Search the Community

Showing results for tags 'tracking'.

Found 68 results

  1. I IN NO WAY TAKE ANY CREDIT FOR THIS. IT WAS TAKEN FROM MDL FORUM AND SOME POSTS BY MEMBERS ON THIS FORUM!

     Manual:

     Tools:
       • Windows 10 Lite v7.1
       • Destroy Windows Spying v1.6 Build 722 [Works with Win 7/8/8.1/10]
       • Blackbird v6 v0.9.98 [Works with Win 7/8/8.1/10]
       • O&O ShutUp10 v1.5.1390.1
       • Spybot Anti-Beacon v1.6.0.42 [Works with Win 7/8/8.1/10]
       • W10Privacy v2.4.0.0
       • Win.Privacy v1.0.1.5 [Works with Win 7/8/8.1/10]
       • Disable Windows 10 Tracking v3.0.1
       • iSpy Privacy-X v3.0.0.0
  2. New Vault 7 leaks show CIA can install persistent malware on OS X and iOS devices

A new trove of documents belonging to Wikileaks' Vault 7 leaks, dubbed “Dark Matter”, reveals that Apple devices including Macs and iPhones have been compromised by the CIA. They are affected by firmware malware, meaning that even a re-installation of the operating system will not fix the device.

The CIA’s Embedded Development Branch (EDB) have created several tools for exploiting Apple devices. These include:

     • Sonic Screwdriver – allows an attacker to boot its malware from peripheral devices such as a USB stick.
     • DarkSeaSkies – is an “implant” that persists in the EFI firmware of MacBook Air computers. It consists of “DarkMatter”, “SeaPea” and “NightSkies”, which affect EFI, kernel-space, and user-space respectively.
     • Triton – macOS malware.
     • Dark Mallet – Triton infector.
     • DerStake – EFI-persistent version of Triton. The documents show that DerStake was at version 1.4 as of 2013, but other documents show that as of 2016, the CIA was working on DerStake 2.0.

According to Wikileaks, NightSkies can infect Apple iPhones; the organisation said what’s noteworthy is that NightSkies has been able to infect iPhones since 2008. The CIA documents say NightSkies is a “beacon/loader/implant tool”. It is “expressly designed” to be physically installed onto factory fresh iPhones, meaning the CIA has been intercepting the iPhone supply chain of its targets since at least 2008.

"Dark Matter" is just the latest release of documents from the wider Vault 7 leaks; more CIA documents are expected in the future.

Main Source: Wikileaks Source
  3. Facebook Bans Devs From Creating Surveillance Tools With User Data Without a hint of irony, Facebook has told developers that they may not use data from Instagram and Facebook in surveillance tools. The social network says that the practice has long been a contravention of its policies, but it is now tidying up and clarifying the wording of its developer policies. American Civil Liberties Union, Color of Change and the Center for Media Justice put pressure on Facebook after it transpired that data from users' feeds was being gathered and sold on to law enforcement agencies. The re-written developer policy now explicitly states that developers are not allowed to "use data obtained from us to provide tools that are used for surveillance." It remains to be seen just how much of a difference this will make to the gathering and use of data, and there is nothing to say that Facebook's own developers will not continue to engage in the same practices. Deputy chief privacy officer at Facebook, Rob Sherman, says: Transparency reports published by Facebook show that the company has complied with government requests for data. The secrecy such requests and dealings are shrouded in means that there is no way of knowing whether Facebook is engaged in precisely the sort of activity it is banning others from performing. Source
  4. Security flaws smash worthless privacy protection

Analysis

To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization. This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values. In theory, this prevents scumbags from tracking devices from network to network, and by extension the individuals using them, because the devices in question call out to these nearby networks using different hardware identifiers.

It's a real issue because stores can buy Wi-Fi equipment that logs smartphones' MAC addresses, so that shoppers are recognized by their handheld when they next walk in, or walk into an affiliate shop with the same creepy system present. This could be used to alert assistants, or to follow people from department to department, store to store, and then sell that data to marketers and ad companies. Public wireless hotspots can do the same. Transport for London in the UK, for instance, used these techniques to study Tube passengers.

Regularly changing a device's MAC address is supposed to defeat this tracking. But it turns out to be completely worthless, due to a combination of implementation flaws and vulnerabilities. That and the fact that MAC address randomization is not enabled on the majority of Android phones.

In a paper published on Wednesday, US Naval Academy researchers report that they were able to "track 100 per cent of devices using randomization, regardless of manufacturer, by exploiting a previously unknown flaw in the way existing wireless chipsets handle low-level control frames." Beyond this one vulnerability, an active RTS (Request to Send) attack, the researchers also identify several alternative deanonymization techniques that work against certain types of devices.

Cellular radio hardware has its own set of security and privacy issues; these are not considered in the Naval Academy study, which focuses on Android and iOS devices.

Each 802.11 network interface in a mobile phone has a 48-bit MAC address layer-2 hardware identifier, one that's supposed to be persistent and globally unique. Hardware makers can register with the Institute of Electrical and Electronics Engineers (IEEE) to buy a block of MAC addresses for their networking products: the manufacturer is assigned a three-byte Organizationally Unique Identifier, or OUI, which is combined with an additional three-byte identifier that can be set to any value. Put those six bytes together, and you've got a 48-bit MAC address that should be globally unique for each device.

The IEEE's registration system makes it easy to identify the maker of a particular piece of network hardware. The IEEE also provides the ability to purchase a private OUI that's not associated with a company name, but according to the researchers "this additional privacy feature is not currently used by any major manufacturers that we are aware of."

Alternatively, the IEEE offers a Company Identifier, or CID, which is another three-byte prefix that can be combined with three additional bytes to form 48-bit MAC addresses. CID addresses can be used in situations where global uniqueness is not required. These CID numbers tend to be used for MAC address randomization and are usually transmitted when a device unassociated with a specific access point broadcasts 802.11 probe requests, the paper explains.

The researchers focused on devices unassociated with a network access point – as might happen when walking down the street through various Wi-Fi networks – rather than those associated and authenticated with a specific access point, where the privacy concerns differ and unique global MAC addresses come into play.

Unmasking

Previous security research has shown that flaws in the Wi-Fi Protected Setup (WPS) protocol can be used to reverse engineer a device's globally unique MAC address through a technique called Universally Unique IDentifier-Enrollee (UUID-E) reversal. The US Naval Academy study builds upon that work by focusing on randomized MAC address implementations.

The researchers found that "the overwhelming majority of Android devices are not implementing the available randomization capabilities built into the Android OS," which makes such Android devices trivial to track. It's not clear why this is the case, but the researchers speculate that 802.11 chipset and firmware incompatibilities might be part of it.

Samsung v Apple

Surprisingly, Samsung devices, which accounted for 23 per cent of the researchers' Android data set, show no evidence of implementing MAC address randomization.

Apple, meanwhile, introduced MAC address randomization in iOS 8, only to break it in iOS 10. While the researchers were evaluating devices last year, Apple launched iOS 10 and changed its network probe broadcasts to include a distinct Information Element (IE), data added to Wi-Fi management frames to extend the Wi-Fi protocol.

"Inexplicably the addition of an Apple vendor-specific IE was added to all transmitted probe requests," the paper explains. "This made identification of iOS 10 Apple devices trivial regardless of the use of MAC address randomization."

This shortcoming aside, Apple handles randomization correctly, in the sense that it properly randomizes the full 48-bits available for MAC addresses (with the exception of the Universal/Local bit, set to distinguish between global MAC addresses and the local ones used for randomization, and the Unicast/Multicast Bit).

The researchers find this interesting because the IEEE charges a fee for using the first three bytes of that space for CID prefixes, "meaning that Apple is freely making use of address space that other companies have paid for."

In a phone interview with The Register, Travis Mayberry, assistant professor at the US Naval Academy and one of the paper's co-authors, expressed surprise that something like 70 per cent of Android phones tested did not implement MAC address randomization.

"It's strange that Android was so vulnerable," he said. "It's just really bad at doing what it was supposed to do."

'Closest to being pretty good'

Apple, meanwhile, fared better in terms of effort, though not results. "Apple is the closest to being pretty good," Mayberry said, but noted that Apple devices, despite the advantage of hardware consistency, are still vulnerable to an RTS (Request to Send) attack. Sending RTS frames to an Apple phone forces the device to reveal its global unique MAC address, rather than the randomized one normally presented to the hotspot.

"No matter how hard you try, you can't defend against that because it's a property of the wireless chip itself," said Mayberry.

There was a single Android phone that fared well. "The one Android phone that was resistant to our passive attacks was the CAT S60 which is some kind of 'tough' phone used on construction sites and the like," Mayberry explained in an email. "It did not have a recognizable fingerprint and did not ever transmit its global MAC except when associating. It was still vulnerable to our active RTS attack though, since like I said, that is a problem with the actual chips and affects every phone."

Mayberry was at a loss to explain why Apple shot itself in the foot by adding a trackable identifier to a system that previously worked well.

"I initially thought it might be to support some of the 'continuity' features where multiple apple devices can discover and exchange stuff like open browser tabs and clipboard contents but that came out in earlier versions of iOS," he said. "It also might be linked to the HomeKit features that they added in iOS to control IoT devices. Basically it would have to be to purposefully identify and discover other Apple devices that are not associated, otherwise we wouldn't see it in probe requests. All of this is pure speculation though and we really don't have a strong reason for it."

Mayberry said he hoped the research would help the industry understand the consequences of everyone doing things differently. There's no generally accepted way to handle MAC address randomization.

"There are so many phones not using it," he said. "There should be a standard."

By Thomas Claburn
https://www.theregister.co.uk/2017/03/10/mac_address_randomization/
  5. Microsoft’s Obscure ‘Self Service for Mobile’ Office Activation

Microsoft requires a product activation after installing. Users of Microsoft Office are currently facing trouble during telephone activation. After dealing with this issue, I came across another obscure behavior: Microsoft’s ‘Self Service for Mobile’ solution to activate Microsoft Office via mobile devices.

Microsoft describes how to activate Microsoft Office 2013, 2016 and Office 365 within this document. There are several possibilities to activate an installed product, via Internet or via telephone for instance. Activation by phone is required if the maximum Internet activation threshold is reached.

But Office activation by phone fails

Within my blog post Office Telephone activation is no longer supported error I’ve addressed the basic issue. If a user re-installs Office, the phone activation fails. The activation dialog box shows the message “Telephone activation is no longer supported for your product“. Microsoft has confirmed this issue for Office 2016 users having a non subscriber installation. But users of Microsoft Office 2010 or Microsoft Office 2013 are also affected.

A blog reader posted a tip: Use Mobile devices activation…

I’ve posted an article Office 2010: Telefonaktivierung eingestellt? – Merkwürdigkeit II about the Office 2010 telephone activation issue within my German blog, back in January 2017. Then a reader pointed me within a comment to a Self Service for Mobile website. The link http: // bit.ly/2cQPMCb, shortened by bit.ly, points to a website https: // microsoft.gointeract.io/mobileweb/… that provides an ability to activate Microsoft Office (see screenshot below). After selecting a 6 or 7 Digits entry, an activation window with numerical buttons to enter the installation id will be shown (see screenshots shown below). The user has to enter the installation id and receives the activation id – plain and simple. Some users commented within my German blog that this feature works like a charm.

Obscurity, conspiracy, oh my God, what have they done?

I didn’t inspect the posted link until writing last Friday's blog post Office Telephone activation is no longer supported error. My idea was to mention the “Self Service for Mobile” page within the new article. I managed to alter the link to direct it to the English Self Service for Mobile language service site. Suddenly I noticed that both the German and the English “Self Service for Mobile” sites use https, but are flagged as “unsecure” in Google Chrome (see the screenshot below, showing the German edition of this web page). The popup shown for the web site “Self Service for Mobile” says that there is mixed content (images) on the page, so it’s not secure.

That caught my attention, and I started to investigate the details. Below are the details for the German version of the web site shown in Google Chrome (but the English web site has the same issues). First of all, I noticed that the “Self Service for Mobile” site doesn’t belong to a microsoft.com domain – in my view a must for a Microsoft activation page. Inspecting the details, I found out the site contains mixed content (an image contained within the site was delivered via http). The content of the site was also delivered by Cloudflare (I’ve never noticed that case for MS websites before). The image flagged in the mixed content issue was the Microsoft logo, shown within the site's header, transferred via http.

The certificate was issued by Go Daddy (a US company) and expires in March 2017. I’ve never noticed that Go Daddy belongs to Microsoft. I came across Go Daddy while analyzing a phishing campaign months ago. A compromised server, used as a relay by a phishing campaign, has been hosted (according to Whois records) by Go Daddy. But my takedown notice sent to Go Daddy has never been answered. That set all the alarm bells ringing in my head, because it’s a typical behavior used in phishing sites.

Also my further findings didn’t calm the alarm bells in my head. The subdomain microsoft used above doesn’t belong to a Microsoft domain; it points to a domain gointeract.io. Trying to obtain details about the owner of gointeract.io via WhoIs ended with the following record.

    Domain : gointeract.io
    Status : Live
    Expiry : 2021-03-14
    NS 1 : ns-887.awsdns-46.net
    NS 2 : ns-1211.awsdns-23.org
    NS 3 : ns-127.awsdns-15.com
    NS 4 : ns-1980.awsdns-55.co.uk
    Owner OrgName : Jacada
    Check for 'gointeract.sh' --- http://www.nic.sh/go/whois/gointeract.sh
    Check for 'gointeract.ac' --- http://www.nic.ac/go/whois/gointeract.ac

Pretty short, isn’t it? No Admin c, no contact person, and Microsoft isn’t mentioned at all, but the domain has been registered till 2021. The Owner OrgName Jacada was unknown to me. Searching the web didn’t give me more insights at first.

Overall, the whole site looks obscure to me. The tiny text, shown within the browser’s lower left corner, was a hyperlink. The German edition of the “Self Service for Mobile” site opens a French Microsoft site – the English site opens an English Microsoft site.

My first conclusion was: Hell, I was tricked by a phishing comment – somebody set up this site to grab installation ids of Office users. So I deactivated the link within the comment and I posted a warning within my German blog post, not to use this “Self Service for Mobile” site. I also tried to contact the user, who has posted the comment, via e-mail.

… but “Microsoft” provides these links …

User JaDz responded immediately in an additional comment, and wrote that the link shortened via bit.ly had been sent from Microsoft via SMS – after he tried the telephone activation and selected the option to activate via a mobile device. I hadn't noticed that before – so my conclusion was: Hell, this obscure “Self Service for Mobile” site is indeed related to Microsoft.

Then I started a web search again, but this time with the keywords Jacada and Microsoft. Google showed several hits, pointing to the site jacada.com (see screenshot below). It seems that Jacada is a kind of service provider for several customers. I wasn’t able to find Microsoft within the customer reference. But I know that Microsoft used external services for some activities. Now I suppose that somebody from Jacada set up the “Self Service for Mobile” activation site. The Ajax code used is obviously able to communicate with Microsoft’s activation servers and obtain an activation id. And Microsoft’s activation mechanism provides an option to send the bit.ly link via SMS.

Closing words: Security by obscurity?

At this point I was left really puzzled. We are not talking about a startup located within a garage. We are dealing with Microsoft, a multi-billion company, that claims to run highly secured and trustable cloud infrastructures world wide. But what’s left, after we wipe off the marketing stuff?

The Office activation via telephone is broken (Microsoft confirmed that, after it was reported by customers!). A customer who needs to activate a legally owned, but re-installed, Microsoft Office is facing a nasty situation. Telephone activation is refused, and the customers will be (wrongly) notified that this option is no longer supported. Internet activation is refused due to “too many online activations” – well done.

But we are not finished yet. They set up a “Self Service for Mobile” activation site in a way that is frequently used by phishers. They are sending links via SMS to this site requesting to enter sensitive data like install ids. A site that is using mixed content via https, and is displaying an activation id. In my eyes a security nightmare. But maybe I’ve overlooked or misinterpreted something. If you have more insights or an idea, or if my assumptions are wrong, feel free to drop a comment. I will try to reach out and ask Microsoft for a comment about this issue.

Article in German
Source
Alternate Source reading - AskWoody: Born: Office activation site controlled by a non-Microsoft company
  6. Four in Five Britons Fearful Trump Will Abuse their Data More than three-quarters of Britons believe incoming US President Donald Trump will use his surveillance powers for personal gain, and a similar number want reassurances from the government that data collected by GCHQ will be safeguarded against such misuse. These are the headline findings from a new Privacy International poll of over 1600 Brits on the day Trump is inaugurated as the 45th President of the most powerful nation on earth. With that role comes sweeping surveillance powers – the extent of which was only revealed after NSA whistleblower Edward Snowden went public in 2013. There are many now concerned that Trump, an eccentric reality TV star and gregarious property mogul, could abuse such powers for personal gain. That’s what 78% of UK adults polled by Privacy International believe, and 54% said they had no trust that Trump would use surveillance for legitimate purposes. Perhaps more important for those living in the United Kingdom is the extent of the information sharing partnership between the US and the UK. Some 73% of respondents said they wanted the government to explain what safeguards exist to ensure any data swept up by their domestic secret services doesn’t end up being abused by the new US administration. That fear has become even more marked since the passage of the Investigatory Powers Act or 'Snoopers’ Charter', which granted the British authorities unprecedented mass surveillance and hacking powers, as well as forcing ISPs to retain all web records for up to 12 months. Privacy International claimed that although it has privately been presented with documents detailing the info sharing partnership between the two nations, Downing Street has so far refused to make the information public. 
The rights group and nine others are currently appealing to the European Court of Human Rights to overturn a decision by the Investigatory Powers Tribunal (IPT) not to release information about the rules governing the US-UK agreement. “UK and the US spies have enjoyed a cosy secret relationship for a long time, sharing sensitive intelligence data with each other, without parliament knowing anything about it, and without any public consent. Slowly, we’re learning more about the staggering scale of this cooperation and a dangerous lack of sufficient oversight,” argued Privacy International research officer, Edin Omanovic. “Today, a new President will take charge of US intelligence agencies – a President whose appetite for surveillance powers and how they’re used put him at odds with British values, security, and its people… Given that our intelligence agencies are giving him unfettered access to massive troves of personal data, including potentially about British people, it is essential that the details behind all this are taken out of the shadows.” Source
  7. Mozilla: The Internet Is Unhealthy And Urgently Needs Your Help Mozilla argues that the internet's decentralized design is under threat by a few key players, including Google, Facebook, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce, and search. Can the internet as we know it survive the many efforts to dominate and control it, asks Firefox maker Mozilla. Much of the internet is in a perilous state, and we, its citizens, all need to help save it, says Mark Surman, executive director of Firefox maker the Mozilla Foundation. We may be in awe of the web's rise over the past 30 years, but Surman highlights numerous signs that the internet is dangerously unhealthy, from last year's Mirai botnet attacks, to market concentration, government surveillance and censorship, data breaches, and policies that smother innovation. "I wonder whether this precious public resource can remain safe, secure and dependable. Can it survive?" Surman asks. "These questions are even more critical now that we move into an age where the internet starts to wrap around us, quite literally," he adds, pointing to the Internet of Things, autonomous systems, and artificial intelligence. In this world, we don't use a computer, "we live inside it", he adds. "How [the internet] works -- and whether it's healthy -- has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies." Surman's call to action coincides with nonprofit Mozilla's first 'prototype' of the Internet Health Report, which looks at healthy and unhealthy trends that are shaping the internet. Its five key areas include open innovation, digital inclusion, decentralization, privacy and security, and web literacy. Mozilla will launch the first report after October, once it has incorporated feedback on the prototype. That there are over 1.1 billion websites today, running on mostly open-source software, is a positive sign for open innovation. 
However, Mozilla says the internet is "constantly dodging bullets" from bad policy, such as outdated copyright laws, secretly negotiated trade agreements, and restrictive digital-rights management. Similarly, while mobile has helped put more than three billion people online today, there were 56 internet shutdowns last year, up from 15 shutdowns in 2015, it notes. Mozilla fears the internet's decentralized design, while flourishing and protected by laws, is under threat by a few key players, including Facebook, Google, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce and search. "While these companies provide hugely valuable services to billions of people, they are also consolidating control over human communication and wealth at a level never before seen in history," it says. Mozilla approves of the wider adoption of encryption today on the web and in communications but highlights the emergence of new surveillance laws, such as the UK's so-called Snooper's Charter. It also cites as a concern the Mirai malware behind last year's DDoS attacks, which abused unsecured webcams and other IoT devices, and is calling for safety standards, rules and accountability measures. The report also draws attention to the policy focus on web literacy in the context of learning how to code or use a computer, which ignores other literacy skills, such as the ability to spot fake news, and separate ads from search results. Source Alternate Source - 1: Mozilla’s First Internet Health Report Tackles Security, Privacy Alternate Source - 2: Mozilla Wants Infosec Activism To Be The Next Green Movement
  8. Chinese Citizens Can Be Tracked In Real Time A group of researchers have revealed that the Chinese government is collecting data on its citizens to an extent where their movements can even be tracked in real-time using their mobile devices. This discovery was made by The Citizen Lab at the University of Toronto's Munk School of Global Affairs who specialize in studying the ways in which information technology affects both personal and human rights worldwide. It has been known for some time that the Chinese government employs a number of invasive tactics to be fully aware of the lives of its citizens. Though Citizen Lab was able to discover that the government has begun to monitor its populace using apps and services designed and run by the private sector. The discovery was made when the researchers began exploring Tencent's popular chat app WeChat that is installed on the devices of almost every Chinese citizen with 800 million active users each month. Citizen Lab found that not only does the app help the government censor chats between users but that it is also being used as a state surveillance tool. WeChat's restrictions even remain active for Chinese students studying abroad. Ronald Deibert, a researcher at Citizen Lab, offered further insight on the team's discovery, saying: "What the government has managed to do, I think quite successfully, is download the controls to the private sector, to make it incumbent upon them to police their own networks". To make matters worse, the data collected by WeChat and other Chinese apps and services is currently being sold online. The Guangzhou Southern Metropolis Daily led an investigation that found that large amounts of personal data on nearly anyone could be purchased online for a little over a hundred US dollars. The newspaper also found another service that offered the ability to track users in real-time via their mobile devices. 
Users traveling to China anytime soon should be extra cautious as to their activities online and should think twice before installing WeChat during their stay. Published under license from ITProPortal.com, a Future plc Publication. All rights reserved. Source
  9. Anti-Tracking Extension Privacy Badger 2.0 Is Out

The Electronic Frontier Foundation released their anti-tracking extension Privacy Badger 2.0 for Firefox, Chrome and Opera yesterday. The extension is designed to prevent online tracking, which is fundamentally different from how ad blockers operate. Instead of blocking scripts outright, Privacy Badger 2.0 will only block trackers. This means that ads may still be displayed, but that the extension puts an end to techniques that sites use to "follow" users around the web.

The add-on places an icon in the browser's main toolbar that you interact with. It highlights the number of trackers that it blocked on a site, and displays options to allow individual trackers, or block domains that the extension did not detect as trackers.

Privacy Badger 2.0

You are probably wondering how Privacy Badger 2.0 differs from the initial Privacy Badger released in 2014, and Privacy Badger 1.0 released in 2015. To find out, we have to dig deep as the EFF's own press release does not shed details on that. We have to look at the add-on stores to find out about the changes.

Support for Firefox's multi-process architecture E10s is probably the biggest improvement over previous versions. Mozilla is still rolling out the feature to devices running the stable version of the Firefox web browser. Compatibility means that you can run Privacy Badger 2.0 alongside multi-process Firefox without major issues.

Privacy Badger 2.0 may also be installed on Firefox Mobile for Android. This goes hand in hand with Privacy Badger sharing a code base now. Existing users of the extension may also notice performance improvements; the EFF refers to them as "huge", but mileage may vary. At least on my system, it is still not super fast.

But there is more. Privacy Badger 2.0 may block WebRTC from leaking local IP addresses. Please note that this feature appears to be only available in the Chrome / Opera version of Privacy Badger 2.0, and not in the Firefox version. You find the option under "general settings" in the Privacy Badger options.

You find the new "manage data" option in the settings as well. This enables you to import or export user data that includes whitelisted domains and filter settings.

Privacy Badger 2.0 blocks so-called HTML5 pings as well in the new version, and will break fewer sites according to the EFF. Last but not least, it will also forget data when private browsing mode or incognito mode are used by the user.

Firefox users reported that the extension breaks Google Docs for them, and there specifically Google Sheets.

Closing Words

Privacy Badger 2.0 is a major release, but it has its issues right now on Firefox. Google Sheets crashing, and WebRTC missing are just two of the reported issues right now that plague the Firefox version of the privacy add-on. If you do use it on Firefox, you better wait until those issues are sorted out before you upgrade to the new version.

Source

Changelog: New features with 2.0 & 2.0.1:

Version 2.0.1 - Firefox Extension:
     • Sanitize origin and action in popup

Version 2.0 of Privacy Badger includes many improvements for users and developers, including:
     • Support for “incognito” or “private” browsing
     • Import/export capabilities, so you can export a backup of what Privacy Badger has learned about your tracker-blocking needs and import that into another browser
     • Fixes to “break” fewer websites, ensuring that you can both block trackers and enjoy rich content
     • Improved user interface translation for non-English-speaking users
     • Blocks to prevent WebRTC from leaking your IP address
     • Blocks to prevent HTML5 "ping" tracking
     • Notable speed improvements (Firefox only)
     • Multiprocess Compatibility (E10S) (Firefox only)
     • A single code base for both the Firefox and Chrome versions

Downloads:
     • Details & FAQ: https://www.eff.org/privacybadger
     • Firefox: https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/
     • Firefox[Optional Direct]: https://www.eff.org/files/privacy-badger-latest.xpi
     • Opera: https://addons.opera.com/en/extensions/details/privacy-badger/?display=ru or https://addons.opera.com/extensions/download/privacy-badger/
     • Chrome: https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp
     • Chromium browsers[Optional Direct]: https://www.eff.org/files/privacy_badger-chrome.crx
  10. Uber Knows Where You Go, Even After Ride Is Over

[Image: Uber's iOS popup asking for new surveillance permissions.]

“We do this to improve pickups, drop-offs, customer service, and to enhance safety.”

As promised, Uber is now tracking you even when your ride is over. The ride-hailing service said the surveillance—even when riders close the app—will improve its service. The company now tracks customers from when they request a ride until five minutes after the ride has ended. According to Uber, the move will help drivers locate riders without having to call them, and it will also allow Uber to analyze whether people are being dropped off and picked up properly—like on the correct side of the street.

"We do this to improve pickups, drop-offs, customer service, and to enhance safety," Uber said. In a statement, the company said:

Uber announced that it would make the change last year to allow surveillance in the app's background, prompting a Federal Trade Commission complaint. (PDF) The Electronic Privacy Information Center said at the time that "this collection of user's information far exceeds what customers expect from the transportation service. Users would not expect the company to collect location information when customers are not actively using the app." The complaint went nowhere.

However, users must consent to the new surveillance. A popup—like the one shown at the top of this story—asks users to approve the tracking. Uber says on its site that riders "can disable location services through your device settings" and manually enter a pickup address.

Uber and the New York Attorney General's office in January entered into an agreement to help protect users' location data. The deal requires Uber to encrypt location data and to protect it with multi-factor authentication.

Source
  11. When you visit a web site in your favorite web browser, it interacts with the web servers in a variety of ways. It sends data to the web server such as the browser name, operating system, browser locale and your geographical location. All this data is then used by the server to offer you the content suitable for your browser or locale. For example, if you visit the Bing or Yahoo search engine web site (e.g. yahoo.com) and you are not from the US, then it will redirect you to the relevant local search engine web site (e.g. yahoo.co.uk).

Unfortunately, some of the web servers also monitor your web browsing habits across multiple sites. With your web browsing data or habits, they can then use it to analyze what people look for and deliver them the advertisement of the products that they might be looking for. Such servers are called tracking servers or just trackers. Although it is pretty much harmless, some people take it as an invasion of their privacy.

Firefox offers to block such tracking servers inside the private browsing mode (also called the incognito mode). You can open a private browsing window in Firefox using the hotkey Ctrl+Shift+P. By default, Firefox blocks only some trackers with bad reputation. But you can change the settings for blocking all the known tracking servers in Firefox. Here is how:

1. Open Firefox browser, type about:preferences#privacy in the address bar and press the Enter key. Alternatively, you can also click on the menu icon (looks like three layered burger), choose Options and then select Privacy section from the left side of the screen.
2. Click on the Change Block List button shown under the Tracking section.
3. You will be shown two options and you can select any of these. One is for blocking only some of the trackers and other is for blocking all of the known trackers.
4. Click on the Save Changes button when done. Restart Firefox web browser for the changes to take effect.
Note that even after you restart Firefox browser, tracking protection will not work in the regular mode unless you have changed some other settings. It will work only in the private browsing mode. Article source
  12. In a presentation today at BlackHat Europe, Oxford University Researchers Piers O’Hanlon and Ravishankar Borgaonkar report that they have discovered two significant privacy flaws in the currently deployed mobile networks, which would allow anyone to track a mobile phone with a minimum of cost and effort.

The flaws relate to the International Mobile Subscriber Identity (IMSI), which is a globally unique identifier stored on the SIM card. It identifies and allows for authentication of a mobile subscriber on the mobile network, and so is a significant and important private identifier, designed to be seen only by the mobile operator, and stored in their subscriber database.

An IMSI catcher is a piece of technology that allows for tracking of specific mobile subscribers based on their IMSI - in a mobile phone, tablet, car or other mobile connected device. Previously, IMSI catchers have been built for specialist uses such as law enforcement. They operate in the highly-regulated licenced mobile spectrum. The new approach uses different techniques, operating in the WiFi bands, which do not need a licence, enabling anyone to make an IMSI catcher using nothing more complex than an ordinary laptop, or any other WiFi device. Using that laptop, and software based on an approach described by the researchers, someone could set up a ‘rogue access point’ masquerading as a well-known auto WiFi network (such as the WiFi available in tube stations), and so lure smartphones in range to connect. Once connected the rogue AP extracts their IMSI.

The flaws exposed by the research are present in most of the current smartphones, but their exploitation depends upon their operator configuration. These flaws have now been reported to both the mobile OS companies (Apple, Google, Microsoft, and Blackberry) and the operators (GSMA). Researchers have been working with them to ensure the future protection of the IMSI, and as a result certain new features have been developed including the inclusion of enhanced privacy mechanisms (conservative peer mode for EAP-SIM/AKA) in Apple’s iOS10.

More Technical Details

The WiFi-based IMSI catcher developed by Piers and Ravishankar relies upon two flaws in the design and deployment of authentication protocols as specified by the 3GPP, which is the main mobile standards body. Specifically, these exist in two access methods specified in [TS 33.234], which both rely upon SIM-based authentication protocols, known as EAP-SIM and EAP-AKA.

The first method is used for access to secured ’Automatic’ (or IEEE 802.1X) WiFi networks, which have become widely deployed by many mobile operators, for example on the London Underground. The problem is that the EAP-SIM interaction is not encrypted and during the course of the protocol exchange the IMSI is revealed when the device first connects to the network so it may be passively observed. The researchers have developed an active attack which allows the IMSI to be forcibly revealed. The automatic connection is facilitated by pre-configured profiles which either get installed automatically or manually. These automatic profiles are provided by the mobile operators for use on iOS, Android and Windows phones.

The second method is utilised for the ’WiFi-Calling’ service which is deployed by a number of operators, and is growing in popularity. The issue with this method is that whilst the connection to the mobile operator’s edge packet data gateway (EPDG) is encrypted during the setup phase of the IP security (IPSec) protocol, unfortunately cryptographic certificates are not used to protect the IMSI exchange. This means that the exchange is susceptible to a man-in-the-middle attack and thus the IMSI may be revealed.
The newly developed approach provides for a new way to track subscribers, but it does not allow for call or data interception as is possible with some conventional IMSI catcher devices. It should also be noted that it is not straightforward to convert an IMSI to the corresponding telephone number as it requires access to the operator subscriber database. Article source
  13. Dystopian corporate surveillance threats today come at us from all directions. Companies offer “always-on” devices that listen for our voice commands, and marketers follow us around the web to create personalized user profiles so they can (maybe) show us ads we’ll actually click. Now marketers have been experimenting with combining those web-based and audio approaches to track consumers in another disturbingly science fictional way: with audio signals your phone can hear, but you can’t. And though you probably have no idea that dog whistle marketing is going on, researchers are already offering ways to protect yourself. The technology, called ultrasonic cross-device tracking, embeds high-frequency tones that are inaudible to humans in advertisements, web pages, and even physical locations like retail stores. These ultrasound “beacons” emit their audio sequences with speakers, and almost any device microphone—like those accessed by an app on a smartphone or tablet—can detect the signal and start to put together a picture of what ads you’ve seen, what sites you’ve perused, and even where you’ve been. Now that you’re sufficiently concerned, the good news is that at the Black Hat Europe security conference on Thursday, a group based at University of California, Santa Barbara will present an Android patch and a Chrome extension that give consumers more control over the transmission and receipt of ultrasonic pitches on their devices. Beyond the abstract creep factor of ultrasonic tracking, the larger worry about the technology is that it requires giving an app the ability to listen to everything around you, says Vasilios Mavroudis, a privacy and security researcher at University College London who worked on the research being presented at Black Hat. “The bad thing is that if you’re a company that wants to provide ultrasound tracking there is no other way to do it currently, you have to use the microphone,” says Mavroudis. 
“So you will be what we call ‘over-privileged,’ because you don’t need access to audible sounds but you have to get them.”

This type of tracking, which has been offered in some form by companies like Silverpush and Shopkick, has hardly exploded in adoption. But it’s persisted as more third party companies develop ultrasonic tools for a range of uses, like data transmission without Wi-Fi or other connectivity.[1] The more the technology evolves, the easier it is to use in marketing. As a result, the researchers say that their goal is to help protect users from inadvertently leaking their personal information. “There are certain serious security shortcomings that need to be addressed before the technology becomes more widely used,” says Mavroudis. “And there is a lack of transparency. Users are basically clueless about what’s going on.”

Currently, Android and iOS do require apps to request permission to use a phone’s microphone. But most users likely aren’t aware that by granting that permission, apps that use ultrasonic tracking could access their microphone—and everything it’s picking up, not just ultrasonic frequencies—all the time, even while they’re running in the background.

The researchers’ patch adjusts Android’s permission system so that apps have to make it clear that they’re asking for permission to receive inaudible inputs. It also allows users to choose to block anything the microphone picks up on the ultrasound spectrum. The patch isn’t an official Google release, but represents the researchers’ recommendations for a step mobile operating systems can take to offer more transparency.

To block the other end of those high-pitched audio communications, the group’s Chrome extension preemptively screens websites’ audio components as they load to keep the ones that emit ultrasounds from executing, thus blocking pages from emitting them.
There are a few old services that the extension can’t screen, like Flash, but overall the extension works much like an ad-blocker for ultrasonic tracking. The researchers plan to post their patch and their extension available for download later this month. Ultrasonic tracking has been evolving for the last couple of years, and it is relatively easy to deploy since it relies on basic speakers and microphones instead of specialized equipment. But from the start, the technology has encountered pushback about its privacy and security limitations. Currently there are no industry standards for legitimizing beacons or allowing them to interoperate the way there are with a protocol like Bluetooth. And ultrasonic tracking transmissions are difficult to secure because they need to happen quickly for the technology to work. Ideally the beacons would authenticate with the receiving apps each time they interact to reduce the possibility that a hacker could create phony beacons by manipulating the tones before sending them. But the beacons need to complete their transmissions in the time it takes someone to briefly check a website or pass a store, and it’s difficult to fit an authentication process into those few seconds. The researchers say they’ve already observed one type of real-world attack in which hackers replay a beacon over and over to skew analytics data or alter the reported behavior of a user. The team also developed other types of theoretical attacks that take advantage of the lack of encryption and authentication on beacons. The Federal Trade Commission evaluated ultrasonic tracking technology at the end of 2015, and the privacy-focused non-profit Center for Democracy and Technology wrote to the agency at the time that “the best solution is increased transparency and a robust and meaningful opt-out system. 
If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking.” By March the FTC had drafted a warning letter to developers about a certain brand of audio beacon that could potentially track all of a users’ television viewing without their knowledge. That company, called Silverpush, has since ceased working on ultrasonic tracking in the United States, though the firm said at the time that its decision to drop the tech wasn’t related to the FTC probe. More recently, two lawsuits filed this fall—each about the Android app of an NBA team—allege that the apps activated user microphones improperly to listen for beacons, capturing lots of other audio in the process without user knowledge. Two defendants in those lawsuits, YinzCam and Signal360, both told WIRED that they aren’t beacon developers themselves and don’t collect or store any audio in the spectrum that’s audible to humans. But the researchers presenting at Black Hat argue that controversy over just how much audio ultrasonic tracking tools collect is all the more reason to create industry standards, so that consumers don’t need to rely on companies to make privacy-minded choices independently. “I don’t believe that companies are malicious, but currently the way this whole thing is implemented seems very shady to users,” says Mavroudis. Once there are standards in place, the researchers propose that mobile operating systems like Android and iOS could provide application program interfaces that restrict microphone access so ultrasonic tracking apps can only receive relevant data, instead of everything the microphone is picking up. “Then we get rid of this overprivileged problem where apps need to have access to the microphone, because they will just need to have access to this API,” Mavroudis says. 
For anyone who’s not waiting for companies to rein in what kinds of audio they collect to track us, however, the UCSB and UCL researchers’ software offers a temporary fix. And that may be more appealing than the notion of your phone talking to advertisers behind your back—or beyond your audible spectrum.

[1] Correction 11/3/2016 6:20pm EST: An earlier version of this article stated that the cross-device tracking companies 4Info and Tapad use ultrasonic tracking. Both companies say they don’t use the form of tracking the researchers describe.

Article source
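The article above describes beacons as high-frequency tones that a microphone picks up alongside ordinary sound. As an added example (not part of the article and not the researchers' patch or extension), the sketch below audits a PCM capture for a sustained narrow-band tone in the near-ultrasonic range. The 18-20 kHz band, the thresholds and the constructed test signal are assumptions, since the article gives no frequencies.

```python
"""Flag sustained narrow-band tones in the near-ultrasonic band of a PCM capture."""
import math
import random
from statistics import median

RATE = 44100           # Hz; assumed capture rate
BAND = (18000, 20000)  # Hz; assumed beacon band (the article states no frequencies)
STEP = 100             # Hz between probe frequencies
FRAME = 512            # samples per analysis frame (about 11.6 ms)
MIN_AMP = 0.005        # ignore tones weaker than this (full scale = 1.0)
PEAK_RATIO = 6.0       # peak must stand this far above the in-band median
MIN_FRAMES = 5         # tone must persist for this many consecutive frames


def goertzel_amplitude(frame, freq, rate, window_sum):
    """Amplitude of the sinusoid at `freq` in an already-windowed frame."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2.0 * math.sqrt(max(power, 0.0)) / window_sum


def scan(samples, rate=RATE):
    """Return (start_s, duration_s, freq_hz) for each sustained in-band tone."""
    # A Hann window keeps strong audible content from leaking into the probe band.
    window = [0.5 - 0.5 * math.cos(2 * math.pi * n / FRAME) for n in range(FRAME)]
    window_sum = sum(window)
    probes = range(BAND[0], BAND[1] + 1, STEP)
    hits, run = [], None  # run = [first_frame, frame_count, freq]

    def close(finished):
        if finished and finished[1] >= MIN_FRAMES:
            hits.append((finished[0] * FRAME / rate,
                         finished[1] * FRAME / rate, finished[2]))

    for idx in range(len(samples) // FRAME):
        chunk = samples[idx * FRAME:(idx + 1) * FRAME]
        frame = [x * w for x, w in zip(chunk, window)]
        amps = [goertzel_amplitude(frame, f, rate, window_sum) for f in probes]
        peak = max(amps)
        freq = probes[amps.index(peak)]
        # A beacon is narrow-band: one probe towers over the rest of the band.
        # Broadband noise raises every probe, so its peak/median ratio stays low.
        tonal = peak >= MIN_AMP and peak >= PEAK_RATIO * median(amps)
        if tonal and run and abs(freq - run[2]) <= STEP:
            run[1] += 1
        else:
            close(run)
            run = [idx, 1, freq] if tonal else None
    close(run)
    return hits


def constructed_capture(beacon, noise=0.01, seed=7, seconds=0.3, rate=RATE):
    """Constructed test audio: two audible tones plus uniform noise, and
    optionally a faint 18.5 kHz tone switched on for frames 8 through 19."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * rate)):
        t = n / rate
        x = 0.4 * math.sin(2 * math.pi * 440 * t)
        x += 0.3 * math.sin(2 * math.pi * 2500 * t)
        x += rng.uniform(-noise, noise)
        if beacon and 8 * FRAME <= n < 20 * FRAME:
            x += 0.03 * math.sin(2 * math.pi * 18500 * t)
        out.append(x)
    return out


if __name__ == "__main__":
    for label, audio in (("with tone", constructed_capture(True)),
                         ("audible only", constructed_capture(False)),
                         ("loud broadband noise", constructed_capture(False, noise=0.3))):
        print(label, scan(audio))
```

The persistence and peak-to-median checks are what keep loud but broadband high-frequency content (hiss, jingling keys) from being reported as a beacon.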
  14. Yahoo's Spying Billboard: It Would ID You, Watch And Listen To Your Reactions To Ads Yahoo's idea is for the billboard's ad content to be based on real-time information about a crowd of people, who could be commuters on a train platform. Yahoo is exploring a smart billboard that would use microphones, cameras and other sensors to bring targeted advertising to outdoor displays. Hacked web giant Yahoo has filed a patent application for the ultimate ad-targeting system: a billboard that uses sensors to watch, listen and capture biometric data from the passing public. Yahoo, still in damage control from this week's claims that it helped the government spy on its email users, has filed a patent for smart technology that brings online ad-targeting capabilities to public billboards. The billboards would have cameras, microphones, motion-proximity sensors, and biometric sensors, such as fingerprint or retinal scanning, or facial recognition, according to the patent, which was filed last year but published on Thursday. The sensors would be used to measure engagement of passers-by. "For example, image data or motion-proximity sensor data may be processed to determine whether any members of the audience paused or slowed down near the advertising content, from which it may be inferred that the pause or slowing was in response to the advertising content (eg, a measurement of 'dwell time')," Yahoo writes. It could also use image or video data to determine whether any individuals looked directly at the advertising content. Alternatively, "Audio data captured by one or more microphones may be processed using speech-recognition techniques to identify keywords relating to the advertising that are spoken by members of the audience." As Yahoo explains, the ability to personalize ads for smartphones has made mobile the most efficient place to use marketing budgets, whereas digital displays in public spaces, which still attract ad dollars, remain stuck on old technology. 
But instead of individualizing ads, Yahoo's idea would be to 'grouplize', where ad content is based on real-time information about a crowd of people, who could be commuters on a train platform or cars passing by a freeway billboard. In the freeway scenario, the billboard would be placed near traffic sensors that detect the number of vehicles passing, their speed, and time of day. It might also use video to capture images of vehicles, and use image recognition to determine the maker and model of vehicles to distill demographic data. The billboard may also use cell-tower data, mobile app location data, or image data to "identify specific individuals in the target audience, the demographic data (eg, as obtained from a marketing or user database) which can then be aggregated to represent all or a portion of the target audience". Alternatively, it could use vehicle GPS systems to identify specific vehicles and vehicle owners. "Those of skill in the art will appreciate from the diversity of these examples the great variety of ways in which an aggregate audience profile may be determined or generated using real-time information representing the context of the electronic public advertising display and/or additional information from a wide variety of sources," Yahoo notes. It sees potential for the system to be integrated with existing online ad exchanges, allowing advertisers to reach across devices with the same ads. It also envisages extending the online ad model of auctioning billboard space to the highest bidder, with content determined by the group's characteristics. However, if the smart billboards did their job of "grouplizing" a group of young adult males, it might display a risqué dating site ad, Yahoo says. This approach might be acceptable to some on a phone, but dangerous on the freeway. 
Yahoo says it has an answer for this issue: "Any advertising content including video could, for example, be eliminated from the pool of available content or modified to remove video components." In May, New York Senator Charles Schumer called on the Federal Trade Commission to investigate the use of 'spying billboards', which he described as popping up in cities across the country. He warned that such technology may represent a violation of privacy rights, because of the way it tracks the individual's cell phone data, and constitute a deceptive trade practice. Source
  15. Swiss Vote to Give Their Government More Spying Powers Swiss approve new surveillance law with 66.5% majority Last year, the country's parliament passed a law that allowed its secret service, FIS (Federal Intelligence Service), more powers to snoop on emails, tap phones, or use hidden cameras and microphones. Such technologies and investigative procedures are common practice in other countries, but they have been outlawed by the strict Swiss government. New surveillance law passed in 2015, implementation delayed The law, which the government argued it was needed after the devastating Paris ISIS attacks, was contested by privacy groups and the Swiss leftist political parties, which delayed its implementation and forced it into a country-wide referendum that took place this Sunday. The Swiss population made their voice heard over the weekend and concerned with the ever-increasing threat from terrorist groups have voted to sacrifice some of their privacy for the sake of security. Switzerland, next to Germany and the northern Scandinavian countries, has some of the strictest privacy laws in Europe. So much so that it took Google years to get permission to map out the country via its Street View service. Swiss secret service will need special authorization on a per-case basis FIS, who handles both internal and external cyber-espionage operations, will need special authorization from a court, the defense ministry, and the cabinet if they are to launch internal surveillance operations. According to SwissInfo, opponents of this law struggled in winning the older generation on their side, who mostly voted for the new surveillance laws. The publication also noted the little attention the campaign got in the media, with most of the attention focusing on another topic included in the three-vote referendum, related to a 10 percent boost to the country's old age pension fund. 
The population voted against an increase of the pension fund just because it would add an extra strain on the state's budget. The third issue was related to Switzerland increasing its green economy, which citizens also voted down. Source
  16. Delete Google Maps? Go Ahead, Says Google, We'll Still Track You Google Play services need constant location info Google, it seems, is very, very interested in knowing where you are at all times. Users have reported battery life issues with the latest Android build, with many pointing the finger at Google Play – Google's app store – and its persistent, almost obsessive need to check where you are. Amid complaints that Google Play is always switching on GPS, it appears Google has made it impossible to prevent the app store from tracking your whereabouts unless you completely kill off location tracking for all applications. You can try to deny Google Play access to your handheld's location by opening the Settings app and digging through Apps -> Google Play Store -> Permissions, and flipping the switch for "location." But you'll be told you can't just shut out Google Play services: you have to switch off location services for all apps if you want to block the store from knowing your whereabouts. It's all or nothing, which isn't particularly nice. This is because Google Play services pass on your location to installed apps via an API. The store also sends your whereabouts to Google to process. Google doesn't want you to turn this off. It also encourages applications to become dependent on Google's closed-source Play services, rather than use the interfaces in the open-source Android, thus ensuring that people continue to run Google Play on their devices. It's a similar story over at Google Maps. Although it makes far more sense for Maps to have access to your location, the latest build doesn't give you a decent option of turning it off. If you do cut off Maps' access to your location, "basic features of your device may no longer function as intended," the operating system warns. Needless to say, this is not making some users very happy. 
Security researcher Mustafa Al-Bassam reported on Twitter that he "almost had a heart attack" when he walked into a McDonald's and was prompted on his phone to download the fast food restaurant's app. Al-Bassam dug into his phone's apps to figure out how that had happened, and was amazed to find that his suspected culprit – Google Maps – was not responsible. It was Google Play that had monitored his location thousands of times. So, the options are not great: you can either delete both Google Maps and Google Play, or you have to repeatedly turn your phone's location services on and off as required throughout the day, which is extremely irritating. "Kind of defeats the purpose of fine-grained privacy controls," Al-Bassam noted, adding: "Google is encouraging developers to use the Play location API instead of the native Android API, making an open OS dependent on proprietary software." Google was not available for comment. Source
  17. We are pleased to announce the release of Ghostery 7, the long-awaited and newest edition of our free browser extension. Ghostery gives you the tools to see, understand, and block/unblock tracking technologies (called trackers) on the sites you visit, giving you a cleaner, faster, and safer browsing experience. Ghostery 7 was designed and developed using the tremendous feedback we have received from our vibrant community, including months of user testing, hundreds of emails to our support desk, and thousands of survey responses. All sorts of users - from first time users to casual users to experts - wanted a browser extension that fit their individual needs and levels of use. Well, we heard you loud and clear! The result is an extension that combines a cleaner, simpler, and easier-to-understand interface with powerful new and enhanced features, the best of both worlds. The browser extension provides greater insight into trackers and the websites that host them. If you’d like to try Ghostery 7 for yourself, it is available for Chrome, Firefox, and Opera today and will be coming soon to Edge. If you’d like to learn more, let’s break down what is new in Ghostery 7. Improved UI With Ghostery 7, we created a user interface that is simple and easy to understand for beginners, but that still offers advanced functionality and data points for more knowledgeable users. To achieve this, we did two things. First, we increased the size of the panel to give us more real estate to show information, while still keeping the interface clean. Second, we divided the extension into a right-side information pane, with our granular list of trackers, and a collapsable left-side summary pane, with high-level information and functionality. The information pane shows a cleaner, more compact version of our classic tracker list. 
This groups the trackers into high-level categories such as Advertising and Site Analytics, making it easier for a user to quickly learn about the different trackers on a page. In this list, users can block and unblock trackers across the web or on specific pages, as well as get additional detail and information for each tracker. Additionally, users can collapse the information panel if they want to hide this information. The summary panel features a colored tracker donut that gives a visual overview of how many trackers are in each category, while also doubling as a click-to-select filter for the tracker list. It also includes page-level actions such as Trust Site (unblock all on site) and Restrict Site (block all on site), as well as Pause Ghostery, which disables all blocking. The summary view makes it easier for beginners and more casual users to manage their preferences from one site to the next. Enhanced Features for Account Holders If you’re keen on getting a little more juice out of Ghostery 7, you can access enhanced features and functionality by creating an account. These features include: The ability to sync settings across browsers and devices Alerts for slow and non-secure trackers Detected URLs for each tracker, a feature that provides additional intelligence and insight for the power user A sneak peek at our Trackermap product; with one free scan a month, users can visually map all the tracker relationships on a page for greater insight Tracker Alerts Time and time again, we heard from our users that they needed help deciding what to block and when. To provide this much-needed help, we are proud to introduce alerts for broken-pages, and slow and non-secure trackers. Broken page alerts will let users know when they’re blocking a tracker that might be necessary for the website to work properly. 
Slow and non-secure tracker alerts (available to account holders) will let users know when a tracker is either slowing a site down or making a nonsecure call from a secure page. These alerts allow users to make informed decisions about what to block and when. Improved Purple Box Nothing polarizes our user base like the purple box, the real-time list of trackers that populates on the lower right-hand corner of the screen. A lot of users love it and a lot of users hate it. With Ghostery 7, we think the purple box is now easier to love and harder to hate, with a new UI that lets a user quickly collapse it or hide it when they don’t want it and expand it when they want to dig in and get additional information. For those that never want to see it, it’s easy to disable the purple box from the settings within the extension itself. Other Features Additional features that we think some users will find helpful - and don’t want to get lost in the flurry of new stuff - include: Local settings directly in the extension itself, which means that users no longer have to navigate to a web UI if they want to change their preferences. Links in the menu to submit new trackers and report broken pages with just one click, making it easier for our community of passionate users to help us make Ghostery even better. Send Us Your Feedback If you try Ghostery 7 and have thoughts or ideas, we’d love to hear from you (no, really, we would). If you experience a problem or a defect (e.g., Ghostery is making my computer explode) please email us immediately at [email protected] If you have general feedback about stuff you like or don’t like, you can share those thoughts with us at [email protected] Article source
  18. BBC Vans Are Coming For You Pinch, punch: The license change requiring you to have actually shelled out the £145.50 for colour television (only £49 for monochrome) to watch BBC programmes on demand comes into effect today. As we reported earlier this month, claims that the BBC would be sending vans about the UK to sniff Britons' wireless networks for infringing viewers may be somewhat overstated. Keep it legal, guys. Source
  19. Opera VPN Launches For Android Opera Software released its free VPN application for Android today after making it available to iOS devices earlier this year. The company's journey as a VPN provider started with its acquisition of SurfEasy VPN. Opera Software promoted services of SurfEasy shortly thereafter in the Opera desktop browser, and launched a free browser proxy back in April 2016. The iOS application followed in May, and today saw the release of the Android application. Opera VPN for Android is a VPN client that is free to use. It is provided by SurfEasy, an Opera company. Tip: Check out the privacy policy and terms of use before you start using the service. Basically, what it states is that you may not use it to break the law or the rights of others, that the service may be limited, modified or discontinued at any time, and that you may be contacted for limited marketing purposes. Opera VPN for Android Installation of the application is straightforward. Since it is a VPN, you will receive a request to set up a VPN connection on the device. You must accept it or won't be able to use the service at all. The app displays a short introduction to the features that it makes available. Basically, it offers three features that you may activate from within the app: Connect to the VPN network. Opera VPN connects to the closest region automatically, but displays options to switch the region once connected. Regions that were available during the test were Canada, USA, Netherlands, Germany, and Singapore. Wi-Fi Security. You may use this feature to test the security of the wireless network your Android device is connected to. Opera VPN displays the name of the WLAN and its ID, and whether it is protected or not on the screen. The test performs additional look ups and awards a security score at the end (one when connected regularly, and one when connected to Opera VPN). Guardian. Guardian can be activated to block ad trackers when you are online. 
The connection speed was quite good during tests but mileage may vary based on the location you connect to the service, the region you connect to, load at that time and other factors. A quick test playing videos on YouTube and other services showed that playback was fluent and without buffering issues or other issues. Since it is a VPN app that runs in the background, all applications you use tunnel their traffic through it. Closing Words Opera VPN is a free VPN app for Android that does not look that different than other free VPN apps for Android. The inclusion of the WiFi security test -- with the foreseeable result that the connection is more secure when you use Opera VPN -- and the system-wide tracker blocker are nice to have features. If you trust Opera Software, there is little reason not to use the company's VPN applications as well. Paid solutions on the other hand offer better privacy, whereas other free solutions usually don't. Source
  20. Browser-Based Fingerprinting: Implications And Mitigations

Malware authors will leverage every tool and trick they can to keep their operations in complete stealth mode. Fingerprinting gives them this extra edge to hide from security researchers and run large campaigns almost completely undetected. To describe it succinctly, fingerprinting makes use of an information disclosure flaw in the browser that allows an attacker to read the user’s file system and look for predefined names.

There are plenty of examples on how successful fingerprinting can be; we covered some in our research whitepaper back in March 2016, Operation Fingerprinting, but even that was just the tip of the iceberg. More recently, researchers at Proofpoint uncovered a massive malvertising campaign that ran for at least a year and probably more, which allowed for a very large number of malware infections. It heavily relied on fingerprinting to go unnoticed by carefully targeting genuine users, running bona fide OEM computers.

Figure 1: Fingerprinting used in a malvertising campaign, hidden as a GIF image

Certainly, this is a lesson to learn for the defense side to up our game in the face of increased sophistication in online attacks. At the same time, we could easily remove a powerful weapon from the bad guy’s toolsets, which would lead to more rapid identification of their campaigns, at least until they come up with another trick.

There are also privacy implications as fingerprinting could be used to profile users, based on a list of programs present on their machines. We can imagine marketing folks from company A being interested to know if visitors to their website are running product from company B.

Figure 2: A simple iframe can check if Norton Antivirus is installed

This is trivial to do with a single line of code (currently unpatched, keep reading for additional details), although it would certainly raise eyebrows in how it’s done. Less scrupulous actors might be interested in spying on persons of interest and check if they are running specific tools such as VPNs or encryption software.

A little bit of history on some troublesome protocols

Abusing Internet Explorer protocols has allowed malware authors to either run malicious code or gain information about their victims. Here we review some past and present techniques including one that is currently unpatched and used in exploit kits and malvertising attacks.

File:// protocol

If we go back in time, before XP’s Service Pack 2, the local machine zone (LMZ) allowed you to run binaries without restrictions via another protocol, the file:// protocol.

Figure 3: Microsoft fixed a flaw that allowed to run binaries in IE6 and earlier.

The file:// protocol was literally running in the local machine zone, with full privileges. From your evil webpage you could do: <iframe src="file://c:/downloads/malicious.html"></iframe> and after instantiating a WScript.Shell, you could do a full remote code execution.

XMLDOM loadXML (CVE-2013-7331)

Back in 2013, a researcher revealed how Microsoft XMLDOM in IE can divulge information of local drive/network in error messages – XXE. This technique was/is used in the wild by various exploit kits as well as in some malvertising campaigns. The XMLDOM technique is the most powerful one for fingerprinting purposes as it allows for any type of file (not just binaries) to be checked for. Microsoft fixed the issue with XMLDOM checks. See tweet and following discussion here. For a proof of concept code: https://pastebin.com/raw/Femy8HtG.

Onload res:// CVE-2015-2413

res:// is an internal IE protocol running in the Internet Zone (even for local files) that allows webpages to load resources from local files (from the resource section). At the same time, IE considers many of these res: URLs “special” and it allows them to do things like opening the Internet Connection Dialog (and much more). Microsoft allows res:// URLs to be loaded by normal HTTP webpages because IE/Edge need them for various parts of the browser’s functionality, like default error or information pages. It was added to the Magnitude EK, as a pre-check on its gate, but is now patched as well. The res technique isn’t as good as the XMLDOM one as it can only check for binaries, as it needs their resource section.

Figure 4: Image created from a script using onload to detect if the resource was loaded

Iframe res:// variant (unpatched)

Affected software:
Operating System: Windows 7, Windows 10 (both fully patched).
Browsers: Internet Explorer 10, 11. Microsoft Edge (38.14393.0.0) & Microsoft EdgeHTML (14.14393).

Note: For Microsoft Edge, fingerprinting will only work in the Windows and Program Files folders, as the AppContainer doesn’t allow read access to other parts of the system.

Figure 5: Determining the presence of calc.exe under %system32% from a website.

Current use in exploit kits: We studied the way Neutrino EK filters security researchers via the same Flash exploit it uses to exploit and infect a system (Neutrino EK: fingerprinting in a Flash) as well as one of its pre-gate checks (Neutrino EK: more Flash trickery).

Figure 6: iframes checking for local files

Using ActionScript within the Flash exploit, Neutrino EK can check on those loadable resources and guess via JavaScript and DOM events if those files exist.

Disclaimer: we are not sharing our proof of concept publicly as Microsoft is currently working on a patch. While it’s true that it is in the wild, the PoC we wrote is derived from Neutrino’s Flash-based fingerprinting and a lot easier to copy/paste for other bad guys to reuse. If you are interested, please contact us privately.

Mitigations

A good mitigation to the abuse of this problem would be to allow IE to load resource files that are used only by IE such as mshtml.dll, ieframe.dll, and a few more. All the other ones should be blocked! In other words, iexplore.exe (or any other binary using the WebBrowser Control) should be allowed to load only the resources that are really needed by the WebBrowser engine, and no more. The only legitimate uses of the res: protocol are IE internal pages/dialogs and maybe old toolbars. DevTools (F12) also uses it.

Figure 7: Some res:// calls in Microsoft Edge

Some old toolbars that are relying on res:// might stop working but they can whitelist those particular DLLs or even better, let the developers update their code.

Conclusion

Information disclosure bugs seem to linger and resurface quickly after they have been patched. This is probably due to the core issue not being fundamentally addressed perhaps because of compatibility risk in making any drastic change. While these flaws are not critical compared to, let’s say remote code execution, they can help bad guys to save those RCEs for genuine victims and hide them from the security community much longer.

Acknowledgements

I would like to say a big thank you to Manuel Caballero for inspiring me to dig deeper into this issue. Thanks to Eric Lawrence for additional checks in Edge and affected paths.

Source
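A defender-side check built on the mitigation described in the article above, as an added example that is not part of the original post or of any vendor's code: it scans captured page markup for res:// and file:// references and flags every res:// module other than the two DLLs the article names. The sample page, its module paths, the `PROBE_THRESHOLD` value and the verdict labels are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Modules the article's mitigation names as needed by the browser engine itself.
# The article says "and a few more"; extending the set is left to the reader.
ALLOWED_RES_MODULES = {"mshtml.dll", "ieframe.dll"}
URL_ATTRS = ("src", "href", "data")
LOAD_EVENTS = {"onload", "onerror"}
# The module part of res://sFile[/sType]/sID ends at the first PE-style extension.
MODULE_RE = re.compile(r"^res://(.+?\.(?:exe|dll|ocx|cpl|mui))(?=[/\\?#]|$)", re.I)
PROBE_THRESHOLD = 3  # assumption: this many distinct local modules = probing


def res_module(url):
    """Return the normalised module path of a res:// URL, or None."""
    decoded = unquote(url.strip())
    if not decoded.lower().startswith("res://"):
        return None
    match = MODULE_RE.match(decoded)
    path = match.group(1) if match else decoded[6:].split("/", 1)[0]
    # Keep the directory part: only a bare "ieframe.dll" is allow-listed,
    # not a same-named file under some other folder.
    return path.replace("\\", "/").lower()


class LocalRefScanner(HTMLParser):
    """Collects references from page markup to local res:// and file:// targets."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        load_hook = bool(LOAD_EVENTS & attr_map.keys())
        for name in URL_ATTRS:
            if name not in attr_map:
                continue
            url = unquote(attr_map[name].strip())
            scheme = url.split(":", 1)[0].lower()
            if scheme == "res":
                target = res_module(url)
                if target in ALLOWED_RES_MODULES:
                    continue
            elif scheme == "file":
                target = url[5:].lstrip("/").lower()
            else:
                continue
            self.findings.append({
                "line": self.getpos()[0], "tag": tag, "scheme": scheme,
                "target": target, "load_hook": load_hook,
            })


def scan_page(html):
    """Return a verdict plus the individual findings for one captured page."""
    scanner = LocalRefScanner()
    scanner.feed(html)
    scanner.close()
    probed = sorted({f["target"] for f in scanner.findings if f["scheme"] == "res"})
    if len(probed) >= PROBE_THRESHOLD:
        verdict = "likely-fingerprinting"
    elif scanner.findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "probed_modules": probed, "findings": scanner.findings}


# Constructed sample of a page body as a proxy or crawler would capture it.
SAMPLE_PAGE = """<html><body>
<img src="https://cdn.example.test/banner.gif">
<iframe src="res://ieframe.dll/dnserror.htm"></iframe>
<iframe src="res://C:%5CProgram%20Files%5CExampleAV%5Cexampleav.exe/placeholder" onload="mark(1)"></iframe>
<iframe src="res://c:/program files/examplevpn/examplevpn.exe/placeholder"></iframe>
<IFRAME SRC="RES://c:/windows/system32/drivers/examplevm.dll/placeholder"></IFRAME>
<iframe src="file://c:/downloads/malicious.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE)
    print(report["verdict"])
    for finding in report["findings"]:
        print(finding)
```

The same allow-list logic can run in a web proxy or in a crawler that vets ad creatives, where a remote page referencing several unrelated local binaries is a strong signal of pre-infection filtering.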
  21. Google Does Not Give Up: YouTube Next Social Network? If rumors are to be believed, Google plans to introduce a feature called Backstage on YouTube that adds social networking features to the site. Google tried to establish a social networking site several times in the past to compete with the almighty Facebook. But even the company's latest endeavor in the social space, Google Plus, did not work out as planned. If you consider that Google went all in that time, forcefully integrating Google Plus in many of the company services, and pushing it on its prime properties such as Google Search, it is not far-off to call Google Plus a failure. One of the properties graced with forceful Google Plus integration was YouTube. Google made the decision to replace YouTube's commenting system with Google Plus, angering millions of YouTube users in the process. Google decided to abandon the Google Plus project some time ago. While it is still available, traces of Google Plus on other Google properties are slowly being removed again. The company has not given up yet on conquering the social networking space though. Its latest plan? Use a billion user site that already exists for that. That site is YouTube, and if reports are correct, it could soon get a lot more social on the site. YouTube Backstage VentureBeat reports that Google may plan to introduce an internal feature called Backstage to YouTube that lets users share photos, links, text posts, videos, and polls with their subscribers. Google may launch this as a limited trial for select YouTube accounts first and may go from there. According to VentureBeat, Backstage will be visible next to the Home and Videos tabs on YouTube, and posts made to channels will appear in subscriber feeds and notifications. Subscribers may reply to posts through various means including posting videos of their own, but also by text or images. Backstage will introduce new types of posts to YouTube. 
Google plans to differentiate between regular videos and Backstage videos. The latter allows channels to push videos only to subscribers and not to users discovering the channel through search or other means. Backstage is an internal project currently and it is unclear if and when it will be made available. While YouTube is highly popular when it comes to video publishing and watching, it lacks in the social department. While users may post comments under videos or channels, there is little in terms of communication going elsewhere. There is a send message option when you open the about page of a channel, but it is almost hidden from sight. Closing Words Adding more social components to YouTube, even if only for a limited number of channels and publishers in the beginning, may improve interaction on the site. It is unclear how the move will impact Google Plus, but seeing the service being reduced to a crumble, it would not surprise me one bit if Google would announce its retirement in the near future. As far as I'm concerned, I go to YouTube to watch videos, not to communicate. That's my personal preference though, and judging from the large number of comments on the site, others see it differently. Now You: What's your take on this? Source
  22. The number of third parties sending information to and receiving data from popular websites each time you visit them has increased dramatically in the past 20 years, which means that visitors to those sites may be more closely watched by major corporations and advertisers than ever before, according to a new analysis of Web tracking. A team from the University of Washington reviewed two decades of third-party requests by using Internet Archive’s Wayback Machine. They found a four-fold increase in the number of requests logged on the average website from 1996 to 2016, and say that companies may be using these requests to more frequently track the behavior of individual users. They presented their findings at the USENIX Security Conference in Austin, Texas, earlier this month. The authors—Adam Lerner and Anna Kornfeld Simpson, who are both PhD candidates, along with collaborators Tadayoshi Kohno and Franziska Roesner—found that popular websites make an average of four third-party requests in 2016, up from less than one in 1996. However, those figures likely underestimate the prevalence of such requests because of limitations of the data contained within the Wayback Machine. Roesner calls their findings “conservative.” For comparison, a study by Princeton computer science researcher Arvind Narayanan and colleagues that was released in January looked at one million websites and found that top websites host an average of 25 to 30 third parties. Chris Jay Hoofnagle, a privacy and law scholar at UC Berkeley, says his own research has found that 36 of the 100 most popular sites send more than 150 requests each, with one site logging more than 300. The definition of a tracker or a third-party request, and the methods used to identify them, may also vary between analyses. “It’s not so much that I would invest a lot of confidence in the idea that there were X number of trackers on any given site,” Hoofnagle says of the University of Washington team’s results. 
“Rather, it’s the trend that’s important.” Most third party requests are made through cookies, which are snippets of information that are stored in a user’s browser. Those snippets enable users to automatically log in or add items to a virtual shopping cart, but they can also be recognized by a third party as the user navigates to other sites. For example, a national news site called todaysnews.com might send a request to a local realtor to load an advertisement on its home page. Along with the ad, the realtor can send a cookie with a unique identifier for that user, and then read that cookie from the user’s browser when the user navigates to another site where the realtor also advertises. In addition to following the evolution of third party requests, the team also revealed the dominance of players such as Google Analytics, which was present on nearly one-third of the sites analyzed in the University of Washington study. In the early 2000s, no third party appeared on more than 10 percent of sites. And back then, only about 5 percent of sites sent five or more third party requests. Today, nearly 40 percent do. But there’s good news, too: pop-up browser windows seem to have peaked in the mid-2000s. Narayanan says he has noticed another trend in his own work: consolidation within the tracking industry, with only a few entities such as Facebook or Google’s DoubleClick advertising service appearing across a high percentage of sites. “Maybe the world we’re heading toward is that there’s a relatively small number of trackers that are present on a majority of sites, and then a long tail,” he says. Many privacy experts consider Web tracking to be problematic, because trackers can monitor a user’s behavior as they move from site to site. Combined with publicly-available information from personal websites or social media profiles, this behavior can enable retailers or other entities to create identity profiles without a user’s permission. 
“Because we don’t know what companies are doing on the server side with that information, for any entity that your browser talks to that you didn’t specifically ask it to talk to, you should be asking, ‘What are they doing?’” Roesner says. But while every Web tracker requires a third-party request, not every third-party request is a tracker. Sites that use Google Analytics (including IEEE Spectrum) make third-party requests to monitor how content is being used. Other news sites send requests to Facebook so the social media site can display its “Like” button next to articles and permit users to comment with their accounts. That means it’s hard to tell from this study whether tracking itself has increased, or if the number of third-party requests has simply gone up. Modern ad blockers can prevent sites from installing cookies and have become popular with users in recent years. Perhaps due in part to this shift, the authors also found that the behaviors that third parties exhibit have become more sophisticated and wider in scope. For example, a new tactic avoids the use of cookies by recording a user’s device fingerprints, or identifiable characteristics such as screen size of their smartphone, laptop, or tablet. When they began their analysis, the University of Washington researchers were pleased to find that the Wayback Machine could be used to track cookies and device fingerprinting through its storage of the original JavaScript code, which allows them to determine which JavaScript APIs are called on each website. Therefore, a user who is perusing the archived version of a site in the Wayback Machine winds up making all the same requests that the site was programmed to make at the time. The researchers embedded their tool, which they call TrackingExcavator, in a Chrome browser extension and configured it to allow pop-ups and cookies. 
They instructed the tool to inspect the 500 most popular sites, as ranked by Amazon’s Web analytics subsidiary Alexa, for each year of the analysis. As it browsed the sites, the system recorded third-party requests and cookies, and the use of particular JavaScript APIs known to assist with device fingerprinting. The tool visited each site twice, once to “prime” the site and again to analyze whether requests were sent. Until now, the team says academic researchers hadn’t found a way to study Web tracking as it existed before 2005. Hoofnagle of UC Berkeley says that using the Wayback Machine was a clever approach and could inspire other scholars to mine archival sites for other reasons. “I wish I had thought of this,” he says. “I’m totally kicking myself.” Still, there are plenty of holes in the archive that limit its usefulness. For example, some sites prohibit automated bots such as those used by the Wayback Machine from perusing them. Article source
  23. Kickass Torrents’ owner Artem Vaulin has been arrested but the way Apple, Facebook and Coinbase helped the US authorities to track Vaulin back to Europe sounds like some script from a James Bond movie! Kickass Torrents fans should already know that its 30-year-old alleged owner, Artem Vaulin, has been arrested in Poland by the US authorities on suspicions of reproducing and distributing copyrighted content worth $1 billion. Vaulin, who is a Ukrainian national, was supposedly running Kickass Torrents platform behind the scene for the last 8 years leaving no trace marks whatsoever. However, there are some more details about his arrest that are coming to the fore and they are shocking. They include both tech giant Apple Inc. and social media giant Facebook. It all started when an undercover agent from Internal Revenue Service (IRS) disguising as an advertiser contacted Kickass Torrents to put an advert on the site, after a while the agent was successful in placing an ad on the site allowing him to have access to a Latvia-based bank account linked with the Kickass website. Upon further investigations, the US authorities discovered an email address that was linked to the Kickass Torrents domain plus its social media accounts including Mark Zuckerberg’s very own Facebook. Later on, Apple provided complete records of Vaulin’s purchase activities on iTunes store from an email hosting on @me.com. The records provided by Apple showed that someone made a legal purchase from iTunes using the same email address using the same IP address that was also being used to login on to Facebook in order to handle Kickass Torrents’ official Facebook page. But, that’s not all, the authorities also tracked Bitcoin donation process of KAT which was linked to Coinbase, a Bitcoin exchange company headquartered in San Francisco, California. 
The records provided by Coinbase revealed further information about Vaulin such as: After receiving further information from different sources the US authorities were able to arrest the man behind the mask Artem Vaulin in Poland. For the time being several other Kickass Torrents domains are popping up online but it’s a matter of time before authorities shut them down as well. Currently, KAT fans have ThePirateBay.org to enjoy and in case you want to read the 50-page criminal complaint on Vaulin’s arrest filed by the U.S Attorney’s Office click here. Article source
  24. Why Surfing Porn in Browser’s Incognito Mode Is Not Safe Browsing for porn in your browser’s Incognito mode might not be as private as you think Last week we had reported why logging out of Facebook while surfing porn websites is good because Facebook tracks users through the ‘Like’ and ‘Share’ buttons on those webpages. Carrying on the research a little further, we present another fact you didn't know. Surfing porn in any browser’s Incognito Mode doesn't make your porn habits private. It is a fact that Incognito mode doesn't save history but that's the only protection it grants you. 99 out of 100 Google Chrome users think surfing porn in Incognito users. Admit it, you use your browser's Incognito window to surf porn yourself. Why surfing in Incognito is not private? Opening a private or incognito browser in your app of choice – either Google Chrome, Mozilla Firefox, Apple Safari or Microsoft Edge and Internet Explorer – only ensures your computer does not remember your online activity. As said above, any web browser will make sure your web searches and online history are not visible the next time you log in. However that doesn't mean that Incognito surfing is private or anonymous. Your Incognito browsing is stored by your ISP, your company and eventually your browser company. Your internet service provider – or ISP – is able to monitor every webpage and search made from your house. Try opening your bank account or email webpage in Incognito mode. You will find that the data like your user name and password are filled up despite the Incognito mode not saving your data. It is a fact that most browsers pull data from the local machine to fill such details in both normal as well as Incognito mode. Google has been very up-front about surfing in Chrome browser Incognito mode. “Going incognito doesn’t hide your browsing from your employer, your internet service provider or the websites that you visit.” Google has warned. 
Actually signing into your Gmail account in Incognito mode makes Google’s job of tracking your porn surfing habits that much easier. If you haven’t disabled or paused your account’s Google Web History – you are able to log-in and track your activity there, too. What about other browsers? Most browsers do the same thing that Google does. Like Google, Mozilla Firefox uses an almost-identical disclaimer on its private browsing mode. But again, “while this computer won’t have a record of your browsing history, your employer or internet service provider can still track the pages you visit.” Then there is something called Super Cookies. Some porn websites use something called Super Cookies which are able to track your movements across the web even when you are browsing in private mode. Super Cookies are like the regular, a lightweight software sits on a website and fingerprints users who visit the page. When you return to that particular page again at a later date, the website is able to track the entirety of the users’ activity between the two visits. Considering the above facts, it is unwise to think that your Incognito mode porn surfing habits are either private or anonymous. If you really want to be anonymous, use VPN but don't be under the impression that your Incognito browsing records are private. Source
  25. Photo Reveals Even Zuckerberg Tapes His Webcam And Microphone For Privacy What do you do to protect your 'Privacy' and keep yourself safe from potential hackers? Well, Facebook CEO Mark Zuckerberg just needs a bit of tape to cover his laptop webcam and mic jack in order to protect his privacy. Yes, Zuck also does the same as the FBI Director James Comey. Zuckerberg posted a photo on Tuesday to celebrate Instagram's 500 Million monthly user milestone, but the picture ended up revealing another security measure he takes to ensure that nobody is spying on him – and it's surprisingly simple. Some eagle-eyed observers quickly noticed that the MacBook Pro on Zuckerberg's desk in the background of the image has the tape covering not only the webcam, but also the laptop's dual microphones. While some tried to argue that it was not Zuckerberg's desk, Gizmodo pointed out that Zuckerberg has posted videos, live streams and images from there before, so it seems like a safe assumption. So, Zuckerberg joins FBI director James Comey and NSA whistleblower Edward Snowden, who admitted that they tape their webcams. Although some called this move paranoid, taping up your webcam is a simple and excellent precaution that costs nothing and has appeared many times in the past. Keeping aside the controversies over Zuck's move, taping your laptop's webcam is a good takeaway for you to adopt, because we know the ability of spy agencies, including the FBI and NSA (National Security Agency), to turn on webcams to spy on targets. Edward Snowden leaks revealed Optic Nerve - the NSA's project to capture webcam images every five minutes from random Yahoo users. In just 6 months, 1.8 Million users' images were captured and stored on the government servers in 2008. However, putting a tape over your webcam would not stop hackers or government spying agencies from recording your voice, but, at least, this would prevent them watching or capturing your live visual feeds. Source Alternate Source