• chevron_right

      Identifying People Using Cell Phone Location Data / Schneier · Monday, 9 January, 2023 - 04:50 · 1 minute

    The two people who shut down four Washington power stations in December were arrested . This is the interesting part:

    Investigators identified Greenwood and Crahan almost immediately after the attacks took place by using cell phone data that allegedly showed both men in the vicinity of all four substations, according to court documents.

    Nowadays, it seems like an obvious thing to do—although the search is probably unconstitutional . But way back in 2012, the Canadian CSEC—that’s their NSA—did some top-secret work on this kind of thing. The document is part of the Snowden archive, and I wrote about it:

    The second application suggested is to identify a particular person whom you know visited a particular geographical area on a series of dates/times. The example in the presentation is a kidnapper. He is based in a rural area, so he can’t risk making his ransom calls from that area. Instead, he drives to an urban area to make those calls. He either uses a burner phone or a pay phone, so he can’t be identified that way. But if you assume that he has some sort of smart phone in his pocket that identifies itself over the Internet, you might be able to find him in that dataset. That is, he might be the only ID that appears in that geographical location around the same time as the ransom calls and at no other times.

    There’s a whole lot of surveillance you can do if you can follow everyone, everywhere, all the time. I don’t even think turning your cell phone off would help in this instance. How many people in the Washington area turned their phones off during exactly the times of the Washington power station attacks? Probably a small enough number to investigate them all.

    • chevron_right

      Small businesses count cost of Apple’s privacy changes / ArsTechnica · Tuesday, 9 August, 2022 - 13:29

    Small businesses count cost of Apple’s privacy changes

    Enlarge (credit: Kentaroo Tryman | Getty Images )

    Small businesses are cutting back marketing spending due to Apple’s sweeping privacy changes that have made it harder to target new customers online, in a growing trend that has led to billions of dollars in lost revenues for platforms like Facebook.

    Apple last year began forcing app developers to get permission to track users and serve them personalized adverts on iPhones and iPads in changes that have transformed the online advertising sector.

    Many small companies which are reliant on online ads to attract new customers told the Financial Times they did not initially notice the full impact of Apple’s restrictions until recent months, when price inflation squeezed consumer demand in major markets worldwide.

    Read 21 remaining paragraphs | Comments

    • chevron_right

      Critical Vulnerabilities in GPS Trackers / Schneier · Thursday, 21 July, 2022 - 13:36 · 1 minute

    This is a dangerous vulnerability:

    An assessment from security firm BitSight found six vulnerabilities in the Micodus MV720 , a GPS tracker that sells for about $20 and is widely available. The researchers who performed the assessment believe the same critical vulnerabilities are present in other Micodus tracker models. The China-based manufacturer says 1.5 million of its tracking devices are deployed across 420,000 customers. BitSight found the device in use in 169 countries, with customers including governments, militaries, law enforcement agencies, and aerospace, shipping, and manufacturing companies.

    BitSight discovered what it said were six “severe” vulnerabilities in the device that allow for a host of possible attacks. One flaw is the use of unencrypted HTTP communications that makes it possible for remote hackers to conduct adversary-in-the-middle attacks that intercept or change requests sent between the mobile application and supporting servers. Other vulnerabilities include a flawed authentication mechanism in the mobile app that can allow attackers to access the hardcoded key for locking down the trackers and the ability to use a custom IP address that makes it possible for hackers to monitor and control all communications to and from the device.

    The security firm said it first contacted Micodus in September to notify company officials of the vulnerabilities. BitSight and CISA finally went public with the findings on Tuesday after trying for months to privately engage with the manufacturer. As of the time of writing, all of the vulnerabilities remain unpatched and unmitigated.

    These are computers and computer vulnerabilities, but because the computers are attached to cars, the vulnerabilities become potentially life-threatening. CISA writes :

    These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

    I wouldn’t have buried “vehicle control” in the middle of that sentence.

    • chevron_right

      Facebook Is Now Encrypting Links to Prevent URL Stripping / Schneier · Monday, 18 July, 2022 - 14:49

    Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties.

    Mozilla introduced support for URL stripping in Firefox 102 , which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser’s Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes , but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well.

    Facebook has responded by encrypting the entire URL into a single ciphertext blob.

    Since it is no longer possible to identify the tracking part of the web address, it is no longer possible to remove it from the address automatically. In other words: Facebook has the upper hand in regards to URL-based tracking at the time, and there is little that can be done about it short of finding a way to decrypt the information.

    • chevron_right

      New browser-tracking hack works even when you flush caches or go incognito

      Dan Goodin · / ArsTechnica · Friday, 19 February, 2021 - 12:54

    New browser-tracking hack works even when you flush caches or go incognito

    Enlarge (credit: Getty Images)

    The prospect of Web users being tracked by the sites they visit has prompted several countermeasures over the years, including using Privacy Badger or an alternate anti-tracking extension, enabling private or incognito browsing sessions, or clearing cookies. Now, websites have a new way to defeat all three.

    The technique leverages the use of favicons, the tiny icons that websites display in users’ browser tabs and bookmarks lists. Researchers from the University of Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies. Websites can abuse this arrangement by loading a series of favicons on visitors’ browsers that uniquely identify them over an extended period of time.

    Powerful tracking vector

    “Overall, while favicons have long been considered a simple decorative resource supported by browsers to facilitate websites’ branding, our research demonstrates that they introduce a powerful tracking vector that poses a significant privacy threat to users,” the researchers wrote. They continued:

    Read 10 remaining paragraphs | Comments

    • chevron_right

      App makers explore desperate measures to dodge Apple privacy rules

      Financial Times · / ArsTechnica · Wednesday, 6 January, 2021 - 16:50

    Social media applications are seen on an iPhone in this photo illustration in Warsaw, Poland on December 17, 2020. Facebook has disabled several features on it

    Enlarge / Social media applications are seen on an iPhone in this photo illustration in Warsaw, Poland on December 17, 2020. Facebook has disabled several features on it's Messenger app to comply with new data usage rules currently being put in place in the EU as aprt of the ePrivacy Directive. (Photo illustration by Jaap Arriens/NurPhoto via Getty Images) (credit: Getty Images)

    App developers are exploring surreptitious new forms of user tracking to evade Apple’s new privacy rules, which threaten to upend the mobile advertising industry in the coming months.

    Early in 2021, an iPhone update will prevent apps from using advertising identifiers known as IDFA without obtaining each user’s explicit consent for targeting. Developers expect more than two-thirds of users will block tracking when they see a pop-up appear within their apps.

    Some app makers say they plan to use invasive tracking techniques such as “device fingerprinting” to work around the new restrictions—even though doing so risks getting them thrown off the App Store if they are caught.

    Read 13 remaining paragraphs | Comments