Ransomware, botnets, surveillance, phishing and GDPR! [PODCAST]

Created: 26 June 2017

In case you missed them, here are the podcast versions of last week’s Security SOS webinar series.

Each day last week, we covered a hot topic in computer security, from ransomware, through botnets, surveillance and phishing, all the way to GDPR.

If you missed out on the live events last week, you can catch up now:

Ransomware revisited – is it really the worst sort of malware?

Other ways to listen: download MP3, play directly on Soundcloud, or get it from iTunes.

Botnets – the malware that makes you part of the problem

Other ways to listen: download MP3, play directly on Soundcloud, or get it from iTunes.

When does security turn into snooping?

Other ways to listen: download MP3, play directly on Soundcloud, or get it from iTunes.

Phishing – how this troublesome crime is evolving

Other ways to listen: download MP3, play directly on Soundcloud, or get it from iTunes.

GDPR – Burden or opportunity? Cost or value?

Other ways to listen: download MP3, play directly on Soundcloud, or get it from iTunes.

Enjoyed these podcasts?

Check out the other podcast playlists on our Soundcloud channel

Source: Naked Security


Snapchat starts sharing your (and your kids’) location. Turn it off.

Created: 26 June 2017

Snapchat has introduced a “whole new way!” (maybe new to Snap: not to Facebook, Apple and Google) for you to “explore the world” and “meet up with friends”: a location-sharing “Snap Map” that shows when nearby friends are…

…at a dance party!

…or a magic show!

…or having their privacy breached and their location leaked because they didn’t realize that Snap posts their location on Snap Map every time they open the app.

Looking at the Snap Map walkthrough you get when you update Snapchat might lead you to believe that you actually have to opt in to having your location shared when you’re at home, say, or maybe walking down a nearby dark alley, or at a best friend’s apartment… even though… huh… didn’t you say you were going out with Cindy to see a movie tonight?

Image credit: Snap Map walkthrough courtesy of Snapchat

But Snapchat is actually posting your location to Snap Map every time you open the app, not just when you share Snaps to Our Story.

Now bear in mind that Snapchat is crazy popular with children and teens.

Users aren’t limited to a map of nearby friends. They can also search for specific locations, such as schools or playgrounds, with the map displaying any public photos or videos sent by students, as pointed out by The Telegraph.

Multiple police forces and child protection services have warned parents to turn off Snap Map on their children’s phones. In the UK, Preston Police had this to say on the department’s Facebook page:

For all the snapchat users on here, in the last few days they have released a new update which connects to your GPS, and automatically (unless activated ghost mode) shows where you are on a map to anyone who is on your friends list and posts can possibly be seen publicly depending on your settings!!

…Obviously this may cause concern for certain users, particularly those who have young children who use the app.

The Telegraph quoted a spokesperson for the National Society for the Protection of Children:

It’s worrying that Snapchat is allowing under 18s to broadcast their location on the app where it can potentially be accessed by everyone in their contact lists.

With public accounts, this will include those who are not known to the user. This highlights why it’s vital children are automatically offered safer accounts on social media to ensure they are protected from unnecessary risks.

…and this is what the UK Safer Internet Centre had to say:

It is important to be careful about who you share your location with, as it can allow people to build up a picture of where you live, go to school and spend your time.

Given how specific this new feature is on Snapchat – giving your location to a precise pinpoint on a map – we would encourage users not to share their location, especially with people they don’t know in person.

As Preston Police noted, Ghost Mode keeps your location private.

How to turn on Ghost Mode

To change settings, open Snapchat and pinch the screen. That will load Snap Map. When you do it for the first time it should ask you if you want to activate ghost mode. If it doesn’t, click on the icon in the top right-hand corner, where you’ll be able to tick a box to turn on ghost mode, like so:

What other apps are stalkery?

Two years ago, Facebook switched off default location tracking and gave users full control over when and how they share such information.

User choice? What a concept!

In March, Facebook Messenger did, though, enable live location sharing, taking a page from the way that Apple handles it in iOS and Google in Android. Namely, users can tap on the location icon within a message to begin sharing their location. They’ll get a map of their current position and the option to share it live.

Thankfully, you can’t leave that location sharing on indefinitely: a clock starts ticking, and you get 60 minutes to share location. Facebook also gives you an estimate of how long it would take you to meet your friends if going by car and shares that ETA with others.

In February, “Live Location Tracking” was also spotted in WhatsApp, apparently in beta mode.

It was apparently switched off by default, as it should be. WhatsApp also gave users the ability to control how long the sharing continued.

Twitter likes to follow us around, too. To turn that off, this is what you do:

Twitter for iOS

  1. Go to Settings and tap Privacy
  2. Tap Location Services
  3. Locate the Twitter app and tap to select Never

Twitter for Android

  1. Tap the navigation menu or profile icon
  2. Tap Settings and privacy
  3. Under General, tap Location and proxy
  4. Deselect the checkbox next to Location

Instagram? Ah, Instagram’s interesting. We’ve seen all sorts of abuse of its location data: there was the underwear thief who used Instagram location data to find victims’ homes, for example.

Instagram at one point was also providing access to its API to Geofeedia, an app used by police to monitor activists and protesters. Geofeedia was also tapping into APIs at Twitter and Facebook to create real-time maps of social media activity in protest areas. Those maps were used to identify, and in some cases arrest, protesters shortly after their posts became public, including in the Dakota pipeline protests in the US.

In March, Facebook and Instagram turned off the data faucet for that location-fueled surveillance.

For its part, Uber has its own stalker history. In December, with the update that brought us version 3.222.4, Uber began tracking users’ locations constantly when the app’s running in the background. It also asked users to always share their address books. Up until that point, it had only collected location data if a user had the app open.

Obviously, Snapchat’s recent debut into the location-sharing, privacy-jeopardizing realm is only the most recent entry on a long list of apps with concerning privacy practices. They’re all a reminder that whenever there’s an update, whether to an app or to the phone OS, we should review our settings in case a brand new privacy option has arrived with a default we didn’t expect.

Remember: if in doubt, don’t give it out, be it your taxpayer ID, your birth date, or your geolocation. You don’t know who will do what with that information, but we do know that plenty of people do plenty of dangerous things.

Source: Naked Security


Google strips private medical data from searches

Created: 26 June 2017

Google has quietly amended its search engine indexing to exclude past and present personal medical data for the first time.

It’s a deceptively straightforward change, which the company describes on its data removal policy page as relating to “confidential, personal medical records of private people.”

The shock of this – which perhaps also explains why it is being sneaked in as a single line of text on a help page very few people visit – is that Google’s search engine would index such a sensitive category of data in the first place.

Other data categories already excluded include social security, bank and credit card numbers, personal signatures and, from 2015 on, non-consensual “revenge porn”.

The move raises the question of why it’s taken so long to institute a change that’s been a pressing problem since stolen and inadvertently leaked medical data started finding its way onto the public internet as long as a decade ago.

Whether breached data ends up in a form that can be seen by search engines depends in part on how the breach occurred. If it’s lost on a stolen laptop or siphoned off from deep inside an organisation then the chances are it will remain within criminal circles. This isn’t secure, of course, but it’s something beyond the ken of a search engine.

By contrast, unsecured data accidentally left in an open state can be picked up by search engines pretty quickly. This is the problem Google is trying to fix. Equally, just stopping Google from displaying unsecured data in its search results doesn’t mean that data is gone from the internet. It may still be visible in the results of other search engines and, even if it isn’t, it can still be found by more laborious means.

For US citizens at least, this must seem like a paradoxical state of affairs. Medical providers are governed by the federal Health Insurance Portability and Accountability Act (HIPAA), which sets out strict rules about how private medical data should be handled and accessed.

Unfortunately, the minute that data is breached in some way it enters a netherworld where protection is assumed to have stopped in a practical if not a legal sense.

In 2015, the Office for Civil Rights (OCR) recorded that US providers alone were affected by 253 medical data breaches, equivalent to 112 million records.

The bulk of these were accounted for by just three large incidents: Anthem (78 million), Premera (11 million), and Excellus (10 million), all the result of hacking rather than accidental loss. The biggest of these, Anthem, was later deemed to have originated from a single malicious email opened by one person.

What Google doesn’t say is how it is going to scrub data from searches. Google search – indeed, all search engines – operates as a black box.

Monitoring suggests that Google’s algorithms are frequently tweaked and updated, but getting the search giant to admit that it’s searching differently, let alone how or why, is almost as rare as unicorn dressage.

It’s possible to understand the crawling that happens at one end and see what comes out the other, but what happens in the middle remains a trade secret.

Having spent years indexing every corner of the public web it thinks users and advertisers might be interested in, Google is gradually introducing exceptions. This is hardly the great retreat from Moscow, more an admission that searching and indexing everything has downsides after all:

We want to organize the world’s information and make it universally accessible, but there are a few instances where we will remove content from Search.

Thankfully that now includes your health records.

Source: Naked Security


News in brief: drone chiefs urge regulation; Microsoft drops SMB1; Virgin router warning

Created: 23 June 2017

Your daily round-up of some of the other stories in the news

Drone chiefs call for regulations

Drone industry chiefs were due to meet President Trump at the White House this week – and were expected to call for more regulation.

The meetings, which were due to start on Thursday, are to focus on regulations for emerging technologies including 5G, artificial intelligence and drones. They include executives from organisations including AT&T, drone-maker PrecisionHawk and venture capitalist firms.

Michael Chasen, chief executive of PrecisionHawk, told Recode that “the drone industry is one of the few industries where we need more regulations, not less”. That’s because the FAA hasn’t yet produced rules that would make it legal to carry out commercial activities such as delivering packages.

Greg McNeal of mapping software company AirMap told Recode: “We asked why autonomous cars weighing 3,500lb can drive next to hundreds of pedestrians, but a 3lb drone can’t fly over people. The FAA follows a legacy approach to regulating aviation that requires everyone to ask for permission.”

Microsoft to retire SMB1

The next version of Windows will not include SMB1, the protocol that facilitated the spread of the WannaCry ransomware outbreak in May.

The change is already rolling out to members of Microsoft’s Windows Insider programme – the shift will feature in Build 16226 of Windows 10.

In a Windows Insider blogpost, Dona Sarkar said: “As part of a multi-year security plan, we are removing the SMB1 networking protocol from Windows by default. This build has this change, however the change only affects clean installations of Windows, not upgrades.”

Microsoft has been urging users to ditch that protocol since before the WannaCry outbreak: Ned Pyle said, loud and clear, back in September last year that “SMB1 isn’t safe”.

He added in his Technet post: “The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle.”

For users who aren’t early-adopter nerds on the Windows Insider programme, the change will come when the Redstone 3 – or Fall Creators’ Update – rolls out.

Virgin customers warned on routers

Are you a Virgin Media customer in the UK with the Super Hub 2 router? If so, you’re among the 800,000 or so users who probably need to change both the Wi-Fi password and the password used to access the router’s configuration pages.

The warning came after research by the consumer association Which? found that the router model’s default passwords were insecure: the Wi-Fi password is easily cracked, according to Which?, and once on the network, the default admin password is the same for all devices.

Which? criticised a number of devices that Naked Security has flagged up in the past, including the CloudPets teddy whose user accounts had been breached, and insecure IoT security cameras.

Virgin said it was offering affected customers the option to upgrade to a newer router – the Super Hub 3 – and added: “The security of our network and of our customers is of paramount importance to us.”

Catch up with all of today’s stories on Naked Security

Source: Naked Security


Russia ‘targeted 21 states’ during US election campaign, says official

Created: 23 June 2017

What neither Manfra nor others testifying would share, in open session at least, was how the Russians targeted the election systems, nor how successful they were. She did, however, concede that there is no evidence that any attempt was made to penetrate state voting systems and alter results. In her opinion, the decentralized nature of the US elections would make it “virtually impossible” to do so without being detected.

The senators were not pleased with the reluctance of Manfra and others to reveal additional details – the who, what, where, why, and how of the targeting – beyond the declaration that the activity was owned by Russia. So we are left to pull back the covers ourselves.

We turn to the unauthorized leak of the top secret NSA analysis on the Russian General Staff Main Intelligence Directorate (GRU) and their activities targeting the US election. The existence of this report became known when Reality Winner provided it to The Intercept. The NSA analysis, taken at face value, called out how the Russians “targeted US election via phishing attacks”.

Now, to be clear, the information in the analysis was not especially noteworthy from a technological standpoint. What is interesting is the finding on how the information gathered at each step was used cumulatively to move on to the next target. The analytic document contained a redacted image that outlined the spear-phishing campaign and made clear which information was known and what was being deduced.

The analysis indicates a phish email that was sent from a single address [sender address not reproduced on this page] to 122 separate recipients, all associated with local government organizations, across up to 21 states. Last year, both Illinois and Arizona were told that their election offices or employees had been affected by a Russian effort.

The Arizona incident, in August 2016, at first seemed to be inconsequential. As the Washington Post reported at the time, Arizona’s secretary of state, Michele Reagan, shut down the voter registration system for nearly a week following a call from the FBI that a “credible” threat existed. It turned out that no compromise of the state’s systems had occurred, nor that of any Arizona county. A single election official in Gila County, Arizona, had had their username and password compromised when “a worker may have inadvertently downloaded a virus”. However, the username/password combination would only have provided access to the Gila County voting registration system.

The Illinois incident in July 2016, however, was more substantive. Thomas Kyle, director of voting and registration systems for the Illinois State Board of Elections, sent an email to all state election officials acknowledging that the breach had occurred on July 12 2016. Subsequently we learned the voter registration information for a “small percentage” of voters had indeed been accessed, but not altered or deleted.

Then, in August 2016, the FBI published an FBI Flash Alert, Targeting Activity Against State Board of Election Systems. The similarity between the FBI Flash Alert and the Illinois email? They both described how the actors could inject SQL database queries into states’ systems. Given the timing of the outreach by the FBI, the incidents in both states appear to be consistent with the “targeting” that both Manfra and the NSA describe in their analysis.

Add to this the contemporaneous activities that were going on at the Democratic National Committee, whose dirty laundry was put on show by the Fancy Bear hacker group, and it seems clear that the Russians were busy in the summer of 2016. Interestingly, we learned from homeland security secretary Jeh Johnson, during a separate hearing, that the DNC had turned away both the FBI and Homeland Security, instead relying on a private company to get to the bottom of who had ravaged their systems.

Despite all this, we would expect Russian president Vladimir Putin to deny that a Russian hand has been involved. And yes, he did not disappoint.

Hackers are free people. They are like artists. If they are in a good mood, they get up in the morning and begin painting their pictures. Hackers are the same. They wake up in the morning, they read about some developments in international affairs, and if they have a patriotic mindset, then they try to make their own contribution the way they consider right into the fight against those who have bad things to say about Russia.

Whether it is acknowledged or not, what the Russians have demonstrated is that their active campaign to sow doubt and uncertainty in the US election (and those of other nations) has been successful. And one thing’s for sure: this is not the last we’ve heard about the Russian meddling in the US election process, and if predictions are correct, it isn’t the last we’ve seen of their meddling either.

Source: Naked Security


Ransomware revisited – is it really the worst sort of malware? [Security SOS Week]

Created: 23 June 2017

Today’s Security SOS webinar is:

Ransomware revisited – is it really the worst sort of malware ever?

The event takes place at 2pm UK time (13:00 UTC, 15:00 CEST, 09:00 EDT), and consists of about 30 minutes of live interview, podcast-style, followed by 10 minutes of questions and answers.

(No slides to watch or diagrams to digest – think of it as an interactive radio programme on NPR or BBC Radio 4.)

Here’s what we’re covering today:

Recent stories suggest that ransomware is the worst sort of cyberattack you could experience. In truth, however, ransomware is more of a “worst among equals,” given all the other sorts of malware also out there.

Sophos security expert James Burchell is here to explain what to do when faced with a multitude of cyberthreats.

James has the enviable knack not only of explaining tricky problems in a way you can easily understand, but also of getting you fired up to go out and fix them!

Register now!


Missed Monday’s webinar?

Listen to Sophos VP John Shaw on the thorny issue of GDPR.

Missed Tuesday’s webinar?

Learn from Sophos expert Peter Mackenzie how to deal with phishing.

Missed Wednesday’s webinar?

Luke Groves explains how to take charge of security inside your organisation.

Missed Thursday’s webinar?

Fraser Howard tells you how to get rid of bots and zombies.

Source: Naked Security


Dating app boss sees ‘no problem’ on face-matching without consent

Created: 23 June 2017

A new “dating” — or maybe stalking — app is using facial recognition to help you date people who look like, say, your ex, or perhaps a celebrity, or then again, a random stranger you might have breathed at on the subway.

Why waste time with tedious swiping? Just upload a photo of someone you want to date — including yourself, as BuzzFeed suggests, à la Narcissus — and the app will use facial recognition to scan thousands of profile photos sourced from dating sites and apps to find people whose faces are similar to what you’re after.

Clicking on photos of the face matches will take you to their profiles on Tinder, Match, Plenty of Fish, and other dating apps. The app references don’t specify all the sites it checks against.

But Tinder, for one, doesn’t allow this kind of automated scraping of its API. Tinder told BuzzFeed that the company had “contacted the developer to inform them that the app is violating our terms, and we have been told that they will address the issue”.

Plenty of Fish, which, like Tinder, is owned by Match Group, said that the company is trying to get Dating.ai removed from the iTunes app store.

Heath Ahrens, the founder of Dating.ai, told BuzzFeed that it was “news to me” and that he didn’t see a problem:

If you’re on a dating app, you want to be found.

Ahrens also said that he and his team are “having … a [very] productive conversation with [Tinder]”. He compared the app to the airline industry-disrupting Expedia or Priceline. Instead of “name your own price,” it’s “name your own face”.

Ahrens said the idea for the app came when he and his team were looking around for ways to use facial recognition software they’d developed. After reading about another app that used Tinder’s API — called SwipeBuster, which promises to find out if your partner’s cheating on you with Tinder — they were inspired to use their technology on dating apps.

BuzzFeed quoted Ahrens:

When you have a bunch of single guys in the office, it goes in that direction. You wanna try your own dog food.

My, how very Uber of you.

According to the app listing on the Google Play store, the app comes from Haystack AI, which describes itself as focused on Artificial Intelligence Deep Learning Entertainment.

AI. Ah. That’s good to know. For a while there, I assumed it had something to do with Anguilla, the British territory in the Caribbean whose internet country code top-level domain is .ai, which led me to think that maybe Anguilla has different laws about facial recognition technology than here in the US.

As we’ve reported in the past, the Electronic Privacy Information Center (EPIC) considers the strongest relevant US law to be the Illinois Biometric Information Privacy Act, which prohibits the use of biometric recognition technologies without consent.

In fact, much of the world has banned face recognition software, EPIC points out. In one instance, under pressure from Ireland’s Data Protection Commissioner, Facebook disabled facial recognition in Europe: recognition that it was doing so without user consent.

So yes, depending on where you live, there are laws against facial recognition without consent. It’s not clear whether Dating.ai is breaking any of those laws … just as it wasn’t clear whether an app called Pornstar.ID, which promised to identify porn stars through reverse image lookup, fell foul of these laws.

A few months ago, we reported that Pornstar.ID had trained its neural network on upwards of 650,000 images of more than 7,000 female adult performers. We never did find out if those performers had agreed to having their biometrics scanned so as to train a neural network.

Dating.ai, for its part, lists these selling points on its Google Play listing:

  • First Dating App with Face Search
  • Don’t Waste Time Swiping
  • Find Your Type Fast
  • Free Celeb Search
  • Upload a Photo of Your Ex
  • Take a Photo of a Friend
  • See if You’re Being Catfished
  • Find Your Look-Alike
  • See if they’re on the Prowl

That last selling point is pretty much identical to those pushed by anti-cheating apps – such as Swipebuster, FlexiSPY and mSpy – which the courts on multiple occasions have interpreted as illegal surveillance technologies. Some users have been charged with wiretapping over their use. The head of at least one such app, StealthGenie, was indicted for selling spyware in October 2014.

I reached out to Dating.ai to ask if the developers are aware of laws that criminalize facial recognition without consent; what steps, if any, they’ve taken or could take to ensure that their app isn’t used by abusers to stalk current or ex partners; and for a comment on the need to protect people’s privacy and their right to freely associate without being surveilled.

I’ll update the article if I hear back.

Source: Naked Security


News in brief: AI comes to Mars; WannaCry hits speed cameras; Edge bounty program extended

Created: 22 June 2017

Your daily round-up of some of the other stories in the news

There’s (AI) life on Mars

We are increasingly used to self-driving vehicles and machine learning here on Earth, but now AI is helping an autonomous vehicle on Mars, too.

Curiosity Rover, the exploratory robot that landed on the Red Planet back in 2012, has been getting on with its mission of analysing rocks with direction from back on Earth – but now it’s increasingly choosing which rocks to analyse without any input from the home planet.

The AI software – Autonomous Exploration For Gathering Increased Science, or Aegis – has been rolling out for the past year, and has helped the robot pick which rocks to zap with its lasers for analysis. That “allows the rover to get more science done while Curiosity’s human controllers are out of contact”, said NASA on Wednesday.

The software means that if Curiosity gets to a new area before it can receive instructions from its humans, it can choose which rocks to zap for the scientists to examine later.

“Time is precious on Mars. Aegis allows us to make use of time that otherwise wasn’t available because we were waiting for someone on Earth to make a decision,” said Raymond Francis of NASA.

WannaCry hits Australian speed cameras

WannaCry, the ransomware that paralysed the UK’s National Health Service, among other organisations, last month, is still causing grief, with the latest outbreak hitting traffic cameras in the Australian state of Victoria.

Australia’s 3AW693 radio network reported that some 55 cameras had been infected, with local law enforcement authorities responding that “a system patch has been applied, which prevents the spread of the virus”, and adding that the outbreak had apparently been caused by connecting “infected hardware” to the cameras.

Local authorities added that the accuracy of the cameras hadn’t been hit, but said that if any motorists had been wrongly fined because of the outbreak, their fines would be withdrawn.

Microsoft extends Edge bug bounty program

Bug hunters, Microsoft has extended its bug bounty program for its Edge browser, having paid out more than $200,000 over the past 10 months.

Microsoft said in a blog post that the “collaboration with the research community has resulted in significant improvements in Edge security” and as a result, they are changing the Edge on Windows Insider Preview bounty scheme “from a time-bound to a sustained bounty program”.

Any vulnerabilities found must be reproducible on the most recent slow track of the Windows Insider Preview version of the browser, and critical remote code execution bugs or important design issues that hit privacy or security could earn a bounty; bounties range from $500 up to $15,000 – or possibly even more.

Catch up with all of today’s stories on Naked Security

Source: Naked Security


What does looking under the hood of your browser reveal about you?

Created: 22 June 2017

Imagine you’re running a nonprofit site dedicated to keeping seniors safe online. You write articles about conmen bilking people out of their life savings, romance scams, identity theft and the like.

One day, somebody recommends a chat app called Tawk that enables you to respond in real time when your visitors write in with questions. The price is right, particularly for a nonprofit: it is, in fact, free.

All you have to do is copy a simple line of JavaScript into the HTML of your website, and you’re off and running: the chat widget starts working instantly.

…as does your ability to see, in real time, everything your visitors type, even when they hit backspace and delete-delete-delete whatever thoughts first popped into their heads and which never made it into the fully baked, eventually sent message. “Whoa!” you well might think, if, in fact, you haven’t previously encountered how easy it is to set up a site to harvest form data before a user hits “submit.”

That’s precisely what happened to fellow Naked Security writer Christopher Burgess, who recently set up Tawk to work with Senior Online Security.

Christopher recorded a sample of the JavaScript wizardry that caught him by surprise. The video below captures what he saw when I stopped by the site, engaged him in chat, forgot that undercover investigative reporters aren’t supposed to tell anybody that they’re undercover and so backspaced over that detail (though obviously not before he saw me type it and captured the entry), and then threatened to report him to the FBI before changing my mind about entering that “just kidding!” notion into the form.

I come in around minute 1:10:

Note that Christopher recorded this chat just for the purposes of providing a demo. He normally wouldn’t be screen-capturing chats with site visitors. Nor does the Tawk app have an option of recording all keystrokes. But it’s worth keeping in mind that, clearly, Christopher, or anybody else at either end of an online chat, could record conversations if they chose… just as everything we type while in a browser can be tracked and logged, even if the characters are never displayed on screen.

We write about cursor tracking a fair amount, likely because people are often taken aback when they’re reminded that they’re being tracked online. In fact, one of the designers behind a site created to show users how tracking happens said that in spite of being “quite internet-aware”, she’s still very often “surprised that after I watched something on a website, a second later I get instantly personalized ads”.

That site, called ClickClickClick, was set up in November to track visitors and to show them exactly how they’re being tracked, including each and every pointer movement, x/y coordinates of where they moved, whether they zigzagged or moved straight, how many pixels their pointer traveled, how long they were inactive/active, what browser they’re using, when they leave the site, the time zone they’re in, whether they should actually be at work, and more. The designers’ intent: to remind people about the serious themes of big data and privacy.

There’s nothing unique about ClickClickClick’s tracking, just as there’s nothing unique about Tawk’s ability to track everything I enter into a form. Well, ok, there is one unique characteristic of ClickClickClick’s tracking: it’s upfront about it, displaying its tracking in an ongoing log that streams on-screen.

As for Tawk, there’s a unique slant there too – the app was seen from Christopher’s perspective. He hadn’t before had a glimpse into the tracking power typically tucked away from us as site visitors, but that power is evident to those who code sites. JavaScript makes it easy through “events” with names like onkeydown, onkeypress and onkeyup, which you can “hook” (i.e. connect to a JavaScript function of your choice) in order to allow precise control of the keyboard, such as for games and interactive browser apps.

What’s typically tucked away is the fact that capturing the X and Y coordinates of a mouse pointer is a simple task in JavaScript, and it has been for a very long time.
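To make the two points above concrete, here is an added example, not code from the article, from Tawk or from ClickClickClick: a small transparency log of the kind ClickClickClick shows its visitors, built only from the keyboard and pointer events the article names. The event stream and pointer path are constructed, so the functions run under Node without a browser; the optional block at the end wires them to live `keydown` and `mousemove` listeners when a document exists. It shows why backspaced text is still visible to page script: the observed transcript and the value the form would actually submit are two different things.

```javascript
// Added example (not the article's, Tawk's or ClickClickClick's code): a small
// transparency log showing what a page script can derive from the browser
// events the article names. The event stream below is constructed, so the
// functions run under Node without a DOM; the optional block at the end wires
// them to live 'keydown' and 'mousemove' events when a document exists.

// Constructed key events: the visitor types "I am undercover", backspaces over
// "undercover" and, after a long pause, types "fine". Timestamps (ms) are made up.
function typed(text, startT) {
  return text.split('').map((key, i) => ({ key, t: startT + i * 100 }));
}
const SAMPLE_KEYS = [
  ...typed('I am undercover', 0),
  ...Array.from({ length: 10 }, (_, i) => ({ key: 'Backspace', t: 1500 + i * 100 })),
  ...typed('fine', 6000),
];

// Constructed pointer path: straight down, back up, down again (a zigzag).
const SAMPLE_MOVES = [
  { x: 0, y: 0, t: 0 }, { x: 0, y: 100, t: 200 },
  { x: 0, y: 0, t: 400 }, { x: 0, y: 100, t: 600 },
];

// What the script observed: every key, including the ones later deleted.
function observedTranscript(events) {
  return events.map(e => (e.key === 'Backspace' ? '<BS>' : e.key)).join('');
}

// What the form would actually submit: the value after backspaces are applied.
function finalValue(events) {
  let value = '';
  for (const e of events) {
    if (e.key === 'Backspace') value = value.slice(0, -1);
    else if (e.key.length === 1) value += e.key; // ignore Shift, Enter, etc.
  }
  return value;
}

// Pixels travelled and a straightness ratio (net displacement / path length):
// 1 means a straight line, small values mean the visitor zigzagged.
function pointerStats(moves) {
  let path = 0;
  for (let i = 1; i < moves.length; i++) {
    path += Math.hypot(moves[i].x - moves[i - 1].x, moves[i].y - moves[i - 1].y);
  }
  const first = moves[0], last = moves[moves.length - 1];
  const net = Math.hypot(last.x - first.x, last.y - first.y);
  const straightness = path === 0 ? 1 : net / path;
  return { path, straightness, zigzag: straightness < 0.5 };
}

// Number of gaps between consecutive events longer than thresholdMs ("inactive").
function idlePeriods(events, thresholdMs) {
  const times = events.map(e => e.t).sort((a, b) => a - b);
  let idle = 0;
  for (let i = 1; i < times.length; i++) {
    if (times[i] - times[i - 1] > thresholdMs) idle++;
  }
  return idle;
}

// In a real page: subscribe to the same events and render the log on screen,
// the way ClickClickClick does, so the visitor sees exactly what is collected.
if (typeof document !== 'undefined') {
  const keys = [], moves = [];
  document.addEventListener('keydown', e => keys.push({ key: e.key, t: e.timeStamp }));
  document.addEventListener('mousemove', e => moves.push({ x: e.clientX, y: e.clientY, t: e.timeStamp }));
  setInterval(() => {
    console.log(observedTranscript(keys), '|', finalValue(keys), pointerStats(moves));
  }, 2000);
}
```

On the constructed stream, `finalValue` returns "I am fine" while `observedTranscript` still contains "undercover", which is exactly the gap between what the visitor thinks they sent and what any script on the page could have seen. The defensive takeaway is that this needs no special API: any script allowed to run on the page, first- or third-party, has these listeners available, so limiting which scripts a page loads (for example with a Content-Security-Policy) is the control that actually matters.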

Back in 2013, Facebook was mulling silently tracking users’ mouse movements to see which ads we like. Some reacted to the possibility by swearing off Facebook entirely.

It’s not just Facebook, though: any site can do it. It’s very easy and it’s very useful.

It’s the job of user interface designers to understand how people interact with web interfaces. Their job is to figure out where users have problems and how to improve their overall experience.

Collecting user behavior on sites enables those designers to work on issues such as where and why users drop off at a checkout page on an e-commerce site, for example.

They do it through mouse tracking, heat maps, click tracking, or eye tracking, among other techniques.

When we write about these subjects, readers often react with outrage. Fellow Naked Security writer Mark Stockley notes that people have a mental model of how the web works, and (incorrectly, but understandably) it doesn’t encompass voices, keystrokes, mouse movements and incomplete forms being harvested. They are shocked to find out that it’s possible at all, never mind that it’s easy.

Beyond that, the power of a single site’s tracking is multiplied exponentially, given that websites often include third-party code like AdWords or Facebook Like buttons, as well as content delivery networks (CDNs) for fast, local delivery of content. That means tens or hundreds of millions of websites share common elements served from a handful of domains. That handful of domains can set cookies on one site and read them on any other, thus tracking you across any site you visit that includes their code.

Mark has actually detailed how Twitter, for one, tracks the websites we visit and thus figures out how to target promoted tweets at individuals.

Do we have to worry about any one of the ad networks or trackers deciding to deploy “slurp your form data before you’ve finished” code that it then winds up disseminating on many millions of sites in the blink of an eye?

Fortunately, the big analytics players like Google provide aggregate views of where users click on pages, keeping the personally identifiable information (PII) out of it so that individual user sessions are anonymized. To do otherwise would be illegal, at least in the US. The Telecommunications Act prohibits sharing or selling “individually identifiable” customer information except under special circumstances, such as to enable your carrier to bill you or to help emergency services to locate you. Sorry, GoFundMe campaigns, no porn-surfing lists of named politicians or ISP industry leaders for you!

It’s worth noting, however, that Big Data can make anonymous data not all that anonymous after all. And Sarah Jamie Lewis, the doyen of .onion privacy, has concluded, after analyzing maps showing the centralization of the web via ad brokers, that “web privacy is dead”.

Should we worry about being tracked online?

Absolutely. Outfits like AddThis have already come up with exotic tracking techniques, such as invisible cookies that track us and that users can’t even delete.

Should we worry about an app like Tawk letting sites see what we enter into forms, even if it’s text we delete?

Yes, of course, particularly if we’re really paranoid. But if we’re that paranoid, we have no business touching a keyboard that’s attached to an internet-connected device.

We are all fish, and that kind of tracking is simply the water we swim in.

Source: Naked Security


Phishing campaign spoofs online auto brand, exposes stolen passwords

Created: 22 June 2017

Falling for a phishing scam is bad enough. When the bad guys keep your stolen account on a site so riddled with security holes that anyone can peek through, it’s like rubbing salt into the wound.

Researchers from SophosLabs found just such a site when investigating a phishing campaign that spoofed the site of mobile.de – the largest online vehicle marketplace in Germany.

Those managing the phishing site in question left its directory open for browsing, allowing anyone who gets there to see the usernames and passwords of phished accounts. The result is that the passwords stolen by the first group of thieves could have already been stolen again by someone else.

RELATED PODCAST: Phishing – How this troublesome crime is evolving

What happened

The campaign SophosLabs investigated was a classic case of phishing by SMS, the text messaging service built into most mobile phones. Though people have gotten better at not falling for traditional phishing scams that arrive by email on laptops and desktops, they remain susceptible to SMS phishing. Phones come with little or no anti-phishing protection beyond what the vendor provides, such as Safe Browsing in Chrome. And messages arrive on smaller screens, which makes it harder to spot forgeries.

In the case of this campaign, users who clicked the link in the SMS message were taken to a fake log-in page that looked like this:

Users who entered their credentials were then forwarded to the real site:

When SophosLabs researchers traced the activity back to the phishing site where stolen credentials were stored, they discovered that its root directory was open for all to see.

At one point the directory contained 210 accounts. That could have been the tip of the iceberg, because it was one of what was probably several sites used in the attack.

What to do?

The key to not ending up on one of these exposed sites is to avoid getting phished in the first place. The first step in defending oneself is to be more aware that mobile malware is a growing danger and that everything we’ve learned about phishing protection must be applied to these smaller devices.

Sophos is now protecting customers from this campaign. But some additional advice is in order:

  • Don’t be misled by domain names because they start with the text you expect – it’s the right-hand end of the URL that counts.

For example, Sophos owns sophos.com, which means we can use any and all subdomain names that end with that text string, such as partners.sophos.com, nakedsecurity.sophos.com, and so on. Many browsers deliberately highlight the text at the right-hand end, to remind you to look there first.

  • If you’re asked for personal data like your address and credit card number on an unencrypted web page, don’t enter it.

Crooks can easily get certificates for HTTPS these days, so just the presence of a padlock in the address bar doesn’t confirm you are at the right site. But the absence of a padlock on a page that wants a credit card is always wrong, even if it’s the right site. (Why trust a company that clearly doesn’t take even the most basic precautions with your personal data?)

  • Report scams and dodgy SMSs like this to your mobile operator.

Having real reports and genuine complaints “from the wild” makes it possible for the regulator to take action against scammers who might otherwise get away with it. Some scams are on the grey edge of legality, and it’s community consensus that helps the regulators redefine the boundaries of acceptable text messaging behavior.
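The first two pieces of advice above (look at the right-hand end of the host name; refuse to enter personal data on a non-HTTPS page) can be turned into a check that runs before a link is trusted. The following is an added example, not Sophos’s or Naked Security’s code. It approximates the “registrable domain” as the last two host labels, which is a deliberate simplification: real code would consult the Public Suffix List so that suffixes such as co.uk are handled. The look-alike host names are constructed under the reserved .test TLD; the real campaign’s URLs are not on the page.

```javascript
// Added example (not Sophos's or Naked Security's code): applying the first two
// pieces of advice to a link before trusting it. The registrable domain is
// approximated as the last two host labels; real code would use the Public
// Suffix List to handle suffixes such as co.uk. Look-alike hosts below are
// constructed under the reserved .test TLD.

// Right-hand end of the host name: "partners.sophos.com" -> "sophos.com",
// "mobile.de.phish-example.test" -> "phish-example.test".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Returns { ok, reason }. ok is true only when the host's registrable domain is
// the expected one AND the page is served over HTTPS. As the article notes, a
// padlock alone does not prove you are on the right site; its absence on a
// page asking for personal data is always wrong, so HTTPS is a necessary
// condition, never a sufficient one.
function checkLink(link, expectedDomain) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return { ok: false, reason: 'not a valid absolute URL' };
  }
  const domain = registrableDomain(url.hostname);
  if (domain !== expectedDomain.toLowerCase()) {
    return { ok: false, reason: `host ends in "${domain}", not "${expectedDomain}"` };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: 'page is not HTTPS; never enter personal data here' };
  }
  return { ok: true, reason: 'registrable domain matches and the page is HTTPS' };
}

// The mistake the advice warns about, for comparison: a plain string "ends
// with" test accepts "notsophos.com" because it ends with "sophos.com".
function naiveEndsWithCheck(link, expectedDomain) {
  return new URL(link).hostname.endsWith(expectedDomain);
}

// Constructed examples (paths and look-alike hosts are made up).
const EXAMPLES = [
  ['https://www.mobile.de/', 'mobile.de'],
  ['https://mobile.de.phish-example.test/login', 'mobile.de'],
  ['http://mobile.de/login', 'mobile.de'],
  ['https://notsophos.com/', 'sophos.com'],
];
for (const [link, expected] of EXAMPLES) {
  const r = checkLink(link, expected);
  console.log(`${r.ok ? 'OK  ' : 'WARN'} ${link}: ${r.reason}`);
}
```

Only the first example passes. The look-alike starts with the text a victim expects but ends in the attacker’s domain; the third is the right site over plain HTTP, which the advice says to refuse anyway; and the fourth shows why the check has to compare the registrable domain rather than the string’s tail.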

Source: Naked Security


Coming soon (maybe) to toyshops – AI doll that can read kids’ emotions

Created: 22 June 2017

There’s a new contestant in the competition to see what kind of Hell-spawn, technologically enhanced doll can freak us out the most.

As New Scientist reports, this one’s fitted with a camera and an artificial intelligence (AI) chip that can interpret children’s emotions. Eight of them, to be precise, including surprise and happiness, which it gleans from a camera in the doll’s head.


The doll is just one of a host of devices equipped with computer vision that are described in a paper titled Eyes of Things from a team at the University of Castilla-La Mancha, in Ciudad Real, Spain.

New Scientist quotes project leader Oscar Deniz:

In the near future, we will see a myriad of eyes everywhere that will not just be watching us, but trying to help us. [As AI chips get cheaper], we will have wearable devices, toys, drones, small robots, and things we can’t even imagine yet that will all have basic artificial intelligence.

The paper describes a new computer vision platform called Eyes of Things that could enable new applications and technologies such as deep learning, drones, home robotics, intelligent surveillance, wearable cameras, and yes, intelligent toys.

The emotion-reading doll described in the paper differs from its progenitor Hell-spawns in that it doesn’t need to send data off for processing in the cloud, where the privacy of children comes into play and breaches threaten exposure of things like children’s data and voices.

We saw that happen with CloudPets teddy toys around Christmas, with all user accounts and potentially up to 2.2m voice messages compromised by hackers who found the data, unprotected, using nothing more complicated than the Shodan IoT search engine.

A doll called Cayla suffered from noxious cloud syndrome, too: for one thing, it had a software vulnerability that allowed Cayla to be programmed to say anything – from Hannibal Lecter quotes to lines from 50 Shades Of Grey. In addition, according to security researcher Ken Munro, any device could connect with the doll via Bluetooth and therefore communicate with your child.

Good times, good times. Germany’s Bundesnetzagentur, the telecoms watchdog, called Cayla an “illegal espionage apparatus” that parents should destroy.

Other dolls that have raised privacy concerns include the internet-enabled, speech recognizing, joke-telling Barbie.

“Hello Barbie,” it was dubbed. That was followed by “Hell No Barbie”: the social media campaign that called Hello Barbie an “eavesdropping doll” that raised privacy concerns because recordings of children’s conversations are stored by the company – ToyTalk – that makes the voice recognition technology.

The emotion-reading doll would focus on data from cameras, rather than microphones. But as New Scientist notes, many of the issues around data privacy would be the same.

Just because emotions aren’t being analyzed in the cloud doesn’t mean that the relevant data couldn’t wind up being intercepted. The team’s paper doesn’t go into detail about how such a doll would work – they came up with a chip and put it into a doll, but that doll apparently hasn’t been turned into a retail toy yet – but it does mention low-power wireless technologies such as Bluetooth.

Bluetooth, as in, the way that you could pwn Cayla and get her to talk about a nice Chianti and fava beans.

The paper also mentions a series of API-based activities, including examples such as IF Angry face from EoT-1 email to my_address@my_company.com.

Oh? Meaning that the app/doll/platform/whatever device equipped with Eyes of Things computer vision chips can be set to recognize an angry face and trigger an email about it? Interesting!

The emotion-recognizing doll isn’t on shelves yet. It’s just a glint in the eye of its AI-programming parents at this point. Let’s hope that if and when it gets turned into a Christmas best-seller, all potential privacy and security issues have been ironed out beforehand.

We do not need another seed of Chucky or Twin Sister of Cayla!

Source: Naked Security


Botnets – malware that makes you part of the problem [Security SOS Week]

Created: 22 June 2017

Today’s Security SOS webinar is:

Botnets – the malware that makes you part of the problem

The event takes place at 2pm UK time (13:00 UTC, 15:00 CEST, 09:00 EDT), and consists of about 30 minutes of live interview, podcast-style, followed by 10 minutes of questions and answers.

(No slides to watch or diagrams to digest – think of it as an interactive radio programme on NPR or BBC Radio 4.)

Here’s what we’re covering today:

Unlike ransomware, which punches you straight in the digital face, “bots” or “zombies” work undercover in the background. Zombie malware quietly downloads instructions from cybercriminals on what to do next, such as grabbing passwords, stealing files, sending spam, and delivering malware.

Becoming infected with a bot therefore makes you part of the problem, not part of the solution. You’re giving the crooks a free hosting and content delivery service.

Learn from Fraser Howard, one of the world’s leading anti-malware researchers, how to dezombify your world.

If you haven’t heard Fraser in action before, you’ve really missed out: he doesn’t just understand his specialist subject inside out, he’s also brilliant at explaining it in plain words – security made genuinely interesting!

Register now!


Missed Monday’s webinar?

Listen to Sophos VP John Shaw on the thorny issue of GDPR.

Missed Tuesday’s webinar?

Learn from Sophos expert Peter Mackenzie how to deal with phishing.

Missed Wednesday’s webinar?

Luke Groves explains how to take charge of security inside your organisation.

Source: Naked Security

