Privacy

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com) 81

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Security

Why Hackers Reuse Malware (helpnetsecurity.com) 16

Orome1 shares a report from Help Net Security: Software developers love to reuse code wherever possible, and hackers are no exception. While we often think of different malware strains as separate entities, the reality is that most new malware recycles large chunks of source code from existing malware with some changes and additions (possibly taken from other publicly released vulnerabilities and tools). This approach makes sense. Why reinvent the wheel when another author already created a working solution? While code reuse in malware can make signature-based detection methods more effective in certain cases, more often than not it frees up time for attackers to do additional work on detection avoidance and attack efficacy -- which can create a more dangerous final product.

There are multiple reasons why hackers reuse code when developing their own malware. First, it saves time. By copying code wherever possible, malware authors have more time to focus on other areas, like detection avoidance and attribution masking. In some cases, there may be only one way to successfully accomplish a task, such as exploiting a vulnerability. In these instances, code reuse is a no-brainer. Hacker also tend to reuse effective tactics such as social engineering, malicious macros and spear phishing whenever possible simply because they have a high rate of success.

Firefox

Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation (bleepingcomputer.com) 83

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertisers loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.

Social Networks

We Can't Trust Facebook To Regulate Itself, Says Former Operations Manager (nytimes.com) 89

schwit1 shares an op-ed on the New York Times by Sandy Parakilas, a former operations manager on the platform team at Facebook: Sandy Parakilas led Facebook's efforts to fix privacy problems on its developer platform in advance of its 2012 initial public offering. What I saw from the inside was a company that prioritized data collection from its users over protecting them from abuse. As the world contemplates what to do about Facebook in the wake of its role in Russia's election meddling, it must consider this history. Lawmakers shouldn't allow Facebook to regulate itself. Because it won't (Editor's note: the link could be paywalled; alternative source). Facebook knows what you look like, your location, who your friends are, your interests, if you're in a relationship or not, and what other pages you look at on the web. This data allows advertisers to target the more than one billion Facebook visitors a day. It's no wonder the company has ballooned in size to a $500 billion behemoth in the five years since its I.P.O. The more data it has on offer, the more value it creates for advertisers. That means it has no incentive to police the collection or use of that data -- except when negative press or regulators are involved. Facebook is free to do almost whatever it wants with your personal information, and has no reason to put safeguards in place. The company just wanted negative stories to stop. It didn't really care how the data was used. Facebook took the same approach to this investigation as the one I observed during my tenure: react only when the press or regulators make something an issue, and avoid any changes that would hurt the business of collecting and selling data. This makes for a dangerous mix: a company that reaches most of the country every day and has the most detailed set of personal data ever assembled, but has no incentive to prevent abuse. Facebook needs to be regulated more tightly, or broken up so that no single entity controls all of its data. The company won't protect us by itself, and nothing less than our democracy is at stake.
Iphone

10-Year-Old Boy Cracks the Face ID On Both Parents' IPhone X (wired.com) 286

An anonymous reader writes: A 10-year-old boy discovered he could unlock his father's phone just by looking at it. And his mother's phone too. Both parents had just purchased a new $999 iPhone X, and apparently its Face ID couldn't tell his face from theirs. The unlocking happened immediately after the mother told the son that "There's no way you're getting access to this phone."

Experiments suggest the iPhone X was confused by the indoor/nighttime lighting when the couple first registered their faces. Apple's only response was to point to their support page, which states that "the statistical probability is different...among children under the age of 13, because their distinct facial features may not have fully developed. If you're concerned about this, we recommend using a passcode to authenticate." The boy's father is now offering this advice to other parents. "You should probably try it with every member of your family and see who can access it."

And his son just "thought it was hilarious."

Crime

Apple Is Served A Search Warrant To Unlock Texas Church Gunman's iPhone (nydailynews.com) 435

An anonymous reader quotes the New York Daily News: Authorities in Texas served Apple with a search warrant in order to gain access to the Sutherland Springs church shooter's cellphone files. Texas Ranger Kevin Wright obtained the warrant last week, according to San Antonio Express-News.

