 Your new post is loading...
Your new post is loading...
|
Scooped by
Gust MEES
|
Big data is the lynchpin ofnew advances in cybersecurity. Unfortunately, predictive analytics and machine learning technology is a double-edged sword for cybersecurity. Hackers are also exploiting this technology, which means that there is a virtual arms race between cybersecurity companies and black hat cybercriminals.
Datanami has talked about the ways that hackers use big data to coordinate attacks. This should be a wakeup call to anybody that is not adequately prepared.
Black Hat Hackers Exploit Machine Learning to Avoid Detection
Jathan Sadowski wrote an article in The Guardian a couple years ago on the intersection between big data and cybersecurity. Sadowski said big data is to blame for a growing number of cyberattacks.
In the evolution of cybercrime, phishing and other email-borne menaces represent increasingly prevalent threats. FireEye claims that email is the launchpad for more than 90 percent of cyber attacks, while a multitude of other statistics confirm that email is the preferred vector for criminals.
This is largely because of their knowledge of machine learning. They use machine learning to get a better understanding of customers, choose them them more carefully and penetrate defenses more effectively. Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data
|
|
Scooped by
Gust MEES
|
The latest Facebook privacy SNAFU (Situation Normal, All Facebooked Up) is a bug that changed settings on some accounts, automatically suggesting that their updates be posted publicly, even though users had previously set their updates as “private”.
On Thursday, Facebook asked 14 million users to review posts made between 18 May and 22 May: that’s when the bug was changing account settings. Not all of the 14 million users affected by the bug necessarily had their information publicly, mistakenly shared, but best to check.
Facebook Chief Privacy Officer Erin Egan said in a post that as of Thursday, the company had started letting those 14 million people know about the situation. She stressed that the bug didn’t affect anything people had posted before that time, and even then, they could still have chosen their audience like they always have.
Normally, the audience selector is supposed to be sticky: every time you share something, you get to choose who sees it, and the suggestion is supposed to be based on who you shared stuff with the last time you posted. Friends only? Fine, that’s what should be automatically suggested for the next post, and the one after that, until you change it… or a weird little glitch like this pops up. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook
|
|
Scooped by
Gust MEES
|
Spätestens seit dem Cambridge-Analytica-Skandal stehen viele Menschen Facebook skeptisch gegenüber. Wie Forscher nun herausgefunden haben können beim "Login mit Facebook" Skripte von Drittfirmen die Facebook-Identität des Besuchers nachverfolgen.
Wenn ein Internet-Nutzer auf einer Webseite die Funktion "Login mit Facebook" verwendet, gibt er der Webseite, auf der er sich befindet, unter Umständen Zugriff auf sein öffentliches Facebook-Konto. Forscher der Princeton-Universität in den USA warnen nun davor, dass auf dieser Webseite eingebettete Skripte von Dritten ebenfalls Zugriff auf diese Daten haben. Laut den Forschern sammeln Tracker so die Informationen der Webseitenbesucher – in den meisten Fällen wohl ohne dass die betroffene Webseite davon Kenntnis hat. Derartige Scripte fanden sie auf 434 der eine Million meistbesuchten Seiten im Netz.
Die meisten der Dritt-Skripte fragen den Facebook-Namen und die E-Mail-Adresse des Besuchers ab, der sich über Facebook auf der Seite anmeldet. Zwar ist die ID, welche die Skripte abgreifen, erst einmal auf die Anmelde-Routine der besuchten Webseite beschränkt; wie die Forscher zeigen, lassen sich darüber allerdings die öffentlichen Facebook-Informationen des Besuchers extrahieren. Dazu gehört dessen Facebook-Name und sein Profilbild. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
Millions of apps leak personal identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers. “The scale of what we first thought was just specific cases of careless application design is overwhelming,” said Roman Unuchek, security researcher, Kaspersky Lab, who introduced his research here at the RSA Conference on Tuesday. “Millions of applications include third party SDKs, exposing private data that can be easily intercepted and modified – leading to malware infections, blackmail and other highly effective attack vectors on your devices.” Data sent unencrypted over HTTP can be collected by cybercriminals that share the same Wi-Fi network, or by an ISP or even by malware installed on a target’s home router, researchers said. Not only can unprotected data be collected, but it can also be intercepted by a cybercriminal who can modify it to show malicious ads, enticing users to download a trojan application, which turn out to be malware, according to Unuchek. Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
Dès mai prochain, les données personnelles seront mieux protégées en Europe. L'occasion pour de nombreux services de commencer à se poser des questions sur leurs pratiques. Mais comment informer l'internaute sur la réalité des choses ? Nous avons décidé de lancer la réflexion.
