Security Advisor

Microsoft Cuts 'Supercookies' out of its Diet

The company provides a comprehensive breakdown of the Internet irritant. Plus: Anonymous releases defense information; famous individuals go to the front of the line with Google+

The term "supercookie" has nothing to do with a large, gooey chocolate chip monstrosity straight out of the oven but instead, in IT parlance, is something you really don't want during a Web browsing session.

Redmond doesn't want it either.

Put simply, a "cookie" is the nickname for a process where an origin or destination Web site connects with a browser for identity, Web-form population and authentication, and leaves behind a digital signature in its wake.

The name comes from an older term, "magic cookie," where packets of data send, receive and leave a digital signature that remains unchanged.

Now, the problem with supercookies is that not only do they not remain unchanged, but they also don't refresh or drop off -- allowing hackers to track activity, search malicious code or follow a user's browsing pattern.

Microsoft breaks down the different types of cookies further, addressing concerns that these supercookies tend not to expire after a user quits a browser session and even enable themselves after deletion.

What's ironic here, as in most IT security issues today, is that Microsoft once had a taste for the supercookie.

However, Mike Hintze, Microsoft's Associate General Counsel for Regulatory Affairs, stated publicly that the code for "supercookies" was only in older iterations of Internet Explorer and that such code is slated for removal.

What sparked this bizarre blogosphere thread and controversial crumbling cookie metaphor overdose is a blog post based on recent Stanford University research.

Anonymous Earning its Name Again
The hacker collective Anonymous is at it again. The group, which in some circles is being called the hipper, more mischievous younger cousin of WikiLeaks, released about 1GB of what it claims are private e-mails and documents from an executive of a U.S. defense company that sells unmanned aerial vehicles to the military and select U.S. police departments.

Heavy stuff -- you may recall from last week's security watch that the group has been tied to Turkish and Syrian hacks, and claimed responsibility for stealing personal information of Bay Area Rapid Transit passengers a few weeks ago.

Anonymous released its info in a post on Pastebin, although links to the pertinent documents are hosted on an alternate site.

It'll be interesting to see how long Anonymous remains so... anonymous.

Google+ Adds New ID System for Famous People
Google official Wen-Ai Yu said in a Google+ post that after early false starts around social media security integrity, the search engine and now telecom giant, pending deal approval, will add badges for individual users of its Google+ social networking site.

The first badges, which will authenticate whether -- to paraphrase Yu's words -- Dolly Parton is actually Dolly Parton, will go to public figures and stars with a lot of followers and friends.

Everyone else, including mere mortals, will get a badge later.  

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
