 Your new post is loading...
Your new post is loading...
|
Scooped by
Gust MEES
|
A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent.
US cell carriers are selling access to your real-time phone location data
The company embroiled in a privacy row has "direct connections" to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and Canadian cell networks, too.
Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.
The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone's location silently without their permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.
"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."
The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon.
Xiao said the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers. Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data
|
|
Scooped by
Gust MEES
|
As location-aware advertising goes mainstream—like that Jack in the Box ad that appears whenever you get near one, in whichever app you have open at the time—and as popular apps harvest your lucrative location data, the potential for leaking or exploiting this data has never been higher.
It’s true that your smartphone’s location-tracking capabilities can be helpful, whether it’s alerting you to traffic or inclement weather. That utility is why so many of us are giving away a great deal more location data than we probably realize. Every time you say “yes” to an app that asks to know your location, you are also potentially authorizing that app to sell your data.
Dozens of companies track location and/or serve ads based on this data. They aim to compile a complete record of where everyone in America spends their time, in order to chop those histories into market segments to sell to corporate advertisers.
Marketers spent $16 billion on location-targeted ads served to mobile devices like smartphones and tablets in 2017. That’s 40% of all mobile ad spending, research firm BIA/Kelsey estimates, and it expects spending on these ads to double by 2021.
The data required to serve you any single ad may pass through many companies’ systems in milliseconds—from data broker to ad marketplace to an agency’s custom system. In part, this is just how online advertising works, where massive marketplaces hold ongoing high-speed auctions for ad space. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://gustmees.wordpress.com/2014/03/05/often-asked-questions-are-there-cyber-security-dangers-with-apps-and-whats-about-privacy/
|
|
Scooped by
Gust MEES
|
A secretive special air service base has been inadvertently revealed by a fitness app that has created a heatmap of running routes around the country.
A SAS base in Hereford, along with a nuclear deterrent naval base and the government's spy agency GCHQ has been placed on a heatmap of Strava's customers, including the profiles of several people who regularly run to-and-from the highly sensitive buildings.
The buildings appear on a global, interactive map created by Strava, which is an app that allows users to track cycling or running speeds and distances and share them with friends. But unbeknown to many of its users, Strava has used their location data to in a worldwide heatmap including three trillion coordinates, titled "Where We Play".
"When sensitive sites, such as the GCHQ, are quite literally highlighted by GPS activity, it raises concern not only for the individual connected to the device, but the institution as a whole. The UK’s security services must be hyper-aware of what they’re sharing – regardless of what may be labelled as ‘excluded’ within the device. If a device or application has the capability to share location in any respect, it signifies a breach in security protocols."
Learn more / En savoir plus / Mehr erfahren: https://gustmees.wordpress.com/2012/11/05/naivety-in-the-digital-age/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=wearables
|
|
Scooped by
Gust MEES
|
Insbesondere durch Social Engineering sammeln Cyberkriminelle Informationen, mit deren Hilfe sie Unternehmen ausspähen können, Schadsoftware platzieren oder gleich direkt wie zum Beispiel bei Ransomware Attacken oder durch fälschlicherweise initiierte Geldüberweisungen Unternehmen massiv schädigen. Wir stellen in unseren Analysen immer mehr fest, dass für diverse Angriffsszenarien auch Trackinginformationen herangezogen werden.
Unter folgendem Link können Sie Ihren Browser testen, ob er genügend Schutz gegen unerwünschtes Tracking bietet.
https://datenschutz-agentur.de/ist-ihr-browser-sicher-vor-trackingtechnologien/
Sollte hier aufgezeigt werden, dass Sie identifizierbar sind, sollten Sie geeignete Schutzmaßnahmen gegen das Browser-Tracking ergreifen. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
|
|
Scooped by
Gust MEES
|
|
|
Scooped by
Gust MEES
|
Google has confirmed it has been able to track the location of Android users via the addresses of local mobile phone masts, even when location services were turned off and the sim cards removed to protect privacy.
Revealed by a report by Quartz, Google’s Android system, which handles messaging services to ensure delivery of push notifications, began requesting the unique addresses of mobile phone masts (called Cell ID) at the beginning of 2017.