Il y a un peu plus de deux ans, nous nous posions une question : et si on dépolluait Internet ? Nous notions en effet depuis plusieurs années que les sites devenaient de plus en plus impraticables du fait d'abus publicitaires et de méthodes douteuses comme la lecture automatique des vidéos ou l'auto-refresh.
Mais cette gêne visuelle en cachait une autre : la collecte massive de données, mise en place à travers les services des géants du Net (Analytics, boutons J'aime, etc.) et d'espaces publicitaires toujours plus automatisés.
Quel avenir voulons-nous pour Internet ?
On le voit aujourd'hui, chaque site peut déposer des dizaines de cookies sans le moindre consentement de l'utilisateur, le tout à travers une centaine de domaines tiers. Pour le vérifier, il n'y a qu'à utiliser des outils comme Kimetrak et regarder les données du navigateur (voir notre dossier).
Ainsi, comme on pouvait le craindre, l'Internet que l'on connaissait il y a 20 ans s'est profondément modifié sur trois points principaux : les plateformes y ont progressivement pris le pouvoir, il y est plus souvent question de commerce que de partage libre des informations et des idées, le tout alimenté par une immense collecte de données personnelles.
Comme c'est le cas dans certaines industries, il existe néanmoins des zones de « résistance ». L'information s'y veut en libre accès, elle doit permettre au plus grand nombre de réfléchir au monde d'aujourd'hui plutôt que suivre les derniers buzz, l'entraide et le travail collaboratif y sont des valeurs centrales et le financement se fait à travers des dons ou des abonnements, l'accès aux données n'étant pas considéré comme un « pétrole à exploiter ».
Malheureusement il n'existe pas vraiment d'élément distinctif fort pour ces sites et services, qui constituent une alternative au tout commercial qui nous entoure désormais dans le World Wide Web.
Un label pour l'Internet propre ?
Faudrait-il créer une sorte d'annuaire ? De label « bio » des services et autres sites en ligne ? Sans doute. Tout du moins faciliter l'accès et la reconnaissance de ces initiatives en fonction d'éléments qui peuvent être facilement vérifiés : structure économique, modèle de financement, trackers, dispositions légales à travers des outils tels que ToS;DR, etc. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/luxembourg-europe/?&tag=GDPR
|
|
Scooped by
Gust MEES
|
Am Beispiel der Gesichtserkennung im neuen iPhone X illustriert der Whistleblower Edward Snowden die Gefahren, denen wir uns schon in naher Zukunft stellen müssen.
Im Rahmen einer Keynote auf der JBFOne, dem IT-Kongress der Fiducia & GAD, warnte Edward Snowden davor, dass Firmen immer mehr Daten anhäufen und ganz offensichtlich nicht in der Lage sind, diese zu schützen. Das zeige gerade aktuell das Beispiel des Fahrdienstes Uber, der erst jetzt zugab, dass ihm 2016 Kundendaten geklaut wurden. Auf der anderen Seite geben Endanwender immer mehr Daten über sich preis. Sie nutzen ganz freiwillig Überwachungs-Gerätschaften, wie sie sich selbst Orwell nicht hätte vorstellen können.
Als Beispiel führte der live aus seinem russischen Exil zugeschaltete Whistleblower das neue iPhone X an. Apples neues Smartphone verfügt über eine eingebaute Gesichtserkennung, die unter anderem zur Authentifizierung des Anwenders genutzt wird. Die sei zwar bereits umgangen worden, aber das sei gar nicht das eigentliche Problem. Das liege vielmehr darin, dass Apple auch Entwicklern von Fremd-Apps Zugriff auf die Daten der intelligenten Gesichtserfassung gewähren will. Und diese werden das missbrauchen, malt Snowden den Teufel an die Wand.
Werbung beobachtet den Anwender Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
|
|
Scooped by
Gust MEES
|
Mit einer Technik namens Session-Replay lassen sich Texteingaben auf Webseiten in Echtzeit erfassen, während sie passieren. Diese Daten werden oft an Drittwebseiten zum Zwecke der Besucheranalyse übermittelt.
