BlackBox (Security) Archiv – Telegram
👉🏼 Latest viruses and malware threats
👉🏼 Latest patches, tips and tricks
👉🏼 Threats to security/privacy/democracy on the Internet

👉🏼 Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
Komoot: Facebook goes also on tour

The App Review Week starts with the Android app Komoot (version 9.16.2) - a navigation app for cyclists and hikers. Let's start with the network connections that Komoot establishes during use.

App start:
Immediately after start (no user interaction)

[1] Immediately after starting the app, the app contacts Facebook. Among other things, the following information is transmitted [graph.facebook.com]:

Google Advertising ID: advertiser_id = c3639f11-626a-4692-9574-6a0f632e1ea3
Whether Ad-Tracking is enabled / allowed: advertisertrackingenabled = true
One identifier: anon_id = XZce953baa-18a8-42e0-82ad-2d1b3866fe63
Whether app tracking is enabled / allowed: applicationtrackingenabled = true

Further information:

Package name of the app: de.komoot.android
Version number of the app: 9.16.2
Android version number: 7.1.2
Device model: Redmi Note 4
Country code: de_DE
Time zone: CEST, Europe/Berlin
Display resolution: 1080×1920

❗️ How critical the integration of Facebook building blocks (SDKs) is with regard to privacy still does not seem to have sunk in with app developers - simply irresponsible. The mere transmission of the Google Advertising ID is basically enough for Facebook to link the transmitted data to a Facebook user. The reason: the Facebook app (if installed) also reads the Google Advertising ID. Facebook thus holds an identifier that it can assign exactly to one person.

👉🏼 Read the fully translated article:
https://rwtxt.lelux.fi/blackbox/pstrongkomoot-facebook-goes-also-on-tourstrong

👉🏼 Source 🇩🇪:
https://www.kuketz-blog.de/komoot-facebook-geht-mit-auf-tour/

#komoot #navigation #app #review #kuketz #DeleteFacebook
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Read emails unobserved: How to protect yourself against tracking pixels in newsletters and Co.

Many services for sending newsletters use tracking pixels to analyze your behavior: when the e-mail was opened, bounce rate, clicked links, location. Here you can find out how it works, why you should fight it and what you can do.

Ping. A newsletter lands in your digital mailbox. One click later you will hopefully be a little smarter. In any case, the senders of the newsletter are smarter after your click. They know at what time and where on earth you opened the e-mail. They know which links from the newsletter you clicked on and which e-mail program you use. Depending on the newsletter service, they may know even more. Sounds creepy, but it is everyday practice in e-mail marketing.

Many professional newsletters are sent with the software of specialized service providers. They offer very different services; tracking of the readers is almost always among them. For some it is about being cheap. Others advertise that they can follow visitors, with the help of individual tags, even outside the e-mail on the sender's web page. Still others make so-called A/B testing possible, in which similar target groups are shown different content, in order to test for example the success of different wordings.

☣️ 1 pixel × 1 pixel = ∞ Tracking
Usually, these providers use HTML e-mails: that is, they embed the text to be displayed in HTML markup so that the e-mail becomes prettier and gets more design elements. Images can also be integrated via HTML code. The graphic can either be attached to the e-mail or downloaded from an external server.

Almost all newsletter services have in common the use of so-called "tracking pixels". They are integrated in the way described above via HTML code and loaded from an external server when the e-mail is opened. These tracking graphics are usually one pixel by one pixel in size or completely hidden. For each reader, a unique identifier is added to the graphic's URL, which makes it possible to assign the behavior to individual profiles. A link could look like this:

https://newsletterversand.domain/trackingpixel.gif?identifier=123456789

Consequently, the server from which the pixel is loaded can analyze your behavior. A program on the server records: when exactly was this link retrieved for the first time? And from where? From this it is also possible to determine which links from the newsletter you click on, and thus your more precise interests. The IP address is used to read out your supposed whereabouts.
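As an added example (not from the netzpolitik guide), here is a scanner that applies exactly these traits, an external source, 1×1 or hidden rendering and a per-recipient identifier in the URL, to a constructed newsletter body, plus the defensive rewrite that stops remote images from loading at all. The sample HTML and the example.org/example.net hosts are constructed; the newsletterversand.domain link is the one from the text.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample of a newsletter HTML body (not a real mailing).
SAMPLE_HTML = """
<html><body>
<p>Hello reader, here is this week's news.</p>
<img src="https://cdn.example.org/logo.png" width="200" height="60" alt="logo">
<a href="https://newsletterversand.domain/click?identifier=123456789&url=https://example.org/article">Read article</a>
<img src="https://newsletterversand.domain/trackingpixel.gif?identifier=123456789" width="1" height="1" alt="">
<img src="https://tracker.example.net/open/abc123def" style="display:none;width:1px;height:1px">
<img src="cid:attached-image-001" width="300" height="200">
</body></html>
"""

# Query keys that usually carry a per-recipient identifier (assumed list),
# and a pattern for an opaque token placed in the path instead of the query.
ID_KEYS = {"identifier", "id", "uid", "rid", "recipient", "subscriber", "e", "u", "c", "token"}
TOKEN_RE = re.compile(r"/[A-Za-z0-9_-]{8,}$")


class PixelScanner(HTMLParser):
    """Collects <img> tags and scores each one for tracking-pixel traits."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []
        parsed = urlparse(src)
        if parsed.scheme in ("http", "https"):
            reasons.append("external")      # fetched from a remote server on open
        style = (a.get("style") or "").replace(" ", "").lower()
        if a.get("width") == "1" and a.get("height") == "1":
            reasons.append("1x1")
        if "width:1px" in style and "height:1px" in style:
            reasons.append("1x1-css")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        qs = parse_qs(parsed.query)
        if any(k.lower() in ID_KEYS for k in qs):
            reasons.append("identifier-in-query")
        elif TOKEN_RE.search(parsed.path):
            reasons.append("token-in-path")
        # An external image that is also tiny, hidden or carries a recipient token
        # is classified as a tracking pixel; a plain external logo is not.
        is_pixel = "external" in reasons and len(reasons) >= 2
        self.findings.append({"src": src, "reasons": reasons, "tracking_pixel": is_pixel})


def find_tracking_pixels(html):
    """Return the img sources classified as tracking pixels, in document order."""
    scanner = PixelScanner()
    scanner.feed(html)
    return [f["src"] for f in scanner.findings if f["tracking_pixel"]]


def strip_external_images(html):
    """Defensive rewrite: blank the src of every remote image so nothing is fetched on open."""
    return re.sub(r'(<img\b[^>]*?\bsrc=")https?://[^"]*(")', r"\1\2", html, flags=re.I)
```

Blocking remote images in the mail client does the same thing as strip_external_images for every message, which is why the guide recommends it.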

👉🏼 Read the fully translated guide:
https://rwtxt.lelux.fi/blackbox/pstrongread-emails-unobserved-how-to-protect-yourself-against-tracking-pixels-in-newsletters-and-costrongp

👉🏼 Source 🇩🇪:
https://netzpolitik.org/2019/unbeobachtet-mails-lesen-so-schuetzt-ihr-euch-gegen-tracking-pixel-in-newslettern-und-co/#trick-applemail

#mail #tracking #guide #DataProtection #privacy
Tech billionaire Thiel wants FBI and CIA to investigate Google

According to media reports, tech billionaire Peter Thiel has demanded FBI and CIA investigations against Google. The question is whether the company has been infiltrated by China.

Billionaire investor Peter Thiel said Sunday that the FBI and the CIA should investigate if Google has been infiltrated by Chinese intelligence, according to a report from Axios.

Thiel blasted the Alphabet-owned Google for its work in China, saying the search engine giant was "engaged in the seemingly treasonous decision to work with the Chinese military and not with the US military," according to Axios.

Last year, Google came under fire after it was revealed that the company was working on a controversial project to launch a censored search service in China.


Thiel, a Facebook board member, was speaking at the National Conservatism Conference in Washington, D.C. and his speech focused on three questions that should be presented to the tech giant, Axios said.

"Number one, how many foreign intelligence agencies have infiltrated your Manhattan Project for AI (artificial intelligence)?" Thiel reportedly asked. "Number two, does Google's senior management consider itself to have been thoroughly infiltrated by Chinese intelligence?"

He said those questions "need to be asked by the FBI, by the CIA."

Thiel also blasted Alphabet-owned Google for its work in China.

"Number three, is it because they consider themselves to be so thoroughly infiltrated that they have engaged in the seemingly treasonous decision to work with the Chinese military and not with the US military," Thiel said, according to Axios.

Google did not immediately respond to CNBC's request for comments.

Read more:
https://www.cnbc.com/2019/07/15/peter-thiel-reportedly-says-the-fbi-and-cia-should-investigate-google.html

#thiel #CIA #FBI #Google #DeleteGoogle
Richard Stallman on Pedophilia

Richard Stallman had a birthday a couple of days ago. On various forums and subreddits, people were wishing RMS a happy birthday and some were sharing their favorite quotes from Stallman. Some of these quotes I had never read before and, to be honest, kind of shocked me. Not sure I will ever view Richard Stallman the same.

📺 https://www.youtube.com/watch?v=8BDm88o94nk

#RMS #Stallman #pedophilia #thinkabout #video
EU states unanimously vote against stricter export controls for surveillance equipment

The EU wants to more closely control the trade of the European surveillance industry with autocratic regimes. After two years of tough negotiations, the member states have found a "compromise": they are against anything that could limit the trade of spyware. Germany agreed as well.

Daniel Moßbrucker accompanies the reform of the EU Dual Use Regulation for Reporters Without Borders. The human rights NGO works globally for the protection of journalists and fights against censorship online and offline. (This text is the translation of the original German version.)

On 28 May, the UN special rapporteur on the right to freedom of opinion and expression, David Kaye, appealed to the international community and demanded a moratorium on the sale of spying technology. Everywhere in the world, journalists, activists and opposition members are being monitored with state-of-the-art technology, trade is flourishing – and global regulation is at best in its infancy.

With the same arguments, the EU Commission had already submitted a reform proposal in 2016 for the European control system. The items include hacking software, large data centres for data retention, IMSI catchers for monitoring demonstrations and equipment for telecommunications surveillance.

For more than two years, the EU member states had been arguing fiercely about the Commission's plans before they presented their "compromise" exactly one week after Kaye's demand. They are against any plans that would allow stronger controls on surveillance technology.

Read more:
https://rwtxt.lelux.fi/blackbox/peu-states-unanimously-vote-against-stricter-export-controls-for-surveillance-equipmentp

#EU #surveillance #export #equipment
50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System

Apps can also access tracking data without authorization

The Android permission model can be circumvented with tricks. A study found 1,325 apps that can access the corresponding data even without authorization.

The Android authorization system is designed to protect particularly sensitive data. Only when the user grants an app the corresponding authorization can it access the location or the device ID, for example. However, some applications bypass the permissions by accessing the corresponding data in other ways. Researchers at Berkeley University (USA), the IMDEA Networks Institute (Spain) and the University of Calgary (Canada) found this out.

PDF:
https://www.ftc.gov/system/files/documents/public_events/1415032/privacycon2019_serge_egelman.pdf

#android #data #circumvent #tracking #authorization #poc
🎧 The Internet’s Carbon Footprint

Manoush Zomorodi explores the surprising environmental impact of the internet in this episode of IRL. Because while it's easy to think of the internet as living only on your screen, it is in fact powered by massive server farms, running around the clock, all over the world. What exactly is the internet's carbon footprint? And what can we do about it?

📻 https://irlpodcast.org/

#IRL #carbon #footprint #podcast
(Can't) Picture This 2: An Analysis of WeChat's Realtime Image Filtering in Chats

Key Findings:

👁‍🗨 WeChat implements realtime, automatic censorship of chat images based on text contained in images and on an image's visual similarity to those on a blacklist

👁‍🗨 WeChat facilitates realtime filtering by maintaining a hash index populated by MD5 hashes of images sent by users of the chat platform

👁‍🗨 We compare levels of filtering across WeChat’s Moments, group chat, and 1-to-1 chat features and find that each has different images censored; we find that Moments and group chat are generally more heavily filtered than 1-to-1

👁‍🗨 WeChat targets predominantly political content including images pertaining to government and social resistance

👁‍🗨 WeChat’s image censorship is reactive to news events; we found censored images covering a wide range of events, including the arrest of Huawei’s CFO, the Sino-US Trade War, and the 2018 US Midterm Elections

https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/

#WeChat #filter #realtime #images #china #censorship
The WORST Part of the Epstein Case – #PropagandaWatch

According to the dinosaur media, the worst part about the exposure of Jeffrey #Epstein’s child sex trafficking and high-level #blackmail operation is that it bolsters #conspiracy theories about child sex trafficking and elite corruption.

❗️Newsflash: they’re trying to gaslight you. Don’t fall for it for a second.

📺
https://www.corbettreport.com/the-worst-part-of-the-epstein-case-propagandawatch/

#corbettreport #video #podcast
Security reports reveal how Assange turned an embassy into a command post for election meddling

New documents obtained exclusively by CNN reveal that WikiLeaks founder Julian Assange received in-person deliveries, potentially of hacked materials related to the 2016 US election, during a series of suspicious meetings at the Ecuadorian Embassy in London.

The documents build on the possibility, raised by special counsel Robert Mueller in his report on Russian meddling, that couriers brought hacked files to Assange at the embassy.

The surveillance reports also describe how Assange turned the embassy into a command center and orchestrated a series of damaging disclosures that rocked the 2016 presidential campaign in the United States.

Despite being confined to the embassy while seeking safe passage to Ecuador, Assange met with Russians and world-class hackers at critical moments, frequently for hours at a time. He also acquired powerful new computing and network hardware to facilitate data transfers just weeks before WikiLeaks received hacked materials from Russian operatives.

These stunning details come from hundreds of surveillance reports compiled for the Ecuadorian government by UC Global, a private Spanish security company, and obtained by CNN. They chronicle Assange’s movements and provide an unprecedented window into his life at the embassy. They also add a new dimension to the Mueller report, which cataloged how WikiLeaks helped the Russians undermine the US election.

An Ecuadorian intelligence official told CNN that the surveillance reports are authentic.

👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/exclusive-security-reports-reveal-how-assange-turned-an-embassy-into-a-command-post-for-election-meddling

#FreeAssange #thinkabout
Shelter: Isolate Big Brother apps - Take back control! (Part 7)

1. Big Data

The collection, processing and analysis of as much information as possible is Big Data’s core business. In this non-transparent data processing, which is determined by algorithms, personal rights are hardly taken into consideration. This dilemma becomes particularly clear in the Android world: Apps access personal data uninhibitedly and send it unsolicited to the most diverse protagonists. This is exactly what the article series “Take back control!” wants to protect against.

Another piece of the puzzle toward this goal is the app Shelter, which locks selected Android apps in a sandbox, depriving them of access to contacts, calendars, images and other data. Curious apps can thus be denied access to sensitive user data.

💡 This article is part of a series of articles:

Android without Google: Take back control! Part 1

LineageOS - Take back control! Part 2

Magisk: By the power of Root - Take back control! Part 3 (not yet translated)

AFWall+: Digital Door Controller - Take back control! Part 4

F-Droid: Free and Open Source Apps - Take back control! Part 5

AdAway: Advertising and tracking blocker - Take back control! Part 6

Shelter: Isolate Big Brother apps - Take back control! Part 7

2. Shelter

Shelter is an open source app for Android that can be downloaded from the F-Droid app store. Alternatively, the app can be downloaded via GitHub or the Google Play Store.

To separate apps, Shelter uses the Android work profiles that Google introduced as early as 2015 to separate private data from business content or apps. The work profile is a specially isolated area into which, for example, data-hungry apps can be moved. In addition to the normal environment in which all apps are usually located, Shelter creates another workspace that is logically separated from it. From this bunker (Shelter), apps cannot access data that is in the normal environment, but they can access all data of apps that are also stored or locked in the Shelter.

👉🏼 Read the fully translated guide:
https://rwtxt.lelux.fi/blackbox/shelter-isolate-big-brother-apps-take-back-control-part-7

👉🏼 Source 🇩🇪:
https://www.kuketz-blog.de/shelter-big-brother-apps-isolieren-take-back-control-teil7/

#android #shelter #NoGoogle #guide #part1 #part2 #part4 #part5 #part6 #part7 #kuketz
Amazon is listening to your kids and visitors, warns German parliament report

Smart speakers like Alexa not only store the voices of their registered users, but also those of children and unsuspecting guests. This constitutes a legal problem, says a report commissioned by the German parliament.

Amazon’s voice assistant listens far more often than people might know. Alexa does not only pick up the voices of adults who consciously interact with the system, but also those of others who do not know the assistant is recording them. That could be a visitor or a minor.

This function of Alexa is now the subject of a report by the Research Service of the German parliament, the Bundestag. The service is impartial, researching and analysing information on behalf of committees and at the request of members of parliament. The paper examines whether the recording, transcription and evaluation of voice recordings by Amazon are legal under German law.

When Alexa is first installed, users must give their consent to the processing and storage of their data. The mandatory information about the use and administration of their data is described sufficiently on Amazon’s website and in the Alexa app, according to the experts. Users can manage and delete the stored data in their profile. However, it remains unclear for how long Amazon stores the voice recordings and how often the software records unintended noises and conversations.

👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/amazon-is-listening-to-your-kids-and-visitors-warns-german-parliament-report

#DeleteAmazon #Alexa #DataProtection #privacy
SwiftKey: BlackBox with permanent tracking

On the fourth day of the App Review Week, I test the Android app SwiftKey (version 7.3.3.12) - a keyboard app from Microsoft that accepts input via swipe gestures. Let's start with the network connections that SwiftKey establishes during use.

App start:
Immediately after start (no user interaction)

[1] Immediately after startup, the app contacts the SwiftKey servers [jenson.api.swiftkey.com] to update LanguagePack information:

GET /swiftkey/sksdk-3.0/sk-7.3.3/market/languagePacksSSL.json HTTP/1.1
Accept-Encoding: gzip, deflate
Range: bytes=0-
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Mi A1 Build/PQ3A.190705.003)
Host: jenson.api.swiftkey.com
Connection: close

[2] The updates for the language packs (LanguagePacks) are then downloaded via a cloudfront server [d4kkhvu20wq9i.cloudfront.net]:
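
Added example (not from the kuketz reviews or either app): a small parser for captured requests of the kind both reviews quote. It takes the SwiftKey request above as captured text and a constructed stand-in for the Facebook SDK POST from the Komoot review (same field names, placeholder path and values), and flags the fields a reviewer looks for: advertising and install identifiers, tracking opt-in flags, and the device model and build leaked in the User-Agent.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The SwiftKey request quoted above, as captured text (request line + headers, no body).
SWIFTKEY_REQ = (
    "GET /swiftkey/sksdk-3.0/sk-7.3.3/market/languagePacksSSL.json HTTP/1.1\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Range: bytes=0-\r\n"
    "User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Mi A1 Build/PQ3A.190705.003)\r\n"
    "Host: jenson.api.swiftkey.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed stand-in for the Facebook SDK call described in the Komoot review:
# the parameter names are the ones listed there; path and values are placeholders.
FACEBOOK_REQ = (
    "POST /APP_ID_PLACEHOLDER/activities HTTP/1.1\r\n"
    "Host: graph.facebook.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "event=MOBILE_APP_INSTALL&advertiser_id=00000000-0000-4000-8000-000000000000"
    "&advertisertrackingenabled=true&anon_id=XZ00000000-0000-4000-8000-000000000000"
    "&applicationtrackingenabled=true&application_package_name=de.komoot.android"
)

# Parameter names that carry a persistent identifier or a tracking flag (assumed list,
# taken from the fields the Komoot review describes).
IDENTIFIER_FIELDS = {
    "advertiser_id": "Google Advertising ID",
    "anon_id": "SDK-generated install identifier",
    "advertisertrackingenabled": "ad-tracking opt-in flag",
    "applicationtrackingenabled": "app-tracking opt-in flag",
}

UA_RE = re.compile(r"Android ([\d.]+); ([^)]+?)\s+Build/([^\s)]+)")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, host, path, headers and parameters.

    Parameters come from the query string and, for form-encoded POSTs, the body.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"method": method, "host": headers.get("host", ""), "path": parts.path,
            "headers": headers, "params": params}


def privacy_findings(raw):
    """Report which identifying fields a captured request carries and to which host."""
    req = parse_request(raw)
    findings = []
    for name, meaning in IDENTIFIER_FIELDS.items():
        if name in req["params"]:
            findings.append(f"{name}={req['params'][name]} ({meaning})")
    m = UA_RE.search(req["headers"].get("user-agent", ""))
    if m:
        findings.append(
            f"device fingerprint in User-Agent: Android {m.group(1)}, "
            f"model {m.group(2)}, build {m.group(3)}"
        )
    return {"host": req["host"], "findings": findings}
```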

👉🏼 Full translated review:
https://rwtxt.lelux.fi/blackbox/swiftkey-blackbox-with-permanent-tracking

Source 🇩🇪:
https://www.kuketz-blog.de/swiftkey-blackbox-mit-dauerhaftem-tracking/

#SwiftKey #App #review #kuketz
Firefox classifies HTTP websites as insecure in the future

The feature is active and works in Firefox 70, which is currently available only in the Nightly channel. But Firefox 68 can also be configured manually so that the URLs of unencrypted websites are shown with a crossed-out lock and the label "Not secure".

💡 According to the report, the security warning is now activated in the Nightly version of Firefox 70. Users of the current version 68 can already unlock the feature via the configuration page "about:config".

You simply have to set the following settings to "True" by double-clicking them:

about:config
security.insecure_connection_icon.enabled
security.insecure_connection_icon.pbmode.enabled
security.insecure_connection_text.enabled
security.insecure_connection_text.pbmode.enabled
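
Added example (not from the ghacks article or from Mozilla): a check that reads a profile's prefs.js, the file where about:config changes are persisted, reports which of the four preferences are still absent (built-in default) or false, and emits the user.js lines that would force them on. The prefs.js excerpt is constructed.

```python
import re

# The four preferences named in the post; all must be true for the "Not secure" indicator.
REQUIRED_PREFS = {
    "security.insecure_connection_icon.enabled": True,
    "security.insecure_connection_icon.pbmode.enabled": True,
    "security.insecure_connection_text.enabled": True,
    "security.insecure_connection_text.pbmode.enabled": True,
}

# Constructed excerpt of a profile's prefs.js, not a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1563400000);
user_pref("security.insecure_connection_icon.enabled", true);
user_pref("security.insecure_connection_text.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""

# user_pref("name", value); where value is a bool, an integer or a quoted string.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);', re.M)


def parse_prefs_js(text):
    """Map preference name -> Python value (bool, int or str) for every user_pref line."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_insecure_indicator(prefs):
    """Return the required prefs that are missing (None) or not set to the wanted value."""
    return {name: prefs.get(name)
            for name, wanted in REQUIRED_PREFS.items() if prefs.get(name) != wanted}


def user_js_fix(missing):
    """user.js lines that set every reported preference on the next Firefox start."""
    return [f'user_pref("{name}", true);' for name in missing]
```

Firefox writes prefs.js on exit, so run the check against a closed profile.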

https://www.ghacks.net/2019/07/18/firefox-to-mark-all-http-sites-as-not-secure/

#mozilla #firefox #browser #tip #tricks #HTTP #encryption
Amazon is turning advertising into its next huge business — here’s how


☢️ Amazon has built a huge advertising business. Here’s a little more about how it all works.

☢️ The e-commerce giant lets advertisers reach consumers through product ads or even videos on third-party websites.

☢️ While shopping on Prime Day, this is how to spot and understand some of the ad products used to encourage you to buy certain products.


If you were browsing Amazon in search of deals for Prime Day, you undoubtedly came across a lot of ads. That's because Amazon has a trove of information about buying habits that makes it a valuable place for advertisers.

Think about it: Amazon knows the last time you bought toothpaste on the site and which brand you typically like to buy. Advertisers can use that information to try to get you to buy their brand of toothpaste right when you’re running low.

Other advertisers can use Amazon to target ads, even if they’re selling products that you can’t necessarily buy on Amazon, like insurance or a car. These advertisers can use Amazon’s extensive customer data to figure out who might buy their product or services, and they can use Amazon’s ad products to reach those people, both on Amazon’s properties and through a network of third-party sites.

This rich trove of data has made Amazon into the third-largest digital ad platform in the U.S. and a growing contender to take on the digital ad duopoly of Google and Facebook. Earlier this year, eMarketer said it expected Amazon to claim 8.8% of U.S. digital ad spend in 2019, up from 6.8% in 2018, while expecting Google to drop from 38.2% to 37.2%. Meanwhile, Facebook was expected to pull 22.1% of digital ad spend in 2019, up very slightly from 21.8%. Amazon’s net sales in its “other” category, which consists primarily of advertising sales, was $2.72 billion in the first quarter.

👉🏼 Read the full story without ads n shit:
https://rwtxt.lelux.fi/blackbox/amazon-is-turning-advertising-into-its-next-huge-business-heres-how

#DeleteAmazon #advertising #business
Newly Discovered Malware Framework Cashing in on Ad Fraud

A newly discovered malware framework is responsible for more than one billion fraudulent ad impressions in the past three months, generating its operators significant Google AdSense revenue on a monthly basis.

Flashpoint researchers uncovered the framework, which features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams.

The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex’s browser.

Most video and streaming services have tiers for their content producers, which determine how much they are paid for their content. Content producers benefit financially from higher counts, which can lead to some unscrupulous behavior.

Flashpoint researchers found code, for example, that looks for YouTube referrers and then injects a new script tag to load code for YouTube. In this case, the injected JavaScript has an extensive amount of code that is designed to like videos, most of which are related to political topics in Russia. Separately, researchers also found code that injects an iframe into the browser designed to play a hidden Twitch stream, padding the viewer stats for the streamer on that page.

Read more:
https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

#malware #malicious #framework #AdFraud #AdSense #browser #extension
David K. Levine is Against Intellectual Monopoly

David K. Levine is an economist at the European University Institute and at Washington University in St. Louis. He is the author with Michele Boldrin of Against Intellectual Monopoly, an empirical study of the economics of intellectual property that concludes that IP is not necessary for innovation and as a practical matter is damaging to growth, prosperity and liberty.

📺 https://www.corbettreport.com/david-k-levine-is-against-intellectual-monopoly/

#corbettreport #intellectual #monopoly #video #podcast
NBC Released A Tape Showing Donald Trump and Jeffrey Epstein discussing women at 1992 party

In footage from 1992 released this week by NBC, United States President Donald Trump can be seen joking and laughing with Jeffrey Epstein at a party.

Trump said that Epstein was a "terrific guy."

"He's a lot of fun to be with. It is even said that he likes beautiful women as much as I do, and many of them are on the younger side," Trump said at the time.

https://www.nbcnews.com/news/us-news/tape-shows-donald-trump-jeffrey-epstein-discussing-women-1992-party-n1030686

#Epstein #Trump #pedo #conspiracy #SexTrafficking
Tracking sex: The implications of widespread sexual data leakage and tracking on porn websites

This paper explores tracking and privacy risks on pornography websites. Our analysis of 22,484 pornography websites indicated that 93% leak user data to a third party.

Tracking on these sites is highly concentrated by a handful of major companies, which we identify. We successfully extracted privacy policies for 3,856 sites, 17% of the total. The policies were written such that one might need a two-year college education to understand them.

Our content analysis of the sample's domains indicated 44.97% of them expose or suggest a specific gender/sexual identity or interest likely to be linked to the user. We identify three core implications of the quantitative results: 1) the unique/elevated risks of porn data leakage versus other types of data, 2) the particular risks/impact for vulnerable populations, and 3) the complications of providing consent for porn site users and the need for affirmative consent in these online sexual interactions.

PDF - Analysis:
https://arxiv.org/pdf/1907.06520.pdf

#study #analysis #sex #porn #websites #tracking #google #facebook #pdf
DataSpii: The catastrophic data leak via browser extensions

We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users.

Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe.

We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data. We identified the collection of sensitive data from the internal network environments of Fortune 500 companies.

Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.

👉🏼 https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/

I found your data. It’s for sale.

As many as 4 million people have Web browser extensions that sell their every click. And that’s just the tip of the iceberg.

I've watched you check in for a flight and seen your doctor refilling a prescription.

I’ve peeked inside corporate networks at reports on faulty rockets. If I wanted, I could’ve even opened a tax return you only shared with your accountant.

I found your data because it’s for sale online. Even more terrifying: It’s happening because of software you probably installed yourself.

My latest investigation into the secret life of our data is not a fire drill. Working with an independent security researcher, I found as many as 4 million people have been leaking personal and corporate secrets through Chrome and Firefox. Even a colleague in The Washington Post's newsroom got caught up. When we told browser makers Google and Mozilla, they shut these leaks immediately — but we probably identified only a fraction of the problem.

👉🏼 https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/

#DataSpii #DataSpy #browser #extensions #data #leak #security #investigation #chrome #firefox
Not only FaceApp: thousands of applications spy even when denied permission.

The case of FaceApp, the application that uses artificial intelligence to age a face and show a realistic image, has put the spotlight on a common aspect that few users notice. When installing it, you are warned that all of your data will be used and even passed on to third parties, so control is lost. In this case the warning comes in a process that few users read, or that they accept without thinking about the consequences. But some mobile programs may not even need explicit consent. Thousands of applications circumvent the restrictions and spy, even when not authorized.

Why does a phone's flashlight need access to a user's location? And a photo editing application to the microphone? Or a voice recorder to the contacts? In principle, these apps do not need this type of permission to function. When they access them, it is usually in search of an extremely valuable asset: data. Users can grant or deny different permissions to applications so that they can access their location, contacts or the files stored on the phone. But an investigation by a team of cybersecurity experts has revealed that up to 12,923 apps have found a way to keep collecting private information despite having been explicitly denied the permissions.

This study highlights how difficult it is for users to safeguard their privacy. Researchers from the International Computer Science Institute (ICSI) in Berkeley, the IMDEA Networks Institute in Madrid, the University of Calgary and AppCensus analyzed a total of 88,000 applications from the Play Store and observed how thousands of applications access information such as the location or device data that the user had previously denied them.

The experts have not yet made public the full list of apps engaging in these practices. But according to the investigation, they include the app of the Disneyland park in Hong Kong, Samsung's browser and the Chinese search engine Baidu. The number of potential users affected by these findings is in the "hundreds of millions".

Borja Adsuara, a lawyer specializing in digital law, asserts that this is "a very serious infringement" because the Android operating system requires apps to request consented access to this data through permissions, and the user expressly tells them no. Consent, he explains, works in much the same way for physical privacy as for non-physical privacy (personal data). "It is like the case of a rape in which the victim expressly says no," he states.

Narseo Vallina-Rodríguez, co-author of the study, points out that "it is not clear whether there will be patches or updates for the billions of Android users who today use versions of the operating system with these vulnerabilities". Google has not specified to this newspaper whether it plans to withdraw from the market, or take any other action regarding, the applications that, according to the study, access users' data without the relevant permission. However, it has assured that the problem will be resolved with Android Q, the next version of its operating system. The company intends to release six beta versions over the course of the year before unveiling the final version during the third quarter of the year.

How do applications access the user's private information without the necessary permissions? Apps circumvent the operating system's control mechanisms through side channels and covert channels. Vallina makes the following comparison: "To get into a house [the user's data] you can go through the door with the key the owner gave you [the permission], but you can also do it without the owner's consent by exploiting a vulnerability in the door [a side channel] or with the help of someone who is already inside [a covert channel]".