Showing results for tags 'tracking'.
Found 72 results

  1. I IN NO WAY TAKE ANY CREDIT FOR THIS; IT WAS TAKEN FROM THE MDL FORUM AND SOME POSTS BY MEMBERS ON THIS FORUM!

     Manual:

     Tools:
     - Windows 10 Lite v7.1
     - Destroy Windows Spying v1.7 Build 100 [Works with Win 7/8/8.1/10]
     - Blackbird v6 v0.9.98 [Works with Win 7/8/8.1/10]
     - O&O ShutUp10 v1.5.1390.1
     - Spybot Anti-Beacon v1.6.0.42 [Works with Win 7/8/8.1/10]
     - W10Privacy v2.4.0.0
     - Win.Privacy v1.0.1.5 [Works with Win 7/8/8.1/10]
     - Disable Windows 10 Tracking v3.0.1
     - iSpy Privacy-X v3.0.0.0
  2. I've noticed "client_test/0.16.15.0" appearing as a "client" on some of my seeds. It does not download anything, but hangs out for hours, so I did a lookup on the IP addresses, which vary a bit. All come back the same:

     Registrant Name: Legal Department
     Registrant Organization: Amazon.com, Inc.
     Registrant Street: PO BOX 81226
     Registrant City: Seattle
     Registrant State/Province: WA

     I'm the sole seeder of some of these old media files. I'm surprised they even care. Does this mean Amazon loves me, or what? Should I expect chocolates or a SWAT team? :(
  3. Firefox: Always Open Site In Container Tab

     Mozilla added a much requested feature to Firefox's Container Tabs experiment recently that enables you to always open sites in a specific container. Container Tabs is an upcoming feature of the Firefox web browser that is available as a Test Pilot experiment, and in Firefox Nightly. Mozilla launched the Container Tabs experiment a couple of months ago as a Test Pilot experiment. We already talked about the feature in 2016, when it was revealed for the first time. Called Containers back then, it allowed participants to load websites in containers. A container is a closed environment which uses custom storage for some data to separate it from the main Firefox data storage and other containers. This is useful for quite a few things, for instance to limit tracking, to sign in to the same web service at the same time in the same browser window, or to separate work from entertainment websites.

     Firefox: Always open site in Container Tab

     In the closing words under the original article here on Ghacks, I mentioned that I'd like to see Mozilla add features to Container Tabs that I think would improve the feature significantly. Among the features was a request to restrict sites to certain containers. This made sense in my opinion, as it would allow you to load bank websites in the security container, work related sites and services in the work container, and so on. Mozilla has added the functionality to the latest version of the Container Tabs experiment. Note that this feature has not landed yet in the Firefox Nightly implementation of Containers. A small informational panel is opened when you click on the Container Tabs icon in the Firefox toolbar after installation or update of the add-on in the browser. It highlights that the "always open sites in the containers you want" option is now available. To use it, you right-click inside a container tab to assign the site to the loaded container. You may also right-click on the Container Tabs icon in the Firefox toolbar to check the option. A prompt is loaded the next time you load the site in Firefox. In fact, this prompt is loaded each time you open the site, unless you check the "remember my decision for this site" option. If you check the box, the prompt is not displayed anymore. You can disable the loading of a site in a container tab by right-clicking either on the site or on the icon while the site is loaded in the active tab.

     Verdict

     Mozilla continues its work on the upcoming Container Tabs feature. While it is still possible that the feature won't land in Firefox, it seems very likely that it will land eventually. My hope is that Mozilla will address my other feature requests, especially the option to clear data only in a single container tab, in future updates. (via Sören Hentzschel)

     Now You: What is your take on the improvement and Container Tabs in general? Source
  4. Chrome: Sites May Record Audio/Video Without Indication

     Websites may abuse WebRTC in Google Chrome to record audio or video using the technology without any indication of that to the user. A security vulnerability was reported to Google on April 10, 2017 which allows an attacker to record audio or video using Chrome without indication. Most modern web browsers support WebRTC (Web Real-Time Communications). One of the benefits of WebRTC is that it supports real-time communication without the use of plugins. This includes options to create audio and video chat services, p2p data sharing, screen sharing, and more using the technology. There is also a downside to WebRTC, as it may leak local IP addresses in browsers that support WebRTC. You can protect the IP address from being revealed in Firefox, Chrome and Vivaldi, for instance.

     The reported vulnerability affects Chrome, but it may affect other web browsers as well. For it to work, you'd have to visit a site and allow it to use WebRTC. The site that wants to record audio or video would then spawn a JavaScript window without a header, for instance a pop-under or pop-up window. It can then record audio or video without giving any indication in Chrome that this is happening. Chrome usually displays recording indicators in the tab that uses the functionality, but since the JavaScript window is headerless, nothing is shown to the user. A proof of concept was created which you find linked on the Chromium Bugs website. All you need to do is click on two buttons, and allow the site to use WebRTC in the web browser. The proof of concept demo records audio for 20 seconds, and gives you an option afterwards to download the recording to the local system.

     A Chromium team member confirmed the existence of the issue, but did not want to call it a vulnerability. The explanation does not make a whole lot of sense to me. Because Android does not show an indicator in the first place, and Chrome on the desktop only if enough interface space is available, it is not a security vulnerability? At the very least, it is a privacy issue and something that users need to be aware of. While users do have to trust sites enough to give them permission to use WebRTC, that and the fact that the site needs to launch a popup window are the only things needed to exploit this. Google may improve the situation in the future, but users are on their own right now when it comes to that. The best form of protection is to disable WebRTC, which can be done easily if you don't require it; the second best is to allow only trusted sites to use WebRTC. If you allow a site to use WebRTC, you may want to look out for any other windows that it may spawn afterwards on top of that.

     Now You: Do you use services or apps that use WebRTC? Source
  5. Both paid and unpaid apps can track your data. The apps pictured may not, but it's hard to know which do and which don't.

     Anyone who spends much time online knows the saying: "If you're not paying, you're the product". That's not exactly correct. On the internet, you're nearly always the product. And while most internet users know that some of their personal data is being collected and monetised, few are aware of the sheer scale of the issue, particularly when it comes to apps. In fact, our research suggests a majority of the top 100 paid and free Google Play apps in Australia, Brazil, Germany and the US contain at least one tracker. This means data could be collected for advertising networks as well as for payment providers. This is just the beginning. As voice-activated intelligent assistants like Siri or Google Now evolve and replace the need for apps on our smartphones, the question of what is being done with our data will only grow more complicated.

     Nothing is free

     The difference between what apps actually do with user data and what users expect them to do was apparent in the recent Unroll.Me scandal. Unroll.me is a free online service that cleans email inboxes by unsubscribing the user from unnecessary emails. But many were dismayed when the company was recently discovered to be monetising their mail content. For example, Unroll.me was reportedly looking for receipts of the ridesharing company Lyft in user emails and selling that information to Uber. Unroll.me's CEO apologised, saying the company needed to do a better job of disclosing its use of data. But who is in the wrong? Consumers for thinking they were getting a service for free? Or the service provider, who should inform customers of what they're collecting? The question is even more intriguing when it comes to mobile apps. In fact, compared to online services that usually access a few facets of a user's personal profile, mobile apps can conveniently tap into a range of personal data such as location, message content, browser history and app installation logs. They do this using third-party libraries embedded in their code, and these libraries can be very intrusive.

     How libraries work

     Libraries are third-party trackers used by app developers so they can integrate their products with external services. These may include advertising networks, social media platforms and payment gateways such as PayPal, as well as tools for tracking bugs and crashes. In our study, carried out in 2015, we analysed tracking libraries in the top-100 free and top-100 paid apps in Australia, Brazil, Germany and the US, revealing some concerning results. Approximately 90% of the top free apps and 60% of the top paid apps in the Google Play Store had at least one embedded tracker. For both free and paid apps in the study, Google Ads and Flurry were the two most popular trackers and were integrated with more than 25% of the apps. Other frequently observed libraries include Chartboost, Millennial Media, Google Analytics and Tapjoy. The top trackers were also likely to be present in more than one app, meaning these libraries receive a rich dataset about the user.

     [Figure: A summary of the study of top-100 free and paid apps in the Google Play Store. NICTA, Author provided]

     Of course, these numbers could have changed in the two years since our research was published, although recent studies suggest the trend has largely continued. It's also possible these libraries are present without collecting data, but it's nonetheless disturbing to see the presence of so many trackers in paid apps that have an alternative business model.

     What lies ahead?

     So what can you do if you don't want to be tracked? Use your judgement when giving apps permission to access your data by first asking questions such as, "does this game really need to know my phone number?" Consider using mobile anti-virus and privacy advisory apps such as Lookout Security & Antivirus, Mobile Security and Antivirus, and PrivMetrics (this app is a beta release by Data61). Ultimately, however, these solutions barely touch the surface of a much larger issue. In the near future, apps may be replaced by built-in services that come with a smartphone's operating system. The intelligent personal assistant by Google, Google Now, for example, could eliminate the need for individual transport, messenger, news and weather apps, as well as some financial apps. These services, otherwise known as aggregator platform services, could build extensive profiles that cover several aspects of our online and offline behaviour. When used, they have access to an incredibly broad range of our activities, not to mention our location. Still, app users have so far been willing to exchange their data for convenience. There's little reason to believe that trend will not continue.

     Article source
  6. New Vault 7 leaks show CIA can install persistent malware on OS X and iOS devices

     A new trove of documents belonging to WikiLeaks' Vault 7 leaks, dubbed "Dark Matter", reveals that Apple devices including Macs and iPhones have been compromised by the CIA. They are affected by firmware malware, meaning that even a re-installation of the operating system will not fix the device. The CIA's Embedded Development Branch (EDB) has created several tools for exploiting Apple devices; these include:

     - Sonic Screwdriver: allows an attacker to boot its malware from peripheral devices such as a USB stick.
     - DarkSeaSkies: an "implant" that persists in the EFI firmware of MacBook Air computers. It consists of "DarkMatter", "SeaPea" and "NightSkies", which affect EFI, kernel-space, and user-space respectively.
     - Triton: macOS malware.
     - Dark Mallet: Triton infector.
     - DerStake: EFI-persistent version of Triton.

     The documents show that DerStake was at version 1.4 as of 2013, but other documents show that as of 2016, the CIA was working on DerStake 2.0. According to WikiLeaks, NightSkies can infect Apple iPhones; the organisation said what's noteworthy is that NightSkies has been able to infect iPhones since 2008. The CIA documents say NightSkies is a "beacon/loader/implant tool". It is "expressly designed" to be physically installed onto factory fresh iPhones, meaning the CIA has been intercepting the iPhone supply chain of its targets since at least 2008. "Dark Matter" is just the latest release of documents from the wider Vault 7 leaks; more CIA documents are expected in the future.

     Main Source: Wikileaks Source
  7. Facebook Bans Devs From Creating Surveillance Tools With User Data

     Without a hint of irony, Facebook has told developers that they may not use data from Instagram and Facebook in surveillance tools. The social network says that the practice has long been a contravention of its policies, but it is now tidying up and clarifying the wording of its developer policies. The American Civil Liberties Union, Color of Change and the Center for Media Justice put pressure on Facebook after it transpired that data from users' feeds was being gathered and sold on to law enforcement agencies. The re-written developer policy now explicitly states that developers are not allowed to "use data obtained from us to provide tools that are used for surveillance." It remains to be seen just how much of a difference this will make to the gathering and use of data, and there is nothing to say that Facebook's own developers will not continue to engage in the same practices. Deputy chief privacy officer at Facebook, Rob Sherman, says:

     Transparency reports published by Facebook show that the company has complied with government requests for data. The secrecy such requests and dealings are shrouded in means that there is no way of knowing whether Facebook is engaged in precisely the sort of activity it is banning others from performing. Source
  8. Security flaws smash worthless privacy protection

     Analysis

     To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values. In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers. It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into an affiliate shop with the same creepy system present. This could be used to alert assistants, or to follow people from department to department, store to store, and then sell that data to marketers and ad companies. Public wireless hotspots can do the same. Transport for London in the UK, for instance, used these techniques to study Tube passengers. Regularly changing a device's MAC address is supposed to defeat this tracking. But it turns out to be completely worthless, due to a combination of implementation flaws and vulnerabilities. That, and the fact that MAC address randomization is not enabled on the majority of Android phones. In a paper published on Wednesday, US Naval Academy researchers report that they were able to "track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames." Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also identify several alternative deanonymization techniques that work against certain types of devices. Cellular radio hardware has its own set of security and privacy issues; these are not considered in the Naval Academy study, which focuses on Android and iOS devices.

     Each 802.11 network interface in a mobile phone has a 48-bit MAC address layer-2 hardware identifier, one that's supposed to be persistent and globally unique. Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to buy a block of MAC addresses for their networking products: the manufacturer is assigned a three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional three-byte identifier that can be set to any value. Put those six bytes together, and you've got a 48-bit MAC address that should be globally unique for each device. The IEEE's registration system makes it easy to identify the maker of a particular piece of network hardware. The IEEE also provides the ability to purchase a private OUI that's not associated with a company name, but according to the researchers "this additional privacy feature is not currently used by any major manufacturers that we are aware of." Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses can be used in situations where global uniqueness is not required. These CID numbers tend to be used for MAC address randomization and are usually transmitted when a device unassociated with a specific access point broadcasts 802.11 probe requests, the paper explains. The researchers focused on devices unassociated with a network access point, as might happen when walking down the street through various Wi-Fi networks, rather than those associated and authenticated with a specific access point, where the privacy concerns differ and unique global MAC addresses come into play.

     Unmasking

     Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol can be used to reverse engineer a device's globally unique MAC address through a technique called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study builds upon that work by focusing on randomized MAC address implementations. The researchers found that "the overwhelming majority of Android devices are not implementing the available randomization capabilities built into the Android OS," which makes such Android devices trivial to track. It's not clear why this is the case, but the researchers speculate that 802.11 chipset and firmware incompatibilities might be part of it.

     Samsung v Apple

     Surprisingly, Samsung devices, which accounted for 23 per cent of the researchers' Android data set, show no evidence of implementing MAC address randomization. Apple, meanwhile, introduced MAC address randomization in iOS 8, only to break it in iOS 10. While the researchers were evaluating devices last year, Apple launched iOS 10 and changed its network probe broadcasts to include a distinct Information Element (IE), data added to Wi-Fi management frames to extend the Wi-Fi protocol. "Inexplicably the addition of an Apple vendor-specific IE was added to all transmitted probe requests," the paper explains. "This made identification of iOS 10 Apple devices trivial regardless of the use of MAC address randomization." This shortcoming aside, Apple handles randomization correctly, in the sense that it properly randomizes the full 48 bits available for MAC addresses (with the exception of the Universal/Local bit, set to distinguish between global MAC addresses and the local ones used for randomization, and the Unicast/Multicast bit). The researchers find this interesting because the IEEE charges a fee for using the first three bytes of that space for CID prefixes, "meaning that Apple is freely making use of address space that other companies have paid for." In a phone interview with The Register, Travis Mayberry, assistant professor at the US Naval Academy and one of the paper's co-authors, expressed surprise that something like 70 per cent of Android phones tested did not implement MAC address randomization. "It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was supposed to do."

     'Closest to being pretty good'

     Apple, meanwhile, fared better in terms of effort, though not results. "Apple is the closest to being pretty good," Mayberry said, but noted that Apple devices, despite the advantage of hardware consistency, are still vulnerable to an RTS (Request to Send) attack. Sending RTS frames to an Apple phone forces the device to reveal its globally unique MAC address, rather than the randomized one normally presented to the hotspot. "No matter how hard you try, you can't defend against that because it's a property of the wireless chip itself," said Mayberry. There was a single Android phone that fared well. "The one Android phone that was resistant to our passive attacks was the CAT S60 which is some kind of 'tough' phone used on construction sites and the like," Mayberry explained in an email. "It did not have a recognizable fingerprint and did not ever transmit its global MAC except when associating. It was still vulnerable to our active RTS attack though, since like I said, that is a problem with the actual chips and affects every phone." Mayberry was at a loss to explain why Apple shot itself in the foot by adding a trackable identifier to a system that previously worked well. "I initially thought it might be to support some of the 'continuity' features where multiple Apple devices can discover and exchange stuff like open browser tabs and clipboard contents but that came out in earlier versions of iOS," he said. "It also might be linked to the HomeKit features that they added in iOS to control IoT devices. Basically it would have to be to purposefully identify and discover other Apple devices that are not associated, otherwise we wouldn't see it in probe requests. All of this is pure speculation though and we really don't have a strong reason for it." Mayberry said he hoped the research would help the industry understand the consequences of everyone doing things differently. There's no generally accepted way to handle MAC address randomization. "There are so many phones not using it," he said. "There should be a standard."

     By Thomas Claburn
     https://www.theregister.co.uk/2017/03/10/mac_address_randomization/
  9. Microsoft's Obscure 'Self Service for Mobile' Office Activation

     Microsoft requires a product activation after installation. Users of Microsoft Office are currently facing trouble during telephone activation. After dealing with this issue, I came across another obscure behavior, Microsoft's 'Self Service for Mobile' solution to activate Microsoft Office via mobile devices. Microsoft describes how to activate Microsoft Office 2013, 2016 and Office 365 within this document. There are several possibilities to activate an installed product, via Internet or via telephone for instance. Activation by phone is required if the maximum Internet activation threshold is reached.

     But Office activation by phone fails

     Within my blog post Office Telephone activation is no longer supported error I've addressed the basic issue. If a user re-installs Office, the phone activation fails. The activation dialog box shows the message "Telephone activation is no longer supported for your product". Microsoft has confirmed this issue for Office 2016 users having a non-subscriber installation. But users of Microsoft Office 2010 or Microsoft Office 2013 are also affected.

     A blog reader posted a tip: Use Mobile devices activation…

     I've posted an article Office 2010: Telefonaktivierung eingestellt? – Merkwürdigkeit II about the Office 2010 telephone activation issue within my German blog, back in January 2017. Then a reader pointed me within a comment to a Self Service for Mobile website. The link http: // bit.ly/2cQPMCb, shortened by bit.ly, points to a website https: // microsoft.gointeract.io/mobileweb/… that provides an ability to activate Microsoft Office (see screenshot below). After selecting a 6 or 7 Digits entry, an activation window with numerical buttons to enter the installation id will be shown (see screenshots shown below). The user has to enter the installation id and receives the activation id, plain and simple. Some users commented within my German blog that this feature works like a charm.

     Obscurity, conspiracy, oh my God, what have they done?

     I didn't inspect the posted link until writing last Friday's blog post Office Telephone activation is no longer supported error. My idea was to mention the "Self Service for Mobile" page within the new article. I managed to alter the link to direct it to the English Self Service for Mobile language service site. Suddenly I noticed that both the German and the English "Self Service for Mobile" sites use https, but are flagged as "unsecure" in Google Chrome (see the screenshot below, showing the German edition of this web page). The popup shown for the web site "Self Service for Mobile" says that there is mixed content (images) on the page, so it's not secure. That caught my attention, and I started to investigate the details. Below are the details for the German version of the web site shown in Google Chrome (but the English web site has the same issues). First of all, I noticed that the "Self Service for Mobile" site doesn't belong to a microsoft.com domain, in my view a must for a Microsoft activation page. Inspecting the details, I found out the site contains mixed content (an image contained within the site was delivered via http). The content of the site was also delivered by Cloudflare (I've never noticed that case for MS websites before). The image flagged in the mixed content issue was the Microsoft logo, shown within the site's header, transferred via http. The certificate was issued by Go Daddy (a US company) and expires in March 2017. I've never noticed that Go Daddy belongs to Microsoft. I came across Go Daddy during analyzing a phishing campaign months ago. A compromised server, used as a relay by a phishing campaign, has been hosted (according to Whois records) by Go Daddy. But my takedown notice sent to Go Daddy has never been answered. That set all alarm bells ringing in my head, because it's a typical behavior used in phishing sites. Also my further findings didn't calm the alarm bells in my head. The subdomain microsoft used above doesn't belong to a Microsoft domain; it points to a domain gointeract.io. Trying to obtain details about the owner of gointeract.io via WhoIs ended with the following record:

     Domain : gointeract.io
     Status : Live
     Expiry : 2021-03-14
     NS 1 : ns-887.awsdns-46.net
     NS 2 : ns-1211.awsdns-23.org
     NS 3 : ns-127.awsdns-15.com
     NS 4 : ns-1980.awsdns-55.co.uk
     Owner OrgName : Jacada
     Check for 'gointeract.sh' --- http://www.nic.sh/go/whois/gointeract.sh
     Check for 'gointeract.ac' --- http://www.nic.ac/go/whois/gointeract.ac

     Pretty short, isn't it? No Admin-C, no contact person, and Microsoft isn't mentioned at all, but the domain has been registered till 2021. The Owner OrgName Jacada was unknown to me. Searching the web didn't give me more insights at first. Overall, the whole site looks obscure to me. The tiny text, shown within the browser's lower left corner, was a hyperlink. The German edition of the "Self Service for Mobile" site opens a French Microsoft site; the English site opens an English Microsoft site. My first conclusion was: Hell, I was tricked by a phishing comment; somebody set up this site to grab installation ids of Office users. So I deactivated the link within the comment and I posted a warning within my German blog post not to use this "Self Service for Mobile" site. I also tried to contact the user who had posted the comment via e-mail.

     … but "Microsoft" provides these links …

     User JaDz responded immediately in an additional comment, and wrote that the link shortened via bit.ly had been sent from Microsoft via SMS, after he tried the telephone activation and selected the option to activate via a mobile device. I hadn't noticed that before, so my conclusion was: Hell, this obscure "Self Service for Mobile" site is indeed related to Microsoft. Then I started again a web search, but this time with the keywords Jacada and Microsoft. Google showed several hits, pointing to the site jacada.com (see screenshot below). It seems that Jacada is a kind of service provider for several customers. I wasn't able to find Microsoft within the customer references. But I know that Microsoft uses external services for some activities. Now I suppose that somebody from Jacada set up the "Self Service for Mobile" activation site. The Ajax code used is obviously able to communicate with Microsoft's activation servers and obtain an activation id. And Microsoft's activation mechanism provides an option to send the bit.ly link via SMS.

     Closing words: Security by obscurity?

     At this point I was left really puzzled. We are not talking about a startup located within a garage. We are dealing with Microsoft, a multi-billion company that claims to run highly secured and trustable cloud infrastructures worldwide. But what's left, after we wipe off the marketing stuff? The Office activation via telephone is broken (Microsoft confirmed that, after it was reported by customers!). A customer in need to activate a legally owned, but re-installed, Microsoft Office is facing a nasty situation. Telephone activation is refused; the customers will be (wrongly) notified that this option is no longer supported. Internet activation is refused due to "too many online activations". Well done. But we are not finished yet. They set up a "Self Service for Mobile" activation site in a way that is frequently used by phishers. They are sending links via SMS to this site requesting to enter sensitive data like install ids. A site that is using mixed content via https, and is displaying an activation id. In my eyes a security nightmare. But maybe I've overlooked or misinterpreted something. If you have more insights or an idea, or if my assumptions are wrong, feel free to drop a comment. I will try to reach out and ask Microsoft for a comment about this issue.

     Article in German Source
     Alternate Source reading - AskWoody: Born: Office activation site controlled by a non-Microsoft company
  10. Four in Five Britons Fearful Trump Will Abuse their Data More than three-quarters of Britons believe incoming US President Donald Trump will use his surveillance powers for personal gain, and a similar number want reassurances from the government that data collected by GCHQ will be safeguarded against such misuse. These are the headline findings from a new Privacy International poll of over 1600 Brits on the day Trump is inaugurated as the 45th President of the most powerful nation on earth. With that role comes sweeping surveillance powers – the extent of which was only revealed after NSA whistleblower Edward Snowden went public in 2013. There are many now concerned that Trump, an eccentric reality TV star and gregarious property mogul, could abuse such powers for personal gain. That’s what 78% of UK adults polled by Privacy International believe, and 54% said they had no trust that Trump would use surveillance for legitimate purposes. Perhaps more important for those living in the United Kingdom is the extent of the information sharing partnership between the US and the UK. Some 73% of respondents said they wanted the government to explain what safeguards exist to ensure any data swept up by their domestic secret services doesn’t end up being abused by the new US administration. That fear has become even more marked since the passage of the Investigatory Powers Act or 'Snoopers’ Charter', which granted the British authorities unprecedented mass surveillance and hacking powers, as well as forcing ISPs to retain all web records for up to 12 months. Privacy International claimed that although it has privately been presented with documents detailing the info sharing partnership between the two nations, Downing Street has so far refused to make the information public. 
The rights group and nine others are currently appealing to the European Court of Human Rights to overturn a decision by the Investigatory Powers Tribunal (IPT) not to release information about the rules governing the US-UK agreement. “UK and the US spies have enjoyed a cosy secret relationship for a long time, sharing sensitive intelligence data with each other, without parliament knowing anything about it, and without any public consent. Slowly, we’re learning more about the staggering scale of this cooperation and a dangerous lack of sufficient oversight,” argued Privacy International research officer, Edin Omanovic. “Today, a new President will take charge of US intelligence agencies – a President whose appetite for surveillance powers and how they’re used put him at odds with British values, security, and its people… Given that our intelligence agencies are giving him unfettered access to massive troves of personal data, including potentially about British people, it is essential that the details behind all this are taken out of the shadows.” Source
  11. Mozilla: The Internet Is Unhealthy And Urgently Needs Your Help Mozilla argues that the internet's decentralized design is under threat by a few key players, including Google, Facebook, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce, and search. Can the internet as we know it survive the many efforts to dominate and control it, asks Firefox maker Mozilla. Much of the internet is in a perilous state, and we, its citizens, all need to help save it, says Mark Surman, executive director of Firefox maker the Mozilla Foundation. We may be in awe of the web's rise over the past 30 years, but Surman highlights numerous signs that the internet is dangerously unhealthy, from last year's Mirai botnet attacks, to market concentration, government surveillance and censorship, data breaches, and policies that smother innovation. "I wonder whether this precious public resource can remain safe, secure and dependable. Can it survive?" Surman asks. "These questions are even more critical now that we move into an age where the internet starts to wrap around us, quite literally," he adds, pointing to the Internet of Things, autonomous systems, and artificial intelligence. In this world, we don't use a computer, "we live inside it", he adds. "How [the internet] works -- and whether it's healthy -- has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies." Surman's call to action coincides with nonprofit Mozilla's first 'prototype' of the Internet Health Report, which looks at healthy and unhealthy trends that are shaping the internet. Its five key areas include open innovation, digital inclusion, decentralization, privacy and security, and web literacy. Mozilla will launch the first report after October, once it has incorporated feedback on the prototype. That there are over 1.1 billion websites today, running on mostly open-source software, is a positive sign for open innovation. 
However, Mozilla says the internet is "constantly dodging bullets" from bad policy, such as outdated copyright laws, secretly negotiated trade agreements, and restrictive digital-rights management. Similarly, while mobile has helped put more than three billion people online today, there were 56 internet shutdowns last year, up from 15 shutdowns in 2015, it notes. Mozilla fears the internet's decentralized design, while flourishing and protected by laws, is under threat by a few key players, including Facebook, Google, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce and search. "While these companies provide hugely valuable services to billions of people, they are also consolidating control over human communication and wealth at a level never before seen in history," it says. Mozilla approves of the wider adoption of encryption today on the web and in communications but highlights the emergence of new surveillance laws, such as the UK's so-called Snooper's Charter. It also cites as a concern the Mirai malware behind last year's DDoS attacks, which abused unsecured webcams and other IoT devices, and is calling for safety standards, rules and accountability measures. The report also draws attention to the policy focus on web literacy in the context of learning how to code or use a computer, which ignores other literacy skills, such as the ability to spot fake news, and separate ads from search results. Source Alternate Source - 1: Mozilla’s First Internet Health Report Tackles Security, Privacy Alternate Source - 2: Mozilla Wants Infosec Activism To Be The Next Green Movement
  12. Chinese Citizens Can Be Tracked In Real Time

A group of researchers have revealed that the Chinese government is collecting data on its citizens to an extent where their movements can even be tracked in real time using their mobile devices. This discovery was made by The Citizen Lab at the University of Toronto's Munk School of Global Affairs, which specializes in studying the ways in which information technology affects both personal and human rights worldwide. It has been known for some time that the Chinese government employs a number of invasive tactics to be fully aware of the lives of its citizens. Citizen Lab was, however, able to discover that the government has begun to monitor its populace using apps and services designed and run by the private sector. The discovery was made when the researchers began exploring Tencent's popular chat app WeChat, which is installed on the devices of almost every Chinese citizen, with 800 million active users each month. Citizen Lab found that not only does the app help the government censor chats between users but that it is also being used as a state surveillance tool. WeChat's restrictions even remain active for Chinese students studying abroad. Ronald Deibert, a researcher at Citizen Lab, offered further insight on the team's discovery, saying: "What the government has managed to do, I think quite successfully, is download the controls to the private sector, to make it incumbent upon them to police their own networks". To make matters worse, the data collected by WeChat and other Chinese apps and services is currently being sold online. The Guangzhou Southern Metropolis Daily led an investigation that found that large amounts of personal data on nearly anyone could be purchased online for a little over a hundred US dollars. The newspaper also found another service that offered the ability to track users in real time via their mobile devices.
Users traveling to China anytime soon should be extra cautious as to their activities online and should think twice before installing WeChat during their stay. Published under license from ITProPortal.com, a Future plc Publication. All rights reserved. Source
  13. Anti-Tracking Extension Privacy Badger 2.0 Is Out

The Electronic Frontier Foundation released their anti-tracking extension Privacy Badger 2.0 for Firefox, Chrome and Opera yesterday. The extension is designed to prevent online tracking, which is fundamentally different from how ad blockers operate. Instead of blocking scripts outright, Privacy Badger 2.0 will only block trackers. This means that ads may still be displayed, but that the extension puts an end to techniques that sites use to "follow" users around the web. The add-on places an icon in the browser's main toolbar that you interact with. It highlights the number of trackers that it blocked on a site, and displays options to allow individual trackers, or block domains that the extension did not detect as trackers.

You are probably wondering how Privacy Badger 2.0 differs from the initial Privacy Badger released in 2014, and Privacy Badger 1.0 released in 2015. To find out, we have to dig deep, as the EFF's own press release does not give details on that. We have to look at the add-on stores to find out about the changes. Support for Firefox's multi-process architecture E10s is probably the biggest improvement over previous versions. Mozilla is still rolling out the feature to devices running the stable version of the Firefox web browser. Compatibility means that you can run Privacy Badger 2.0 alongside multi-process Firefox without major issues. Privacy Badger 2.0 may also be installed on Firefox Mobile for Android. This goes hand in hand with Privacy Badger sharing a code base now. Existing users of the extension may also notice performance improvements; the EFF refers to them as "huge", but mileage may vary. At least on my system, it is still not super fast. But there is more. Privacy Badger 2.0 may block WebRTC from leaking local IP addresses.
Please note that this feature appears to be only available in the Chrome / Opera version of Privacy Badger 2.0, and not in the Firefox version. You find the option under "general settings" in the Privacy Badger options. You find the new "manage data" option in the settings as well. This enables you to import or export user data that includes whitelisted domains and filter settings. Privacy Badger 2.0 blocks so-called HTML5 pings as well in the new version, and will break fewer sites according to the EFF. Last but not least, it will also forget data when private browsing mode or incognito mode are used by the user. Firefox users reported that the extension breaks Google Docs for them, and there specifically Google Sheets.

Closing Words

Privacy Badger 2.0 is a major release, but it has its issues right now on Firefox. Google Sheets crashing and WebRTC missing are just two of the reported issues right now that plague the Firefox version of the privacy add-on. If you do use it on Firefox, you had better wait until those issues are sorted out before you upgrade to the new version.
Source

Changelog: New features with 2.0 & 2.0.1:

Version 2.0.1 - Firefox Extension: Sanitize origin and action in popup

Version 2.0 of Privacy Badger includes many improvements for users and developers, including:
- Support for "incognito" or "private" browsing
- Import/export capabilities, so you can export a backup of what Privacy Badger has learned about your tracker-blocking needs and import that into another browser
- Fixes to "break" fewer websites, ensuring that you can both block trackers and enjoy rich content
- Improved user interface translation for non-English-speaking users
- Blocks to prevent WebRTC from leaking your IP address
- Blocks to prevent HTML5 "ping" tracking
- Notable speed improvements (Firefox only)
- Multiprocess Compatibility (E10S) (Firefox only)
- A single code base for both the Firefox and Chrome versions

Downloads:
Details & FAQ: https://www.eff.org/privacybadger
Firefox: https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/
Firefox [Optional Direct]: https://www.eff.org/files/privacy-badger-latest.xpi
Opera: https://addons.opera.com/en/extensions/details/privacy-badger/?display=ru or https://addons.opera.com/extensions/download/privacy-badger/
Chrome: https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp
Chromium browsers [Optional Direct]: https://www.eff.org/files/privacy_badger-chrome.crx
  14. Uber Knows Where You Go, Even After Ride Is Over

Uber's iOS popup asking for new surveillance permissions. “We do this to improve pickups, drop-offs, customer service, and to enhance safety.”

As promised, Uber is now tracking you even when your ride is over. The ride-hailing service said the surveillance—even when riders close the app—will improve its service. The company now tracks customers from when they request a ride until five minutes after the ride has ended. According to Uber, the move will help drivers locate riders without having to call them, and it will also allow Uber to analyze whether people are being dropped off and picked up properly—like on the correct side of the street. "We do this to improve pickups, drop-offs, customer service, and to enhance safety," Uber said. In a statement, the company said: Uber announced that it would make the change last year to allow surveillance in the app's background, prompting a Federal Trade Commission complaint. (PDF) The Electronic Privacy Information Center said at the time that "this collection of user's information far exceeds what customers expect from the transportation service. Users would not expect the company to collect location information when customers are not actively using the app." The complaint went nowhere. However, users must consent to the new surveillance. A popup—like the one shown at the top of this story—asks users to approve the tracking. Uber says on its site that riders "can disable location services through your device settings" and manually enter a pickup address. Uber and the New York Attorney General's office in January entered into an agreement to help protect users' location data. The deal requires Uber to encrypt location data and to protect it with multi-factor authentication.

Source
  15. When you visit a web site in your favorite web browser, it interacts with the web servers in a variety of ways. It sends data to the web server such as the browser name, operating system, browser locale and your geographical location. All this data is then used by the server to offer you content suitable for your browser or locale. For example, if you visit the Bing or Yahoo search engine web site (e.g. yahoo.com) and you are not from the US, then it will redirect you to the relevant local search engine web site (e.g. yahoo.co.uk). Unfortunately, some web servers also monitor your web browsing habits across multiple sites. With your web browsing data or habits, they can then analyze what people look for and deliver them advertisements for the products that they might be looking for. Such servers are called tracking servers or just trackers. Although it is pretty much harmless, some people take it as an invasion of their privacy. Firefox offers to block such tracking servers inside the private browsing mode (also called incognito mode). You can open a private browsing window in Firefox using the hotkey Ctrl+Shift+P. By default, Firefox blocks only some trackers with a bad reputation. But you can change the settings to block all the known tracking servers in Firefox. Here is how:

1. Open the Firefox browser, type about:preferences#privacy in the address bar and press the Enter key. Alternatively, you can also click on the menu icon (looks like a three-layered burger), choose Options and then select the Privacy section from the left side of the screen.
2. Click on the Change Block List button shown under the Tracking section.
3. You will be shown two options and you can select either of these. One is for blocking only some of the trackers and the other is for blocking all of the known trackers.
4. Click on the Save Changes button when done. Restart the Firefox web browser for the changes to take effect.
Note that even after you restart Firefox browser, tracking protection will not work in the regular mode unless you have changed some other settings. It will work only in the private browsing mode. Article source
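A quick way to verify what the block list change actually does for a profile is to read the profile's prefs.js, since the dialog above only writes preferences. The script below is an added example for this thread; it is not code from the article or from Mozilla. The pref names it checks (privacy.trackingprotection.enabled, privacy.trackingprotection.pbmode.enabled, urlclassifier.trackingTable), their defaults and the list identifiers it maps to "basic" and "strict" are assumptions based on Firefox of this period, so confirm them in about:config before trusting the output. The prefs.js excerpts embedded in it are constructed.

```python
"""Report what Firefox Tracking Protection will actually do for a profile.

Added example for this thread; not code from the article or from Mozilla.
It parses the user_pref("name", value); lines of a profile's prefs.js (or
user.js) and summarises the Tracking Protection settings.  Pref names and
defaults below are assumptions based on Firefox of the time; verify them
against about:config in your own build:

  privacy.trackingprotection.enabled         TP in normal windows (default false)
  privacy.trackingprotection.pbmode.enabled  TP in private windows (default true)
  urlclassifier.trackingTable                block list behind "Change Block List"
"""
import re
import sys
from pathlib import Path
from typing import Any, Dict

# One user_pref("name", value); per line; values are bool, int or "string".
_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Assumed list identifiers for the two options in the block list dialog.
BASIC_LIST = "test-track-simple,base-track-digest256"
STRICT_LIST = "test-track-simple,base-track-digest256,content-track-digest256"

# Constructed prefs.js excerpt: strict list chosen, TP otherwise at defaults,
# i.e. the case the article warns about (protection in private windows only).
SAMPLE_STRICT_PB_ONLY = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256,content-track-digest256");
user_pref("privacy.trackingprotection.pbmode.enabled", true);
'''

# Constructed prefs.js excerpt with TP switched on for all windows as well.
SAMPLE_ALL_WINDOWS = SAMPLE_STRICT_PB_ONLY + '''
user_pref("privacy.trackingprotection.enabled", true);
'''


def _parse_value(raw: str) -> Any:
    """Decode a prefs.js literal: true/false, an integer, or a quoted string."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw  # unrecognised literal; keep the raw text


def parse_prefs(text: str) -> Dict[str, Any]:
    """Return {pref_name: value} for every user_pref(...) line in text."""
    prefs: Dict[str, Any] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2).strip())
    return prefs


def tracking_protection_status(prefs: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise Tracking Protection; a pref missing from prefs.js means default."""
    table = prefs.get("urlclassifier.trackingTable", BASIC_LIST)
    if table == STRICT_LIST:
        block_list = "strict"
    elif table == BASIC_LIST:
        block_list = "basic"
    else:
        block_list = "custom: %s" % (table,)
    return {
        "normal_windows": prefs.get("privacy.trackingprotection.enabled", False) is True,
        "private_windows": prefs.get("privacy.trackingprotection.pbmode.enabled", True) is True,
        "block_list": block_list,
    }


def main(argv):
    # Usage: python tp_check.py /path/to/profile/prefs.js   (no path: built-in sample)
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_STRICT_PB_ONLY
    status = tracking_protection_status(parse_prefs(text))
    for key, value in status.items():
        print("%-16s %s" % (key, value))
    if not status["normal_windows"]:
        print("note: Tracking Protection is active only in private windows")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to a profile's prefs.js (Firefox must be closed, or the file may be stale). Without an argument it evaluates the built-in sample, which reproduces the situation the article describes: the strict list is selected, yet protection still applies only in private windows because privacy.trackingprotection.enabled was never set.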
  16. In a presentation today at BlackHat Europe, Oxford University researchers Piers O’Hanlon and Ravishankar Borgaonkar report that they have discovered two significant privacy flaws in the currently deployed mobile networks, which would allow anyone to track a mobile phone with a minimum of cost and effort. The flaws relate to the International Mobile Subscriber Identity (IMSI), which is a globally unique identifier stored on the SIM card. It identifies and allows for authentication of a mobile subscriber on the mobile network, and so is a significant and important private identifier, designed to be seen only by the mobile operator, and stored in their subscriber database. An IMSI catcher is a piece of technology that allows for tracking of specific mobile subscribers based on their IMSI - in a mobile phone, tablet, car or other mobile connected device. Previously, IMSI catchers have been built for specialist uses such as law enforcement. They operate in the highly-regulated licenced mobile spectrum. The new approach uses different techniques, operating in the WiFi bands, which do not need a licence, enabling anyone to make an IMSI catcher using nothing more complex than an ordinary laptop, or any other WiFi device. Using that laptop, and software based on an approach described by the researchers, someone could set up a ‘rogue access point’ masquerading as a well-known auto WiFi network (such as the WiFi available in tube stations), and so lure smartphones in range to connect. Once connected, the rogue AP extracts their IMSI. The flaws exposed by the research are present in most of the current smartphones, but their exploitation depends upon their operator configuration. These flaws have now been reported to both the mobile OS companies (Apple, Google, Microsoft, and Blackberry) and the operators (GSMA).
The researchers have been working with them to ensure the future protection of the IMSI, and as a result certain new features have been developed, including the inclusion of enhanced privacy mechanisms (conservative peer mode for EAP-SIM/AKA) in Apple’s iOS 10.

More Technical Details

The WiFi-based IMSI catcher developed by Piers and Ravishankar relies upon two flaws in the design and deployment of authentication protocols as specified by the 3GPP, which is the main mobile standards body. Specifically, these exist in two access methods specified in [TS 33.234], which both rely upon SIM-based authentication protocols, known as EAP-SIM and EAP-AKA. The first method is used for access to secured ’Automatic’ (or IEEE 802.1X) WiFi networks, which have become widely deployed by many mobile operators, for example on the London Underground. The problem is that the EAP-SIM interaction is not encrypted, and during the course of the protocol exchange the IMSI is revealed when the device first connects to the network, so it may be passively observed. The researchers have developed an active attack which allows the IMSI to be forcibly revealed. The automatic connection is facilitated by pre-configured profiles which either get installed automatically or manually. These automatic profiles are provided by the mobile operators for use on iOS, Android and Windows phones. The second method is utilised for the ’WiFi-Calling’ service which is deployed by a number of operators, and is growing in popularity. The issue with this method is that whilst the connection to the mobile operator’s edge packet data gateway (EPDG) is encrypted during the setup phase of the IP security (IPSec) protocol, unfortunately cryptographic certificates are not used to protect the IMSI exchange. This means that the exchange is susceptible to a man-in-the-middle attack and thus the IMSI may be revealed.
The newly developed approach provides for a new way to track subscribers, but it does not allow for call or data interception as is possible with some conventional IMSI catcher devices. It should also be noted that it is not straightforward to convert an IMSI to the corresponding telephone number as it requires access to the operator subscriber database. Article source
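To make the first flaw concrete, here is an added example (not the researchers' code) that parses an EAPOL-encapsulated EAP-Response/Identity, the message a handset sends as soon as it associates with an operator's automatic 802.1X hotspot, and flags identities that carry the IMSI in cleartext. It relies on the identity naming convention of RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA), where the first character of the username says whether a permanent identity, a pseudonym or a fast re-authentication identity is being sent, and on the realm format of 3GPP TS 23.003. The sample frames, including the IMSI digits, are constructed. A passive monitor on a laptop can apply exactly this check to the first frames of every association it overhears, which is what makes the cleartext permanent identity a tracking problem.

```python
"""Passive check for IMSI leakage in EAP-SIM / EAP-AKA identity exchanges.

Added example for this thread; it is not the researchers' code.  It parses
an EAPOL-encapsulated EAP-Response/Identity, the frame a handset sends when
it joins an operator "automatic" 802.1X hotspot, and classifies the identity
by the leading digit defined in RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA):

    "1" / "0"  permanent identity, i.e. the IMSI in cleartext
    "3" / "2"  pseudonym         (does not reveal the IMSI)
    "5" / "4"  fast re-authentication identity

The realm wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org follows 3GPP TS 23.003.
All frames below are constructed, not captured.
"""
import re
import struct
from typing import List, NamedTuple, Optional

EAPOL_EAP_PACKET = 0      # EAPOL packet type that carries an EAP packet
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

LEADING_DIGIT = {
    "1": ("EAP-SIM", "permanent"), "0": ("EAP-AKA", "permanent"),
    "3": ("EAP-SIM", "pseudonym"), "2": ("EAP-AKA", "pseudonym"),
    "5": ("EAP-SIM", "fast-reauth"), "4": ("EAP-AKA", "fast-reauth"),
}
REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


class IdentityReport(NamedTuple):
    nai: str
    method: str
    kind: str
    imsi: Optional[str]       # set only for a permanent identity
    realm_mcc: Optional[str]
    leaks_imsi: bool


def build_identity_frame(nai: str, eap_id: int = 1) -> bytes:
    """Construct EAPOL(EAP-Packet) + EAP-Response/Identity as test input."""
    data = nai.encode("ascii")
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data
    return struct.pack("!BBH", 2, EAPOL_EAP_PACKET, len(eap)) + eap


def extract_identity(frame: bytes) -> Optional[str]:
    """Return the NAI from an EAPOL/EAP-Response/Identity frame, else None."""
    if len(frame) < 9:                      # EAPOL header (4) + EAP header (5)
        return None
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if eapol_type != EAPOL_EAP_PACKET or len(body) < 5:
        return None
    code, _eap_id, length, eap_type = struct.unpack("!BBHB", body[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY or length > len(body):
        return None
    return body[5:length].decode("ascii", errors="replace")


def classify_identity(nai: str) -> Optional[IdentityReport]:
    """Classify a 3GPP NAI; None if it does not follow the EAP-SIM/AKA convention."""
    user, _, realm = nai.partition("@")
    if not user or user[0] not in LEADING_DIGIT:
        return None
    method, kind = LEADING_DIGIT[user[0]]
    m = REALM_RE.match(realm)
    realm_mcc = m.group(2) if m else None
    imsi = None
    if kind == "permanent":
        digits = user[1:]
        # An IMSI is MCC(3) + MNC(2-3) + MSIN, at most 15 digits; when the
        # realm names an MCC it must agree with the first three IMSI digits.
        if digits.isdigit() and 6 <= len(digits) <= 15 and (realm_mcc is None or digits.startswith(realm_mcc)):
            imsi = digits
    return IdentityReport(nai, method, kind, imsi, realm_mcc, imsi is not None)


def scan_frames(frames: List[bytes]) -> List[IdentityReport]:
    """Run the detector over EAPOL frames, keeping only SIM/AKA identities."""
    reports = []
    for frame in frames:
        nai = extract_identity(frame)
        if nai is not None:
            report = classify_identity(nai)
            if report is not None:
                reports.append(report)
    return reports


# Constructed sample: a leaking permanent identity (IMSI digits invented, MCC 234 /
# MNC 15 realm), a pseudonym identity, and an EAPOL-Start (type 1) with no EAP body.
SAMPLE_FRAMES = [
    build_identity_frame("1234150123456789@wlan.mnc015.mcc234.3gppnetwork.org"),
    build_identity_frame("3abcdef0123456789@wlan.mnc015.mcc234.3gppnetwork.org"),
    struct.pack("!BBH", 2, 1, 0),
]

if __name__ == "__main__":
    for r in scan_frames(SAMPLE_FRAMES):
        flag = "IMSI LEAK" if r.leaks_imsi else "ok"
        print("%-9s %-8s %-12s %s" % (flag, r.method, r.kind, r.imsi or r.nai))
```

The iOS 10 "conservative peer" mode the article mentions corresponds to the handset answering the identity request with a pseudonym or fast re-authentication identity whenever it has one, so a monitor like this would see the "3"/"5" forms instead of the "1" form; the permanent identity is then only sent inside the later, server-requested AT_PERMANENT_ID_REQ step, which a rogue AP can still trigger but which a conservative peer is meant to refuse unless it has no other identity.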
  17. Dystopian corporate surveillance threats today come at us from all directions. Companies offer “always-on” devices that listen for our voice commands, and marketers follow us around the web to create personalized user profiles so they can (maybe) show us ads we’ll actually click. Now marketers have been experimenting with combining those web-based and audio approaches to track consumers in another disturbingly science fictional way: with audio signals your phone can hear, but you can’t. And though you probably have no idea that dog whistle marketing is going on, researchers are already offering ways to protect yourself. The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices. Beyond the abstract creep factor of ultrasonic tracking, the larger worry about the technology is that it requires giving an app the ability to listen to everything around you, says Vasilios Mavroudis, a privacy and security researcher at University College London who worked on the research being presented at Black Hat. “The bad thing is that if you’re a company that wants to provide ultrasound tracking there is no other way to do it currently, you have to use the microphone,” says Mavroudis. 
“So you will be what we call ‘over-privileged,’ because you don’t need access to audible sounds but you have to get them.” This type of tracking, which has been offered in some form by companies like Silverpush and Shopkick, has hardly exploded in adoption. But it’s persisted as more third party companies develop ultrasonic tools for a range of uses, like data transmission without Wi-Fi or other connectivity.[1] The more the technology evolves, the easier it is to use in marketing. As a result, the researchers say that their goal is to help protect users from inadvertently leaking their personal information. “There are certain serious security shortcomings that need to be addressed before the technology becomes more widely used,” says Mavroudis. “And there is a lack of transparency. Users are basically clueless about what’s going on.” Currently, Android and iOS do require apps to request permission to use a phone’s microphone. But most users likely aren’t aware that by granting that permission, apps that use ultrasonic tracking could access their microphone—and everything it’s picking up, not just ultrasonic frequencies—all the time, even while they’re running in the background. The researchers’ patch adjusts Android’s permission system so that apps have to make it clear that they’re asking for permission to receive inaudible inputs. It also allows users to choose to block anything the microphone picks up on the ultrasound spectrum. The patch isn’t an official Google release, but represents the researchers’ recommendations for a step mobile operating systems can take to offer more transparency. To block the other end of those high-pitched audio communications, the group’s Chrome extension preemptively screens websites’ audio components as they load to keep the ones that emit ultrasounds from executing, thus blocking pages from emitting them.
There are a few old services that the extension can’t screen, like Flash, but overall the extension works much like an ad-blocker for ultrasonic tracking. The researchers plan to make their patch and extension available for download later this month. Ultrasonic tracking has been evolving for the last couple of years, and it is relatively easy to deploy since it relies on basic speakers and microphones instead of specialized equipment. But from the start, the technology has encountered pushback about its privacy and security limitations. Currently there are no industry standards for legitimizing beacons or allowing them to interoperate the way there are with a protocol like Bluetooth. And ultrasonic tracking transmissions are difficult to secure because they need to happen quickly for the technology to work. Ideally the beacons would authenticate with the receiving apps each time they interact to reduce the possibility that a hacker could create phony beacons by manipulating the tones before sending them. But the beacons need to complete their transmissions in the time it takes someone to briefly check a website or pass a store, and it’s difficult to fit an authentication process into those few seconds. The researchers say they’ve already observed one type of real-world attack in which hackers replay a beacon over and over to skew analytics data or alter the reported behavior of a user. The team also developed other types of theoretical attacks that take advantage of the lack of encryption and authentication on beacons. The Federal Trade Commission evaluated ultrasonic tracking technology at the end of 2015, and the privacy-focused non-profit Center for Democracy and Technology wrote to the agency at the time that “the best solution is increased transparency and a robust and meaningful opt-out system.
If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking.” By March the FTC had drafted a warning letter to developers about a certain brand of audio beacon that could potentially track all of a user’s television viewing without their knowledge. That company, called Silverpush, has since ceased working on ultrasonic tracking in the United States, though the firm said at the time that its decision to drop the tech wasn’t related to the FTC probe. More recently, two lawsuits filed this fall—each about the Android app of an NBA team—allege that the apps activated user microphones improperly to listen for beacons, capturing lots of other audio in the process without user knowledge. Two defendants in those lawsuits, YinzCam and Signal360, both told WIRED that they aren’t beacon developers themselves and don’t collect or store any audio in the spectrum that’s audible to humans. But the researchers presenting at Black Hat argue that controversy over just how much audio ultrasonic tracking tools collect is all the more reason to create industry standards, so that consumers don’t need to rely on companies to make privacy-minded choices independently. “I don’t believe that companies are malicious, but currently the way this whole thing is implemented seems very shady to users,” says Mavroudis. Once there are standards in place, the researchers propose that mobile operating systems like Android and iOS could provide application program interfaces that restrict microphone access so ultrasonic tracking apps can only receive relevant data, instead of everything the microphone is picking up. “Then we get rid of this overprivileged problem where apps need to have access to the microphone, because they will just need to have access to this API,” Mavroudis says.
For anyone who’s not waiting for companies to rein in what kinds of audio they collect to track us, however, the UCSB and UCL researchers’ software offers a temporary fix. And that may be more appealing than the notion of your phone talking to advertisers behind your back—or beyond your audible spectrum.

[1] Correction 11/3/2016 6:20pm EST: An earlier version of this article stated that the cross-device tracking companies 4Info and Tapad use ultrasonic tracking. Both companies say they don’t use the form of tracking the researchers describe.

Article source
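Both the Android patch and the Chrome extension described above need one building block: a way to tell whether a block of audio carries energy where a person cannot hear it. The following is an added example, not the UCSB/UCL researchers' code, showing that screening step over PCM samples with the Goertzel algorithm (a single-bin DFT, so no FFT library is required). The 18 kHz lower bound, the 44.1 kHz capture rate and the -40 dBFS threshold are assumptions; the audio blocks are synthesised inline, one clean and one with a quiet 19 kHz beacon riding on an audible tone.

```python
"""Detect ultrasonic beacon tones in a block of PCM audio.

Added example for this thread; it is not the UCSB/UCL researchers' patch or
extension.  It shows the screening step such a defence needs: scan the band
above what a human hears (assumed 18 kHz and up) and flag audio that carries
energy there.  Each candidate DFT bin is evaluated with the Goertzel
algorithm, so no FFT library is needed.  Signals below are synthesised.
"""
import math
from typing import List, Sequence, Tuple

SAMPLE_RATE = 44100       # Hz; assumed browser / phone capture rate
ULTRASONIC_LO_HZ = 18000.0
MIN_AMPLITUDE = 0.01      # about -40 dBFS; anything weaker is treated as noise


def goertzel_amplitude(samples: Sequence[float], k: int) -> float:
    """Amplitude of the tone in DFT bin k (frequency k * fs / N) of samples.

    For a pure tone of amplitude A centred on bin k the result is A; for a
    tone centred on another bin it is zero up to rounding error.
    """
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2  # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def ultrasonic_peaks(samples: Sequence[float], sample_rate: int = SAMPLE_RATE,
                     lo_hz: float = ULTRASONIC_LO_HZ,
                     min_amplitude: float = MIN_AMPLITUDE) -> List[Tuple[float, float]]:
    """(frequency_hz, amplitude) for every bin from lo_hz up to Nyquist whose
    amplitude reaches min_amplitude."""
    n = len(samples)
    k_lo = int(math.ceil(lo_hz * n / sample_rate))
    k_hi = n // 2                          # Nyquist bin
    peaks = []
    for k in range(k_lo, k_hi + 1):
        amp = goertzel_amplitude(samples, k)
        if amp >= min_amplitude:
            peaks.append((k * sample_rate / n, amp))
    return peaks


def contains_ultrasound(samples: Sequence[float], sample_rate: int = SAMPLE_RATE) -> bool:
    """The yes/no decision a microphone filter or audio-element screen would take."""
    return bool(ultrasonic_peaks(samples, sample_rate))


def synth(tones: Sequence[Tuple[float, float]], seconds: float = 0.05,
          sample_rate: int = SAMPLE_RATE) -> List[float]:
    """Constructed test input: a sum of (frequency_hz, amplitude) sine tones."""
    n = int(seconds * sample_rate)
    return [sum(a * math.sin(2.0 * math.pi * f * i / sample_rate) for f, a in tones)
            for i in range(n)]


# Constructed inputs: a 50 ms block of an audible 1 kHz tone alone, and the same
# tone with a quiet 19 kHz beacon (1/10 of its level) on top of it.
CLEAN_AUDIO = synth([(1000.0, 0.5)])
BEACON_AUDIO = synth([(1000.0, 0.5), (19000.0, 0.05)])

if __name__ == "__main__":
    for name, block in (("clean", CLEAN_AUDIO), ("beacon", BEACON_AUDIO)):
        print(name, contains_ultrasound(block), ultrasonic_peaks(block))
```

With 50 ms blocks at 44.1 kHz each bin is 20 Hz wide, so a real beacon that is not centred on a bin spreads across neighbouring bins rather than disappearing; the threshold is what keeps microphone noise from tripping the detector. A deployed filter would also want a duration or repetition check, since a single block with content above 18 kHz is not by itself proof of a beacon, and muting that band means legitimate high-frequency content is lost too.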
  18. Yahoo's Spying Billboard: It Would ID You, Watch And Listen To Your Reactions To Ads

Yahoo's idea is for the billboard's ad content to be based on real-time information about a crowd of people, who could be commuters on a train platform.

Yahoo is exploring a smart billboard that would use microphones, cameras and other sensors to bring targeted advertising to outdoor displays.

Hacked web giant Yahoo has filed a patent application for the ultimate ad-targeting system: a billboard that uses sensors to watch, listen and capture biometric data from the passing public.

Yahoo, still in damage control from this week's claims that it helped the government spy on its email users, has filed a patent for smart technology that brings online ad-targeting capabilities to public billboards.

The billboards would have cameras, microphones, motion-proximity sensors, and biometric sensors, such as fingerprint or retinal scanning, or facial recognition, according to the patent, which was filed last year but published on Thursday.

The sensors would be used to measure engagement of passers-by. "For example, image data or motion-proximity sensor data may be processed to determine whether any members of the audience paused or slowed down near the advertising content, from which it may be inferred that the pause or slowing was in response to the advertising content (eg, a measurement of 'dwell time')," Yahoo writes.

It could also use image or video data to determine whether any individuals looked directly at the advertising content. Alternatively, "Audio data captured by one or more microphones may be processed using speech-recognition techniques to identify keywords relating to the advertising that are spoken by members of the audience."

As Yahoo explains, the ability to personalize ads for smartphones has made mobile the most efficient place to use marketing budgets, whereas digital displays in public spaces, which still attract ad dollars, remain stuck on old technology.

But instead of individualizing ads, Yahoo's idea would be to 'grouplize', where ad content is based on real-time information about a crowd of people, who could be commuters on a train platform or cars passing by a freeway billboard.

In the freeway scenario, the billboard would be placed near traffic sensors that detect the number of vehicles passing, their speed, and time of day. It might also use video to capture images of vehicles, and use image recognition to determine the maker and model of vehicles to distill demographic data.

The billboard may also use cell-tower data, mobile app location data, or image data to "identify specific individuals in the target audience, the demographic data (eg, as obtained from a marketing or user database) which can then be aggregated to represent all or a portion of the target audience". Alternatively, it could use vehicle GPS systems to identify specific vehicles and vehicle owners.

"Those of skill in the art will appreciate from the diversity of these examples the great variety of ways in which an aggregate audience profile may be determined or generated using real-time information representing the context of the electronic public advertising display and/or additional information from a wide variety of sources," Yahoo notes.

It sees potential for the system to be integrated with existing online ad exchanges, allowing advertisers to reach across devices with the same ads. It also envisages extending the online ad model of auctioning billboard space to the highest bidder, with content determined by the group's characteristics.

However, if the smart billboards did their job of "grouplizing" a group of young adult males, it might display a risqué dating site ad, Yahoo says. This approach might be acceptable to some on a phone, but dangerous on the freeway.

Yahoo says it has an answer for this issue: "Any advertising content including video could, for example, be eliminated from the pool of available content or modified to remove video components."

In May, New York Senator Charles Schumer called on the Federal Trade Commission to investigate the use of 'spying billboards', which he described as popping up in cities across the country. He warned that such technology may represent a violation of privacy rights, because of the way it tracks the individual's cell phone data, and constitute a deceptive trade practice.

Source
  19. Swiss Vote to Give Their Government More Spying Powers

Swiss approve new surveillance law with 66.5% majority

Last year, the country's parliament passed a law that allowed its secret service, FIS (Federal Intelligence Service), more powers to snoop on emails, tap phones, or use hidden cameras and microphones. Such technologies and investigative procedures are common practice in other countries, but they have been outlawed by the strict Swiss government.

New surveillance law passed in 2015, implementation delayed

The law, which the government argued was needed after the devastating Paris ISIS attacks, was contested by privacy groups and the Swiss leftist political parties, which delayed its implementation and forced it into a country-wide referendum that took place this Sunday.

The Swiss population made their voice heard over the weekend and, concerned with the ever-increasing threat from terrorist groups, voted to sacrifice some of their privacy for the sake of security.

Switzerland, next to Germany and the northern Scandinavian countries, has some of the strictest privacy laws in Europe. So much so that it took Google years to get permission to map out the country via its Street View service.

Swiss secret service will need special authorization on a per-case basis

FIS, which handles both internal and external cyber-espionage operations, will need special authorization from a court, the defense ministry, and the cabinet if they are to launch internal surveillance operations.

According to SwissInfo, opponents of this law struggled to win over the older generation, who mostly voted for the new surveillance laws. The publication also noted the little attention the campaign got in the media, with most of the attention focusing on another topic included in the three-vote referendum, related to a 10 percent boost to the country's old age pension fund.

The population voted against an increase of the pension fund just because it would add an extra strain on the state's budget. The third issue was related to Switzerland increasing its green economy, which citizens also voted down.

Source
  20. Delete Google Maps? Go Ahead, Says Google, We'll Still Track You

Google Play services need constant location info

Google, it seems, is very, very interested in knowing where you are at all times. Users have reported battery life issues with the latest Android build, with many pointing the finger at Google Play – Google's app store – and its persistent, almost obsessive need to check where you are.

Amid complaints that Google Play is always switching on GPS, it appears Google has made it impossible to prevent the app store from tracking your whereabouts unless you completely kill off location tracking for all applications.

You can try to deny Google Play access to your handheld's location by opening the Settings app and digging through Apps -> Google Play Store -> Permissions, and flipping the switch for "location." But you'll be told you can't just shut out Google Play services: you have to switch off location services for all apps if you want to block the store from knowing your whereabouts. It's all or nothing, which isn't particularly nice.

This is because Google Play services pass on your location to installed apps via an API. The store also sends your whereabouts to Google to process. Google doesn't want you to turn this off. It also encourages applications to become dependent on Google's closed-source Play services, rather than use the interfaces in the open-source Android, thus ensuring that people continue to run Google Play on their devices.

It's a similar story over at Google Maps. Although it makes far more sense for Maps to have access to your location, the latest build doesn't give you a decent option of turning it off. If you do cut off Maps' access to your location, "basic features of your device may no longer function as intended," the operating system warns. Needless to say, this is not making some users very happy.

Security researcher Mustafa Al-Bassam reported on Twitter that he "almost had a heart attack" when he walked into a McDonald's and was prompted on his phone to download the fast food restaurant's app.

Al-Bassam dug into his phone's apps to figure out how that had happened, and was amazed to find that his suspected culprit – Google Maps – was not responsible. It was Google Play that had monitored his location thousands of times.

So, the options are not great: you can either delete both Google Maps and Google Play, or you have to repeatedly turn your phone's location services on and off as required throughout the day, which is extremely irritating.

"Kind of defeats the purpose of fine-grained privacy controls," Al-Bassam noted, adding: "Google is encouraging developers to use the Play location API instead of the native Android API, making an open OS dependent on proprietary software."

Google was not available for comment.

Source
  21. We are pleased to announce the release of Ghostery 7, the long-awaited and newest edition of our free browser extension. Ghostery gives you the tools to see, understand, and block/unblock tracking technologies (called trackers) on the sites you visit, giving you a cleaner, faster, and safer browsing experience.

Ghostery 7 was designed and developed using the tremendous feedback we have received from our vibrant community, including months of user testing, hundreds of emails to our support desk, and thousands of survey responses. All sorts of users - from first time users to casual users to experts - wanted a browser extension that fit their individual needs and levels of use. Well, we heard you loud and clear!

The result is an extension that combines a cleaner, simpler, and easier-to-understand interface with powerful new and enhanced features, the best of both worlds. The browser extension provides greater insight into trackers and the websites that host them. If you’d like to try Ghostery 7 for yourself, it is available for Chrome, Firefox, and Opera today and will be coming soon to Edge. If you’d like to learn more, let’s break down what is new in Ghostery 7.

Improved UI

With Ghostery 7, we created a user interface that is simple and easy to understand for beginners, but that still offers advanced functionality and data points for more knowledgeable users. To achieve this, we did two things. First, we increased the size of the panel to give us more real estate to show information, while still keeping the interface clean. Second, we divided the extension into a right-side information pane, with our granular list of trackers, and a collapsible left-side summary pane, with high-level information and functionality.

The information pane shows a cleaner, more compact version of our classic tracker list. This groups the trackers into high-level categories such as Advertising and Site Analytics, making it easier for a user to quickly learn about the different trackers on a page. In this list, users can block and unblock trackers across the web or on specific pages, as well as get additional detail and information for each tracker. Additionally, users can collapse the information panel if they want to hide this information.

The summary panel features a colored tracker donut that gives a visual overview of how many trackers are in each category, while also doubling as a click-to-select filter for the tracker list. It also includes page-level actions such as Trust Site (unblock all on site) and Restrict Site (block all on site), as well as Pause Ghostery, which disables all blocking. The summary view makes it easier for beginners and more casual users to manage their preferences from one site to the next.

Enhanced Features for Account Holders

If you’re keen on getting a little more juice out of Ghostery 7, you can access enhanced features and functionality by creating an account. These features include:

  • The ability to sync settings across browsers and devices
  • Alerts for slow and non-secure trackers
  • Detected URLs for each tracker, a feature that provides additional intelligence and insight for the power user
  • A sneak peek at our Trackermap product; with one free scan a month, users can visually map all the tracker relationships on a page for greater insight

Tracker Alerts

Time and time again, we heard from our users that they needed help deciding what to block and when. To provide this much-needed help, we are proud to introduce alerts for broken pages, and slow and non-secure trackers. Broken page alerts will let users know when they’re blocking a tracker that might be necessary for the website to work properly. Slow and non-secure tracker alerts (available to account holders) will let users know when a tracker is either slowing a site down or making a nonsecure call from a secure page. These alerts allow users to make informed decisions about what to block and when.

Improved Purple Box

Nothing polarizes our user base like the purple box, the real-time list of trackers that populates on the lower right-hand corner of the screen. A lot of users love it and a lot of users hate it. With Ghostery 7, we think the purple box is now easier to love and harder to hate, with a new UI that lets a user quickly collapse it or hide it when they don’t want it and expand it when they want to dig in and get additional information. For those that never want to see it, it’s easy to disable the purple box from the settings within the extension itself.

Other Features

Additional features that we think some users will find helpful - and don’t want to get lost in the flurry of new stuff - include:

  • Local settings directly in the extension itself, which means that users no longer have to navigate to a web UI if they want to change their preferences.
  • Links in the menu to submit new trackers and report broken pages with just one click, making it easier for our community of passionate users to help us make Ghostery even better.

Send Us Your Feedback

If you try Ghostery 7 and have thoughts or ideas, we’d love to hear from you (no, really, we would). If you experience a problem or a defect (e.g., Ghostery is making my computer explode) please email us immediately at support@ghostery.com. If you have general feedback about stuff you like or don’t like, you can share those thoughts with us at ghostery@ghostery.com.

Article source
  22. BBC Vans Are Coming For You

Pinch, punch: The license change requiring you to have actually shelled out the £145.50 for colour television (only £49 for monochrome) to watch BBC programmes on demand comes into effect today.

As we reported earlier this month, claims that the BBC would be sending vans about the UK to sniff Britons' wireless networks for infringing viewers may be somewhat overstated. Keep it legal, guys.

Source
  23. Opera VPN Launches For Android

Opera Software released its free VPN application for Android today after making it available to iOS devices earlier this year.

The company's journey as a VPN provider started with its acquisition of SurfEasy VPN. Opera Software promoted services of SurfEasy shortly thereafter in the Opera desktop browser, and launched a free browser proxy back in April 2016. The iOS application followed in May, and today saw the release of the Android application.

Opera VPN for Android is a VPN client that is free to use. It is provided by SurfEasy, an Opera company.

Tip: Check out the privacy policy and terms of use before you start using the service. Basically, what it states is that you may not use it to break the law or the rights of others, that the service may be limited, modified or discontinued at any time, and that you may be contacted for limited marketing purposes.

Opera VPN for Android

Installation of the application is straightforward. Since it is a VPN, you will receive a request to set up a VPN connection on the device. You must accept it or won't be able to use the service at all.

The app displays a short introduction to the features that it makes available. Basically, it offers three features that you may activate from within the app:

  • Connect to the VPN network. Opera VPN connects to the closest region automatically, but displays options to switch the region once connected. Regions that were available during the test were Canada, USA, Netherlands, Germany, and Singapore.
  • Wi-Fi Security. You may use this feature to test the security of the wireless network your Android device is connected to. Opera VPN displays the name of the WLAN and its ID, and whether it is protected or not on the screen. The test performs additional lookups and awards a security score at the end (one when connected regularly, and one when connected to Opera VPN).
  • Guardian. Guardian can be activated to block ad trackers when you are online.

The connection speed was quite good during tests but mileage may vary based on the location you connect to the service, the region you connect to, load at that time and other factors. A quick test playing videos on YouTube and other services showed that playback was fluent and without buffering issues or other issues.

Since it is a VPN app that runs in the background, all applications you use tunnel their traffic through it.

Closing Words

Opera VPN is a free VPN app for Android that does not look that different than other free VPN apps for Android. The inclusion of the WiFi security test -- with the foreseeable result that the connection is more secure when you use Opera VPN -- and the system-wide tracker blocker are nice-to-have features.

If you trust Opera Software, there is little reason not to use the company's VPN applications as well. Paid solutions on the other hand offer better privacy, whereas other free solutions usually don't.

Source
  24. Browser-Based Fingerprinting: Implications And Mitigations

Malware authors will leverage every tool and trick they can to keep their operations in complete stealth mode. Fingerprinting gives them this extra edge to hide from security researchers and run large campaigns almost completely undetected.

To describe it succinctly, fingerprinting makes use of an information disclosure flaw in the browser that allows an attacker to read the user’s file system and look for predefined names.

There are plenty of examples on how successful fingerprinting can be; we covered some in our research whitepaper back in March 2016, Operation Fingerprinting, but even that was just the tip of the iceberg.

More recently, researchers at Proofpoint uncovered a massive malvertising campaign that ran for at least a year and probably more, which allowed for a very large number of malware infections. It heavily relied on fingerprinting to go unnoticed by carefully targeting genuine users, running bona fide OEM computers.

Figure 1: Fingerprinting used in a malvertising campaign, hidden as a GIF image

Certainly, this is a lesson to learn for the defense side to up our game in the face of increased sophistication in online attacks. At the same time, we could easily remove a powerful weapon from the bad guy’s toolsets, which would lead to more rapid identification of their campaigns, at least until they come up with another trick.

There are also privacy implications as fingerprinting could be used to profile users, based on a list of programs present on their machines. We can imagine marketing folks from company A being interested to know if visitors to their website are running product from company B.

Figure 2: A simple iframe can check if Norton Antivirus is installed

This is trivial to do with a single line of code (currently unpatched, keep reading for additional details), although it would certainly raise eyebrows in how it’s done. Less scrupulous actors might be interested in spying on persons of interest and check if they are running specific tools such as VPNs or encryption software.

A little bit of history on some troublesome protocols

Abusing Internet Explorer protocols has allowed malware authors to either run malicious code or gain information about their victims. Here we review some past and present techniques including one that is currently unpatched and used in exploit kits and malvertising attacks.

File:// protocol

If we go back in time, before XP’s Service Pack 2, the local machine zone (LMZ) allowed you to run binaries without restrictions via another protocol, the file:// protocol.

Figure 3: Microsoft fixed a flaw that allowed running binaries in IE6 and earlier.

The file:// protocol was literally running in the local machine zone, with full privileges. From your evil webpage you could do:

<iframe src="file://c:/downloads/malicious.html"></iframe>

and after instantiating a WScript.Shell, you could do a full remote code execution.

XMLDOM loadXML (CVE-2013-7331)

Back in 2013, a researcher revealed how Microsoft XMLDOM in IE can divulge information of local drive/network in error messages – XXE. This technique was/is used in the wild by various exploit kits as well as in some malvertising campaigns.

The XMLDOM technique is the most powerful one for fingerprinting purposes as it allows for any type of file (not just binaries) to be checked for. Microsoft fixed the issue with XMLDOM checks. See tweet and following discussion here. For a proof of concept code: https://pastebin.com/raw/Femy8HtG.

Onload res:// CVE-2015-2413

res:// is an internal IE protocol running in the Internet Zone (even for local files) that allows webpages to load resources from local files (from the resource section). At the same time, IE considers many of these res: URLs “special” and it allows them to do things like opening the Internet Connection Dialog (and much more).

Microsoft allows res:// URLs to be loaded by normal HTTP webpages because IE/Edge need them for various parts of the browser’s functionality, like default error or information pages. It was added to the Magnitude EK, as a pre-check on its gate, but is now patched as well. The res technique isn’t as good as the XMLDOM one as it can only check for binaries, as it needs their resource section.

Figure 4: Image created from a script using onload to detect if the resource was loaded

Iframe res:// variant (unpatched)

Affected software:
Operating System: Windows 7, Windows 10 (both fully patched).
Browsers: Internet Explorer 10, 11. Microsoft Edge (38.14393.0.0) & Microsoft EdgeHTML (14.14393).

Note: For Microsoft Edge, fingerprinting will only work in the Windows and Program Files folders, as the AppContainer doesn’t allow read access to other parts of the system.

Figure 5: Determining the presence of calc.exe under %system32% from a website.

Current use in exploit kits:

We studied the way Neutrino EK filters security researchers via the same Flash exploit it uses to exploit and infect a system (Neutrino EK: fingerprinting in a Flash) as well as one of its pre-gate checks (Neutrino EK: more Flash trickery).

Figure 6: iframes checking for local files

Using ActionScript within the Flash exploit, Neutrino EK can check on those loadable resources and guess via JavaScript and DOM events if those files exist.

Disclaimer: we are not sharing our proof of concept publicly as Microsoft is currently working on a patch. While it’s true that it is in the wild, the PoC we wrote is derived from Neutrino’s Flash-based fingerprinting and a lot easier to copy/paste for other bad guys to reuse. If you are interested, please contact us privately.

Mitigations

A good mitigation to the abuse of this problem would be to allow IE to load resource files that are used only by IE such as mshtml.dll, ieframe.dll, and a few more. All the other ones should be blocked!

In other words, iexplore.exe (or any other binary using the WebBrowser Control) should be allowed to load only the resources that are really needed by the WebBrowser engine, and no more. The only legitimate uses of the res: protocol are IE internal pages/dialogs and maybe old toolbars. DevTools (F12) also uses it.

Figure 7: Some res:// calls in Microsoft Edge

Some old toolbars that are relying on res:// might stop working but they can whitelist those particular DLLs or even better, let the developers update their code.

Conclusion

Information disclosure bugs seem to linger and resurface quickly after they have been patched. This is probably due to the core issue not being fundamentally addressed perhaps because of compatibility risk in making any drastic change. While these flaws are not critical compared to, let’s say remote code execution, they can help bad guys to save those RCEs for genuine victims and hide them from the security community much longer.

Acknowledgements

I would like to say a big thank you to Manuel Caballero for inspiring me to dig deeper into this issue. Thanks to Eric Lawrence for additional checks in Edge and affected paths.

Source
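As an added example (not from the article, and not the author's withheld proof of concept), here is a defender-side check in Python that applies the allowlist mitigation the article proposes to URLs found in page markup: a res:// load of anything other than IE's own resource DLLs, and any file:// load from web content, is flagged for blocking. The allowlist holds only the two modules the article names (mshtml.dll, ieframe.dll), and the helper names and sample markup are constructed for this example.

```python
import re

# Resource modules that IE's own engine legitimately loads over res:// (the
# two the article names). A real allowlist would be built by auditing the
# browser's actual res:// usage; this set is a starting point, not a full list.
ALLOWED_RES_MODULES = {"mshtml.dll", "ieframe.dll"}

RES_SCHEME = re.compile(r"^res:/{0,2}", re.IGNORECASE)
FILE_SCHEME = re.compile(r"^file:", re.IGNORECASE)
# res://<module>[/<type>]/<id>: <module> is a bare DLL name or a Windows path,
# so capture everything up to the first PE file name followed by '/' or the end.
MODULE_RE = re.compile(r"^(.*?\.(?:dll|exe|ocx|cpl|scr))(?:/|$)", re.IGNORECASE)
# src/href/data attribute values in markup (iframe, img, object, link, ...).
ATTR_URL = re.compile(r"\b(?:src|href|data)\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def res_module(url: str) -> str:
    """Return the lower-cased file name of the module a res:// URL points at."""
    rest = RES_SCHEME.sub("", url.strip(), count=1)
    match = MODULE_RE.match(rest)
    module = match.group(1) if match else rest.split("/", 1)[0]
    # Drop any directory part, whichever slash style the path used.
    return module.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def classify_url(url: str) -> str:
    """'block', 'allow' or 'ignore' for one URL under the article's policy."""
    url = url.strip()
    if FILE_SCHEME.match(url):
        # Web content has no business reaching into the local file system.
        return "block"
    if RES_SCHEME.match(url):
        # Only IE's own resource DLLs may be loaded; any other module is a
        # probe for the presence of an arbitrary local binary.
        return "allow" if res_module(url) in ALLOWED_RES_MODULES else "block"
    return "ignore"


def scan_markup(html: str) -> list:
    """Return [(url, verdict)] for every URL attribute that is not 'ignore'."""
    findings = []
    for match in ATTR_URL.finditer(html):
        url = match.group(1)
        verdict = classify_url(url)
        if verdict != "ignore":
            findings.append((url, verdict))
    return findings


# Constructed sample markup (not from any real campaign): one ordinary image,
# one legitimate IE error page, one probe for a third-party program, one
# file:// iframe.
SAMPLE_MARKUP = r"""
<img src="https://cdn.example.invalid/pixel.gif">
<iframe src="res://ieframe.dll/dnserror.htm"></iframe>
<iframe src="res://C:\Program Files\ExampleVendor\product.exe/1"></iframe>
<iframe src="file://c:/users/public/notes.html"></iframe>
"""

if __name__ == "__main__":
    for url, verdict in scan_markup(SAMPLE_MARKUP):
        print(f"{verdict:5s} {url}")
```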
  25. Google Does Not Give Up: YouTube Next Social Network?

If rumors are to be believed, Google plans to introduce a feature called Backstage on YouTube that adds social networking features to the site.

Google tried to establish a social networking site several times in the past to compete with the almighty Facebook. But even the company's latest endeavor in the social space, Google Plus, did not work out as planned.

If you consider that Google went all in that time, forcefully integrating Google Plus in many of the company services, and pushing it on its prime properties such as Google Search, it is not far-off to call Google Plus a failure.

One of the properties graced with forceful Google Plus integration was YouTube. Google made the decision to replace YouTube's commenting system with Google Plus, angering millions of YouTube users in the process.

Google decided to abandon the Google Plus project some time ago. While it is still available, traces of Google Plus on other Google properties are slowly being removed again.

The company has not given up yet on conquering the social networking space though. Its latest plan? Use a billion user site that already exists for that. That site is YouTube, and if reports are correct, it could soon get a lot more social on the site.

YouTube Backstage

VentureBeat reports that Google may plan to introduce an internal feature called Backstage to YouTube that lets users share photos, links, text posts, videos, and polls with their subscribers. Google may launch this as a limited trial for select YouTube accounts first and may go from there.

According to VentureBeat, Backstage will be visible next to the Home and Videos tabs on YouTube, and posts made to channels will appear in subscriber feeds and notifications. Subscribers may reply to posts through various means including posting videos of their own, but also by text or images.

Backstage will introduce new types of posts to YouTube. Google plans to differentiate between regular videos and Backstage videos. The latter allows channels to push videos only to subscribers and not to users discovering the channel through search or other means.

Backstage is an internal project currently and it is unclear if and when it will be made available.

While YouTube is highly popular when it comes to video publishing and watching, it lacks in the social department. While users may post comments under videos or channels, there is little in terms of communication going elsewhere. There is a send message option when you open the about page of a channel, but it is almost hidden from sight.

Closing Words

Adding more social components to YouTube, even if only for a limited number of channels and publishers in the beginning, may improve interaction on the site. It is unclear how the move will impact Google Plus, but seeing the service being reduced to a crumble, it would not surprise me one bit if Google would announce its retirement in the near future.

As far as I'm concerned, I go to YouTube to watch videos, not to communicate. That's my personal preference though, and judging from the large number of comments on the site, others see it differently.

Now You: What's your take on this?

Source