Die meisten Webnutzer haben eine Vorstellung davon, dass besuchte Webseiten nachverfolgen, auf welche Links sie geklickt haben und welche Seiten geladen wurden. Viele wissen auch, dass eine große Anzahl an Webseiten diese Informationen mit Drittfirmen teilt – hauptsächlich zu Analyse- und Werbezwecken. Weniger bekannt ist, dass manche Webseiten auch alle Texteingaben speichern, selbst wenn der Nutzer die Daten gar nicht an die Webseite übermittelt. Mit einer Technik namens Session-Replay lassen sich so zum Beispiel auch die Eingaben in Textfeldern mitlesen, die der Nutzer überhaupt nicht abgeschickt hat.
Datenschutz-Funktionen der Dienste mangelhaft
Drei Forscher der Universität Princeton in den USA haben nun versucht, zu quantifizieren, auf wie vielen Webseiten diese Technik im Einsatz ist. Dazu testeten Sie mit den Skripten der beliebtesten Tracking-Firmen, die Session-Replay anbieten. Dabei kam heraus, dass von den laut Alexa meistbesuchten 50.000 Webseiten mindestens 482 ein oder mehr Skripte der Fimen Clicktale, FullStory, Hotjar, UserReplay, SessionCam, Smartlook oder der großen russischen Suchmaschine Yandex einsetzen. Sie schätzen, dass die Dunkelziffer viel höher ist, ihnen aber nicht alle Seiten ins Netz gingen weil Session-Replay oft nicht bei jedem Besucher aktiv ist.
Zwar bieten die meisten dieser Firmen Möglichkeiten an, private Daten von der Erfassung auszuschließen, dabei kommt es aber immer wieder zu Fehlern. Die Forscher fanden zum Beispiel oft Passwörter, obwohl diese explizit nicht erfasst werden sollten. Dazu kommt, dass Nutzer ab und zu Dinge aus ihrer Zwischenablage aus Versehen in Textfelder kopieren. Ist Session-Replay im Einsatz, werden diese Daten erfasst, auch wenn der Nutzer sie sofort wieder löscht. Und auch Daten, die der Nutzer nicht eingegeben hat, aber von der Webseite angezeigt werden, landen in den Händen der Datensammler. Fazit der Forscher: Laufen entsprechende Skripte, kann man sich nicht darauf verlassen, dass Daten nicht aufgezeichnet werden.
Dienstanbieter untergraben SSL-Verschlüsselung Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Session-Replay+Scripts https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
|
|
|
Scooped by
Gust MEES
|
A New York Times investigation has found that apps such as GasBuddy and The Weather Channel are among at least 75 companies getting purportedly “anonymous” but pinpoint-precise location data from about 200 million smartphones across the US.
They’re often sharing it or selling it to advertisers, retailers or even hedge funds that are seeking valuable insights into consumer behavior. One example: Tell All Digital, a Long Island advertising firm, buys location data, then uses it to run ad campaigns for personal injury lawyers that it markets to people who wind up in emergency rooms.
The Times reviewed a database holding location data gathered in 2017 and held by one company, finding that it held “startling detail” about people’s travels, accurate to within a few yards and in some cases updated more than 14,000 times a day. Several of the businesses whose practices were analyzed by the Times claim to track up to 200 million mobile devices in the US.
The data being sold is supposedly anonymous, as in, not tied to a phone number. The Times could still easily figure out who mobile device owners were through their daily routines, including where they live, where they work, or what businesses they frequent. Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data
|
|
Scooped by
Gust MEES
|
A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent.
US cell carriers are selling access to your real-time phone location data
The company embroiled in a privacy row has "direct connections" to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and Canadian cell networks, too.
Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.
The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone's location silently without their permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.
"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."
The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon.
Xiao said the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers. Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data
|
|
Scooped by
Gust MEES
|
A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others -- without the users' knowledge or consent.
Localblox, a Bellevue, Wash.-based firm, says it "automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks." Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.
But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.
The bucket, labeled "lbdumps," contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together. Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
Facebook appears to be getting tougher on people who break its rules.
Hot on the heels of banning the Britain First group from its network, Facebook has announced it has suspended political data analytics firm Cambridge Analytica, and its parent company Strategic Communication Laboratories (SCL).
