A network of ‘camgirl’ sites exposed millions of users’ and sex workers’ data

A number of popular “camgirl” sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected.

The sites, run by Barcelona-based VTS Media, include amateur.tv, webcampornoxxx.net, and placercams.com. Most of the sites’ users are based in Spain and Europe, but we found evidence of users across the world, including the United States.

According to Alexa traffic rankings, amateur.tv is one of the most popular in Spain.

The database, containing months-worth of daily logs of the site activities, was left without a password for weeks. Those logs included detailed records of when users logged in — including usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they were receiving from the various sites. The logs even included failed login attempts, storing usernames and passwords in plaintext. We did not test the credentials as doing so would be unlawful.

None of the data was encrypted.

The exposed data also revealed which videos users were watching and renting, exposing kinks and private sexual preferences.

In all, the logs were detailed enough to see which users were logging in, from where, and often their email addresses or other identifiable information — which in some cases we could match to real-world identities.

Not only were users affected, the “camgirls” — who broadcast sexual content to viewers — also had some of their account information exposed.

Source: A network of ‘camgirl’ sites exposed millions of users and sex workers | TechCrunch

NL ISP Ziggo doesn’t have to share customer details of downloaders

Dutch Filmworks demanded the subscriber data linked to 377 IP addresses they determined illegally downloaded a movie. The judge said no, due to a complete lack of transparency by DFW on how their decision tree works and the amount of money they want to fine the suspects.

Source: Ziggo hoeft geen klantgegevens downloaders te delen – Emerce

Hooray for someone not letting the movie mafia take the law into their own hands!

Thousands of Scientists Declare a Climate Emergency

It’s only Tuesday, but more than 11,000 scientists around the world have come together to declare a climate emergency. Their paper, published Tuesday in the journal Bioscience, lays out the science behind this emergency and solutions for how we can deal with it.

Scientists aren’t the first people to make this declaration. A tribal nation in the Canadian Yukon, the U.K., and parts of Australia have all come to the same grim conclusion. In the U.S., members of Congress have pushed the federal government to do the same, but y’know, we got Donald Trump. Ain’t shit happening with this fool in office. Anyway, this proclamation from scientists is significant because they’re not doing it out of a political agenda or as an emotional outcry. They’re declaring a climate emergency because the science supports it.

The signatories, who come from 153 countries, note that societies have taken little action to prevent climate disaster. It’s been business as usual, despite scientific consensus that burning fossil fuels and driving cars is gravely harming the environment—you know, the environment we all have to live in for the foreseeable future. Greenhouse gas emissions continue to enter the atmosphere, and if we don’t stop quickly, we’re doomed.

Source: Thousands of Scientists Declare a Climate Emergency

How to Automatically Delete some of Your Google Data

How to auto-delete your Google data

This process is almost identical on both mobile and web. We’ll focus on the latter, but the former is easy to figure out, too:

  1. Go to your Google activity dashboard (you’ll need to sign in to your Google account first).
  2. Click “Activity controls” from the left-hand sidebar.
  3. Scroll down to the data type you wish to manage, then select “Manage Activity.”
  4. On this next page, click on “Choose how long to keep” under the calendar icon.
  5. Select the auto-deletion time you wish (three or 18 months), or you can choose to delete your data manually.
  6. Click “Next” to save your changes.
  7. Repeat these steps for each of the types of data you want to be auto-deleted. For your Location History in particular, you’ll need to click on “Today” in the upper-left corner first, and then click on the gear icon in the lower-right corner of your screen. Then, select “Automatically delete Location History,” and pick a time.

Source: How to Automatically Delete Your Google Data, and Why You Should

Tech and mobile companies want to monetise your data … but are scared of GDPR – good, that means GDPR works!

The vast majority of technology, media and telecom (TMT) companies want to monetise customer data, but are concerned about regulations such as Europe’s GDPR, according to research from law firm Simmons & Simmons.