Investigators are hoping to gain access to gunman Devin Patrick Kelley's digital photos, messages, calls, videos, social media passwords, address book and data since January 2016. Authorities also want to know what files Kelley stored in his iCloud account.

Fast Company writes that "it's very likely that Apple will give the Rangers the same answer it gave the FBI in 2016 (in effect, hell no!)... That may be why, in the Texas case, the FBI and the Rangers didn't even bother calling Apple, but rather went straight to court."
The Military

Massive US Military Social Media Spying Archive Left Wide Open In AWS S3 Buckets (theregister.co.uk) 84

An anonymous reader quotes a report from The Register: Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages -- all scraped from around the world by the U.S. military to identify and profile persons of interest. The archives were found by veteran security breach hunter UpGuard's Chris Vickery during a routine scan of open Amazon-hosted data silos, and these ones weren't exactly hidden. The buckets were named centcom-backup, centcom-archive, and pacom-archive. CENTCOM is the common abbreviation for the U.S. Central Command, which controls army operations in the Middle East, North Africa and Central Asia. PACOM is the name for U.S. Pacific Command, covering the rest of southern Asia, China and Australasia.

"For the research I downloaded 400GB of samples but there were many terabytes of data up there," he said. "It's mainly compressed text files that can expand out by a factor of ten so there's dozens and dozens of terabytes out there and that's a conservative estimate." Just one of the buckets contained 1.8 billion social media posts automatically fetched over the past eight years up to today. It mainly contains postings made in central Asia, however Vickery noted that some of the material is taken from comments made by American citizens. The databases also reveal some interesting clues as to what this information is being used for. Documents make reference to the fact that the archive was collected as part of the U.S. government's Outpost program, which is a social media monitoring and influencing campaign designed to target overseas youths and steer them away from terrorism.

Television

FCC Approves Next-Gen ATSC 3.0 TV Standard (reuters.com) 153

New submitter mikeebbbd writes: "U.S. regulators on Thursday approved the use of new technology that will improve picture quality on mobile phones, tablets and television, but also raises significant privacy concerns by giving advertisers dramatically more data about viewing habits," reports Reuters. ATSC3.0 will apparently make personal data collection and targeted ads possible. New TVs will be necessary, and broadcasters will need to transmit both ATSC 2.0 (the current standard) for 3 to 5 years before turning off the older system. For now, the conversion is voluntary. There appears to be no requirement (as there was when ATSC 2.0 came out) for low-cost adapter boxes to make older TVs work; once a channel goes ATSC 3.0-only, your old TV will not display it any more.
Privacy

Germany Bans Children's Smartwatches (bbc.com) 44

A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices. From a report: It had previously banned an internet-connected doll called, My Friend Cayla, for similar reasons. Telecoms regulator the Federal Network Agency urged parents who had such watches to destroy them. One expert said the decision could be a "game-changer" for internet-connected devices. "Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids' GPS tracking watches - the very watches that are supposed to help keep them safe," said Ken Munro, a security expert at Pen Test Partners.
Privacy

Why is this Company Tracking Where You Are on Thanksgiving? (theoutline.com) 97

Earlier this week, several publications published a holiday-themed data study about how families that voted for opposite parties spent less time together on Thanksgiving, especially in areas that saw heavy political advertising. The data came from a company called SafeGraph that supplied publications with 17 trillion location markets for 10 million smartphones. A report looks at the bigger picture: The data wasn't just staggering in sheer quantity. It also appears to be extremely granular. Researchers "used this data to identify individuals' home locations, which they defined as the places people were most often located between the hours of 1 and 4 a.m.," wrote The Washington Post. The researchers also looked at where people were between 1 p.m. and 5 p.m. on Thanksgiving Day in order to see if they spent that time at home or traveled, presumably to be with friends or family. "Even better, the cellphone data shows you exactly when those travelers arrived at a Thanksgiving location and when they left," the Post story says. To be clear: This means SafeGraph is looking at an individual device and tracking where its owner is going throughout their day. A common defense from companies that creepily collect massive amounts of data is that the data is only analyzed in aggregate; for example, Google's database BigQuery, which allows organizations to upload big data sets and then query them quickly, promises that all its public data sets are "fully anonymized" and "contain no personally-identifying information." In multiple press releases from SafeGraph's partners, the company's location data is referred to as "anonymized," but in this case they seem to be interpreting the concept of anonymity quite liberally given the specificity of the data.
Social Networks