But the reason for the organisations being blocked from Facebook are very different. Britain First is accused of spreading vile hateful messages about Muslims, but Cambridge Analytica is accused of acquiring the data of more than 50 million Facebook users via an illegitimate route.
Cambridge Analytica is the shady data analytics firm that specialises in “psychographic” profiling. In short, they scoop up data online and use it to create personality profiles for voters.
That knowledge could be extremely useful, as individuals can then be targeted with content targeted to appeal to them, and perhaps influence their behaviour. Maybe even change their likelihood to vote in a particular direction.
Cambridge Analytica is widely credited for helping Donald Trump’s successful campaign on social media to be elected President of the United States. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data https://www.scoop.it/t/securite-pc-et-internet/?&tag=Ethics
|
|
Scooped by
Gust MEES
|
Insbesondere durch Social Engineering sammeln Cyberkriminelle Informationen, mit deren Hilfe sie Unternehmen ausspähen können, Schadsoftware platzieren oder gleich direkt wie zum Beispiel bei Ransomware Attacken oder durch fälschlicherweise initiierte Geldüberweisungen Unternehmen massiv schädigen. Wir stellen in unseren Analysen immer mehr fest, dass für diverse Angriffsszenarien auch Trackinginformationen herangezogen werden.
Unter folgendem Link können Sie Ihren Browser testen, ob er genügend Schutz gegen unerwünschtes Tracking bietet.
https://datenschutz-agentur.de/ist-ihr-browser-sicher-vor-trackingtechnologien/
Sollte hier aufgezeigt werden, dass Sie identifizierbar sind, sollten Sie geeignete Schutzmaßnahmen gegen das Browser-Tracking ergreifen. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
|
|
Scooped by
Gust MEES
|
Hundreds of websites record your scrolling behavior, clicks and movements according to a study recently carried out at Princeton University. Among these are The Guardian, Reuters, Samsung, AlJazeera and WordPress.com.
Most of us are aware that our searches, page views and even page scrolls are documented, but the report sheds light on how intricate that tracking can be. Using something called “session replays,” they record keystrokes and movements a user makes while they navigate a page — basically “looking over your shoulder,” but virtually.
The study, carried out by Princeton’s Center for Information Technology Policy, focused on some of the main companies that offer session replay services: SessionCam, UserReplay, FullStory, Clicktale, Yandex, Smartlook, and Hotjar.
It’s important to understand why this is dangerous — apart from straight-up invading your privacy. The report pointed out that most of these services directly exclude password input fields from recordings, but a lot of the time mobile-friendly forms are not redacted on the recordings, and end up revealing sensitive information, including passwords, credit card numbers, and even credit card security codes.
The report explains, “All of the companies studied offer some mitigation through automated redaction, but the coverage offered varies greatly by provider. UserReplay and SessionCam replace all user input with an equivalent length masking text, while FullStory, Hotjar, and Smartlook exclude specific input fields by type.”
This kind of information is usually shared when a user is signing up for a service or making a payment, and is expected to be completely confidential. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Session-Replay+Scripts https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
Websites Use Session-Replay Scripts to Eavesdrop on Every Keystroke and Mouse Movement
The security researchers at Princeton are posting
You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.
The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.
The researchers will post more details on their blog; I'll link to them when they're published.
Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
|
Big data is the lynchpin ofnew advances in cybersecurity. Unfortunately, predictive analytics and machine learning technology is a double-edged sword for cybersecurity. Hackers are also exploiting this technology, which means that there is a virtual arms race between cybersecurity companies and black hat cybercriminals.
Datanami has talked about the ways that hackers use big data to coordinate attacks. This should be a wakeup call to anybody that is not adequately prepared.
Black Hat Hackers Exploit Machine Learning to Avoid Detection
Jathan Sadowski wrote an article in The Guardian a couple years ago on the intersection between big data and cybersecurity. Sadowski said big data is to blame for a growing number of cyberattacks.
In the evolution of cybercrime, phishing and other email-borne menaces represent increasingly prevalent threats. FireEye claims that email is the launchpad for more than 90 percent of cyber attacks, while a multitude of other statistics confirm that email is the preferred vector for criminals.
This is largely because of their knowledge of machine learning. They use machine learning to get a better understanding of customers, choose them them more carefully and penetrate defenses more effectively.
Learn more / En savoir plus / Mehr erfahren:
https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data