Surfeit and Blasé Security
Taking your tablet online can make you vulnerable to an assortment of internet dangers, including identity theft and hackers. This is especially true if you’re taking advantage of a public hotspot rather than your home network.
Follow these simple steps to ensure safe and secure browsing no matter where you are.
An article on Google’s grandly-named European Public Policy Blog, which offers “Google’s views on government, policy and politics in Europe”, has gently announced what the search-and-advertising behemoth calls A new option for location-based services.
Google’s location-based services rely extensively on its controversial global database of WiFi access points.
The idea is simple. Google’s many StreetView cars and bicycles spend their time driving around our suburbs, snapping a continuous stream of photographs of houses, gardens, offices, parks – whatever they pass on their all-encompassing journeys.
Whilst they’re about it, the StreetView vehicles also make digital recordings in other parts of the electromagnetic spectrum – to wit, they sniff out WiFi access points and record their identification information and location.
Most access points spend long periods of time with the same MAC address and network name, and in the same place. So, a list of the access points currently within range of your laptop or mobile phone lets Google make a pretty good guess at your current location.
This obviates the need for GPS – which is slow to lock when you first power it up, drains your battery if you leave it running, and doesn’t work well indoors.
Google’s outward-facing explanation of the benefit of its massive WiFi database is that it represents value to you – it helps you find out where you are. Sadly, most of the time you already know where you are. You’re at home, or in the office, or stuck yet again in a traffic jam on Parramatta Road on your way to work. Or from it.
The inward-facing explanation, of course, is that it represents value to Google – it helps Google know where you are. And that’s good for targeted advertising, and that’s great for business.
Anyway, after pressure from various privacy-minded data protection authorities in Europe, Google has changed its stance on its WiFi location database. You will soon be able to opt out, Google says, from being a part of the access point service.
The details of how this will work have not yet been released. How you will opt out has not been explained. And calling it “opting out” when you didn’t opt in in the first place is a little cheeky.
It doesn’t even sound from the blog article as though Google intends to remove your access point data from its database if you opt out. The lawyerly prose in the article simply says that if you opt out, “[Google’s] services will not use that access point to determine users’ locations.”
(Actually, this is a Catch-22. Google pretty much has to keep you on file, simply in order to know that you didn’t want to be on file in the first place. Otherwise they’d just add you back in next time the StreetView WiFi scanner came round – and then you’d have to opt out again. Sadly, you can’t opt out of the StreetView collection process proactively.)
Nevertheless, this is an interesting change because it shows that, with enough pressure, even data-accumulation juggernauts like Google can be persuaded to change their ways.
In short: if big companies are doing things online with your data which you aren’t happy with, don’t just keep quiet. Write to your Privacy Commissioner. You can make a difference!
If you saw a toy quadricopter flying outside your office would you be alarmed?
Researchers at the Stevens Institute of Technology, New Jersey, believe they have dreamt up a way for malicious hackers to break into WiFi networks and commandeer computers into a botnet – not via the internet, but using a DIY drone helicopter that costs less than $600.
With one mischievous eye towards the “Terminator” movies, Theodore Reed, Joseph Geis and Sven Dietrich have dubbed their creation “SkyNET” and say that for a few hundred dollars an off-the-shelf remote-controlled quadricopter can be turned into a stealth device which can seek out poorly protected WiFi networks, and then infect computers attached to them.
Because botmasters use the internet to deliver commands to their networks of compromised computers (which can in turn provide clues on if a botnet is active, and how to defend against it), the researchers were curious as to whether there were other ways to both create a botnet and send it instructions.
And thus, SkyNET was born.
The Parrot AR.Drone quadricopter sells for less than $300 on Amazon, and once modded with a lightweight computer running Linux, a 3G mobile broadband data connection, GPS receiver and two WiFi cards (one to receive commands, and the other to attack wireless networks) it’s ready.
According to Reed, Geis and Dietrich the whole system can be built for less than $600.
Via a web interface and built-in forward-facing camera, the drone can be flown into position to hunt for WiFi networks. It can even conduct attacks while in flight for an average of 20 minutes – but because of battery life limits it’s probably more realistic to land it in a position where it can do its dirty work for an average of up to 2.5 hours.