Report Claims That 18 Nation's Elections Were Impacted By Social Engineering Last Year (bbc.com) 233

sqorbit writes: Independent watchdog group Freedom House released a report that claims that 18 nation's elections were "hacked." Of the 65 countries that Freedom House monitors, 30 appear to be using social media in order to affect elections by attempting to control online discussions. The report covers fake news posts, paid online opinion writers and trolling tactics. Other items in the report speak to online censorship and VPN blocking that blocks information within countries to interfere with elections. The report says net freedom could be aided by: large-scale programs that showed people how to spot fake news; putting tight controls on political adverts; and making social media giants do more to remove bots and tune algorithms to be more objective.
Security

Bluetooth Hack Affects 20 Million Amazon Echo, Google Home Devices (thehackernews.com) 40

In September, security researchers discovered eight vulnerabilities -- codenamed collectively as BlueBorne -- in the Bluetooth implementations used by over 5.3 billion devices. We have now learned that an estimated 20 million Amazon Echo and Google Home devices are also vulnerable to attacks leveraging the BlueBorne vulnerabilities. The Hacker News reports: Amazon Echo is affected by the following two vulnerabilities: a remote code execution vulnerability in the Linux kernel (CVE-2017-1000251); and an information disclosure flaw in the SDP server (CVE-2017-1000250). Since different Echo's variants use different operating systems, other Echo devices are affected by either the vulnerabilities found in Linux or Android. Whereas, Google Home devices are affected by one vulnerability: information disclosure vulnerability in Android's Bluetooth stack (CVE-2017-0785). This Android flaw can also be exploited to cause a denial-of-service (DoS) condition. Since Bluetooth cannot be disabled on either of the voice-activated personal assistants, attackers within the range of the affected device can easily launch an attack. The security firm [Armis, who disclosed the issue] notified both Amazon and Google about its findings, and both companies have released patches and issued automatic updates for the Amazon Echo and Google Home that fixes the BlueBorne attacks.
Privacy

Federal Extreme Vetting Plan Castigated By Tech Experts (apnews.com) 160

An anonymous reader shares an Associated Press report: Leading researchers castigated a federal plan that would use artificial intelligence methods to scrutinize immigrants and visa applicants, saying it is unworkable as written and likely to be "inaccurate and biased" if deployed. The experts, a group of more than 50 computer and data scientists, mathematicians and other specialists in automated decision-making, urged the Department of Homeland Security to abandon the project, dubbed the "Extreme Vetting Initiative." That plan has its roots in President Donald Trump's repeated pledge during the 2016 campaign to subject immigrants seeking admission to the United States to more intense ideological scrutiny -- or, as he put it, "extreme vetting." Over the summer, DHS published a "statement of objectives" for a system that would use computer algorithms to scan social media and other material in order to automatically flag undesirable entrants -- and to continuously scan the activities of those allowed into the U.S.
Firefox

Firefox Will Block Navigational Data URIs as Part of an Anti-Phishing Feature (bleepingcomputer.com) 64