The outfit surveyed 350 global business leaders in the TMT sector to understand their approach to data commercialisation. It found that 78 per cent of companies have some form of data commercialisation in place but only 20 per cent have an overarching plan for its use.

Alex Brown, global head of TMT Sector at Simmons & Simmons, observed that the firm’s clients are increasingly seeking advice on the legal ways they can monetise data. He said that can either be for internal use, how to use insights into customer behaviour to improve services, or ways to sell anonymised data to third parties.

One example of data monetisation within the sector is Telefónica’s Smart Steps business, which uses “fully anonymised and aggregated mobile network data to measure and compare the number of people visiting an area at any time”.

That information is then sold on to businesses to provide insight into their customer base.

Brown said: “All mobile network operators know your location because the phone is talking to the network, so through that they know a lot about people’s movement. That aggregated data could be used by town planners, transport networks, retailers work out best place to site new store.”

However, he added: “There is a bit of a data paralysis at the moment. GDPR and what we’ve seen recently in terms of enforcement – albeit related to breaches – and the Google fine in France… has definitely dampened some innovation.”

Earlier this year France’s data protection watchdog fined Google €50m for breaching European Union online privacy rules, the biggest penalty levied against a US tech giant. It said Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads.

But Brown pointed out that as long as privacy policies are properly laid out and the data is fully anonymised, companies wanting to make money off data should not fall foul of GDPR.

Source: Tech and mobile companies want to monetise your data … but are scared of GDPR • The Register

Use a laser to command voice assistants such as Alexa, Google Assistant, Siri

Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light.

In our paper we demonstrate this effect, successfully using light to inject malicious commands into several voice controlled devices such as smart speakers, tablets, and phones across large distances and through glass windows.

The implications of injecting unauthorized voice commands vary in severity based on the type of commands that can be executed through voice. As an example, in our paper we show how an attacker can use light-injected voice commands to unlock the victim’s smart-lock protected home doors, or even locate, unlock and start various vehicles.

Source: Light Commands

Android bug lets hackers plant malware via NFC beaming

Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming.

NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth.

Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source.

But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

While the lack of one prompt sounds unimportant, this is a major issue in Android’s security model. Android devices aren’t allowed to install apps from “unknown sources” — as anything installed from outside the official Play Store is considered untrusted and unverified.

Source: Android bug lets hackers plant malware via NFC beaming | ZDNet

Best Buy’s Insignia ‘smart’ home gear will become very dumb this Wednesday – showing you why ‘cloud’ products are not a great plan

US mega-retailer Best Buy will switch off the “smart” portion of its Insignia-branded smart home gadgets this coming Wednesday, rendering them just plain old dumb gear.

Folks who’ve bought these soon-to-be-internet-less Internet-of-Things gizmos can apply for some money back in the form of a gift card, though a full refund is off the cards, literally.

“As the Insignia Connect platform will be discontinued on November 6, 2019, this process will determine your eligibility for compensation for your eligible Insignia Connect products,” Best Buy stated on its webpage about the shutdown. An FAQ with more details is here.

“The compensation will not be a full refund of your product, and will be determined by product type.”

The affected Insignia Connect line includes smart power plugs, in-wall light switches, security cameras, and a God-damn freezer. Yes, a freezer. Being Wi-Fi-connected, these devices can be remote-controlled via an iOS or Android smartphone app, allowing you to turn lights off and on, monitor power usage, schedule stuff to turn on, view camera footage, and so on, wherever you are. They can also be directed via Amazon’s voice-powered assistant Alexa or Google Assistant.

However, when the Insignia line’s backend systems are shut down for good, and the phone apps withdrawn, on Wednesday, this gear will degrade to normal non-smart stuff. Crucially, though, the camera will be completely useless – and the footage inaccessible from the apps by the time you read this – and while the NS-SP1XM8 smart plug with metering will work with Apple’s Home app, via HomeKit, the other plugs will just be normal plugs.

Source: Heads up from Internet of S*!# land: Best Buy’s Insignia ‘smart’ home gear will become very dumb this Wednesday • The Register