Wednesday, August 3, 2016

Beware! Advertisers Are Tracking You via Mobile Battery Status



Is my smartphone battery leaking details about me?


Unfortunately, YES!


Forget about supercookies, apps, and malware; your smartphone battery status is enough to monitor your online activity, according to a new report.


In 2015, researchers from Stanford University demonstrated a way to track users' locations – with up to 90 percent accuracy – by measuring the battery usage of the phone over a certain time.


The latest threat is much worse.


Two security researchers, Steve Englehardt and Arvind Narayanan, from Princeton University, have published a paper describing how a phone's battery status has already been used to track users across different websites.


The issue is due to the Battery Status API (application programming interface).


How Does Battery Status API Help Advertisers Track You?


The battery status API was first introduced in HTML5 and had already shipped in browsers including Firefox, Chrome, and Opera by August last year.


The API is intended to allow site owners to see the percentage of battery life left on a laptop, tablet, or smartphone in an effort to deliver an energy-efficient version of their sites.


However, researchers warned last year about the API’s potential threat that could turn your battery level into a "fingerprintable" tracking identifier.

The researchers found that the combination of battery life remaining in seconds and battery life as a percentage offers 14 million different combinations, potentially providing a pseudo-unique identifier for each device that can be used to recognise specific devices across the sites they visit.
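The following model, added here as an illustration rather than code from the article or the researchers, shows in Python why the two readings combine into so many values and how coarsening them shrinks the identifier space. The device readings, the level and time ranges, and the rounding steps are all constructed assumptions; the page only states the 14 million figure, not the ranges behind it. The last function is a simple static check a site owner or extension author can run over third-party script text to flag use of the API.

```python
"""Battery Status API fingerprint model and coarsening defence (constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BatteryReading:
    # Mirrors the two BatteryManager fields the research combines:
    # level is a fraction 0.0..1.0, discharging_time is seconds until empty.
    level: float
    discharging_time: int


def raw_identifier(r: BatteryReading) -> tuple:
    """Pseudo-identifier as a tracking script would form it: percent plus seconds."""
    return (round(r.level * 100), r.discharging_time)


def coarsened_identifier(r: BatteryReading, level_step: int = 10, time_step: int = 900) -> tuple:
    """Mitigation: quantise level to 10% steps and discharging time to 15-minute buckets
    (assumed step sizes), so many devices share the same value."""
    pct = round(r.level * 100)
    return (pct - pct % level_step, r.discharging_time - r.discharging_time % time_step)


def identifier_space(level_values: int, max_seconds: int, level_step: int = 1, time_step: int = 1) -> int:
    """Upper bound on distinct identifiers for a given resolution of both readings."""
    return (level_values // level_step) * (max_seconds // time_step)


def distinct_count(readings, fn) -> int:
    """How many devices in `readings` remain distinguishable under identifier function `fn`."""
    return len({fn(r) for r in readings})


# Detection: flag script text that reads the Battery Status API.
BATTERY_API_PATTERN = re.compile(r"navigator\s*\.\s*(getBattery\s*\(|battery\b)")


def uses_battery_api(script_source: str) -> bool:
    return BATTERY_API_PATTERN.search(script_source) is not None


# Constructed readings for five devices observed at the same moment.
DEVICES = [
    BatteryReading(0.43, 5123),
    BatteryReading(0.43, 5181),
    BatteryReading(0.47, 5600),
    BatteryReading(0.91, 14022),
    BatteryReading(0.12, 1299),
]

if __name__ == "__main__":
    # Assumed ranges: 101 percentage values, discharge times up to ~39 hours.
    print("raw identifier space:", identifier_space(101, 140_000))
    print("coarsened identifier space:", identifier_space(101, 140_000, 10, 900))
    print("devices distinguishable raw:", distinct_count(DEVICES, raw_identifier))
    print("devices distinguishable coarsened:", distinct_count(DEVICES, coarsened_identifier))
    print("tracker script flagged:", uses_battery_api("navigator.getBattery().then(b => beacon(b.level))"))
```

The point of the two counts is that the raw readings separate every device in the sample, while the coarsened readings already collide for the two devices at 43% with discharge times a minute apart; a browser that reports only coarse values gives a tracker little to work with.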


Now, last year's research has grown into a proper threat.



Advertisers Are Tracking You via your Battery Status


One of those researchers, Lukasz Olejnik, published a blog post this week saying that companies are already leveraging the potential of this battery status information.

"Some companies may be analyzing the possibility of monetising the access to battery levels," he writes. "When a battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."
Olejnik highlighted the latest research by Englehardt and Narayanan, who discovered two tracking scripts running on the Internet at large scale that take advantage of the Battery Status API and are currently tracking users.


The duo explains that they observed the behavior of two actual scripts and suggested that companies and other entities are perhaps leveraging this technique for their own purposes.

"These features are combined with other identifying features used to fingerprint a device," the researchers write in their paper titled, "Online Tracking: A 1-million-site measurement and analysis."
For in-depth information, you can head on to the research paper [PDF].


Here comes the worst part of this attack:


There's hardly any way to mitigate this attack. Nothing works: deleting browser cookies or using VPNs and ad blockers will not solve your problem.


The only option is to plug your smartphone into the mains.

Over two months ago, Uber's head of economic research Keith Chen said the company had been monitoring the battery life of its users, as it knows users are more likely to pay a much higher price to hire a cab when their phone's battery is close to dying.

Tuesday, July 26, 2016

France Warns Microsoft to Stop Collecting Windows 10 Users' Personal Data



We have heard a lot about privacy concerns surrounding Windows 10 and accusations that Microsoft collects too much data about users without their consent.


Now, the French data protection authority has ordered Microsoft to stop it.


France's National Data Protection Commission (CNIL) issued a formal notice on Wednesday, asking Microsoft to "stop collecting excessive data" as well as "tracking browsing by users without their consent."


The CNIL, Commission Nationale de l’Informatique et des Libertés, ordered Microsoft to comply with the French Data Protection Act within 3 months; if it fails to do so, the commission will issue a sanction against the company.


Moreover, the CNIL notified Microsoft that the company must also take "satisfactory measures to ensure the security and confidentiality" of its users' personal data.


The notice comes after a series of investigations between April and June 2016 by French authorities, revealing that Microsoft was still transferring data to the United States under the "Safe Harbor" agreement that a European court invalidated in October last year.



Allegations on Windows 10


The CNIL's list of complaints about Windows 10 does not end there, as it goes on to read:




  • Microsoft is collecting data on "Windows app and Windows Store usage data," along with monitoring the apps its users download and the time spent on each app, which according to the CNIL is irrelevant and "excessive" data collection.
  • Microsoft is also criticized for its lack of security, since there is no limit set on the number of guesses for entering the four-digit PIN used to protect your Microsoft account.
  • After Windows 10 installation, Microsoft also activates a user's advertising ID by default, which enables Windows apps as well as other third-party apps to monitor user browsing history and to offer targeted ads "without obtaining users' consent."
  • Windows 10 does not give you any option to block cookies.
  • And as I mentioned above, Microsoft is transferring its users' personal data to the United States under the "Safe Harbor" agreement.
In a statement, the CNIL said: "It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory)."

Microsoft Response on the CNIL Notice


Microsoft has responded to the notice, saying the company is happy to work with the CNIL to "understand the agency's concerns fully and to work toward solutions that it will find acceptable."


What's more interesting is that Microsoft does not deny the allegations set against it, does nothing to defend Windows 10's excessive data collection, and fails to address the privacy concerns the CNIL raises.


However, the tech giant does address concerns about the transfer of its users' personal data to the U.S. under the "Safe Harbor" agreement, saying that "the Safe Harbor framework is no longer valid for transferring data from the European Union to the United States."


The company says it still complies with the Safe Harbor agreement up until the adoption of Privacy Shield.


"Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and US representatives worked toward the new Privacy Shield," says Microsoft. "We're working now toward meeting the requirements of the Privacy Shield."

Windows 10 privacy concerns seem to be a never-ending topic. Over the last year, Microsoft has annoyed users with a number of questionable practices around Windows 10, including aggressive upgrades and transferring too much information about users back to Redmond.


Since there is the promise of a statement about privacy next week, let's see what happens next. You can read Microsoft's full statement, courtesy of David Heiner, vice president and deputy general counsel, on VentureBeat.

Edward Snowden Designed an iPhone Case to Detect and Block Wireless Snooping




We just cannot imagine our lives without smartphones, even for a short while, yet NSA whistleblower Edward Snowden has not owned a smartphone since 2013, when he began leaking NSA documents that exposed the government's global surveillance program.


Snowden fears that cellular signals of the smartphone could be used to locate him, but now, to combat this, he has designed an iPhone case that would detect and fight against government snooping.

With help from renowned hardware hacker Andrew "Bunnie" Huang, Snowden has devised the design, which they refer to as an "Introspection Engine," that would keep journalists, activists, and human rights workers from being tracked by their own devices leaking their location details.


"This work aims to give journalists the tools to know when their smartphones are tracking or disclosing their location when the devices are supposed to be in airplane mode," Huang and Snowden wrote in a blog post published Thursday. "We propose to accomplish this via direct introspection of signals controlling the phone’s radio hardware."



For now, the design is aimed only at iPhone 6 models, but the duo hopes to create specifications for a large number of devices.


Snowden, together with Huang, presented on Thursday at the MIT Media Lab the design for a case-like add-on device that could modify an iPhone, allowing you to monitor various radio signals inside the phone to confirm they're not transmitting data when they’re meant to be off.



Here’s How the Introspection Engine Works:


Once built, the hardware case will be a separate minicomputer, working independently of your phone, made up entirely of open source hardware and containing its own battery and a small mono-color screen that provides a real-time status of your phone.


The case will have tiny probe wires to attach to a modified iPhone that physically wires into the phone’s antennas used by its radios, including cellular connectivity, GPS, Bluetooth, and Wi-Fi, through the SIM card slot.

The Introspection Engine will then be able to monitor radio transmissions and alert users to any unauthorized output signal the phone isn't supposed to be sending.


In addition to alerting users, the case will even be able to shut down all radio signals on a phone to prevent governments as well as hackers from finding your location.


Since this case is designed to be independent of your phone, it would protect you against malware on the device that activates radios without your knowledge.

"Malware packages, peddled by hackers at a price accessible to private individuals, can activate radios without any indication from the user interface," the duo wrote. "Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive."

Instead, Snowden and Huang suggest the beauty of using external hardware as a shield is that it would not be affected if malware has infected your phone. "The core principle is simple: if the reporter expects radios to be off, alert the user when they are turned on," they added.


The Introspection Engine’s mission is to warn users when malware or technical glitches are causing their phone to rat out their location.


However, the hardware case is still nothing more than a design for now.


Supported by the Freedom of the Press Foundation, Snowden and Huang are hoping to build a real-world prototype device over the next year in the hopes of making the case available to journalists as soon as possible.

Verizon Set to Buy Yahoo! for $5 Billion



Finally, Someone has come forward to buy Yahoo! Guess Who?


The telecommunication giant Verizon.


Yes, Verizon Communications Inc. is reportedly closing in on a deal to acquire Yahoo’s core business for about $5 Billion, according to a report from Bloomberg.


Since the agreement between the companies has not been finalized, it is unclear at this moment which of Yahoo's assets the deal would include.

"In order to preserve the integrity of the process, we're not going to comment on the issue until we've finalized an agreement," a Yahoo spokeswoman said in a statement provided to CNNMoney.



You might be wondering Why Verizon is buying Yahoo! Well, I’ll come to it in the second half of my article, because before discussing this point, let’s first focus on why Yahoo! wants to get acquired.



Why Was Yahoo! Up for Sale?


Founded in 1995, Yahoo! was once the brightest star of the Web. But as rivals including Google and Facebook, and even companies only a few years old like Snapchat and WhatsApp, have won over users, Yahoo! has not been able to maintain that glory.


Yahoo! CEO Marissa Mayer - formerly a Google executive - has spent billions on acquisitions so far to improve Yahoo's mobile products, expanding its audience by acquiring Tumblr and doubling down on premium media content.


But Mayer struggled to slow the overall ad sales decline of Yahoo! and failed.


Last Monday, the company accepted that its revenue fell 15% in the second quarter, after excluding accounting adjustments, and its operating profit fell 64%.


So, after keeping investors at bay for years, Mayer said Yahoo! would explore strategic alternatives, including selling its core assets.


Verizon has long been considered a suitable buyer for Yahoo’s Internet assets, which the telecom giant wants to combine with AOL - the American global mass media corporation bought by Verizon last year for $4.4 Billion.


Now, the two companies are in one-on-one discussions, and Verizon will reportedly acquire Yahoo! for about $5 Billion.



Here's Why Verizon Wants to Buy Yahoo!


So, why does a mobile telecom provider want to acquire the core editorial business of a failed Internet portal?


The short answer is:


Advertising!


With the success in the wireless industry, Verizon has been buying up Internet and ad technology companies, like AOL, to compete in a mobile advertising market dominated by two big players, Google and Facebook.


And for this same reason, it is now buying Yahoo!’s ad and content businesses.


Yahoo! has millions of users, and a collection of websites like Flickr, Tumblr, Yahoo Finance, and Yahoo Sports, including some digital-ad technology like Flurry and BrightRoll.


Since the growth of Verizon’s traditional telecom business has slowed, companies like Yahoo! and AOL would help Verizon make money from digital advertising on mobile devices.


The deal would not only give Verizon a powerful collection of content and the ad revenue tied to that content, but also a considerable amount of user data that the telecom, as well as others, could use to target advertisements at users.


So, this is the kind of deal Verizon was interested in when it acquired Yahoo!

Hacker Downloaded Vine's Entire Source Code



Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.



Indian bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hassle.



Launched in June 2014, Docker is an open-source container technology that makes it possible to run more apps on the same old servers and makes it very easy to package and ship programs. Companies are adopting Docker at a remarkable rate.



However, the Docker image used by Vine, which was supposed to be private, was actually publicly available online.



While searching for vulnerabilities in Vine, Avinash used Censys.io – a new hacker's search engine similar to Shodan – which scans the whole Internet daily for vulnerable devices.



Using Censys, Avinash found over 80 Docker images, but he specifically downloaded 'vinewww', because the name of this image resembles the www folder generally used for a website's files on a web server.


After the download was complete, he ran the Docker image vinewww, and bingo!

The bug hunter was able to see the entire source code of Vine, its API keys, as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," he wrote.
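The lesson for anyone publishing images is that a Docker image is an archive of everything baked into it, secrets included, so it should be audited before it is pushed anywhere. The Python script below is an added example, not Vine's or Twitter's tooling: it walks a saved image (the format `docker save` writes, a manifest plus per-layer tarballs), recurses into each nested layer tar, and flags files whose text matches a few secret patterns. The sample image it builds in memory, the file contents and the pattern list are all constructed for the demonstration; the AWS key prefix is the real `AKIA` convention, the other patterns are generic assumptions you would tune for your own code base.

```python
"""Audit a saved Docker image archive for baked-in secrets (constructed sample data)."""
import io
import re
import tarfile

# Indicator patterns; a constructed starter list, not an exhaustive one.
SECRET_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b[A-Z0-9_]*(?:secret|api_key|token|password)[A-Z0-9_]*\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def _is_tar(data: bytes) -> bool:
    """True if `data` parses as a tar archive (layers inside a saved image are tarballs)."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*"):
            return True
    except tarfile.TarError:
        return False


def scan_bytes(path: str, data: bytes) -> list:
    """Return (path, rule) for every rule matching the file; binary files are skipped."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return []
    return [(path, rule) for rule, pattern in SECRET_RULES.items() if pattern.search(text)]


def audit_image(tar_bytes: bytes, prefix: str = "") -> list:
    """Walk an image archive, descending into nested layer tars, and collect findings."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            full = f"{prefix}{member.name}"
            if member.size >= 512 and _is_tar(data):
                # A layer tarball: its path becomes the prefix for files inside it.
                findings.extend(audit_image(data, prefix=full + "::"))
            else:
                findings.extend(scan_bytes(full, data))
    return findings


def _tar_from_files(files: dict) -> bytes:
    """Build an uncompressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for `docker save` output: a manifest plus one layer tar."""
    layer = _tar_from_files({
        "app/config.py": b'DEBUG = False\nTWITTER_API_SECRET = "example-secret-not-real-0123456789"\n',
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEexample\n-----END RSA PRIVATE KEY-----\n",
        "app/static/logo.bin": bytes(range(256)) * 3,   # binary, must be skipped, not misread as tar
        "app/README": b"Deployment notes. No credentials here.\n",
    })
    return _tar_from_files({
        "manifest.json": b'[{"Config":"config.json","Layers":["layer0/layer.tar"]}]',
        "layer0/layer.tar": layer,
    })


if __name__ == "__main__":
    for path, rule in audit_image(build_sample_image()):
        print(f"{rule}: {path}")
```

On a real image, replace `build_sample_image()` with the bytes of a `docker save` archive; anything the script flags is a credential that will ship to whoever can pull the image, which is exactly what a publicly reachable image like the one described above hands over.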



The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March; the company rewarded him with a $10,080 bounty and fixed the issue within 5 minutes.



Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.