October 25, 2018

Google and Facebook accused of secretly tracking users’ locations

By Danny Bradbury

Google and Facebook have been hit separately by class action lawsuits accusing the companies of secretly tracking users’ locations, even after those users were led to believe that they had switched such tracking off.

Anyone whose location information has been tracked without their knowledge could join these class action suits. With millions of users potentially eligible, the bill could stretch into billions if plaintiffs get full relief in court.

In a class action suit filed in California District Court, former Facebook app user Brett Heeger sued the social media giant for allegedly continuing to collect users’ location information from their mobile phones even after they had taken advantage of its option to turn off location tracking.

The suit also accuses Facebook of violating its 2011 Consent Decree with the Federal Trade Commission. Under this 20-year agreement, Facebook promised:

…not [to] misrepresent in any manner… the extent to which it maintains the privacy or security of covered information.

The suit against Google follows similar arguments. Filed by individuals Leslie Lee, Stacy Smedley and Frederick Davis, it accuses the company of continuing to collect location data even after a user had opted out. Rather than stopping the collection altogether, it simply stopped aggregating it and displaying it visually on a timeline for users, the suit says, citing press coverage from earlier this year. To truly turn off location tracking:

Users had to disable a setting titled “Web and App Activity” – even though Google did not describe the setting as including location data or disclose that the setting allowed Users’ location to be tracked and stored.

Both lawsuits accuse the two tech giants of violating California laws, including the state’s constitutional right of privacy, its Consumers Legal Remedies Act and its Invasion of Privacy Act.

Read more at https://nakedsecurity.sophos.com/2018/10/25/google-and-facebook-accused-of-secretly-tracking-users-locations/

Could TLS session resumption be another ‘super cookie’?

By John E Dunn

The problem with trying to stop advertisers from tracking web users is that the complex engineering of the web offers so many ways for them to do this.

Well-known techniques include using cookies and browser fingerprinting, which is why Firefox and Apple’s Safari have introduced new controls designed to blunt them in recent weeks.

However, researchers at the University of Hamburg think they’ve spotted another one nobody has been paying attention to – Transport Layer Security (TLS) session resumption.

Session resumption isn’t supposed to be a tracking tool – it’s a perfectly sensible way for a server to resume an encrypted TLS session (TLS being the protocol successor to SSL used to secure HTTPS), without having to go through the palaver of repeated handshakes every time.

These days, a visit to almost any website will establish possibly dozens of these TLS connections, mostly to advertisers whose ads are placed on or around the page that interests the user.

Under TLS 1.2 this works with either session IDs or session tickets, while the newer TLS 1.3 uses pre-shared keys (PSKs). In each case the browser caches an identifier (a session ID, an encrypted ticket or a PSK identity) and presents it to the same server on its next connection so that the full handshake can be skipped. Because the same ad server is embedded on many different sites, any server that issued such an identifier can, in theory, recognise the same browser as the user moves from site to site.
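To make the mechanism concrete, here is a toy model, added here as an example and not code from the article or from the Hamburg researchers, of a third-party ad server that issues resumption tickets and links the visits that later present them. The ticket layout (client identity, issue time, HMAC tag), the seven-day lifetime, the `ads.example` host and the site names are all assumptions for illustration; the `partition_by_site` option models a hypothetical browser defence of keying the session cache by top-level site, not the behaviour of any particular browser.

```python
"""Toy model: a TLS resumption ticket used as a cross-site identifier.

Added example, not from the article or the Hamburg study. The ticket
(client id + issue time + HMAC tag) stands in for the encrypted state a
real server puts in a TLS 1.2 session ticket or a TLS 1.3 PSK identity.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TICKET_LIFETIME = 7 * 24 * 3600   # seconds; an assumed server policy
ID_LEN, TIME_LEN, TAG_LEN = 16, 8, 32
THIRD_PARTY = "ads.example"       # assumed ad host embedded on every site


@dataclass
class AdServer:
    """Third-party server embedded on many first-party sites."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # client identity (hex) -> list of (top-level site, time) where it was seen
    visits: Dict[str, List[Tuple[str, int]]] = field(default_factory=dict)

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self.key, payload, hashlib.sha256).digest()

    def _identity_from(self, ticket: Optional[bytes], now: int) -> Optional[bytes]:
        """Recover the client identity from a ticket we issued, if still valid."""
        if ticket is None or len(ticket) != ID_LEN + TIME_LEN + TAG_LEN:
            return None
        payload, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        if not hmac.compare_digest(self._tag(payload), tag):
            return None                       # forged, or issued by another server
        issued = int.from_bytes(payload[ID_LEN:], "big")
        if now - issued > TICKET_LIFETIME:
            return None                       # expired: the client looks new again
        return payload[:ID_LEN]

    def handshake(self, ticket: Optional[bytes], top_site: str, now: int) -> bytes:
        """Full handshake (no/invalid ticket) or resumption.
        Returns the ticket the client should cache for next time."""
        client_id = self._identity_from(ticket, now)
        if client_id is None:
            client_id = secrets.token_bytes(ID_LEN)   # fresh, unlinkable identity
        self.visits.setdefault(client_id.hex(), []).append((top_site, now))
        # Re-issuing a ticket on every connection means the identity survives
        # for as long as visits keep arriving within TICKET_LIFETIME of each other.
        payload = client_id + now.to_bytes(TIME_LEN, "big")
        return payload + self._tag(payload)

    def max_sites_linked(self) -> int:
        """Largest number of distinct first-party sites tied to one identity."""
        return max((len({s for s, _ in v}) for v in self.visits.values()), default=0)


@dataclass
class Browser:
    """Holds the session cache. With partition_by_site=True the cache key
    includes the top-level site, so the ad server receives a different
    ticket on each site and cannot join the visits (a hypothetical defence)."""
    partition_by_site: bool = False
    cache: Dict[object, bytes] = field(default_factory=dict)

    def visit(self, top_site: str, ad: AdServer, now: int) -> None:
        key = (THIRD_PARTY, top_site) if self.partition_by_site else THIRD_PARTY
        self.cache[key] = ad.handshake(self.cache.get(key), top_site, now)


def run_scenario(partition_by_site: bool, gap: int,
                 sites=("news.example", "shop.example", "forum.example")) -> int:
    """Visit each site `gap` seconds apart with the same ad server embedded;
    return how many sites the ad server could link to this one browser."""
    ad, browser, now = AdServer(), Browser(partition_by_site), 0
    for site in sites:
        browser.visit(site, ad, now)
        now += gap
    return ad.max_sites_linked()


if __name__ == "__main__":
    print("shared cache, hourly visits :", run_scenario(False, 3600))
    print("partitioned cache           :", run_scenario(True, 3600))
    print("shared cache, ticket expired:", run_scenario(False, TICKET_LIFETIME + 1))
```

Running it links all three visits when the cache is shared, one visit each when the cache is partitioned, and one visit each when the ticket expires before the next visit. The uncomfortable part is the middle branch of `handshake`: nothing in the protocol obliges the server to stop recognising a client, so the tracking window is set by ticket lifetime and by how often the browser discards its session cache.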

Read more at https://nakedsecurity.sophos.com/2018/10/25/could-tls-session-resumption-be-another-super-cookie/

Are your jilted apps stalking you?

By Lisa Vaas

Have you recently tried to ditch a mobile app, only to have it keep following you around?

If so, you may be a victim of a new crop of uninstall trackers that go beyond letting app developers track bugs and poor user experience: they also let developers track app users “the instant” they give them the heave-ho, as one mobile app analytics/marketing company, Localytics, brags about on its site.

All the better to “remarket” at those fleeing users, Localytics says. In other words, send ads to people even after they’ve uninstalled apps:

Start sending remarketing campaigns to users the instant they remove your app.

The new phenomenon was first spotted by Bloomberg, which noticed these tracking tools coming from a slew of companies that create development tools for app makers: besides Localytics, they include Adjust, AppsFlyer, MoEngage, and CleverTap.

The uninstall trackers represent a run-around of iOS and Android policies that forbid silent push notifications. Hopefully, Apple and Google will crack down on the practice soon, though neither company has yet responded to inquiries from Bloomberg or me.

Read more at https://nakedsecurity.sophos.com/2018/10/24/are-your-jilted-apps-stalking-you/

WordPress takes aim at ancient versions of its software

By Danny Bradbury

If you’re running a very old version of WordPress on your website, the project’s staff would like a word with you. The people responsible for producing the open source content management system want to wipe your code from the face of the earth.

Don’t take it personally. WordPress just wants you to upgrade to a newer version of its free software to improve security. Aaron Campbell, full-time leader of the WordPress open source security team, explained all during a talk at the DerbyCon security conference early in October.

Campbell explained that while WordPress is busier fixing security holes in its software than ever before, all that will be for nothing if it doesn’t fix arguably the biggest security problem of all: the users that install the free software but don’t upgrade it.

WordPress is by far the most popular website CMS (Content Management System) on the planet, meaning that people of all kinds use it. That includes not only people in charge of enterprise IT, but also solopreneurs and individuals who just want to blog on their own sites. That creates a really patchy update picture.

When the project releases new, more secure versions of its software, it can’t rely on all users to diligently install them. Campbell:

The only way to get users to upgrade and use the secure version is to do it for them, which is how we ended up with automatic updates.

With the release of WordPress 3.7 in 2013, the software began checking for minor and security releases and installing them automatically. That doesn’t extend to major releases (moving from 3.7 to 3.8, for example), which users still install manually. But it does mean that they at least get security patches, as long as they don’t switch the feature off.

Read more at https://nakedsecurity.sophos.com/2018/10/24/wordpress-takes-aim-at-ancient-versions-of-its-software/

Poorly secured SSH servers targeted by Chalubo botnet

By John E Dunn

SophosLabs has detected a new DDoS botnet targeting poorly secured SSH servers. Called Chalubo (or ChaCha-Lua-bot), a name that reflects its use of the ChaCha stream cipher and Lua, the malware started circulating in August before seeing an activity spike in early September.

The malware targets the large global population of Linux systems that run SSH (Secure Shell) for remote administration, which these days includes a growing number of Internet of Things (IoT) devices.

It does this by scanning large IP address ranges for devices listening for SSH on port 22, then brute-forcing their credentials with common default and weak passwords.
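A defender’s check for this stage of the attack, added here as an example and not code from SophosLabs or the Chalubo write-up: the script below parses sshd entries of the kind a syslog `auth.log` carries, counts password failures per source address in a sliding window, and flags an address that reaches the threshold together with any password login that then succeeds from it. The log lines are constructed for the example, with addresses from the RFC 5737 documentation ranges; the five-failures-in-ten-minutes threshold is an assumption to tune for your environment.

```python
"""Flag SSH password brute-forcing in sshd auth logs (added example)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set

# Constructed sample, not a real capture; 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges. A burst of default usernames from one address,
# then a password login that succeeds, then normal key-based admin traffic.
SAMPLE_LOG = """\
Sep  3 02:14:01 iot-gw sshd[1187]: Failed password for root from 203.0.113.5 port 40122 ssh2
Sep  3 02:14:03 iot-gw sshd[1187]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Sep  3 02:14:05 iot-gw sshd[1187]: Failed password for invalid user pi from 203.0.113.5 port 40126 ssh2
Sep  3 02:14:07 iot-gw sshd[1187]: Failed password for root from 203.0.113.5 port 40128 ssh2
Sep  3 02:14:09 iot-gw sshd[1187]: Failed password for invalid user ubnt from 203.0.113.5 port 40130 ssh2
Sep  3 02:14:12 iot-gw sshd[1187]: Accepted password for root from 203.0.113.5 port 40132 ssh2
Sep  3 02:20:44 iot-gw sshd[1201]: Failed password for alice from 198.51.100.7 port 52210 ssh2
Sep  3 02:20:49 iot-gw sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 52210 ssh2
Sep  3 02:31:00 iot-gw sshd[1203]: Connection closed by 203.0.113.9 port 33333 [preauth]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Failed|Accepted)\s(?P<method>password|publickey)\sfor\s"
    r"(?:invalid user\s)?(?P<user>\S+)\sfrom\s(?P<ip>\S+)\sport\s\d+"
)


@dataclass
class AuthEvent:
    when: datetime
    success: bool
    method: str
    user: str
    ip: str


@dataclass
class Finding:
    ip: str
    failures: int           # peak number of failures seen inside one window
    usernames: List[str]    # accounts the attacker tried
    compromised: List[str]  # accounts that accepted a password right after the burst


def parse_line(line: str, year: int = 2018) -> Optional[AuthEvent]:
    """Parse one sshd auth line; returns None for lines we do not score.
    syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return AuthEvent(when, m["result"] == "Accepted", m["method"], m["user"], m["ip"])


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10),
                      year: int = 2018) -> Dict[str, Finding]:
    """One Finding per source IP that reached `threshold` password failures
    inside any `window`, plus password logins that then succeeded from it."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    findings: Dict[str, Finding] = {}
    for line in lines:
        ev = parse_line(line, year)
        if ev is None or ev.method != "password":
            continue                      # key-based logins are not in scope here
        q = failures[ev.ip]
        while q and ev.when - q[0] > window:
            q.popleft()                   # slide the window forward
        if not ev.success:
            q.append(ev.when)
            users[ev.ip].add(ev.user)
            if len(q) >= threshold:
                f = findings.setdefault(ev.ip, Finding(ev.ip, 0, [], []))
                f.failures = max(f.failures, len(q))
                f.usernames = sorted(users[ev.ip])
        elif len(q) >= threshold:
            # Success while the window is still saturated: the password was
            # guessed, so record the account as compromised, not as a user.
            f = findings.setdefault(ev.ip, Finding(ev.ip, len(q), sorted(users[ev.ip]), []))
            if ev.user not in f.compromised:
                f.compromised.append(ev.user)
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG.splitlines()).values():
        print(f"{f.ip}: {f.failures} failures, tried {f.usernames}, "
              f"compromised {f.compromised or 'none'}")
```

The `Accepted publickey` line is ignored on purpose: only password logins are at stake in this attack, and a key-based login after a stray typo is not evidence of compromise. On an IoT fleet the cheapest mitigation is the one the attack assumes is absent: non-default credentials, or better, `PasswordAuthentication no` in `sshd_config` so the guesses never get a chance to land.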

In Chalubo’s case, the ultimate goal is to download and run malware designed to launch Distributed Denial of Service (DDoS) attacks using DNS, UDP, and SYN floods.

In the example analysed by SophosLabs, the target appeared to be a single Chinese IP address but in principle it could be any network.

Given clues hidden in its design, the IoT theme seems clear, as Timothy Easton of SophosLabs points out:

Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

Where did it come from?

SophosLabs noticed the attacker’s command-and-control (C&C) server retrieving a second piece of malware, Linux/DDoS-BD (Linux/BillGates), which has been connected to the Chinese Elknot botnet first seen in 2014.

Read more at https://nakedsecurity.sophos.com/2018/10/24/poorly-secured-ssh-servers-targeted-by-chalubo-botnet/

Former high school teacher pleads guilty to hacking celebrities

By Lisa Vaas

A fifth person has pleaded guilty to federal charges of phishing logins and raiding iCloud accounts for nude photos in the 2014 Celebgate thievery blitz.

This one is a former high school teacher who picked on fellow teachers and students.

The US Attorney’s office in the Eastern District of Virginia announced on Monday that 31-year-old Christopher Brannan has pleaded guilty to getting his mitts on the complete iCloud backups, photographs, and other private information of more than 200 victims, including both celebrities and non-celebrities.

According to court records, those non-celebrities included his sister-in-law – who was a minor at the time – as well as current and former teachers and students at Lee-Davis High School, where Brannan taught special education until 2015.

Brannan used the same scams as the other Celebgate crooks who’ve pleaded guilty: he’d research victims’ social media accounts to glean the answers to their security questions (yet another reason why we should lock down access to our public profiles), then use that information to get unauthorized access to their email accounts.

Read more at https://nakedsecurity.sophos.com/2018/10/24/former-high-school-teacher-pleads-guilty-to-hacking-celebrities/


Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