On a subsequent trip it selects which networks to attack (simple if the wireless network is unprotected or using weak WEP encryption, but more complicated cracking can, say the researchers, be offloaded to Amazon’s EC2 cloud as it too computationally intensive to do onboard the helicopter).
Once it has cracked into networks, SkyNET would theoretically be capable of recruiting computers into its botnet and send them commands.
As the above promotional YouTube video from Parrot proves, the quadricopter is a neat device – capable of manouevering itself into extraordinary positions in the hands of a skilled operator.
In feasibility tests in New York City, the researchers found a large number of exposed wireless access points which – if they had been so minded – they could have attempted to infiltrate.
Yes, it’s an awful lot of effort to go to to send some Viagra spam. But that’s probably not the reason why an attack like this would be contemplated. If something like this were to be used I suspect it would be in the form of a more targeted attack, with the drone flown to a hard-to-reach part of the target office’s rooftop to collect data and inject attacks.
That doesn’t mean it would necessarily be undetectable, of course. The research paper says that it may be possible to correlate the location of affected host computers and analysis may reveal the approximate relative location of the drone.
Furthermore, a drone might be traced back to the location where the botmaster plans to retrieve his device – one wonders if he would pose as a park-goer playing with an expensive toy.
In addition, lets not forget, unlike just about any other form of computer attack this is one which simply won’t work when the weather is too wet or windy.
Hat tip: “SkyNET: a 3G-enabled mobile attack drone and stealth botmaster” [PDF] via Technology Review.
A pair of security researchers have created their own version of the notorious Firesheep plugin to expose a data leak in the world’s favourite search engine.
The proof-of-concept plugin exploits the use of unencrypted cookies by Google’s Web History feature.
Although you need to be logged in to make use of Web History it does not require an encrypted (HTTPS) connection. This flaw can allow attackers to find out what you’ve been searching for, who your social contacts are and who’s in your Gmail address book.
The new variant of Firesheep allows hackers to easily exploit the flaw if they are sharing the same WiFi hotspot as you.
For researchers Vincent Toubiana and Vincent Verdot the choice to adapt Firesheep must have been obvious. The original Firesheep was released last October by a security researcher fed up with what he saw as the failure of big websites such as Twitter and Facebook to protect their users. Whilst his efforts weren’t greeted with a chorus of approval they do appear to have had the desired effect.
The good news is that this latest exploit does not allow attackers to take over users’ Google Accounts. However, it does expose private data. In the researchers’ own words:
"while the direct access to users’ data is subject to a strict security policy, using personalized services (which may leak this same personal information) is not"
Anyone thinking that search histories are innocuous need only cast their mind back to 2006.
In a well-intentioned but disastrous move AOL released a sizeable chunk of its users’ search data for research purposes. And what did we learn? That users put all sorts of private information into search engines.
The supposedly anonymised searches included names, addresses and social security numbers amongst other things. In some cases users’ search histories built up to create mosaic-like pictures of their lives (and in the sinister case of user 17556639 not a flattering one).
As well as introducing their take on Firesheep, Toubiana and Verdot’s recent paper outlines a number of ways to acquire the offending cookies, including just Googling for them.
They estimate that about 50% of Google’s users have Web Search History switched on and that many users are unaware of it. To make matters worse the compromised cookies are used across more than 20 websites including some web behemoths like Google Search, Google Maps, YouTube and Blogger.
The researchers have already alerted the Google Security Team who are working on a fix. In the meantime they recommend making sure you’re not logged in to your Google account when you’re using an unsecured network.
Although it is possible to protect yourself when searching by using Google’s HTTPS search many of the webpages where the cookie can be exposed don’t offer HTTPS as an option.
If you don’t use Web Search History or you’ve never heard of it you may want to visit your search history page and disable it.
For more information on this research you can download Toubiana and Verdot’s paper “Show Me Your Cookie And I Will Tell You Who You Are” from arxiv.org.
You might also like to watch our video showing you how to counter Firesheep and its friends, even on unencrypted WiFi:
(Enjoy this video? Why not check out the SophosLabs YouTube channel?)