The information was captured by the phone and routinely sent to Google by any modern Android device, even when location services were turned off and the sim card was removed. As a result Google could in theory track the location of the Android device and therefore the user, despite a reasonable expectation of privacy.
A Google spokesperson said: “In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery.
“However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.” Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
|
|
Scooped by
Gust MEES
|
|
|
|
Scooped by
Gust MEES
|
Spätestens seit dem Cambridge-Analytica-Skandal stehen viele Menschen Facebook skeptisch gegenüber. Wie Forscher nun herausgefunden haben können beim "Login mit Facebook" Skripte von Drittfirmen die Facebook-Identität des Besuchers nachverfolgen.
Wenn ein Internet-Nutzer auf einer Webseite die Funktion "Login mit Facebook" verwendet, gibt er der Webseite, auf der er sich befindet, unter Umständen Zugriff auf sein öffentliches Facebook-Konto. Forscher der Princeton-Universität in den USA warnen nun davor, dass auf dieser Webseite eingebettete Skripte von Dritten ebenfalls Zugriff auf diese Daten haben. Laut den Forschern sammeln Tracker so die Informationen der Webseitenbesucher – in den meisten Fällen wohl ohne dass die betroffene Webseite davon Kenntnis hat. Derartige Scripte fanden sie auf 434 der eine Million meistbesuchten Seiten im Netz.
Die meisten der Dritt-Skripte fragen den Facebook-Namen und die E-Mail-Adresse des Besuchers ab, der sich über Facebook auf der Seite anmeldet. Zwar ist die ID, welche die Skripte abgreifen, erst einmal auf die Anmelde-Routine der besuchten Webseite beschränkt; wie die Forscher zeigen, lassen sich darüber allerdings die öffentlichen Facebook-Informationen des Besuchers extrahieren. Dazu gehört dessen Facebook-Name und sein Profilbild. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Facebook https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
|
|
Scooped by
Gust MEES
|
Google has removed 89 malicious extensions from the Chrome Web Store that have been installed on over 420,000 browsers, turning them into Monero-mining slaves and loading a tool to record and replay what their owners do on every website they visit.
Researchers at Trend Micro dubbed the family of malicious extensions Droidclub and discovered they included a software library with so-called "session-replay scripts" used by online analytics firms.
Princeton's Center for Information Technology in November drew attention to the increasing use of session-replay scripts by third-party analytics firms on high-traffic websites.
The study looked at replay services from Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam, which were found on nearly 500 popular sites.
The scripts allow a site owner to essentially shoulder-surf their visitors by recording and replaying your "keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit".
But instead of allowing a site owner to record and play back what users do on one site, Droidclub extensions allow the attacker to see what victims do on every single site they visit. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=Session-Replay+Scripts
|
|
Scooped by
Gust MEES
|
Die Seiten erfassen einfach alles: was Sie eingeben, wo Sie draufklicken und sogar wohin Sie Ihre Maus bewegen; ähnlich wie ein Keylogger. Für eine Leistungsdiagnose macht vieles davon Sinn: wenn Sie eine Webseite betreiben, die über unzählige Seiten verfügt, müssen Sie herausfinden, was genau die Besucher machen und ob Seiten beschädigt sind oder nicht wie gewollt funktionieren.
Probleme treten allerdings auf, weil die Software in der Lage ist, eine große Informationsmenge zu tracken, die nicht unbedingt nützlich für die Entwickler der Webseite ist und weil Drittparteien Zugriff auf diese Information haben. Eine Forschergruppe der Princeton University berichtete wie folgt über das Phänomen: „Die Sammlung der Seiteninhalte mithilfe von Replay-Skripten von Drittparteien kann dazu führen, dass sensible Informationen wie der Gesundheitszustand des Nutzers, Kreditkartendetails und andere persönliche Informationen als Teil der Erfassung in die Hände von Drittparteien geraten. Das kann dazu führen, dass User zum Beispiel Opfer von Identitätsdiebstahl oder Online-Betrug werden.„
Um mehr über die Funktionsweise derartiger Software zu erfahren, sollten Sie sich folgendes Video ansehen:
Durch diese Art von Aufzeichung werden zusätzliche Informationen offenbart, die den Nutzer im Falle eines Datenlecks gefährden könnten. Der Untersuchung zufolge, kann die Software:
Passwörter aufzeichnen. Obwohl die Entwickler versucht haben, alle Passwörter nach Eingabe sofort zu entfernen, funktionierte dies im Falle der mobilen Version der Seite nur bedingt.