Catalin Cimpanu, writing for BleepingComputer: Mozilla will soon block the loading of data URIs in the Firefox navigation bar as part of a crackdown on phishing sites that abuse this protocol. The data: URI scheme (RFC 2397) was deployed in 1998 when developers were looking for ways to embed files in other files. What they came up with was the data: URI scheme that allows a developer to load a file represented as an ASCII-encoded octet stream inside another document. Since then, the URI scheme has become very popular with website developers as it allows them to embed text-based (CSS or JS) files or image (PNG, JPEG) files inside HTML documents instead of loading each resource via a separate HTTP request. This practice became hugely popular because search engines started ranking websites based on their page loading speed and the more HTTP requests a website made, the slower it loaded, and the more it affected a site's SERP position.
Security

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera (wired.com) 106

Security researchers claim to have discovered a flaw in Amazon's Key Service, which if exploited, could let a driver re-enter your house after dropping off a delivery. From a report: When Amazon launched its Amazon Key service last month, it also offered a remedy for anyone who might be creeped out that the service gives random strangers unfettered access to your home. That security antidote? An internet-enabled camera called Cloud Cam, designed to sit opposite your door and reassuringly record every Amazon Key delivery. Security researchers have demonstrated that with a simple program run from any computer in Wi-Fi range, that camera can be not only disabled, but frozen. A viewer watching its live or recorded stream sees only a closed door, even as their actual door is opened and someone slips inside. That attack would potentially enable rogue delivery people to stealthily steal from Amazon customers, or otherwise invade their inner sanctum. And while the threat of a camera-hacking courier seems an unlikely way for your house to be burgled, the researchers argue it potentially strips away a key safeguard in Amazon's security system. When WIRED brought the research to Amazon's attention, the company responded that it plans to send out an automatic software update to address the issue later this week.
Businesses

The Brutal Fight To Mine Your Data and Sell It To Your Boss (bloomberg.com) 75

An anonymous reader shares a report from Bloomberg, explaining how Silicon Valley makes billions of dollars peddling personal information, supported by an ecosystem of bit players. Editor Drake Bennett highlights the battle between an upstart called HiQ and LinkedIn, who are fighting for your lucrative professional identity. Here's an excerpt from the report: A small number of the world's most valuable companies collect, control, parse, and sell billions of dollars' worth of personal information voluntarily surrendered by their users. Google, Facebook, Amazon, and Microsoft -- which bought LinkedIn for $26.2 billion in 2016 -- have in turn spawned dependent economies consisting of advertising and marketing companies, designers, consultants, and app developers. Some operate on the tech giants' platforms; some customize special digital tools; some help people attract more friends and likes and followers. Some, including HiQ, feed off the torrents of information that social networks produce, using software bots to scrape data from profiles. The services of the smaller companies can augment the offerings of the bigger ones, but the power dynamic is deeply asymmetrical, reminiscent of pilot fish picking food from between the teeth of sharks. The terms of that relationship are set by technology, economics, and the vagaries of consumer choice, but also by the law. LinkedIn's May 23 letter to HiQ wasn't the first time the company had taken legal action to prevent the perceived hijacking of its data, and Facebook and Craigslist, among others, have brought similar actions. But even more than its predecessors, this case, because of who's involved and how it's unfolded, has spoken to the thorniest issues surrounding speech and competition on the internet.
Privacy

Consumers Are Holding Off On Buying Smart-Home Gadgets Due To Security, Privacy Fears (businessinsider.com) 143

According to a new survey from consulting firm Deloitte, consumers are uneasy about being watched, listened to, or tracked by devices they place in their homes. The firm found that consumer interest in connected home technology lags behind their interest in other types of IoT devices. Business Insider reports: "Consumers are more open to, and interested in, the connected world," the firm said in its report. Noting the concerns about smart home devices, it added: "But not all IoT is created equal." Nearly 40% of those who participated in the survey said they were concerned about connected-home devices tracking their usage. More than 40% said they were worried that such gadgets would expose too much about their daily lives. Meanwhile, the vast majority of consumers think gadget makers weren't doing a good job of telling them about security risks. Fewer than 20% of survey respondents said they were very well informed about such risks and almost 40% said they weren't informed at all.
Security

