July 10, 2018

Privates on parade: fitness tracker app reveals sensitive user details

By Danny Bradbury

Another online fitness tracking app is giving up sensitive information – but this time, it is revealing the names and home locations of government personnel.

Permissive search capabilities in Polar Flow, an online tracking app by Finnish fitness wearables company Polar, have enabled researchers to pinpoint highly sensitive military and intelligence operatives and quickly find out where they live. Furthermore, until Polar shut the app down it was possible to download gigabytes of this information automatically.

Foeke Postma, a volunteer at open source intelligence collective Bellingcat, originally discovered the issue and contacted Dutch news site De Correspondent, who dug into it further. The flaw lay in the way that Polar Flow displayed the details of users’ workouts over several years and allowed people to search for them.

The web app displayed icons in a geographic area of the visitor’s choice, indicating exactly where someone had worked out. Clicking on an icon revealed the details that the person had registered in the app along with all their other workout locations.

The researchers could use that information to find workout routes that began and ended at the same residential address to pinpoint where they lived.

They also used this technique to identify workouts near sensitive sites such as military bases, detention centers, intelligence offices and nuclear weapons sites. They could then identify employees by name and search their other workouts to find their homes.

Even when people had marked themselves private in the app or registered with a fake name, the reporters were still able to find their identities. Polar Flow still exposed a unique identifying number, and allowed public searches using that ID.

The app revealed all their logged activity to anyone who searched, enabling the reporters to quickly track down the private individual’s home address. From there, a quick public record search revealed their real name.
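The failure described above is a privacy setting enforced on one query path (the name search) but not on another (the search by unique ID). The following is an added illustration, not Polar’s code: it contrasts that flawed shape with a single authorization gate that every public query builds on, so no path can forget the check, and it strips the stable user ID from anonymous responses. All users, names and coordinates are constructed sample data.

```python
"""Added example, not Polar's code: one authorization gate that every public
query path shares, so a user's 'private' setting cannot be bypassed by searching
on a different key (such as a numeric ID).  All users and workouts are
constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    display_name: str
    is_private: bool


@dataclass(frozen=True)
class Workout:
    user_id: int
    lat: float
    lon: float


# Constructed data: Alice is public, Bob has marked himself private.
USERS = {
    1001: User(1001, "Alice Example", is_private=False),
    1002: User(1002, "Bob Example", is_private=True),
}
WORKOUTS = [
    Workout(1001, 60.17, 24.94),
    Workout(1002, 60.16, 24.93),
    Workout(1002, 60.20, 24.90),
]


# --- Flawed shape: the privacy check lives only on the name-search path.
def flawed_search_by_name(name):
    return [u.user_id for u in USERS.values()
            if u.display_name == name and not u.is_private]


def flawed_search_by_id(user_id):
    # A second path that forgets the check: private users leak here.
    return [w for w in WORKOUTS if w.user_id == user_id]


# --- Hardened shape: filter at the data-access layer, before any query runs.
def visible_workouts(requester_id=None):
    """Workouts the requester may see: their own, plus those of non-private users.
    Every public query is built on this list, so no path can skip the rule."""
    return [w for w in WORKOUTS
            if w.user_id == requester_id or not USERS[w.user_id].is_private]


def search_by_id(user_id, requester_id=None):
    return [w for w in visible_workouts(requester_id) if w.user_id == user_id]


def search_by_area(box, requester_id=None):
    """Map-style query over a bounding box (lat_min, lat_max, lon_min, lon_max)."""
    lat_min, lat_max, lon_min, lon_max = box
    return [w for w in visible_workouts(requester_id)
            if lat_min <= w.lat <= lat_max and lon_min <= w.lon <= lon_max]


def public_view(workouts):
    """Response shape for anonymous callers: no stable user ID, only a display name."""
    return [{"name": USERS[w.user_id].display_name, "lat": w.lat, "lon": w.lon}
            for w in workouts]


if __name__ == "__main__":
    print("flawed by-ID lookup leaks:", len(flawed_search_by_id(1002)), "workouts")
    print("hardened anonymous by-ID lookup:", search_by_id(1002))
    print("hardened map query:", public_view(search_by_area((60.15, 60.25, 24.85, 25.0))))
```

The design point is where the check lives: `visible_workouts` is the only function that reads `is_private`, and both the by-ID and the map queries are written on top of it, so adding a third query later cannot reintroduce the leak.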

Read more at https://nakedsecurity.sophos.com/2018/07/10/privates-on-parade-fitness-tracker-app-reveals-sensitive-user-details/

Your social media memories may have been compromised

By Paul Ducklin

Remember Timehop, the “digital nostalgia” app?

No, nor do we, but the company still has a database of about 21,000,000 users who have given the app permission to sift through their digital photos and social media posts – even if they no longer actively use the Timehop service.

The idea is that the app turns every day into an anniversary, reminding you of what you were doing on this day last year, three years ago, five years ago, and so on.

The app was briefly popular a few years ago, before Facebook built a similar feature, known as On This Day, into its own social network.

The good news is that a third-party app like Timehop can’t work without your permission.

The Timehop app has to be authorized by you, and furnished with cryptographic keys (known in the jargon as access tokens), to get into the various online services from which you want it to scrape photos and posts.

Per-user, per-service access tokens of this sort are a great idea (notably, this system means you never have to share your actual passwords with a third party), as long as the company holding the tokens doesn’t let crooks wander in and steal them.

The bad news is that Timehop just announced a data breach.

Read more at https://nakedsecurity.sophos.com/2018/07/09/your-social-media-memories-may-have-been-compromised/

What sensitive data is lurking on your old SD card?

By Danny Bradbury

SD cards – those tiny devices that go into your camera or tablet – may be small, but they can hold a lot of revealing information. Because they are often used for storing photos, that information can be highly visual. A research team from the University of Hertfordshire just bought 100 second-hand SD cards and found two thirds of them carrying incriminating files.

The team, commissioned by consumer device advisory site Comparitech, found that 65% of the SD cards still had sensitive files ranging from pornography and intimate personal photos through to passport pictures.

SD cards use a different technology to hard drives, but they have some commonalities. One of these is that deleting a file or even using the standard quick format option in your operating system doesn’t really erase the data. It only marks the file as deleted in the drive’s index, which tells the operating system that the space occupied by that file is now available. The file’s data is still there, and curious users – or organizations wanting to prove a point – can recover it with freely-available forensics tools.

The researchers’ report on the project explains that the cards came from various sources including second-hand shops, auctions, and eBay. Researchers typically bought the cards one at a time, and then used a free data forensics tool called FTK Imager to create a bit-for-bit copy of each card. This enabled them to work from a copy without disturbing the original. Then, they used WinHex and OSForensics to work out what data was in the imaged disk.

Four of the drives couldn’t be read at all, four of them had no data present, 25 had been properly wiped with a data erasing tool, and 29 had been improperly formatted, leaving the data easily recoverable. On two of the disks, files had only been deleted (again, leaving the files exposed). Alarmingly, 36 of the drives’ former owners had taken no steps to remove their data. This enabled the researchers to recover data from 65% of the cards.
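To make concrete why “deleted” and “quick formatted” cards still gave up their files while the 25 properly wiped ones did not, here is an added, self-contained illustration (not the Hertfordshire team’s tooling, and not a real filesystem). It builds a toy card image with an index at the front and data blocks behind it, then walks it through delete, quick format and overwrite, carving for JPEG start/end markers at each stage the way a forensic tool carves a bit-for-bit copy. The entry layout, block size and photo payloads are all constructed for the demonstration.

```python
"""Added example (not the Hertfordshire team's tooling): why 'delete' and quick
format leave data recoverable on a card, and why an overwrite does not.
The 'card' is a constructed bytearray with a toy index: 16-byte entries of
status(1) start_block(1) length(2) name(12).  The deleted marker 0xE5 mirrors
the one FAT uses; everything else is simplified for illustration."""
import math

BLOCK = 64            # bytes per block in the toy image
N_BLOCKS = 32
DIR_BLOCKS = 2        # the first blocks hold the index ("directory")
ENTRY = 16
LIVE, DELETED = 0x01, 0xE5

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker a carver looks for
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def new_image():
    return bytearray(BLOCK * N_BLOCKS)


def _entries(image):
    """Yield (slot_offset, status, start_block, length, name) for used index slots."""
    for off in range(0, BLOCK * DIR_BLOCKS, ENTRY):
        status = image[off]
        if status == 0:
            continue
        start = image[off + 1]
        length = int.from_bytes(image[off + 2:off + 4], "big")
        name = bytes(image[off + 4:off + ENTRY]).rstrip(b"\0").decode()
        yield off, status, start, length, name


def write_file(image, name, data):
    """Copy the bytes into the next unused data blocks and record an index entry."""
    used = [start + math.ceil(length / BLOCK) for _, _, start, length, _ in _entries(image)]
    start = max(used, default=DIR_BLOCKS)
    free_slot = next(off for off in range(0, BLOCK * DIR_BLOCKS, ENTRY) if image[off] == 0)
    image[start * BLOCK:start * BLOCK + len(data)] = data
    image[free_slot] = LIVE
    image[free_slot + 1] = start
    image[free_slot + 2:free_slot + 4] = len(data).to_bytes(2, "big")
    image[free_slot + 4:free_slot + ENTRY] = name.encode().ljust(12, b"\0")


def list_files(image):
    """What the operating system shows: only entries still flagged live."""
    return [name for _, status, _, _, name in _entries(image) if status == LIVE]


def delete_file(image, name):
    """'Delete' as an OS does it: flip the index flag; the data blocks are untouched."""
    for off, status, _, _, entry_name in _entries(image):
        if status == LIVE and entry_name == name:
            image[off] = DELETED


def quick_format(image):
    """Quick format: wipe only the index; every data block survives."""
    image[:BLOCK * DIR_BLOCKS] = bytes(BLOCK * DIR_BLOCKS)


def secure_wipe(image):
    """Proper erasure: overwrite every block, not just the index."""
    image[:] = bytes(len(image))


def carve_jpegs(image):
    """File carving as a forensic tool does it: ignore the index entirely and
    scan the raw bytes for start/end markers."""
    found, pos = [], 0
    while True:
        s = image.find(JPEG_SOI, pos)
        if s < 0:
            break
        e = image.find(JPEG_EOI, s + len(JPEG_SOI))
        if e < 0:
            break
        found.append(bytes(image[s:e + len(JPEG_EOI)]))
        pos = e + len(JPEG_EOI)
    return found


def demo():
    """Walk a constructed card through delete, quick format and wipe;
    return, per stage, what the index lists and how many JPEGs carving recovers."""
    img = new_image()
    write_file(img, "photo1.jpg", JPEG_SOI + b"constructed photo payload one" + JPEG_EOI)
    write_file(img, "photo2.jpg", JPEG_SOI + b"constructed photo payload two" + JPEG_EOI)
    results = {}
    delete_file(img, "photo1.jpg")
    results["after_delete"] = (list_files(img), len(carve_jpegs(img)))
    quick_format(img)
    results["after_quick_format"] = (list_files(img), len(carve_jpegs(img)))
    secure_wipe(img)
    results["after_wipe"] = (list_files(img), len(carve_jpegs(img)))
    return results


if __name__ == "__main__":
    for stage, (names, carved) in demo().items():
        print(f"{stage:20s} index shows {names}, carving recovers {carved} JPEG(s)")
```

After the delete and after the quick format the index no longer lists the photos, yet carving still finds both; only the overwrite leaves nothing to recover. That is the whole difference between the 29 improperly formatted cards and the 25 that had been run through an erasing tool.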

Read more at https://nakedsecurity.sophos.com/2018/07/09/what-sensitive-data-is-lurking-on-your-old-sd-card/

Copyright Directive legislation voted down by European Parliament

By Lisa Vaas

Our sympathies to Paul McCartney, Annie Lennox, Placido Domingo and David Guetta, as well as to newspapers and other outlets whose music and content are sucked from them for nary a dime in recompense by internet giants including Google and Facebook.

For better (and there’s a lot of that) and worse (sorry, again, content creators), the European Parliament on Thursday voted down proposed legislation known as the Copyright Directive.

The EU’s rejection of the controversial legislation – the vote was 318 against 278 with 31 abstaining – isn’t the end of the fight. It now goes back to the drawing board before it faces a second vote in September.

The purpose of the legislation is to drag copyright law into the digital age and ensure that content creators get paid for their work, be it newspaper copy, music or other copyrighted content.

The Copyright Directive encompassed two highly controversial articles: the first was Article 11, intended to protect newspapers and the like from having their material used without payment. Opponents dubbed it the Link Tax, since it would have given media giants the power to charge licensing fees for posting links such as this one.

According to an opposing group, Save the Link, Article 11 would have required websites to install bots to monitor posts for copyrighted content and to censor posts to filter it out. That would have had a major impact on the quotidian work of scores of internet content producers, including journalists looking up and citing sources and professional reviewers discussing the latest film, the group says.

The second controversial piece of the Copyright Directive was Article 13, also known as the Censorship Machine.

Read more at https://nakedsecurity.sophos.com/2018/07/09/copyright-directive-legislation-voted-down-by-european-parliament/

Smart TVs are spying on you through your phone

By Lisa Vaas

Last year, the US Federal Trade Commission (FTC) slapped TV maker Vizio with a $2.2m fine for watching us watch its TVs: the spy boxes were collecting data that included IP addresses and demographic information on 11 million users.

Pffft! Amateurs. Vacuuming our data straight out of our living rooms to see what we’re watching so they can target-market us is so last year. Now, it turns out, one company that’s all about making personalized viewing recommendations is jumping beyond our living rooms in order to sniff out what’s happening on any device that’s on our networks, including our mobile devices, and that of course means following us around.

The New York Times on Thursday published a report about Samba TV, which collects data on 13.5 million TV viewers in order to make its personalized show recommendations. Samba has signed deals with about a dozen TV makers, including Sony, Sharp, Magnavox, Toshiba and Philips, to install its software on certain sets.

It calls that software Automatic Content Recognition (ACR) and says that it delivers “essential TV insights.”

As the Times reports, when a user gets one of these TVs out of the box, a screen urges them to enable a service called Samba Interactive TV. The service promises to recommend shows and provide special offers “by cleverly recognizing onscreen content.” As of 2016, company executives said that more than 90% of people clicked the enable button.

But they were likely agreeing to give away far more data than they realized. What the initial “enable” screen doesn’t include: a terms of service agreement that exceeds 6,500 words and a privacy policy that pushes past 4,000 words. That’s a lot of reading for somebody who just wants to find out if Jon Snow is going to accidentally sleep with his aunt.

With all those words, tucked into screens that Game of Thrones fans clearly aren’t clicking through to pore over, Samba gives itself the go-ahead to create a “device map” that matches TV content to devices sharing a network with a smart TV. And that, according to Jeffrey Chester, executive director of the Center for Digital Democracy, helps the company to leap out of living rooms in order to track users “in their office, in line at the food truck and on the road as they travel.”

Sounds a lot like the internet at large, doesn’t it? Online services follow us around after we leave, taking note of where we go. Facebook, in fact, found itself in quite a bit of hot water over that one: CEO Mark Zuckerberg was in the hot seat in Congress a few months ago, as Florida Rep. Kathy Castor asked whether or not Facebook collects personal data on people who aren’t even Facebook users.

Read more at https://nakedsecurity.sophos.com/2018/07/09/smart-tvs-are-spying-on-you-through-your-phone/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation