Cybersecurity Resources

How to Clear Out Cookies, Flash Cookies and Local Storage

As per the article in Naked Security dated November 5th, 2014:

This quick fix will show you how to clear out cookies and the cookie-like things that can be used to track you online.

If you already know what cookies are all about then you can skip the next bit and go straight to the instructions.

Why cookies are important

Cookies are very small pieces of information given to your web browser by the sites you visit. Your browser will store the cookies until they expire and will include them in any messages it sends to the website they originally came from.

Cookies are a normal and extremely important part of the way the web operates because they enable a sort of short-term memory.

The HTTP protocol – the language used by web browsers to talk to websites – is stateless and no information is retained between any two HTTP events.

Simplistically, a basic website will behave as if it’s the first time you’ve ever been there every single time you ask it for a web page.

However, if the website gives you a unique cookie the first time you ask for a page, you’ll give it back every time you ask for another page. If all your page requests contain the same unique cookie the website can see that they’re all coming from the same source.

Being able to link individual, stateless actions together like this is a fundamental building block of the web.

Without this short-term memory, websites would just be brochures – there would be no Facebook, Twitter, Pinterest, LinkedIn, Amazon, eBay, Wikipedia, PayPal, WordPress, Gmail…

Of course, if anyone wants to track you, being able to identify two or more actions as coming from the same source is also the fundamental thing.

Third party cookies

A website can only read the cookies that it has created: your browser sends a cookie back only to the site that set it, so one site cannot read cookies created by another.

In order to track an individual from one website to another, the different sites all have to share some code from a third party website. The code that creates and reads the tracking cookie is hosted by the third party and it can keep reading its own cookies as you hop from site to site.

That’s how advertisers and tracking companies work, it’s how the same adverts can appear to follow you around the web and it’s how, for example, Twitter knows what websites you’ve visited.

‘Super’ cookies

Although cookies are the most well-known way to track somebody, there are other technologies that can be used for the same ends.

HTML5 has a feature variously called web storage, DOM storage or local storage that lets websites keep small but significant databases on users’ machines, separately from cookies.

Adobe’s Flash player has a similar feature that allows Flash content embedded in web pages to create and read locally shared objects (LSOs). LSOs are sometimes referred to as Flash cookies or super cookies.

Because LSOs are stored by your Flash player and not your browser they can be used to track all the web activity originating from one computer, not just from one browser.

ETags

When a web server sends you a web page, an image or any other kind of file, it sometimes sends a text string called an entity tag (ETag) with it. The ETag is a short ID that uniquely identifies a specific version of a specific file.

If your browser asks for the same file again it will send the ETag with the request (in an If-None-Match header). If you already have the latest version, the web server can answer with a short “304 Not Modified” instead of sending the file all over again, which saves bandwidth and speeds things up.

Unfortunately, it didn’t escape the notice of tracking companies like KISSmetrics that ETags are something that websites give to users that they give back again in later requests.

By embedding the same file, such as a transparent image, in every web page and ensuring each new visitor is given a different ETag, the ETags could be turned into de facto cookies – or used as a sneaky way to recreate cookies that users have deleted.

Fingerprinting

Recent research suggests that many browsers have a profile so distinct that they can be individually fingerprinted. The fingerprint is made up of information that can be gathered passively from web browsers such as their version, user agent, screen resolution, language, installed plugins, and installed fonts.

I don’t know of any cases where fingerprinting has been used in the wild, but if it were it would be difficult to detect and it’s certainly accurate enough to be used as a cookie re-spawning technique, if not for tracking proper.

I’m sure it’s a technique we’ll be hearing more about.

Clearing cookies, web storage, and ETags

Thankfully modern browser vendors assume that you want to clear web storage when you delete your cookies so the procedure is the same for both.

Because ETags are used to manage which files are cached, they’re discarded when you delete your cache.

Before you ditch your cache, bear in mind that the cost of aggressively discarding your cache is, potentially, slower browsing.

Here’s how to clear out the cookies, web storage, and ETags that you already have and how to find the settings that allow you to take a bit more control over what you’ll accept from now on.

Firefox

  • Click Firefox and then Preferences (Mac), or Tools and then Options (Windows)
  • Select the Privacy tab
  • Click clear your recent history
  • Tick Cookies
  • Tick Cache to clear your cache
  • Click Clear now

While you’re looking at the Privacy tab, a range of options for controlling cookies are available under History. You can configure these by choosing Use custom settings for history under Firefox will.

Chrome

  • Click the Menu button
  • Click Settings
  • Click Show advanced settings
  • Scroll to Privacy
  • Click Clear browsing data…
  • Tick Cookies and other site and plug-in data
  • Tick Cached images and files to ditch your cache
  • Click Clear browsing data

Under the Privacy heading, you’ll also find a range of options for controlling cookies if you click Content settings…

Safari

  • Click Safari and then Preferences
  • Select the Privacy tab
  • Click Remove all website data
  • Click Remove Now

While you’re looking at the Privacy tab you’ll see a few options for controlling cookies too.

Clearing the cache is far from an obvious process.

  • Click Preferences
  • Select the Advanced tab
  • Tick Show Develop menu in menu bar
  • Click Develop (it’ll have just appeared in the menu bar at the top)
  • Click Empty caches

Internet Explorer

  • Click the gear/cog icon in the top right
  • Click Internet options
  • Select the General tab
  • Under Browsing history click ..
  • Tick Cookies and website data
  • Tick Temporary Internet files and website files for the cache
  • Click Delete

Options for controlling cookies can be found under Browsing history and under the Privacy tab.

Clearing Flash cookies

Here’s how to clear out the LSOs that you already have and how to find the settings that allow you to take a bit more control over them. (Adobe ended support for Flash Player at the end of 2020 and current browsers no longer run it, so these steps only apply to older systems that still have it installed.)

Windows

  • Click Start (if you’re lucky enough to have one)
  • Search for Control Panel
  • Click System and Security
  • Click Flash Player
  • Select the Storage tab
  • Click Delete All…
  • Tick Delete All Site Data and Settings
  • Click Delete Data

Mac

  • Click System Preferences in the Apple menu
  • Click Flash Player
  • Select the Storage tab
  • Click Delete All…
  • Tick Delete All Site Data and Settings
  • Click Delete Data

Private browsing and add-ons

All modern browsers come with a Private or Incognito mode that makes it much more difficult for websites to track you. Typically they’ll ditch your cache and cookies when your browser session is over, meaning that while you might be tracked during a session, you won’t be tracked across multiple sessions.

Private browsing works for Flash LSOs too. According to Adobe, Flash Player version 10.1 and later will clear out Flash cookies at the end of your browsing session if you use private browsing in the following browsers:

  • Google Chrome
  • Mozilla Firefox
  • Microsoft Internet Explorer
  • Apple Safari

There is also a range of add-ons for each major browser that can help you manage some or all of the tracking techniques I’ve mentioned.

5 tips to change your email

“Malware targeting Android devices has been found to be spreading through mobile advertisement networks. Many developers include advertising frameworks in their apps to help boost profits.

Advertisements in mobile apps are served by code that is part of the app itself. An attack scheme in Asia involved a rogue ad network pushing code onto devices. When users download and install legitimate apps, the malware prompts users to approve its installation, appearing to be part of the process for the app they have just downloaded.”

Watch out for Unsubscribe Emails

We all get emails we don’t want, and cleaning them up can be as easy as clicking ‘unsubscribe’ at the bottom of the email. However, some of those handy little links can cause more trouble than they solve.

You may end up giving the sender a lot of information about you, or even an opportunity to infect you with malware. Of course, not everyone who sends you mail is a spammer and if you know that a sender is trustworthy it’s safe to unsubscribe. Unfortunately, phishing attacks rely on the fact that it’s very, very easy to fake who and where an email has come from, so it’s all but impossible to be 100% sure who has sent you an email. If you click anyway, here is what you give away:

  1. You have confirmed to the sender that your email address is both valid and in active use.

    If the sender is unscrupulous then the volume of email you receive will most likely go up, not down. Worse, now that you have validated your address the spammer can sell it to his friends. So you are probably going to hear from them too.
  2. By responding to the email, you have positively confirmed that you have opened and read it and may be slightly interested in the subject matter, whether it’s getting money from a foreign prince, a penny stock tip or a diet supplement.

    That’s wonderful information for the mailer and his pals.
  3. If your response goes back via email – perhaps the process requires you to reply with the words “unsubscribe,” or the unsubscribe link in the message opens up an email window – then not only have you confirmed that your address is active, but your return email will leak information about your email software too.

    Emails contain meta-information, known as email headers, and you can tell what kind of email software somebody is using (and infer something about their computer) from the contents and arrangement of the headers.
  4. If your response opens up a browser window then you’re giving away even more about yourself. By visiting the spammer’s website you’re giving them information about your geographic location (calculated based on your IP address), your computer operating system and your browser.

    The sender can also give you a cookie which means that if you visit any other websites they own (perhaps by clicking unsubscribe links in other emails) they’ll be able to identify you personally.
  5. The scariest of all: if you visit a website owned by a spammer you’re giving them a chance to install malware on your computer, even if you don’t click anything.

    These kinds of attacks, known as drive-by downloads, can be tailored to use exploits the spammer knows you are vulnerable to thanks to the information you’ve shared unwittingly about your operating system and browser.
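Points 1 to 4 can be checked before clicking rather than discovered afterwards. The following added example in Node.js (not code from the article) pulls the unsubscribe links out of a message and reports, for each one, what using it would hand to the sender: whether it replies by email or opens a browser, whether the link host is even under the sender’s domain, and whether a URL parameter carries your address (here base64-encoded, as some mailers do) or an opaque per-recipient token. The message, addresses and hostnames are constructed; the List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058) headers are real headers that legitimate bulk senders use.

```javascript
// Added example, not code from the article: an inspector for unsubscribe
// links. SAMPLE_MESSAGE is constructed; the "e" parameter is the recipient's
// address base64-encoded, the way some mailers embed it.
const RECIPIENT = 'alice@example.org';
const TOKEN = Buffer.from(RECIPIENT).toString('base64');
const SAMPLE_MESSAGE = [
  'From: "Weekly Deals" <offers@mailer-example.test>',
  `To: ${RECIPIENT}`,
  'Subject: Your weekly deals',
  `List-Unsubscribe: <https://track.mailer-example.test/u?e=${TOKEN}&c=8812>, <mailto:unsub@mailer-example.test?subject=unsubscribe>`,
  'List-Unsubscribe-Post: List-Unsubscribe=One-Click',
  'Content-Type: text/plain; charset=utf-8',
  '',
  'Great deals this week!',
  `Not interested? Unsubscribe here: https://track.mailer-example.test/u?e=${TOKEN}&c=8812`,
].join('\r\n');

// Minimal RFC 822 split: headers (no folding handled) then body.
function parseMessage(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const headers = {};
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { headers, body: rest.join('\n\n') };
}

function firstAddress(headerValue) {
  const m = /([^\s<>"]+@[^\s<>"]+)/.exec(headerValue || '');
  return m ? m[1].toLowerCase() : '';
}

// Links from the List-Unsubscribe header plus any URL on a body line that
// mentions "unsubscribe".
function extractUnsubscribeLinks(msg) {
  const links = [];
  for (const m of (msg.headers['list-unsubscribe'] || '').matchAll(/<([^>]+)>/g)) {
    links.push({ source: 'header', url: m[1] });
  }
  for (const line of msg.body.split(/\r?\n/)) {
    if (!/unsubscribe/i.test(line)) continue;
    for (const m of line.matchAll(/https?:\/\/[^\s<>"]+/g)) links.push({ source: 'body', url: m[0] });
  }
  return links;
}

// Does a URL parameter carry the recipient's address, plainly, base64- or percent-encoded?
function encodesRecipient(value, recipient) {
  if (!recipient) return false;
  const forms = [value, Buffer.from(value, 'base64').toString('utf8')];
  try { forms.push(decodeURIComponent(value)); } catch (e) { /* not percent-encoded */ }
  return forms.some((f) => f.toLowerCase().includes(recipient));
}

function inspectLink(link, msg) {
  const recipient = firstAddress(msg.headers['to']);
  const senderDomain = firstAddress(msg.headers['from']).split('@')[1] || '';
  const findings = [];

  if (link.url.toLowerCase().startsWith('mailto:')) {
    findings.push('replies by email: confirms the address and leaks your mail client through the headers of your reply');
    return { ...link, findings };
  }
  const u = new URL(link.url);
  findings.push('opens in a browser: the sender sees your IP address (hence rough location), OS and browser, and can set a cookie');
  if (senderDomain && u.hostname !== senderDomain && !u.hostname.endsWith('.' + senderDomain)) {
    findings.push(`host ${u.hostname} is outside the sender domain ${senderDomain}`);
  }
  for (const [key, value] of u.searchParams) {
    if (encodesRecipient(value, recipient)) {
      findings.push(`parameter "${key}" encodes your address: clicking confirms it is live`);
    } else if (value.length >= 8) {
      findings.push(`parameter "${key}" is an opaque token, probably per-recipient: clicking confirms the address is live`);
    }
  }
  return { ...link, findings };
}

function inspectMessage(raw) {
  const msg = parseMessage(raw);
  return {
    // With this header a mail client can unsubscribe with a bare POST instead
    // of opening the page in a browser (the address is still confirmed).
    oneClick: /List-Unsubscribe=One-Click/i.test(msg.headers['list-unsubscribe-post'] || ''),
    links: extractUnsubscribeLinks(msg).map((l) => inspectLink(l, msg)),
  };
}
```

Call `inspectMessage(SAMPLE_MESSAGE)` to get the three links with their findings. The host check is the one worth internalising: an unsubscribe link that points somewhere other than the sender’s own domain is the pattern that turns “unsubscribe” into a visit to a site you know nothing about.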

Twitter Security

How to Improve Your Twitter Security and Privacy

You will find the privacy settings at twitter.com under the gear icon, then Settings.

Then click Security And Privacy over on the menu to the left of the screen

Twitter’s Security Settings

The first section is about Security and how you access your Twitter account.

Login Verification

This is set by default to off. Make it harder for an unauthorized person to log in to your account by choosing to receive login verification requests via a text message on your phone or the Twitter mobile app.

Password Reset

This is set by default to off, meaning that anyone who knows your Twitter username (which is available to absolutely anyone) can request a password reset email.

Check the Require personal information to reset my password box. This means that if someone wanted to request a reset of your Twitter password, they would also need to enter your email address or phone number too.

It’s not foolproof, but it’s an additional level of security.

Twitter’s Privacy Settings

The second section is about how private you choose to make your Twitter account.

Photo tagging

Like Facebook, others can tag you in a photo, which is just like a ‘mention’ on Twitter – you get ‘mentioned’ in the uploaded photo.

This is set by default to on, meaning anyone can tag you in a photo. Use the radio buttons to restrict tagging to people you follow back or disable photo tagging altogether.

Tweet privacy

By default, Protect my Tweets is off, and anyone on Twitter, all your followers, and anyone searching Google can see your tweets. If you check the box to protect your Tweets, it locks down your visibility. A lot.

It’s not really in the spirit of the whole Twitter thing, but if you do find yourself in a position where you want to communicate through Twitter with just a select group of people, hide all your previous tweets – and future ones – from the rest of the world, and manually accept follow requests – this is the place to do it.

However, it’s all or nothing. So checking the box will also prevent people retweeting anything you say and you can’t share links to your Tweets.

If you choose to keep your tweets public, remember to be very careful about what you write. Anyone can see it, and that means you should never say anything you want to keep private.

Tweet Location

This is set as ‘off’ by default and you have to opt-in to use it. You can also specify before you tweet whether you want the location information on or off.

Why would you enable it? Well, sometimes it’s nice to show people where you are, especially if you’re at a poncy art gallery or at a show that anyone who is anyone wants to be at.

But if you’re at home, for example, you wouldn’t really want the world knowing where your house is. And if you’re not at home, well, you’re somewhere else and you wouldn’t want them knowing that either.

Keep locations off, there are too many unintended consequences, and delete all past location information to be on the safe side.

Discoverability

Let others find me by my email address is on by default and enables people who may not know your Twitter handle, but do know your email address, to find you.

Apply the ‘principle of least privilege’ here. If you can think of a really good reason why you want to be discoverable by your email address (we can’t) then switch it on, otherwise turn it off.

Personalization is about tailoring suggestions of which accounts to follow, based on information that Twitter gathers about you around the internet.

Using the cookies sent to Twitter when you see a Tweet button, Twitter can record which sites you’ve visited and use this information to provide a “Twitter experience that’s relevant to you”. In Twitter’s own words: “We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets).

Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites.”

If you’re based in Europe, this option is greyed out as the feature is not available yet, but if you are part of the Personalization experiment, this setting is on by default.

You can turn it off by unchecking the box next to Tailor Twitter based on my recent website visits.

Promoted content

Ah ha! Here we go – Twitter’s foray into the data collection arena already ruled by the likes of Google and Facebook.

Twitter has ads. These are in the form of paid-for sponsored tweets, Twitter Cards, and promoted accounts. If you want Twitter to “bring you more useful and interesting advertising content”, you won’t uncheck this box.

Twitter has partnered with third-party ‘behavioral advertising’ companies (behavioral ads are the ones that follow you around from website to website). If you visit a website that’s in one of those advertisers’ networks then their ads can now follow you on to Twitter too.

The setting Tailor ads based on information shared by ad partners is on by default. Switch it off by unchecking the box.

You can also disable personalization and promoted content by switching on Do Not Track in your browser. At the time of writing Twitter honored Do Not Track and said in a support article, “When you have DNT enabled in your browser, Twitter would not receive browser-related information from our ads partners for tailoring ads.” (Twitter has since dropped support for Do Not Track and most browsers have deprecated the signal, so don’t rely on it today.)

You can also throw a spanner in the works of Twitter’s personalization and promoted content with tracker-blocking browser add-ons such as Ghostery. Lightbeam, which is often mentioned alongside it, only visualises which third parties a page connects to; it does not block them.

Hopefully, this article helps you to understand what the Twitter privacy and security settings mean, and know what’s on and what’s off by default.

Don’t rely on social networks to have your privacy tuned to your benefit – check them regularly.