Forbes '30 Under 30' Conference Website Exposed Attendees' Personal Information (vice.com) 12

An anonymous reader shares a Motherboard report: Every year, Forbes' 30 Under 30 list recognizes people blessed with both youth and exceptional talent in their field -- including celebrities, startup founders, doctors, and artists. These are smart, savvy professionals -- and when some of them include information security pros, they're bound to go poking around for vulnerabilities. That's what Yan Zhu, a privacy engineer who made the 2015 list, was doing when she found a gaping privacy hole in the way Forbes handles recipients' personal information. Once you make the list, Yan told me in a Twitter direct message, Forbes asks you to register for its annual Under 30 Summit conference. "They send you a link for conference registration, but it's not tied to your email address," she said. "So you can literally enter anyone's email address who is also a 30 Under 30 member and it shows you their personal info." That information carries over into all future years, she said.
Transportation

Boeing 757 Testing Shows Airplanes Vulnerable To Hacking, DHS Says (aviationtoday.com) 140

schwit1 shares a report from Aviation Today: A team of government, industry and academic officials successfully demonstrated that a commercial aircraft could be remotely hacked in a non-laboratory setting last year, a DHS official said Wednesday at the 2017 CyberSat Summit in Tysons Corner, Virginia. "We got the airplane on Sept. 19, 2016. Two days later, I was successful in accomplishing a remote, non-cooperative, penetration. [Which] means I didn't have anybody touching the airplane, I didn't have an insider threat. I stood off using typical stuff that could get through security and we were able to establish a presence on the systems of the aircraft." Hickey said the details of the hack and the work his team are doing are classified, but said they accessed the aircraft's systems through radio frequency communications, adding that, based on the RF configuration of most aircraft, "you can come to grips pretty quickly where we went" on the aircraft. Patching avionics subsystem on every aircraft when a vulnerability is discovered is cost prohibitive, Hickey said. The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing's 737, it would "bankrupt" them. Hickey said newer models of 737s and other aircraft, like Boeing's 787 and the Airbus Group A350, have been designed with security in mind, but that legacy aircraft, which make up more than 90% of the commercial planes in the sky, don't have these protections.
Google

Why Google Should Be Afraid of a Missouri Republican's Google Probe (arstechnica.com) 231

An anonymous reader quotes a report from Ars Technica: The Republican attorney general of Missouri has launched an investigation into Google's business practices. Josh Hawley wants to know how Google handles user data. And he plans to look into whether Google is using its dominance in the search business to harm companies in other markets where Google competes. It's another sign of growing pressure Google is facing from the political right. Grassroots conservatives increasingly see Google as falling on the wrong side of the culture wars. So far that hasn't had a big impact in Washington policymaking. But with Hawley planning to run for the U.S. Senate next year, we could see more Republican hostility toward Google -- and perhaps other big technology companies -- in the coming years. The Hawley investigation will dig into whether Google violated Missouri's consumer-protection and antitrust laws. Specifically, Hawley will investigate: "Google's collection, use, and disclosure of information about Google users and their online activities," "Google's alleged misappropriation of online content from the websites of its competitors," and "Google's alleged manipulation of search results to preference websites owned by Google and to demote websites that compete with Google." States like Missouri have their own antitrust laws and the power to investigate company business conduct independently of the feds. So Hawley seems to be taking yet another look at those same issues to see if Google's conduct runs afoul of Missouri law.

We don't know if Hawley will get the Republican nomination or win his challenge to Sen. Claire McCaskill (D-Mo.) next year, but people like him will surely be elected to the Senate in the coming decade. Hawley's decision to go after Google suggests that he sees some upside in being seen as an antagonist to a company that conservatives increasingly view with suspicion. More than that, it suggests that Hawley believes it's worth the risk of alienating the GOP's pro-business wing, which takes a dim view of strict antitrust enforcement even if it targets a company with close ties to Democrats.

Slashdot Top Deals