. So the Web bugs wind up tracking surfers in areas online where banner ads are not present or on sites where people may not expect to be trailed.

For this reason the White House ordered its drug policy office to stop using Web bugs on the government's anti-drug site Freevibe.com.

Ad networks and agencies say that cookies and other tracking devices are used to help both consumers and Web sites. The Internet advertising community prefers the more sanitized term "clear GIF". Web Bugs are also known as "1-by-1 GIFs" and "invisible GIFs".


Summary (originally in French)
Cookies are placed on a person's hard drive when a banner ad is displayed or when the person registers on a site. Among surfers, the savvy ones know that their profile is being tracked when a banner ad is displayed. But people cannot see Web bugs, a small tool that follows surfers where banners are not present.

These are small GIFs whose dimensions make them invisible to the eye, but which are present in the Web page you are reading or in the advertising message you have just received.

Microsoft has announced its intention to improve the next versions of its browser with the ability to warn the user each time a "cookie" or "webbug" type action is detected.

Following Microsoft's announcement, some criticism is being heard.

Now you know that if you go to a site on yeast infections, the second it loads up, before the screen loads, somewhere in the world the fact that you visited the site is now registered. Isn't it evil?

Be aware that Web bugs can also be used in email. For example, companies can send a bulk HTML email newsletter that has Web bugs, which will determine how many people read the letter, how often they read it, and whether they forward it to anyone. The email could include your email address in the URL or include a coded ID or encrypted email address to track when you opened it. Since banner ad companies entered the Email servicing business they are in a very good position to also know the identity of people who are surfing to Web sites. Using this technique, the Email servicing side of the business can easily provide Email addresses to the banner ad side of the business.

In spite of all those situations, Microsoft announced that it will test a change to its Web browser that alerts surfers when they visit Web pages that are being monitored by third parties. Microsoft has started an important correction to this trend with its decision to make its Web browser stop and ask users before reporting data about them. Microsoft's move is only a start in the extensive effort that will be needed to repair the damage done to consumer privacy by software that collects and transmits excessive data.

Some critics disagree with Microsoft's new policy

A good reference on the subject is the Web site of Richard Smith, a computer security expert. His Web site will help you search for Web bugs. Among the information extracted from his Web site, you will find an FAQ explaining how bugs are technically constructed and how they work.

Richard Smith's FAQ
What exactly is a Web Bug?
    A Web Bug is a graphic on a Web page or in an Email message that is designed to monitor who is reading the Web page or Email message. Web Bugs are often invisible because they are typically only 1-by-1 pixel in size. They are represented as HTML IMG tags. For example, here are two Web Bugs recently found on Quicken's home page (www.quicken.com):

      <img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>

      <IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_afcr=4B31-C2FB-10E2C&event=reghome&group=register&time=1999.10.27.20.56.37">

    The two Web Bugs were placed on the home page by Quicken to provide "hit" information about visitors to DoubleClick and MatchLogic (AKA, preferences.com), two Internet advertising companies.
Why are Web Bugs invisible on a page?
    To hide the fact that monitoring is taking place.
How can I see a Web Bug on a page?
    A Web Bug can be found by viewing the HTML source code of a Web page and searching for IMG tags. A Web Bug will typically have its HEIGHT and WIDTH parameters in the IMG tag set to 1. Also for the tag to be a bug, the image should be loaded from a different server than the rest of the Web page.
What do Web Bugs in Email messages look like?
    Email Web Bugs are represented as 1-by-1 pixel IMG tags just like Web Bugs for Web pages. However, because the sender of the message already knows your Email address, they also include the Email address in the Web Bug URL. The Email address can be in plain text or encrypted. For example, here are two Web Bugs sent to me in junk Email messages:

      <img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" ">

      <IMG SRC="http://email.bn.com/cgi-bin/flosensing?x=ABYoAEhouX">
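The FAQ's criteria (1-by-1 size, image loaded from a different server, Email address in the URL) can be checked mechanically. The following is an added example, not code from the FAQ or from TLA; the names `WebBugFinder` and `find_web_bugs` and the spacer image are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[^@\s&=]+@[^@\s&=]+\.[A-Za-z]{2,}")

# Sample input: the first two tags are quoted in the FAQ above; the third
# (a same-server spacer image) is constructed for contrast.
SAMPLE = """
<img src="http://ad.doubleclick.net/ad/pixel.quicken/NEW" width=1 height=1 border=0>
<img width='1' height='1' src="http://www.m0.net/m/logopen02.asp?vid=3&catid=370153037&email=SMITHS%40tiac.net" alt=" ">
<img src="http://www.quicken.com/spacer.gif" width=1 height=1>
"""

class WebBugFinder(HTMLParser):
    """Collect IMG tags that match the FAQ's Web Bug criteria."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # "" when scanning an Email body
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":  # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "").strip() for k, v in attrs}
        url = urlsplit(a.get("src", ""))
        host = (url.hostname or "").lower()
        reasons = []
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1")
        if host and host != self.page_host:
            reasons.append("third-party")
        # parse_qsl decodes %40, so encoded addresses are caught as well.
        for name, value in parse_qsl(url.query):
            if EMAIL_RE.fullmatch(value):
                reasons.append("email-in-url:" + name)
        # A 1x1 image from the page's own server is just a layout spacer.
        if "third-party" in reasons and len(reasons) > 1:
            self.findings.append((host, reasons))

def find_web_bugs(html, page_host=""):
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.findings
```

A bug that carries only an encrypted ID and no size attributes, like the `flosensing` tag above, gives this check nothing to match on and is not flagged.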

 


E-mail bugs

Once a banner ad company has an Email address tied to a profile, they can provide a service to advertisers of customized ads in "junk" Email messages. First off, the syncing of a cookie to an Email address must be done in an Email message. In addition, it requires the message to be formatted as an HTML message and therefore the person receiving the message must be using an HTML-enabled Email reader.

Outlook, Outlook Express, Netscape Messenger, and Eudora are HTML-enabled. Also, Web-based Email systems such as Hotmail and Yahoo Mail are HTML-enabled.

The query string of the URL for the WEBBUG.GIF file can contain the Email address as a parameter. For example:

   <img src="http://www.adsfomail.com/webbug.gif?email=paul@iii.com">

The key thing here is that the company sending out the Email message knows your Email address. They have to in order to send out the message. In addition, it is easy for them to create custom mail messages for each person that they send mail to.

The final HTTP GET request to fetch WEBBUG.GIF will then look something like the following in Outlook:

   GET /webbug.gif?email=paul@iii.com HTTP/1.1
   Accept: */*
   Accept-Language: en-us
   Accept-Encoding: gzip, deflate
   User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
   Host: www.adsfomail.com
   Connection: Keep-Alive
   Cookie: id=ads-943977050

In Netscape Messenger, the GET request looks like:

   GET /webbug.gif?email=paul@iii.com HTTP/1.0
   Connection: Keep-Alive
   User-Agent: Mozilla/4.7 [en] (Win98; I)
   Host: www.adsfomail.com
   Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
   Accept-Encoding: gzip
   Accept-Language: en
   Accept-Charset: iso-8859-1,*,utf-8
   Cookie: id=ads-c643640a

When the GET request is processed by the MyBannerAds server, it first extracts the customer id number from the cookie and looks it up in its database of "anonymous" profiles of Web surfers. Once it has located the profile, it then extracts the Email address from the URL query string, turning a once "anonymous" profile into an "identified" profile.

Getting E-mail addresses is easy: it only takes renting ad space in already existing mailing lists.

All those techniques represent another step in the erosion of privacy on the Internet. Microsoft and Netscape should fix the security holes in their respective Web browser products that allow cookies to be sent out from HTML Email messages.
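To audit outbound traffic for this pattern, a proxy or capture tool can flag any request that carries both a cookie and an Email address in its query string. This is an added example, not code from the original page; `parse_request`, `identity_linkage` and the cookie-less request are assumptions made for illustration.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

EMAIL_RE = re.compile(r"[^@\s&=]+@[^@\s&=]+\.[A-Za-z]{2,}")

# The Outlook request shown above, with some headers trimmed.
OUTLOOK_REQUEST = """GET /webbug.gif?email=paul@iii.com HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Host: www.adsfomail.com
Cookie: id=ads-943977050
"""

# Constructed: the same fetch from a mail reader that sends no cookie.
NO_COOKIE_REQUEST = """GET /webbug.gif?email=paul@iii.com HTTP/1.1
Host: www.adsfomail.com
"""

def parse_request(raw):
    """Split a raw HTTP request head into (target, lower-cased headers)."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    _method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def identity_linkage(raw):
    """Return what the request ties together, or None if it cannot link."""
    target, headers = parse_request(raw)
    emails = [v for _, v in parse_qsl(urlsplit(target).query)
              if EMAIL_RE.fullmatch(v)]
    jar = SimpleCookie(headers.get("cookie", ""))
    cookies = {name: morsel.value for name, morsel in jar.items()}
    # Both halves are needed: the cookie names the profile, the query
    # string names the person.
    if not emails or not cookies:
        return None
    return {"host": headers.get("host", ""),
            "email": emails[0],
            "cookies": cookies}
```

The cookie-less request still tells the sender that the message was opened, but it gives the ad server no profile id to attach the address to.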

 

Updated on 25.7.2000
A group that has long been critical of Microsoft says the problem is that only some "cookies" are targeted. Others, including those set by Microsoft sites, are excluded from the new regime, it says.

Microsoft, which runs a number of large Web sites covering everything from banking to travel, will be able to have its own cookies set without notice.

Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: July 25, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.