More on DataSpii: How extensions hide their data grabs—and how they’re discovered

You can trust us! (credit: Irakli Kalandarishvili / EyeEm / Getty)

In our 5,000-word piece on “DataSpii,” we explained how researcher Sam Jadali spent tens of thousands of dollars investigating the murky Internet ecosystem of browser extensions that collect and share your Web history. Those histories could end up at sites like Nacho Analytics, where they can reveal personal or corporate data.

Here, we want to offer more detail for the technically curious reader on exactly how these browser extensions work—and how they were discovered.

Obscurity

Discovering which browser extensions were responsible for siphoning up this data was a months-long task. Why was it so difficult? In part because the browser extensions appeared to obscure exactly what they were doing. Both Hover Zoom and SpeakIt!, for instance, waited more than three weeks after installation on Jadali’s computers to begin collection. Then, once collection started, it was carried

My browser, the spy: How extensions slurped up browsing histories from 4M users

(credit: Aurich Lawson / Getty)

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visits. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line

Silent Mac update nukes dangerous webserver installed by Zoom

(credit: Kena Betancur/Getty Images)

Apple said it has pushed a silent macOS update that removes the undocumented webserver that was installed by the Zoom conferencing app for Mac.

The webserver accepts connections from any device connected to the same local network, a security researcher disclosed on Monday. The server continues to run even when a Mac user uninstalls Zoom. The researcher showed how the webserver can be abused by people on the same network to force Macs to reinstall the conferencing app. Zoom issued an emergency patch on Tuesday in response to blistering criticism from security researchers and end users.

Apple on Wednesday issued an update of its own, a company representative speaking on background told Ars. The update ensures the webserver is removed—even if users have uninstalled Zoom or haven’t installed Tuesday’s update. Apple delivered the silent update automatically, meaning there was no notification or action

Researchers crack open Facebook campaign that pushed malware for years

Zoom for Mac made it too easy for hackers to access webcams. Here’s what to do [Updated]

Artist’s impression of wireless hackers in your computer. (credit: TimeStopper / Getty Images)

Update 7:23pm ET: As this post was being reported, Zoom developers reversed their previous position and issued an update that changes the contested behavior.

“Initially, we did not see the Web server or video-on posture as significant risks to our customers and, in fact, felt that these were essential to our seamless join process,” Zoom’s Jonathan Farley wrote. “But in hearing the outcry from our users in the past 24 hours, we have decided to make the updates to our service.”

The update makes the following changes:

Voices in AI – Episode 90: A Conversation with Norman Sadeh

About this Episode

Episode 90 of Voices in AI features Byron speaking with Norman Sadeh from Carnegie Mellon University about the nature of intelligence and how AI affects our privacy.

Listen to this episode or read the full transcript at www.VoicesinAI.com

Transcript Excerpt

Byron Reese: This is Voices in AI, brought to you by GigaOm. I’m Byron Reese, and today my guest is Norman Sadeh. He is a professor at Carnegie Mellon School of Computer Science. He’s affiliated with Cylab, which is well known for its seminal work in AI planning and scheduling, and he is an authority on computer privacy. Welcome to the show.

Carnegie Mellon has this amazing reputation in the AI world. It’s arguably second to none. There are a few university campuses that seem to really… there’s Toronto and MIT, and in Carnegie Mellon’s case, how did AI become such a central focus?

Norman Sadeh: Well, …

Feds lose control of thousands of traveler photos in data breach

Border crossing. (credit: Cole Burston/Bloomberg via Getty Images)

Hackers have stolen thousands of photos of travelers and their license plates from a subcontractor of Customs and Border Protection, the agency announced on Monday. A source told the Washington Post that the data was collected at a particular port of entry on the Canadian border.

CBP declined to identify the subcontractor, but the agency sent the Washington Post a document with the title “CBP Perceptics Public Statement.” Perceptics sells license plate reader technology, and the Register reported last month that the company’s network had been hacked.

CBP says it learned of the breach on May 31, and the organization stated that its own network was not compromised. The agency says that the subcontractor violated agency policies when it copied the photos to its own network, making them more vulnerable to hacking.

33 Linksys router models leak full historic record of every device ever connected

(credit: US Navy)

More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices’ unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks.

(credit: Troy Mursch)

Independent researcher Troy Mursch said the leak is the result of a persistent flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the Binary Edge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them.

The flaw allows snoops or hackers to

Why a Republican senator wants the FTC to throw the book at Facebook

Facebook co-founder, chairman, and CEO Mark Zuckerberg departs after testifying before a combined Senate Judiciary and Commerce Committee hearing in the Hart Senate Office Building on Capitol Hill, April 10, 2018, in Washington, DC. (credit: Win McNamee/Getty Images)

Two senators—one Republican and one Democrat—are urging the Federal Trade Commission to take a hard line against Facebook in its ongoing negotiations over a privacy settlement.

“The FTC must set a resounding precedent that is heard by Facebook and any other tech company that disregards the law in a rapacious quest for growth,” write Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.). “The commission should pursue deterrent monetary penalties and impose forceful accountability measures on Facebook.”

Facebook stands accused of violating the terms of a 2012 privacy settlement. Prior to that settlement, the FTC had charged Facebook with deceiving customers by telling them their data would be private, then making

Google unveils auto-delete for location, Web activity, and app usage data

Mountain View, Calif.—May 21, 2018: Exterior view of a Googleplex building, the corporate headquarters of Google and parent company Alphabet. (credit: Getty Images | zphotos)

Google will soon let users automatically delete location history and other private data in rolling intervals of either three months or 18 months.

“Choose a time limit for how long you want your activity data to be saved—3- or 18-months—and any data older than that will be automatically deleted from your account on an ongoing basis,” Google announced yesterday. “These controls are coming first to Location History and Web & App Activity and will roll out in the coming weeks.”

Google location history saves locations reported from mobile devices that are logged into your Google account, while saved Web and app activity includes “searches and other things you do on Google products and services, like Maps; your location, language, IP address, referrer,
