Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof

We updated our personal data leak checker database with more than 780,000 email addresses associated with this leak. Use it to find out if your LinkedIn profile has been scraped by the threat actors.

Days after a massive Facebook data leak made the headlines, it seems like we’re in for another one, this time involving LinkedIn.

An archive containing data purportedly scraped from 500 million LinkedIn profiles has been put for sale on a popular hacker forum, with another 2 million records leaked as a proof-of-concept sample by the post author.

The four leaked files contain information about the LinkedIn users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more.

To see if your email address has been exposed in this data leak or other security breaches, use our personal data leak checker with a library of 15+ billion breached records.

While users on the hacker forum can view the leaked samples for about $2 worth of forum credits, the threat actor appears to be auctioning the much-larger 500 million user database for at least a 4-digit sum, presumably in bitcoin.

The author of the post claims that the data was scraped from LinkedIn. Our investigation team was able to confirm this by looking at the samples provided on the hacker forum. However, it’s unclear whether the threat actor is selling up-to-date LinkedIn profiles, or if the data has been taken or aggregated from a previous breach suffered by LinkedIn or other companies.

We asked LinkedIn if they could confirm that the leak was genuine, and whether they have alerted their users and clients, but we have received no reply from the company at the time of writing this report.

What was leaked?

Based on the samples we saw from the leaked files, they appear to contain a variety of mostly professional information from LinkedIn profiles, including:

  • LinkedIn IDs
  • Full names
  • Email addresses
  • Phone numbers
  • Genders
  • Links to LinkedIn profiles
  • Links to other social media profiles
  • Professional titles and other work-related data

[…]

Source: Scraped data of 500 million LinkedIn users being sold online, 2 million records leaked as proof | CyberNews

damnit, this happened in 2012 and 2016 too!

Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers

A database containing the phone numbers of more than half a billion Facebook users is being freely traded online, and Facebook is trying to pin the blame on everyone but themselves.

A blog post titled “The Facts on News Reports About Facebook Data,” published Tuesday evening, is designed to silence the growing criticism the company is facing for failing to protect the phone numbers and other personal information of 533 million users after a database containing that information was shared for free in low level hacking forums over the weekend, as first reported by Business Insider.

Facebook initially dismissed the reports as irrelevant, claiming the data was leaked years ago and so the fact it had all been collected into one uber database containing one in every 15 people on the planet—and was now being given away for free—didn’t really matter.

[…]

But, instead of owning up to its latest failure to protect user data, Facebook is pulling from a familiar playbook: just like it did during the Cambridge Analytica scandal in 2018, it’s attempting to reframe the security failure as merely a breach of its terms of service.

So instead of apologizing for failing to keep users’ data secure, Facebook’s product management director Mike Clark began his blog post by making a semantic point about how the data was leaked.

“It is important to understand that malicious actors obtained this data not through hacking our systems but by scraping it from our platform prior to September 2019,” Clark wrote.

This is the identical excuse given in 2018, when it was revealed that Facebook had given Cambridge Analytica the data of 87 million users without their permission, for use in political ads.

Clark goes on to explain that the people who collected this data—sorry, “scraped” this data—did so by using a feature designed to help new users find their friends on the platform.

“This feature was designed to help people easily find their friends to connect with on our services using their contact lists,” Clark explains.

The contact importer feature allowed new users to upload their contact lists and match those numbers against the numbers stored on people’s profiles. But like most of Facebook’s best features, the company left it wide open to abuse by hackers.

“Effectively, the attacker created an address book with every phone number on the planet and then asked Facebook if his ’friends’ are on Facebook,” security expert Mikko Hypponen explained in a tweet.

Clark’s blog post doesn’t say when the “scraping” took place or how many times the vulnerability was exploited, just that Facebook fixed the issue in August 2019. Clark also failed to mention that Facebook was informed of this vulnerability way back in 2017, when Inti De Ceukelaire, an ethical hacker from Belgium, disclosed the problem to the company.

And, the company hasn’t explained why a number of users who have deleted their accounts long before 2018 have seen their phone numbers turn up in this database.

[…]

“While we addressed the issue identified in 2019, it’s always good for everyone to make sure that their settings align with what they want to be sharing publicly,” Clark wrote.

“In this case, updating the ‘How People Find and Contact You’ control could be helpful. We also recommend people do regular privacy checkups to make sure that their settings are in the right place, including who can see certain information on their profile and enabling two-factor authentication.”

It’s an audacious move for a company worth over $300 billion, with $61 billion cash on hand, to ask its users to secure their own information, especially considering how byzantine and complex the company’s settings menus can be.

Thankfully for the half a billion Facebook users who’ve been impacted by the breach, there’s a more practical way to get help. Troy Hunt, a cyber security consultant and founder of Have I Been Pwned has uploaded the entire leaked database to his website that allows anyone to check whether their phone number is listed in the leaked database.

[…]

 

Source: Facebook Says It’s Your Fault That Hackers Got Half a Billion User Phone Numbers

Google illegally tracking Android users, according to new complaint by Max Schrems

Austrian privacy activist Max Schrems has filed a complaint against Google in France alleging that the US tech giant is illegally tracking users on Android phones without their consent.

Android phones generate unique advertising codes, similar to Apple’s Identifier for Advertisers (IDFA), that allow Google and third parties to track users’ browsing behavior in order to better target them with advertising.

In a complaint filed on Wednesday, Schrems’ campaign group Noyb argued that in creating and storing these codes without first obtaining explicit permission from users, Google was engaging in “illegal operations” that violate EU privacy laws.

Noyb urged France’s data privacy regulator to launch a probe into Google’s tracking practices and to force the company to comply with privacy rules. It argued that fines should be imposed on the tech giant if the watchdog finds evidence of wrongdoing.

“Through these hidden identifiers on your phone, Google and third parties can track users without their consent,” said Stefano Rossetti, privacy lawyer at Noyb. “It is like having powder on your hands and feet, leaving a trace of everything you do on your phone—from whether you swiped right or left to the song you downloaded.”

[…]

Last year, Schrems won a landmark case at Europe’s highest court that ruled a transatlantic agreement on transferring data between the bloc and the US used by thousands of corporations did not protect EU citizens’ privacy.

Source: Google illegally tracking Android users, according to new complaint | Ars Technica

Mixed Reactions to New Nirvana Song Generated by Google’s AI

On the 27th anniversary of Kurt Cobain’s death, Engadget reports: Were he still alive today, Nirvana frontman Kurt Cobain would be 52 years old. Every February 20th, on the day of his birthday, fans wonder what songs he would write if he hadn’t died of suicide nearly 30 years ago. While we’ll never know the answer to that question, an AI is attempting to fill the gap.

A mental health organization called Over the Bridge used Google’s Magenta AI and a generic neural network to examine more than two dozen songs by Nirvana to create a ‘new’ track from the band. “Drowned in the Sun” opens with reverb-soaked plucking before turning into an assault of distorted power chords. “I don’t care/I feel as one, drowned in the sun,” Nirvana tribute band frontman Eric Hogan sings in the chorus. In execution, it sounds not all that dissimilar from “You Know You’re Right,” one of the last songs Nirvana recorded before Cobain’s death in 1994.

Other than the voice of Hogan, everything you hear in the song was generated by the two AI programs Over the Bridge used. The organization first fed Magenta songs as MIDI files so that the software could learn the specific notes and harmonies that made the band’s tunes so iconic. Humorously, Cobain’s loose and aggressive guitar playing style gave Magenta some trouble, with the AI mostly outputting a wall of distortion instead of something akin to his signature melodies. “It was a lot of trial and error,” Over the Bridge board member Sean O’Connor told Rolling Stone. Once they had some musical and lyrical samples, the creative team picked the best bits to record. Most of the instrumentation you hear are MIDI tracks with different effects layered on top.

Some thoughts from The Daily Dot: Rolling Stone also highlighted lyrics like, “The sun shines on you but I don’t know how,” and what is called “a surprisingly anthemic chorus” including the lines, “I don’t care/I feel as one, drowned in the sun,” remarking that they “bear evocative, Cobain-esque qualities….”

Neil Turkewitz went full Comic Book Guy, opining, “A perfect illustration of the injustice of developing AI through the ingestion of cultural works without the authorization of [its] creator, and how it forces creators to be indentured servants in the production of a future out of their control,” adding, “That it’s for a good cause is irrelevant.”

Source: Mixed Reactions to New Nirvana Song Generated by Google’s AI – Slashdot

Google Asked to Hide TorrentFreak Article Reporting that ‘The Mandalorian’ Was Widely Pirated

Google was asked to remove a TorrentFreak article from its search results this week. The article in question reported that “The Mandalorian” was the most pirated TV show of 2020.

This notice claims to identify several problematic URLs that allegedly infringe the copyrights of Disney’s hit series The Mandalorian. This is not unexpected, as The Mandalorian was the most pirated TV show of last year, as we reported in late December. However, we didn’t expect to see our article as one of the targeted links in the notice. Apparently, the news that The Mandalorian is widely pirated — which was repeated by dozens of other publications — is seen as copyright infringement?

Needless to say, we wholeheartedly disagree. This is not the way.

TorrentFreak specifies that the article in question “didn’t host or link to any infringing content.” (TorrentFreak’s article was even linked to by major sites including CNET, Forbes, Variety, and even Slashdot.)

TorrentFreak also reports that it wasn’t Disney who filed the takedown request, but GFM Films… At first, we thought that the German camera company GFM could have something to do with it, as they worked on The Mandalorian. However, earlier takedown notices from the same sender protected the film “The Last Witness,” which is linked to the UK company GFM Film Sales. Since we obviously don’t want to falsely accuse anyone, we’re not pointing fingers.

So what happens next? We will certainly put up a fight if Google decides to remove the page. At the time of writing, this has yet to happen. The search engine currently lists the takedown request as ‘pending,’ which likely means that there will be a manual review. The good news is that Google is usually pretty good at catching overbroad takedown requests. This is also true for TorrentFreak articles that were targeted previously, including our coverage on the Green Book screener leak.

Source: Google Asked to Hide TorrentFreak Article Reporting that ‘The Mandalorian’ Was Widely Pirated – Slashdot

Stolen Data of 533 Million Facebook Users Leaked Online

A user in a low level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online.

The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and — in some cases — email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. We also verified records by testing email addresses from the data set in Facebook’s password reset feature, which can be used to partially reveal a user’s phone number.

A Facebook spokesperson told Insider that the data was scraped due to a vulnerability that the company patched in 2019.

[…]

This is not the first time that a huge number of Facebook users’ phone numbers have been found exposed online. The vulnerability that was uncovered in 2019 allowed millions of people’s phone numbers to be scraped from Facebook’s servers in violation of its terms of service. Facebook said that vulnerability was patched in August 2019.

Facebook previously vowed to crack down on mass data-scraping after Cambridge Analytica scraped the data of 80 million users in violation of Facebook’s terms of service to target voters with political ads in the 2016 election.

[…]

 

Source: Stolen Data of 533 Million Facebook Users Leaked Online

Yes, this is one of the risks of centralised databases
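Two lookup oracles come up in the Facebook pieces above: the contact importer that matched an uploaded "address book" of every phone number on the planet against stored profiles, and the password-reset form that Insider used to confirm records because it reacts differently to known and unknown e-mail addresses and shows part of the phone number on file. The Python below is an added illustration of both patterns in a leaky form and a hardened form. It is not Facebook's code and not taken from either article; the directory, the thresholds (a per-account upload budget and a minimum hit rate for large batches) and the endpoint names are all constructed for the example.

```python
"""Simulated people directory with a contact-import matcher and a
password-reset endpoint, each in a leaky and a hardened version.
Added illustration; all data and thresholds are constructed."""
from collections import defaultdict
import secrets

# Constructed directory: phone -> (user id, e-mail). Not real people.
DIRECTORY = {
    "+15550000123": ("u1", "alice@example.com"),
    "+15550000456": ("u2", "bob@example.com"),
    "+15550000789": ("u3", "carol@example.com"),
}
BY_EMAIL = {email: (uid, phone) for phone, (uid, email) in DIRECTORY.items()}


def leaky_contact_match(numbers):
    """Returns a user id for every uploaded number that is on file, with no
    limit on how many numbers one caller may upload. Feeding it every number
    in a prefix range therefore hands back the whole directory."""
    return {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}


class ContactMatcher:
    """Hardened matcher with two controls (assumed thresholds, not published
    values): a lifetime budget of uploaded numbers per account, and a minimum
    hit rate once a batch is large. A genuine address book matches a fair
    share of its entries; one generated from a number block matches almost
    none, so a large low-yield batch is treated as enumeration."""

    def __init__(self, budget=5000, min_hit_rate=0.02, rate_check_from=200):
        self.budget = budget
        self.min_hit_rate = min_hit_rate
        self.rate_check_from = rate_check_from
        self.used = defaultdict(int)
        self.blocked = set()

    def match(self, account, numbers):
        if account in self.blocked:
            raise PermissionError("account blocked for enumeration")
        numbers = set(numbers)
        if self.used[account] + len(numbers) > self.budget:
            raise PermissionError("contact-import budget exhausted")
        self.used[account] += len(numbers)
        hits = {n: DIRECTORY[n][0] for n in numbers if n in DIRECTORY}
        if (len(numbers) >= self.rate_check_from
                and len(hits) / len(numbers) < self.min_hit_rate):
            # Block the account and withhold even the hits already found.
            self.blocked.add(account)
            raise PermissionError("batch looks like enumeration")
        return hits


def leaky_password_reset(email):
    """Confirms whether the address has an account and shows part of the
    phone number on file: an existence oracle plus a data leak."""
    if email not in BY_EMAIL:
        return {"ok": False, "error": "no account for this e-mail"}
    phone = BY_EMAIL[email][1]
    return {"ok": True, "hint": "number ending in " + phone[-2:]}


def hardened_password_reset(email, outbox):
    """Identical response for known and unknown addresses; the token goes
    only to the address on file (simulated by `outbox`), never to the caller."""
    if email in BY_EMAIL:
        outbox.append((email, secrets.token_urlsafe(16)))
    return {"ok": True,
            "message": "If that address has an account, a reset link has been sent."}


def run_demo():
    """An attacker uploads a whole number block as a 'contact list'; a real
    user uploads a small address book. Returns the outcomes for inspection."""
    block = [f"+1555000{i:04d}" for i in range(1000)]  # +15550000000 .. +15550000999
    friend_list = ["+15550000123", "+15550000456", "+15550000789",
                   "+15550001111", "+15550002222"]
    matcher = ContactMatcher()
    out = {
        "leaky_enumeration_hits": len(leaky_contact_match(block)),
        "hardened_friend_hits": len(matcher.match("real_user", friend_list)),
    }
    try:
        matcher.match("attacker", block)
        out["hardened_enumeration"] = "allowed"
    except PermissionError as err:
        out["hardened_enumeration"] = str(err)
    out["leaky_reset_known"] = leaky_password_reset("alice@example.com")
    out["leaky_reset_unknown"] = leaky_password_reset("nobody@example.com")
    outbox = []
    out["hardened_reset_known"] = hardened_password_reset("alice@example.com", outbox)
    out["hardened_reset_unknown"] = hardened_password_reset("nobody@example.com", outbox)
    out["reset_mails_sent"] = len(outbox)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The hit-rate check is the part worth copying: a budget alone only slows an attacker who can register many accounts, whereas a batch of a thousand sequential numbers that matches three of them is recognisable as enumeration on the first request. On the reset side, the hardened endpoint makes the response independent of whether the address exists and keeps the phone number out of the reply entirely, which is what makes the verification trick in the Insider article stop working.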

Sierra Nevada Corporation resurrects plans for crewed Dream Chaser spaceplane, inflatable space station

Sierra Nevada Corporation (SNC) has unveiled plans for an enormous inflatable space station tended by cargo and crew carrying versions of its Dream Chaser spaceplane.

“There is no scalable space travel industry without a spaceplane,” said SNC chair and owner Eren Ozmen.

That’s handy, because with the retirement of the Space Shuttle, the Dream Chaser is nearasdammit the last spaceplane standing. NASA, however, disagreed and selected Boeing’s Calamity Capsule and SpaceX’s Crew Dragon for transportation purposes to and from the International Space Station (ISS).

The space agency did, however, pop SNC into the second round of ISS Commercial Resupply Services (CRS-2), meaning the reusable cargo version of the spaceplane will see orbital action once assembly is complete (due this summer with launch expected late in 2022), but the crew version was not to be troubling the old Space Shuttle runway at Kennedy Space Center.

SNC’s proposal for a space station as an alternative for the ageing ISS is the LIFE habitat: a 27-foot-long, three-storey inflatable module that launches on a conventional rocket and inflates once in orbit. A full-sized prototype is currently being transferred from Johnson Space Center in Texas to Kennedy Space Center in Florida.

The crewed version of the Dream Chaser has also been resurrected and is planned to be used to both “shuttle” private astronauts (we see what you did there, SNC) as well as “rescuing astronauts from space destinations and returning them to Earth via a safe and speedy runway landing.”

[…]

Source: Sierra Nevada Corporation resurrects plans for crewed Dream Chaser spaceplane • The Register

SCO Linux FUD Returns From the Dead

wiredog shares a ZDNet report: I have literally been covering SCO’s legal attempts to prove that IBM illegally copied Unix’s source code into Linux for over 17 years. I’ve written well over 500 stories on this lawsuit and its variants. I really thought it was dead, done, and buried. I was wrong. Xinuos, which bought SCO’s Unix products and intellectual property (IP) in 2011, like a bad zombie movie, is now suing IBM and Red Hat [for] “illegally Copying Xinuos’ software code for its server operating systems.” For those of you who haven’t been around for this epic IP lawsuit, you can get the full story with “27 eight-by-ten color glossy photographs and circles and arrows and a paragraph on the back of each one” from Groklaw. If you’d rather not spend a couple of weeks going over the cases, here’s my shortened version. Back in 2001, SCO, a Unix company, joined forces with Caldera, a Linux company, to form what should have been a major Red Hat rival. Instead, two years later, SCO sued IBM in an all-out legal attack against Linux.

The fact that most of you don’t know either company’s name gives you an idea of how well that lawsuit went. SCO’s Linux lawsuit made no sense and no one at the time gave it much of a chance of succeeding. Over time it was revealed that Microsoft had been using SCO as a sock puppet against Linux. Unfortunately for Microsoft and SCO, it soon became abundantly clear that SCO didn’t have a real case against Linux and its allies. SCO lost battle after battle. The fatal blow came in 2007 when SCO was proven to have never owned the copyrights to Unix. So, by 2011, the only thing of value left in SCO, its Unix operating systems, was sold to UnXis. This acquisition, which puzzled most, actually made some sense. SCO’s Unix products, OpenServer and Unixware, still had a small, but real market. At the time, UnXis, now under the name Xinuos, stated it had no interest in SCO’s worthless lawsuits. In 2016, CEO Sean Snyder said, “We are not SCO. We are investors who bought the products. We did not buy the ability to pursue litigation against IBM, and we have absolutely no interest in that.” So, what changed? The company appears to have fallen on hard times. As Snyder stated: “systems, like our FreeBSD-based OpenServer 10, have been pushed out of the market.” Officially, in his statement, Snyder now says, “While this case is about Xinuos and the theft of our intellectual property, it is also about market manipulation that has harmed consumers, competitors, the open-source community, and innovation itself.”

Source: SCO Linux FUD Returns From the Dead – Slashdot

Unlock your DJI’s FPV Drone and Crank Up The Power

Apparently, if the GPS on your shiny new DJI FPV Drone detects that it’s not in the United States, it will turn down its transmitter power so as not to run afoul of the more restrictive radio limits elsewhere around the globe. So while all the countries that have put boots on the Moon get to enjoy the full 1,412 mW of power the hardware is capable of, the drone’s software limits everyone else to a paltry 25 mW. As you can imagine, that leads to a considerable performance penalty in terms of range.

But not anymore. A web-based tool called B3YOND promises to reinstate the full power of your DJI FPV Drone no matter where you live by tricking it into believing it’s in the USA. Developed by the team at [D3VL], the unlocking tool uses the new Web Serial API to send the appropriate “FCC Mode” command to the drone’s FPV goggles over USB. Everything is automated, so this hack is available to anyone who’s running a recent version of Chrome or Edge and can click a button a few times.

[…]

Source: Web Tool Cranks Up The Power On DJI’s FPV Drone | Hackaday

Tesla customers say they’ve been double-charged for their cars

Finding an extra $10 charge on your groceries is enough to make most people angry, but what if you paid twice for a $56,000 car? Tesla buyers have been reporting that they’ve been double-charged on cars for recent purchases and have had trouble contacting the company and getting their money back, according to a report from CNBC and posts on Twitter and the Tesla Motors Club forum.

[…]

As of yesterday, the customers mentioned in the CNBC report have yet to receive their refunds and all have refused to take delivery until the problem is resolved. “This was not some operator error,” Peterson said. “And for a company that has so much technology skill, to have this happening to multiple people really raises questions.” Engadget has reached out for comment.

Source: Tesla customers say they’ve been double-charged for their cars | Engadget

Virgin Galactic’s VSS Imagine is its shiny, next-gen spaceship

Virgin Galactic took to YouTube to reveal, briefly, its first SpaceShip III, which will start ground tests and “glide flights” later this year. It’s an eye-catching vessel, channeling that Star Wars: The Phantom Menace Naboo starship look in a wonderful way. It’s finished with a mirror-like material that’s meant to reflect its surroundings, whether that’s the blackness of space or the blueness of Earth’s atmosphere. It’s not all about aesthetics: it also offers thermal protection.

Source: Virgin Galactic’s VSS Imagine is its shiny, next-gen spaceship | Engadget

Scientists Implant and Then Reverse False Memories in People

now, for the first time ever, scientists have evidence showing they can reverse false memories, according to a study published in the journal Proceedings of the National Academy of Sciences.

“The same way that you can suggest false memories, you can reverse them by giving people a different framing,” the lead researcher of the paper, Aileen Oeberst, head of the Department of Media Psychology at the University of Hagen, told Gizmodo. “It’s interesting, scary even.”

[…]

“As the field of memory research has developed, it’s become very clear that our memories are not ‘recordings’ of the past that can be played back but rather are reconstructions, closer to imaginings informed by seeds of true experiences,” Christopher Madan, a memory researcher at the University of Nottingham who was not involved in the new study, told Gizmodo.

[…]

Building off of that, Oeberst’s lab recently implanted false memories in 52 people by using suggestive interviewing techniques. First, they had the participants’ parents privately answer a questionnaire and come up with some real childhood memories and two plausible, but fake, ones—all negative in nature, such as how their pet died or when they lost their toy. Then they had researchers ask the participants to recall these made-up events in a detailed manner, including specifics about what happened. For example, “Your parents told us that when you were 12 years old during a holiday in Italy with your family you got lost. Can you tell me more about it?”

The test subjects met their interviewer three times, once every two weeks, and by the third session most participants believed these anecdotes were true, and over half (56%) developed and recollected actual false memories—a significantly higher percentage than most studies in this area of research.

These findings reveal the depth of false memory and fit closely with prior research in the field, according to Robert Nash, a psychologist at Aston University who was not involved in the study. “Such as the fact that some of the false memories arose almost immediately, even in the first interview, the fact that they increased in richness and frequency with each successive interview, and the fact that more suggestive techniques led to much higher levels of false remembering and believing,” Nash told Gizmodo.

According to Henry Otgaar, a false memory researcher at Maastricht University who was a reviewer of this study, there’s been an increase in people thinking that it’s difficult to implant false memories. This work is important in showing the relative ease by which people can form such false memories, he told Gizmodo.

“Actually, what we see in lab experiments is highly likely underestimation of what we see in real-world cases, in which, for example, a police officer or a therapist, suggestively is dredging for people’s memories that perhaps are not there for weeks, for months, in a highly suggestive fashion,” he said, suggesting this is what happens in some cases of false confessions.

But researchers, to some extent, already knew how easy it is to trick our memories. Oeberst’s study is innovative in suggesting that it’s equally as easy to reverse those false memories. And knowing the base truth about what actually happened isn’t even necessary to revert the fake recollections.

In the experiment, Oeberst had another interviewer ask participants to identify whether any of their memories could be false, by simply thinking critically about them. The scientists used two “sensitization” techniques: One, source sensitization, where they asked participants to recall the exact source of the memory (what is leading you to remember this; what specific recollection do you, yourself, have?). And two, false memory sensitization, where they explained to the subjects that sometimes being pressured to recall something can elicit false memories.

“And they worked, they worked!” Oeberst said, adding that of course not every single participant was persuaded that their memory was false.

Particularly with the false memory sensitization strategy, participants seemed to regain their trust in their initial gut feeling of what they did and didn’t remember, as if empowered to trust their own recollection more. “I don’t recollect this and maybe it’s not my fault, maybe it’s actually my parents who made something up or they were wrong,” Oeberst said, mimicking the participants’ thought process. “Basically, it’s a different solution to the same riddle.” According to Oeberst, the technique by which false memories are implanted is the same used to reverse them, “just from a different angle, the opposite angle.”

The memories didn’t completely vanish for everybody; 15% to 25% of the participants still believed their false memories were real, and this is roughly the same amount of people who accepted false memories right after the first interview. A year later, 74% of all participants still recognized which were false memories or didn’t remember them at all.

“Up until now, we didn’t have any way to reject or reverse false memory formation,” said Otgaar, who has published over 100 studies on false memory. “But it’s very simple, and with such a simple manipulation that this can already lead to quite strong effects. That’s really interesting.”

The researchers also suggest reframing thinking about false memories in terms of “false remembering,” an action determined by information and context, rather than “false memories,” as if memories were stable files in a computer.

“This is especially important, I think, insofar that remembering is always contextual. It’s less helpful for us to think about whether or not people ‘have’ a false memory and more helpful to think of the circumstances in which people are more or less likely to believe they are remembering,” said Nash.

[…]

Source: Scientists Implant and Then Reverse False Memories in People

Another successful flight for SpaceX’s Starship apart from the landing-in-one-piece thing

SpaceX continued its rich tradition of destroying Starship prototypes with SN11 succumbing to an explosive end during a high-altitude flight test.

Originally planned for 29 March, the test flight from the company’s facility in Boca Chica, Texas, had been postponed until this morning because a Federal Aviation Administration (FAA) inspector had been unable to reach the site in time to observe the test.

The inspector was present today to witness another demonstration of Tesla Technoking Elon Musk’s prowess at blowing up big, shiny rockets.

The test was a repeat of the Serial Number 10 prototype vehicle flight earlier in March. SN10 broke the heart of SpaceX fanbois around the globe by coming so close to complete success. That vehicle managed to return from its high-altitude test in one piece, landing upright. However, seconds later it exploded spectacularly, leaving the way clear (except for some bits of twisted metal) for SN11.

With SN10 almost succeeding, hopes were high for SN11.

The silver rocket, obscured by mist, launched on time. The three Raptor engines appeared to burn normally during the flight, with one shutting down just after the two-minute mark as planned. A second engine was then shut down before the vehicle reached the desired 10km point and the last engine was cut off.

Despite spotty video, the signature “belly flop” of the vehicle was visible as SN11 flipped over for its return to Earth. As it passed through 1km in altitude (according to the SpaceX announcer) the Raptors could be seen gimballing into position and at least one igniting.

And then the video froze again.

However, the audio continued for a few more seconds before a very audible bang was heard. Shortly after, SpaceX’s announcer returned to the air to confirm “another exciting test.”

Exciting for those on the ground, perhaps, as the rocket exploded in the mist.

[…]

 

Source: Another successful flight for SpaceX’s Starship apart from the landing-in-one-piece thing • The Register

Oh dear Mr Musk. I’m not going up on that

Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard – no, they haven’t thought of security and privacy

In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals.

“When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only standard and will legitimately become a full-fledged sensing paradigm,” explains Francesco Restuccia, assistant professor of electrical and computer engineering at Northeastern University, in a paper summarizing the state of the Wi-Fi Sensing project (SENS) currently being developed by the Institute of Electrical and Electronics Engineers (IEEE).

SENS is envisioned as a way for devices capable of sending and receiving wireless data to use Wi-Fi signal interference differences to measure the range, velocity, direction, motion, presence, and proximity of people and objects.

It may come as no surprise that the security and privacy considerations of Wi-Fi-based sensing have not received much attention.

As Restuccia warns in his paper, “As yet, research and development efforts have been focused on improving the classification accuracy of the phenomena being monitored, with little regard to S&P [security and privacy] issues. While this could be acceptable from a research perspective, we point out that to allow widespread adoption of 802.11bf, ordinary people need to trust its underlying technologies. Therefore, S&P guarantees must be provided to the end users.”

[…]

“Indeed, it has been shown that SENS-based classifiers can infer privacy-critical information such as keyboard typing, gesture recognition and activity tracking,” Restuccia explains. “Given the broadcast nature of the wireless channel, a malicious eavesdropper could easily ‘listen’ to CSI [Channel State Information] reports and track the user’s activity without authorization.”

And worse still, he argues, such tracking can be done surreptitiously because Wi-Fi signals can penetrate walls, don’t require light, and don’t offer any visible indicator of their presence.

Restuccia suggests there needs to be a way to opt-out of SENS-based surveillance; a more privacy-friendly stance would be to opt-in, but there’s not much precedent for seeking permission in the technology industry.

[…]

Source: Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard • The Register

Android, iOS beam telemetry to Google, Apple even when you tell them not to

In a recently released research paper, titled “Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google” [PDF], Douglas Leith, chair of computer systems in the school of computer science and statistics at Trinity College Dublin, Ireland, documents how iPhones and Android devices phone home regardless of the wishes of their owners.

According to Leith, Android and iOS handsets share data about their salient characteristics with their makers every 4.5 minutes on average.

“The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google,” the paper says. “Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this.”

These transmissions occur even when the iOS Analytics & Improvements option is turned off and the Android Usage & Diagnostics option is turned off.

Such data may be considered personal information under privacy rules, depending upon the applicable laws and whether they can be associated with an individual. It can also have legitimate uses.

Of the two mobile operating systems, Android is claimed to be the more chatty: According to Leith, “Google collects a notably larger volume of handset data than Apple.”

Within 10 minutes of starting up, a Google Pixel handset sent about 1MB of data to Google, compared to 42KB of data sent to Apple in a similar startup scenario. And when the handsets sit idle, the Pixel will send about 1MB every 12 hours, about 20x more than the 52KB sent over the same period by an idle iPhone.

[…]

Leith’s tests excluded data related to services selected by device users, like those related to search, cloud storage, maps, and the like. Instead, they focused on the transmission of data shared when there’s no logged-in user, including IMEI number, hardware serial number, SIM serial number, phone number, device ids (UDID, Ad ID, RDID, etc), location, telemetry, cookies, local IP address, device Wi-Fi MAC address, and nearby Wi-Fi MAC addresses.

This last category is noteworthy because it has privacy implications for other people on the same network. As the paper explains, iOS shares additional data: the handset Bluetooth UniqueChipID, the Secure Element ID (used for Apple Pay), and the Wi-Fi MAC addresses of nearby devices, specifically other devices using the same network gateway.

“When the handset location setting is enabled, these MAC addresses are also tagged with the GPS location,” the paper says. “Note that it takes only one device to tag the home gateway MAC address with its GPS location and thereafter the location of all other devices reporting that MAC address to Apple is revealed.”

[…]

Google also has a plausible fine-print justification: Leith notes that Google’s analytics options menu includes the text, “Turning off this feature doesn’t affect your device’s ability to send the information needed for essential services such as system updates and security.” However, Leith argues that this “essential” data is extensive and beyond reasonable user expectations.

As for Apple, you might think a company that proclaims “What happens on your iPhone stays on your iPhone” on billboards, and “Your data. Your choice,” on its website would want to explain its permission-defying telemetry. Yet the iPhone maker did not respond to a request for comment.

Source: Android, iOS beam telemetry to Google, Apple even when you tell them not to – study • The Register

Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges

News that Ubiquiti’s cloud servers had been breached emerged on January 11, 2021, when the company emailed customers the text found in this support forum post. That missive stated: “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider.”

That announcement continued, “We have no indication that there has been unauthorized activity with respect to any user’s account,” but also recommended customers change their passwords because if their records had been accessed, hashed and salted passwords, email addresses, and even physical addresses and phone numbers could be at risk.

However, an update on Wednesday this week stated that an investigation by outside experts “identified no evidence that customer information was accessed, or even targeted.”

Crucially, the update also revealed that someone “unsuccessfully attempted to extort the company by threatening to release stolen source code and specific IT credentials.” The update does not suggest the extortion attempt was fanciful.

Ubiquiti has not said when the external experts decided customer data was untouched. Which leaves the company in the interesting position of perhaps knowing its core IP has leaked, and not disclosing that, while also knowing that customer data is safe and not disclosing that, either.

The update contains another scary nugget in this sentence: “Please note that nothing has changed with respect to our analysis of customer data and the security of our products since our notification on January 11.”

But the January 11 notification makes no mention of “the security of our products.”

The update on Wednesday was published two days after Krebs On Security reported that it had seen a letter from a whistleblower to the European Data Protection Supervisor that alleges Ubiquiti has not told the whole truth about the incident.

Krebs said the letter described the attack on Ubiquiti as “catastrophically worse than reported.”

“The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk,” the letter reportedly claimed, adding that Ubiquiti’s legal team “silenced and overruled efforts to decisively protect customers.”

The whistleblower separately claimed that whoever broke into Ubiquiti’s Amazon-hosted servers could have swiped cryptographic secrets for customers’ single sign-on cookies and remote device access, internal source code, and signing keys – far more than the Wi-Fi box maker disclosed in January. The intruder, it is said, obtained a Ubiquiti IT worker’s privileged credentials, got root access to the business’s AWS systems, and thus had a potential free run of its cloud-hosted storage and databases.

Backdoors were apparently stashed in the servers, too, and, as Ubiquiti acknowledged this week, a ransom was demanded to keep quiet about the break-in.

[…]

The update ends with another call for customers to refresh their passwords and enable two-factor authentication. The Register fancies some readers may also consider refreshing their Wi-Fi supplier. ®

PS: It’s not been a great week for Ubiquiti: it just promised to remove house ads it added to the web-based user interface of its UniFi gear.

Source: Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges • The Register

Security has never been one of their strong points so this is not really surprising…