Vertrauliche Daten wie Kreditkartennummern und Geburtsdaten erfassen.
Daten erfassen, die in Textfelder eingegeben werden, auch wenn diese nicht abgeschickt werden – in anderen Worten: selbst dann, wenn Sie nicht auf „Suchen“ oder „Abschicken“ klicken oder die Eingabetaste drücken. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Session-Replay+Scripts
|
|
Scooped by
Gust MEES
|
Des dizaines de sociétés s’insèrent dans des applications banales pour collecter des données, amassant des informations sur des millions de Français.
Par dizaines, ils se nichent dans des applications mobiles utilisées quotidiennement par des millions de Français. Ils capturent discrètement des données, souvent personnelles, sans que les utilisateurs n’en soient nécessairement conscients, alimentant au passage une industrie opaque et méconnue. Certains de ses acteurs disposent de données sur des millions de Français.
Il s’agit de trackers, de petits logiciels incorporés dans des applications mobiles du quotidien (réseaux sociaux, médias, banques, sites de rencontre). Chaque application en compte 2,5 en moyenne, selon une analyse de plus de 350 applications, réalisée par un groupe d’activistes, rassemblés depuis octobre en association, et publiée vendredi 24 novembre sur leur plate-forme baptisée Exodus. Rares sont les applications qui en sont dépourvues et certaines vont jusqu’à en intégrer une quinzaine. Ce paysage n’est pas exhaustif : la plate-forme ne cherche que les trackers qu’elle a préalablement identifiés, soit une quarantaine. Learn more / En savoir plus / Mehr erfahren: https://www.scoop.it/t/securite-pc-et-internet/?&tag=Cyberespionage https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/ https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
|
|
Scooped by
Gust MEES
|
|
|
Scooped by
Gust MEES
|
Malware
Bürgerrechtler haben bereits vor der Silverpush-Software gewarnt, Anti-Viren-Dienstleister sie als Malware eingestuft. Das Entwickler-Kit wird inzwischen von San Francisco aus weiter verbreitet.
Die Forscher haben zudem vergleichbar funktionierende, auf den Handelsbereich ausgerichtete uBeacons von Anbietern wie Lisnr oder Shopkick ausfindig gemacht, aber in deutlich geringerer Anzahl. Ultraschall-Signale von Shopkick konnten sie etwa in vier von 35 untersuchten Läden in zwei europäischen Städten aufzeichnen. Der Unterschied zu Silverpush sei, dass der Nutzer die einschlägige Anwendung absichtlich starte, um sich etwa Einkaufsvorteile vor Ort zu verschaffen. Learn more / En savoir plus / Mehr erfahren: http://www.scoop.it/t/securite-pc-et-internet/?&tag=Android http://www.scoop.it/t/securite-pc-et-internet/?&tag=Apps http://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
|
A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located -- without obtaining their consent.
US cell carriers are selling access to your real-time phone location data
The company embroiled in a privacy row has "direct connections" to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and Canadian cell networks, too.
Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you've probably never heard about before.
The company, LocationSmart, is a data aggregator and claims to have "direct connections" to cell carriers to obtain locations from nearby cell towers. The site had its own "try-before-you-buy" page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone's location silently without their permission.
"Due to a very elementary bug in the website, you can just skip that consent part and go straight to the location," said Robert Xiao, a PhD student at the Human-Computer Interaction Institute at Carnegie Mellon University, in a phone call.
"The implication of this is that LocationSmart never required consent in the first place," he said. "There seems to be no security oversight here."
The "try" website was pulled offline after Xiao privately disclosed the bug to the company, with help from CERT, a public vulnerability database, also at Carnegie Mellon.
Xiao said the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.
Learn more / En savoir plus / Mehr erfahren:
https://gustmees.wordpress.com/2013/12/21/privacy-in-the-digital-world-shouldnt-we-talk-about-it/
https://www.scoop.it/t/securite-pc-et-internet/?&tag=tracking
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy
https://www.scoop.it/t/securite-pc-et-internet/?&tag=Big+Data