STE WILLIAMS

20-Year Old Student Admits to Massive Data Leak in Germany

Hack was not politically motivated; no sign of third-party involvement, authorities say.

A 20-year old student living with his parents in the German state of Hesse has admitted to illegally accessing and publicly leaking personal data belonging to nearly 1,000 politicians, journalists, and other public figures in Germany.

A statement from the country’s Federal Criminal Police Office (BKA) did not identify the individual by name but said he had been provisionally arrested on charges related to spying and unauthorized disclosure of personal data. He was later released because there was no legal basis for detaining him. 

Germany’s Bild newspaper quoted local officials as saying the provisional arrest was lifted based on the hacker’s confession and the assessment that he posed no flight risk. The hacker’s young age also contributed to the decision by German authorities not to detain him. The individual is expected to be tried as a juvenile and could end up with a relatively light sentence.

Police have recovered a computer and a storage device from the individual’s home and are currently analyzing them for evidence.

According to the BKA, the hacker claimed he had acted alone and had been motivated by a sense of anger over public statements by politicians and others. “The investigations have so far revealed no evidence of third party participation,” the statement noted.

The 20-year old, who used the online handles “G0d” and “0rbit,” began leaking the information via two Twitter accounts in early December. But the leaks weren’t noticed until last week.

One of the Twitter accounts he used was hijacked and belonged to an unidentified YouTube artist. The student used a VPN service to access the Twitter accounts in a bid to anonymize his connection, the BKA said. At least some of the leaked information – which included phone numbers, credit card data, addresses, photos and email communications – appears to have been obtained from public sources.

It remains unclear how he obtained the rest of the data. In comments to various media outlets last week, Germany’s Interior Minister Horst Seehofer said there was no evidence that any German government IT system or network had been compromised. Instead, the data appears to have been accessed by someone using stolen login credentials for email accounts, cloud services, and social media accounts containing victim data, Seehofer had noted.

The information leaks have garnered considerable attention both for their scope and for the fact that victims have included members of parliament and politicians from every major German party except the right-wing Alternative for Germany (AfD).

Some had taken that as an indication that the leaks were politically and ideologically motivated. The data compromise had also evoked some comparisons to the cyber attacks on the Democratic Party and the subsequent data leaks in the run up to the 2016 U.S. Presidential Elections.

“It’s unsettling to think a single person pulled this off,” says Tom Goodman, director of international cyber business at Raytheon Intelligence, Information and Services. But it is not entirely surprising either, he says.

“Just like small bands of insurgents commit acts of asymmetric warfare and lone wolves can carry out devastating terror attacks, single cyberattackers can cause significant damage with an Internet connection and a little persistence,” Goodman says.

Security experts last week had theorized that the hacker would have had to break into multiple types of accounts to gather all of the information that was leaked. It is currently not clear if that is indeed how the 20-year old obtained the data.

German authorities have merely noted they know how the theft was accomplished and have described the method used as “sophisticated.” But they are unwilling to disclose it in order to avoid imitators, Bild said. A German official speaking with the paper described the hacker as a “nerd” with no formal computer training but very savvy and technically capable all the same.

The data compromise—and the fact that it wasn’t discovered for several weeks—is prompting change. According to Bild, Seehofer has announced planned improvements to the German government’s cyber defense capabilities. One planned improvement is the addition of a 24/7 crew with an early warning system for quickly detecting and mitigating attacks, using the country’s anti-terrorist center as a model, Bild said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

Article source: https://www.darkreading.com/attacks-breaches/20-year-old-student-admits-to-massive-data-leak-in-germany/d/d-id/1333610?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

LA sues The Weather Channel over selling users’ location data

Los Angeles has sued The Weather Channel (TWC), claiming that it’s been posing as a “personalized local weather data, alerts and forecasts” app but in truth makes profits by tracking users “throughout the day and night” so as to sell their private, personal location data.

The lawsuit calls The Weather Company’s practices “fraudulent and deceptive” and says they violate California’s Unfair Competition Law. TWC fails to disclose that it collects users’ location data and sends it to third parties, the suit maintains.

It isn’t about analyzing the clouds above our heads for a personalized weather forecast, LA says. Rather, it’s about collecting location data for “advertising and other commercial purposes unrelated to weather data, alerts and forecasts.”

None of the marketing purposes of collecting geolocation data are disclosed on either Apple’s App Store or Google’s Android Play Store versions of the free app, which is also available in an ad-free version for $3.99, the lawsuit notes.

When users download the app, TWC prompts them to allow it to access their location data, but it doesn’t say anything about sharing that data, the lawsuit says:

The permission prompt also fails to reference or link to any other source containing more detailed information about what users’ geolocation information will be used for.

Granted, the app’s privacy policy does note that data could be used for targeted advertising and might be shared with “partners,” the lawsuit says. But why would users even think to look at the policy, given that the prompt doesn’t mention that their data will be used in those ways?

As it is, “unbeknownst to users,” TWC’s core business is “amassing and profiting from user location data,” the suit says. The lawsuit refers to a 2016 article that describes it as a “location data company powered by weather.”

The lawsuit asserts that TWC’s failure to alert users that their personal information is being sold is “no mere oversight.” It quoted Domenic Venuto, General Manager, Consumer Division at TWC, who admitted in an interview that…

[If] a consumer is using your product and says ‘Hey, wait a minute, why do they want to know where I am?’ because it isn’t an organic fit with the app, you are going to have some problems.

Last month, a New York Times investigation found The Weather Channel was just one of at least 75 companies getting purportedly “anonymous” but pinpoint-precise location data from about 200 million smartphones across the US.

They’re often sharing it or selling it to advertisers, retailers or even hedge funds that are seeking valuable insights into consumer behavior. One example: Tell All Digital, a Long Island advertising firm, buys location data, then uses it to run ad campaigns for personal injury lawyers that it markets to people who wind up in emergency rooms.

The Times reviewed a database holding location data gathered in 2017 and held by one company, finding that it held “startling detail” about people’s travels, accurate to within a few yards and in some cases updated more than 14,000 times a day. Several of the businesses whose practices were analyzed by the Times claim to track up to 200 million mobile devices in the US.

Sales of location-targeted advertising are hot-hot-hot: they reached an estimated $21 billion in 2018. But there’s more to it than advertising: IBM got into the industry in 2015, when it purchased the digital side of TWC, with an eye to helping industries “operationalize their understanding of the impact of weather on business outcomes.”

Are retail sales really off because of unseasonably warm weather around the holidays, for example, as some executives would have us believe? You can see how valuable it would be for stock market watchers to be able to suss out, given highly personalized consumer location data, whether El Niño was really keeping people from heading to the shopping malls or whether a given company was actually experiencing deeper, less transient issues.

At any rate, whatever’s being done with our location data, be it related to the Polar Vortex or to marketing personal injury lawyers to us as we sit in the emergency room, we have a right to know about it, according to what Los Angeles City Attorney Michael N. Feuer told the Times:

If the price of getting a weather report is going to be the sacrifice of your most personal information about where you spend your time day and night, you sure as heck ought to be told clearly in advance.

An IBM spokesman, Saswato Das, told the Times that TWC plans to fight the suit:

The Weather Company has always been transparent with use of location data; the disclosures are fully appropriate, and we will defend them vigorously.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/jbJqT1mFCA4/

Hacker uses early warning system for fake message campaign

Australians got scary texts, emails and phone calls from a trusted emergency warning service late last week after a hacker broke into its systems and used it to send fake messages.

On 5 January, the intruder compromised systems operated by the Early Warning Network, an Australian company that provides early warning information about severe weather events and bushfires to clients across the country. Started in 2007, the company provides emergency warning services to federal, state and municipal government clients to help protect their citizens.

The hacker used EWN’s systems to send messages to citizens via email, landline phone calls, and SMS. The messages, sent from [email protected], were titled “EWM Hacked – Privacy Alert” and read:

EWM has been hacked. Your personal data stored with us is not safe. We are trying to fix the security issues. Please email [email protected] if you wish to subscribe. ewn.com.au ASX AER

The company moved quickly to fix the problem, catching the attack and shutting off the system. Nevertheless, a “small proportion” of its database received the alert, it said in a Facebook notice. Reports indicated that tens of thousands of people had been affected.

On Monday the company updated its post, adding that the hacker had hijacked a legitimate account to login and post the nuisance spam. It also dismissed fears that the link in the nuisance message could have been a phishing attempt, adding:

The link used in this alert were [sic] non-harmful and your personal information was not compromised in this event.

Luckily, Aussies are a savvy bunch. Comments on the Facebook post came mostly from people who said they had received the message and deleted it as suspicious, although a handful said that they had clicked on the link and were now worried. To its credit, EWN answered these comments – along with direct emails – reassuring concerned citizens that the message wasn’t a threat and their personal information was safe.

Some municipal councils in Australia that subscribe to EWN services and distribute alerts to their citizens also reposted the company’s warnings.

This is not the first time that an early warning system has fallen victim to a mischievous hacker. On the night of Friday, 7 April 2017, Dallas residents got a rude awakening when all 156 of the city’s emergency sirens went off between 11:40 PM and 1:20 AM.

Calls from worried citizens doubled over the night to at least 4,400 according to officials, who admitted that a hacker had compromised the city’s early warning infrastructure. The city, which said that the sirens had been triggered using a radio signal rather than via the internet, subsequently installed encryption equipment to make the sirens more secure.

A year later, San Francisco-based security company Bastille found a vulnerability that it labelled SirenJack, affecting emergency alert equipment created by ATI Systems. The sirens it investigated used unencrypted radio protocols for remote control, enabling researchers to create malicious activation messages and beam them to the devices directly. The vulnerability affected the city of San Francisco among others, the research team said, adding that attackers could play their own music or alerts across cities using something as simple as a “handheld radio you can buy from Amazon.”
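The following is an added illustration, not Bastille’s research code and not ATI Systems’ protocol: a small Python model of why an unauthenticated radio command frame can be forged or replayed by anyone who can transmit, next to what an authenticated, replay-resistant frame looks like. The frame layout, the pre-shared key, the siren ID and the ACTIVATE command are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Assumption for this example: each siren holds a pre-shared key with the
# control centre (real deployments would provision a distinct key per device).
SIREN_ID = 0x0001
KEY = b"per-siren-pre-shared-key (example only)"
TAG_LEN = 32  # HMAC-SHA256 output length


def legacy_parse(frame: bytes):
    """Models the unauthenticated style of protocol: any frame with the expected
    prefix is obeyed, so anyone who captures (or guesses) one activation frame
    can replay or forge it at will."""
    if frame.startswith(b"SIREN:"):
        return frame[len(b"SIREN:"):].decode("ascii")
    return None


def build_frame(key: bytes, siren_id: int, counter: int, cmd: bytes) -> bytes:
    """Authenticated frame: siren_id(4) | counter(4) | cmd_len(1) | cmd | tag(32).
    The monotonic counter is covered by the tag, so a captured frame cannot be
    replayed and the command cannot be altered without the key."""
    body = struct.pack(">IIB", siren_id, counter, len(cmd)) + cmd
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthenticatedReceiver:
    def __init__(self, key: bytes, siren_id: int):
        self.key = key
        self.siren_id = siren_id
        self.last_counter = 0  # highest counter accepted so far (persist it in practice)

    def accept(self, frame: bytes):
        """Return the command if the frame is addressed to this siren, carries a
        valid tag and has a fresh counter; otherwise return None."""
        if len(frame) < 9 + TAG_LEN:
            return None
        siren_id, counter, cmd_len = struct.unpack(">IIB", frame[:9])
        if len(frame) != 9 + cmd_len + TAG_LEN:
            return None
        body, tag = frame[:9 + cmd_len], frame[9 + cmd_len:]
        if siren_id != self.siren_id:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return None
        if counter <= self.last_counter:  # replayed or out-of-order frame
            return None
        self.last_counter = counter
        return body[9:].decode("ascii")


if __name__ == "__main__":
    rx = AuthenticatedReceiver(KEY, SIREN_ID)
    good = build_frame(KEY, SIREN_ID, 1, b"ACTIVATE")
    print(legacy_parse(b"SIREN:ACTIVATE"))  # anyone can forge this
    print(rx.accept(good))                   # accepted once
    print(rx.accept(good))                   # rejected: counter already used
    print(rx.accept(build_frame(b"wrong-key", SIREN_ID, 2, b"ACTIVATE")))  # rejected
```

The counter is what turns “encrypt the link” into something useful against the SirenJack scenario: a tag alone would still let an attacker replay a recorded activation, and a receiver that loses its counter on reboot reopens that window, which is why it needs to be persisted.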

Aside from the potential for phishing campaigns and malware distribution, attacks on early warning systems pose another danger: the ability to spread confusion. An intruder could use attacks like these to spark panic among a wide population, possibly as part of a bigger attack by a terrorist group or nation state. The tendency for initial warnings to spread quickly on social media could throw cities into chaos.

It’s yet another area where enhanced security measures are crucial to avoid attackers exploiting vulnerabilities at some critical point in the future.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iPBeo6F7SwE/

How to spot a social media hoax

Well, well, well, if it isn’t the WhatsApp Gold/’martinelli’ video scam, back again, as half-bunk and half-real-threat as ever.

Excellent! It’s a great opportunity to offer some advice on pulling the rug out from under these and other scammers. For the dissection of Gold/martinelli, read on. For some advice to forward to the prey of the scammers, jump on further down!

The current bunk

As Snopes tells it, the WhatsApp Gold scam messages have been kicking around since at least 2016 in varyingly worded messages, claiming that some new “premium service” would get users extra goodies, such as video calling and new emojis.

Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.

Users who clicked on the link got no goodies. They got baddies, in the form of a malware-rigged, non-WhatsApp website. The malware, nicknamed WhatsApp Gold, was designed to break into phones and steal victims’ messages and other private data.

Bad enough, eh? Well, the mad cyber scientists decided to make it a bit more poisonous when they wrapped a true warning about the real WhatsApp Gold malware around a bogus warning about a fictional video called martinelli.

This scam burrito has been getting passed around since at least mid-2017, picking up only minor word swaps but still refusing to unglue its death-grip on arbitrary, proofreader-taunting, inappropriate spaces around punctuation.

The version we saw in November:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the Whatsapp to Whatsapp Gold, do not click !!!!!
Now said on the news this virus is difficult and severe

Pass it on to all

According to multiple news outlets, that sage, fictional “IT colleague” is back again, once again babbling about this equally fictional martinelli video.

That’s just fine, you scammers. We’re back again, too, you purveyors of WhatsApp Fool’s Gold. We’re here to tell you how to spot these hoaxes. Sage IT colleague types, please do enlighten the not-so-IT-savvy among you with these nuggets.

How to spot WhatsApp hoaxes

Atrocious punctuation and feeble English are common in phishing/spam/hoax messages, but we need more tools than that to discern when something’s a threat. After all, it’s not a given that a) non-threat-actors (as in, our friends) know how to use commas, et al., or b) scammers don’t use proper English and punctuation. To that end, keep an eye out for these elements on top of funky, clunky English:

Call to action. As Sophos’s John Shier has noted in an excellent “Phish or legit?” walk-through, most phishing campaigns snap their fingers at you.

Scam WhatsApp messages and Facebook hoaxes have a call to action, too: they urge readers to copy/paste the warning and forward it to others. It’s meant to add a sense of urgency to the message and compel you to do something.

The threat. As WhatsApp notes in its FAQ about hoax messages, hoaxers often claim you can avoid punishment, such as account suspension, if you forward the message. A sender might imply that they have the law on their side, and that they’ll use their law enforcement affiliations should you be up to something dodgy.

In the case of WhatsApp Gold/martinelli, the “threat” is from a (nonexistent) video, and that you shouldn’t click on a link urging you to update WhatsApp to WhatsApp Gold (true!), lest your phone get hacked.

Authority figures. To make the threat convincing, hoaxers often sprinkle in references to voices of authority. If it’s not the cops, it’s that Gold/martinelli “IT colleague”. Way, way too often, friends will pass on these words from purported experts, or police, or the tax authorities, reasoning that “it can’t hurt.”

And after you’ve spotted the Gold/martinelli or any other hoax…

Don’t forward it. Simply warn people without forwarding the message, and consider doing it by private message. After all, if you comment on, say, a Facebook post itself, you’re adding to its page ranking, pushing it that much closer to going viral.

Like Sophos’s Paul Ducklin said in a recent video, it can do us harm when we copy, paste and spread somebody else’s lies. It hurts our reputations and our accountability. Who needs that?

Arm yourself against WhatsApp Gold malware

Staying safe online means keeping out all the malware that’s out there, not just the one or two rogue applications you hear about via friends’ WhatsApp messages.

Instead, just follow some simple advice to keep your phone secure, and advise your friends and family to do the same:

  • Apply security updates promptly.
  • Get your apps from the App Store or Google Play.
  • Use security software like Sophos Mobile Security for iOS or Android.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G09iYUuEsf0/

A photo will unlock many Android phones using facial recognition

How easy is it to bypass the average smartphone’s facial recognition security?

According to the Dutch consumer protection organisation Consumentenbond, in the case of several dozen Android models, it’s a lot easier than most owners probably realise.

Its researchers tested 110 devices, finding that 42 could be beaten by holding up nothing more elaborate than a photograph of a device’s owner.

Consumentenbond offers little detail of its testing methodology but it seems these weren’t high-resolution photographs – almost any would do, including those grabbed from social media accounts or selfies taken on another smartphone.

While users might conclude from this test that it’s not worth turning on facial recognition, the good news is that 68 devices, including Apple’s recent XR and XS models, resisted this simple attack, as did many other high-end Android models from Samsung, Huawei, OnePlus, and Honor.

Confusingly, many of the models that failed were from the same vendors, including Asus, Huawei, Lenovo/Motorola, LG, Nokia, Samsung, BlackBerry, and Xiaomi. In the case of Sony, every model tested failed. A further six – an Honor and six LG models – only passed the test when put into a ‘strict’ mode.

Generally, expensive handsets performed better than cheaper ones but this wasn’t always the case. For example, Sony’s $1,000 Xperia XZ2 Premium (US version) failed while Motorola’s Moto G6 costing less than a third of that price tag passed. A full list of the models that passed the photo test can be found on Consumentenbond’s website.

Apple’s Face ID v the rest

Apple famously made a big deal of its Face ID technology when it launched the iPhone X in 2017 and for good reason – the model X was a premium model that needed to justify its hefty price tag.

The idea was that Face ID wasn’t only a convenient way for owners to unlock their iPhones, but the beginnings of a more sophisticated system capable of authenticating users.

Reliably identifying someone as being who they say they are sets a much higher bar for device security (in Face ID’s case, Apple says it’s a one in a million chance a random person could unlock a device).

That didn’t stop researchers looking for weaknesses in Face ID, which some claimed to have found within days of the iPhone X’s appearance using a naturalistic 3D mask.

Nevertheless, this still puts it way ahead of the same technology on even quite expensive Android handsets, which apparently can be fooled by fake 3D wax heads in ways that Face ID resists.

The bigger question is what expectations smartphone owners should have for their security when using this technology.

Right now, our advice for anyone owning a handset that failed Consumentenbond’s simple photograph test is to use an alternative security mechanism such as PIN or fingerprint.

Despite the advances made by Apple, facial recognition on many of today’s smartphones remains a promising technology that is some way from being reliable.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JPnd9UnFuDU/

Cops: German suspect, 20, ‘confessed’ to mass hack of local politicians

German police said a 20-year-old German man had “confessed” to leaks in connection with what the country’s media is calling “the Hacker Attack”, a years-long data exfiltration campaign against politicians and other public figures.

The German Feds (BKA) revealed this morning that the unnamed 20-year-old suspect from Central Hesse (Mittelhessen), the region around Giessen, had “provided information on his own offences”. They added that he had been released last night.

Security sources were said to have told the German Press Agency and Der Spiegel, a news magazine, that the suspect is a student who lives at home with his parents.

Police said the “investigations have so far revealed no evidence of third-party participation”. In a press release, the BKA said the suspect had claimed to have “acted alone” and had “stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned”.

Deutsche Welle, a TV station, reported that police had also searched a 19-year-old Heilbronn man’s home, adding that “he is co-operating with police”. The teen is said to have been in contact with the suspected hacker.

Der Spiegel quoted an investigator who said the suspect was “apparently not aware” of the extent of his actions, repeating the line that he had confessed to the hack in initial police interviews – and adding that he had “destroyed his computer” prior to police searchers arriving at his home.

The BKA said in its statement that it was evaluating both a computer that the suspect told them he had “done away with” two days prior to the search and a data backup from a file-hosting service.

Most German media appear to be emphasising that “there appears to be no links to foreign intelligence services” in an attempt to rule out Russian-linked shenanigans.

Work of one suspect alone?

As reported last week, the so-called “Hacker-Angriff” (Hacker Attack) saw various figures from across the spectrum of public life having their personal data dumped online. Those targeted most notably included politicians, as well as journalists and others. Data dumped online included names, addresses, personal email addresses, phone numbers, chat logs, the contents of emails, scans of letters and more.

Media concluded the hack was politically motivated, based on the noticeable absence of the UKIP-a-like party Alternative für Deutschland (AfD) from the data dumps. Others pointed out that right-wing politicians (including Chancellor Angela Merkel’s own Christian Democrat Union political party) had been targeted.

The data was drip-fed out on Twitter – in the form of an Advent calendar – during December; a few days ago, Twitter got round to suspending the accounts spreading the information. One pseudonymous infosec bod on the social media platform noted that the data itself had been meticulously mirrored across multiple websites, platforms and hosts in an apparent attempt to evade takedown attempts.

It appears strange that a lone 20-year-old should go to such lengths if he was not aware of the extent of his actions.

A police press conference is due to take place later today and investigators are expected to release more information about the case. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/08/german_20_yr_old_confess_mass_hack_angriff/

Fill the gaps in your security knowledge at SANS London April 2019

Promo As data thieves and hackers become more numerous, more inventive and more destructive, learning to protect themselves against cybercrime is ever higher on the list of companies’ priorities.

SANS London 2019 from 8-13 April promises to provide the training that security professionals at all levels need to defend their organisations. A choice of nine lab-heavy courses is on offer, along with a chance to gain valuable GIAC Certification. Attendees are assured they will be able to put their newfound skills into practice immediately.

The choices include:

  • Enterprise threat and vulnerability assessment

    A new course aimed at professionals securing 10,000 or more systems in mid-sized to large organisations. Newfound skills are put to the test on the final day against an enterprise-grade cyber range.
  • Open-source intelligence (OSINT) gathering and analysis

    How to find and analyse internet data, focusing on the techniques used by threat intelligence analysts, private investigators, insurance claims investigators and law enforcement officers. Hands-on labs will explore the live internet and dark web.
  • Security essentials bootcamp style

    Would you be able to find compromised systems on your network? Do you know if each security device is configured correctly? Are proper security metrics set up and understood by your executives?
  • Hacker tools, techniques, exploits, and incident handling

    Follow a step-by-step response to computer incidents and learn about legal issues such as employee monitoring, working with law enforcement and handling evidence.
  • Cloud security architecture and operations

    A brief introduction to cloud security fundamentals followed by the critical concepts of cloud policy and governance. Learn about adapting security processes to the cloud and delve into incident handling, forensics, event management and application security.
  • SIEM with tactical analytics

    Logging systems collect vast amounts of data which require an understanding of the varied sources for proper analysis. Discover the when, what and why behind the logs. Lab work uses SOF-ELK, a free security information and event management (SIEM) solution.
  • Windows forensic analysis

    Learn how to recover and analyse forensic data on Windows systems and track user activity on your network for incident response and investigations.
  • Advanced digital forensics, incident response, and threat hunting

    Defenders need to catch intrusions in progress, rather than after attackers have done their worst. Learn to recognise adversary behaviours to spot new data breaches.
  • Advanced smartphone forensics

    An in-depth course revealing the techniques investigators use to recover and interpret evidence from mobile devices.

Find out more and sign up here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/08/fill_the_gaps_in_your_security_knowledge_at_sans_london_april_2019/

Aussie Emergency Warning Network hacked by rank amateurs

The operator of an Australian emergency warning service has denied that user information was breached after someone accessed its system to post “you’ve been hacked” messages.

Over the weekend, people who were registered with EWN.com.au received messages that the system had been hacked. Those messages told users the hack included a breach of their personal information.

The messages read: “EWN has been hacked. Your personal data is not safe. Trying to fix the security issues,” and included a support email address.

However, managing director Kerry Plowright said personal data wasn’t breached.

The company’s announcement called the message “a nuisance spam-notification,” and added that the link in the message was non-harmful.

“Investigations are continuing with the Police and Australian Cyber Security Centre involved,” the company added.

Speaking to the ABC’s AM radio current affairs program Tuesday morning (audio starts at 20:17), Plowright said he believed the company knew who had used staff credentials to access the part of the system that sends emergency alerts.

It was identified “within seconds by our guys on the operational side” who “killed the process,” but not before “a bunch” of messages had already been sent via SMS, landline and/or email.

Plowright also told the ABC the company avoids holding personal information and restricts what it does hold to “white pages-type data”.

Affected government agencies included federal and state government clients, and a number of Queensland councils, including the cities of Gladstone, Tablelands, and Ipswich. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/08/emergency_warning_network_hacked/

FYI: Twitter’s API still spews enough metadata to reveal exactly where you lived, worked

Analysis Researchers have demonstrated yet again that location metadata from Twitter posts can be used to infer private information like users’ home addresses, workplaces, and sensitive locations they’ve visited.

Computer science boffins Kostas Drakonakis, Panagiotis Ilia, Sotiris Ioannidis, and Jason Polakis, affiliated with the Foundation for Research and Technology – Hellas (FORTH) in Greece and the University of Illinois in the US, published their findings in a paper titled “Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data,” which is scheduled to be presented at the Network and Distributed System Security Symposium (NDSS) in February.

“We show that location metadata enables the inference of sensitive information that could be misused for a wide range of scenarios (eg: from a repressive regime de-anonymizing an activist’s account to an insurance company inferring a customer’s health issues, or a potential employer conducting a background check),” they claim in their paper.

The privacy risk associated with Twitter geolocation data was explored in academic research published in 2015 and since then Twitter has provided users with more control over location data and limited the precision of recorded coordinates. The company presently disables precise location by default and it requires users to opt-in to share their location.

“Account holders choose to share their location when they Tweet,” a Twitter spokesperson said in an email to The Register on Monday.

“Please note this is opt-in; we never attach location to a Tweet without the person’s permission. If someone chooses to share their location in a Tweet, the location is also available via our APIs. Again, this is strictly when a person opts in.”

Some progress, but not enough

But Twitter’s changes haven’t really mitigated the privacy risk since the company continues to offer historic location data through its developer API. Versions of the Twitter mobile app for Android and iOS released before April 2015 automatically included precise GPS coordinates as metadata in tweets tagged with a low-precision location label.

“In the dataset we collected we found that tweets with coarse grained location labels (e.g., the name of a city) also have GPS coordinates in the metadata dating back to 2010,” said Polakis. “After April 2015 tweets started appearing with coarse grained labels but without GPS coordinates in the metadata, indicating that around that time there was a change in Twitter’s app.”

For the researchers, the Twitter policy that allowed the inclusion of precise location data represents a privacy problem that should be addressed.

“This privacy violation is invisible to users, as the GPS coordinates are only contained in the metadata returned by the API and not visible through the Twitter website or app,” the paper explains. “To make matters worse, this historical metadata currently remains publicly accessible through the API.”

Location data presents businesses with a challenge: It’s potentially so valuable for ad targeting that companies appear to be disinclined to discourage its disclosure and don’t go to great lengths to explain how such data might be used. Last week, the Los Angeles City Attorney filed a lawsuit against IBM’s weather company for failing to adequately disclose how it uses the location data harvested through its Weather Channel app.

For Twitter users, the problem is privacy. To outline possible risks, the paper describes how a user’s negative statements about a doctor on Twitter allowed the individual to be placed at the office of a mental health professional. It also recounts a user complaining about blood testing in a tweet geo-tagged to a rehab center.

Some tools better left unshared

In the course of their work, the researchers developed and tested a location data auditing tool called LPAuditor to examine tweets for location metadata and infer sensitive personal information.

The tool, which relies on publicly accessible geolocation databases, will not be open sourced due to the potential for misuse, said Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago and one of the paper’s co-authors, in an email to The Register.

The software can pinpoint the locations associated with homes and workplaces much more accurately than previously demonstrated techniques.

“Our system is able to identify the home and workplace for 92.5 per cent and 55.6 per cent of the users respectively,” the paper says.

That’s between 18.9 per cent and 91.6 per cent more accurate for homes and 8.7 per cent to 21.8 per cent more accurate for workplaces than has been demonstrated in the past, the researchers say.

Polakis and his colleagues found “71 per cent of users have tweeted from sensitive locations, 27.5 per cent of which can be placed there with high confidence based on the content of their tweets.”

When users can choose whether location data gets published, there’s a 94.6 per cent reduction in tweets tagged with GPS coordinates, according to the researchers. They argue such stats underscore the benefit of giving people control over location data. But location controls are not retroactive – developers presently have access to years of location data through the Twitter API.

Out of 290,162 users in the survey dataset, 87,114 posted geotagged tweets via the official Twitter and Foursquare apps. The researchers did not consider other third-party apps, which they said “may handle geolocation data differently as Twitter’s Geo Guidelines are neither mandatory nor enforceable.”

Using the Twitter API, the researchers were able to find precise geolocation data for about 30 per cent of those in the user dataset. They say the Twitter policies that allowed such data to be published resulted in “an almost 15-fold increase in the number of users whose key locations are successfully identified by our system.”

What’s in the databases?

The fact that third parties may have collected this data and stored it without the explicit consent of Twitter users is troubling for Polakis.

“So much data is being collected and shared/sold to third parties without the users being explicitly aware of that (or able to prevent it),” he said. “And indeed it is problematic when users have no way to delete that data in third-party databases, even though the first party may offer such an option.”

Cautioning that he’s not a legal scholar, he nonetheless says that given the research findings and the sensitive nature of what can be inferred from location data, legislation or more explicit oversight may make sense for such data.

“We hope to see a change in how major companies collect and share location data, and the adoption of more privacy-preserving approaches,” he said.

“We also hope that our work can help educate users on the risks that they face when they share their location data (either explicitly or inadvertently) with web services or other users. Being aware of what someone could infer about you using that data can be a powerful incentive towards being more cautious during your online activities.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/08/twitter_privacy_problems/

Linus Torvalds opts for the scream test: Linux kernel syscall tweaked to shut data-leak hole – anyone upset, yell now

The Linux kernel will be tweaked to mitigate data-stealing attacks that exploit system page caches.

As we revealed first over the weekend, a group of experts – including some of the researchers who discovered the Spectre family of chip flaws – had worked out how to get operating system page caches to leak information from one application to another. Among other things, a successful exploit would allow malware or rogue logged-in users to swipe sensitive data from application sandboxes that they should not otherwise be able to access.

For Linux environments, the issue has been assigned CVE-2019-5489. That bug database entry also notes that remote attacks could, for example, exploit latency differences in accessing files from an Apache Web server.

The Windows kernel was patched for Insider testers ahead of the paper’s public reveal on Monday, with the patch due for a formal rollout. Now the Linux kernel has followed suit with this fix to the mincore syscall, which should be trickling into distros once it’s undergone testing.

Publishing the patch, kernel chieftain Linus Torvalds wrote that mincore's traditional semantic “exposes a lot of system cache state that it really probably shouldn’t, and that users shouldn’t really even care about.”

That made fixing the issue relatively straightforward, he added: “So let’s try to avoid that information leak by simply changing the semantics to be that mincore() counts actual mapped pages, not pages that might be cheaply mapped if they were faulted.”
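The following C program, added here as an illustration (it is not code from the article or from the kernel patch), shows what that semantic change means in practice: it creates a temporary file of its own, maps it read-only, and asks mincore(2) for residency before and after faulting the pages in. It assumes Linux with a writable /tmp; the first answer is where kernels with the old and the changed semantics differ, the second is the same under both.

```c
#define _GNU_SOURCE              /* mincore() and mkstemp() declarations */
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* Count the pages of [addr, addr+len) that mincore(2) reports as "in core".
 * Only bit 0 of each vector byte is defined.  Returns -1 on error. */
static long count_resident(void *addr, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + page - 1) / page;
    unsigned char *vec = calloc(npages, 1);
    if (!vec || mincore(addr, len, vec) != 0) {
        free(vec);
        return -1;
    }
    long resident = 0;
    for (size_t i = 0; i < npages; i++) resident += vec[i] & 1;
    free(vec);
    return resident;
}
/* Write npages of data to a constructed temp file (the data lands in the page
 * cache), mmap it read-only, and record mincore()'s answer before and after
 * the mapping is faulted in.  Returns 0 on success, -1 on error. */
int file_residency_demo(size_t npages, long *before_touch, long *after_touch)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = npages * page;
    char path[] = "/tmp/mincore_demo_XXXXXX";   /* assumes a writable /tmp */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* leave no file behind */
    char *buf = malloc(len);
    if (!buf) { close(fd); return -1; }
    memset(buf, 'x', len);
    ssize_t w = write(fd, buf, len);
    free(buf);
    unsigned char *map = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (w != (ssize_t)len || map == MAP_FAILED) return -1;
    /* Old semantics: cached by write(), so "resident" although this process has
     * mapped none of it.  "Actual mapped pages" semantics: nothing faulted, 0. */
    *before_touch = count_resident(map, len);
    volatile unsigned char sink = 0;
    for (size_t i = 0; i < len; i += page) sink ^= map[i];   /* fault each page */
    *after_touch = count_resident(map, len);    /* cached and mapped: resident either way */
    munmap(map, len);
    return 0;
}
```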

As is often the case in software projects, something complex that’s just working can remain untouched for a very long time, lest someone break it. And such is the case for this syscall. Torvalds noted that mincore semantics were ill-defined from the beginning, though, with a code comment from 2000 stating “later we can get more picky about what ‘in core’ means precisely.”

Torvalds said the patch shouldn’t have any downstream effects. While the update is “a real semantic change,” he hoped that nobody has “any workflow that cares.” If fixing mincore breaks someone’s software, Torvalds said, it may be necessary to revisit the code. That, to us, sounds like a real-life scream test. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/08/linux_patch_page_cache/