Timesdelhi.com

January 18, 2019
Category archive

privacy

Wrest control from a snooping smart speaker with this teachable “parasite”

in Advertising Tech/Alexa/Artificial Intelligence/connected devices/Delhi/Europe/Gadgets/GitHub/Google/google home/Hardware/Home Automation/India/Internet of Things/IoT/neural network/Politics/privacy/Security/smart assistant/smart speaker/Speaker by

What do you get when you put one Internet connected device on top of another? A little more control than you otherwise would in the case of Alias the “teachable ‘parasite’” — an IoT project smart speaker topper made by two designers, Bjørn Karmann and Tore Knudsen.

The Raspberry Pi-powered, fungus-inspired blob’s mission is to whisper sweet nonsense into Alexa’s (or Google Home’s) always-on ear so it can’t accidentally snoop on your home.

Project Alias from Bjørn Karmann on Vimeo.

Alias will only stop feeding noise into its host’s speakers when it hears its own wake command — which can be whatever you like.

The middleman IoT device has its own local neural network, allowing its owner to christen it with a name (or sound) of their choosing via a training interface in a companion app.

The open source TensorFlow library was used for building the name training component.

So instead of having to say “Alexa” or “Ok Google” to talk to a commercial smart speaker — and thus being stuck parroting a big tech brand name in your own home, not to mention being saddled with a device that’s always vulnerable to vocal pranks (and worse: accidental wiretapping) — you get to control what the wake word is, thereby taking back a modicum of control over a natively privacy-hostile technology.

This means you could rename Alexa “Bezosallseeingeye”, or refer to your Google Home as “Carelesswhispers”. Whatever floats your boat.

Once Alias hears its custom wake command it will stop feeding noise into the host speaker — enabling the underlying smart assistant to hear and respond to commands as normal.

“We looked at how cordyceps fungus and viruses can appropriate and control insects to fulfill their own agendas and were inspired to create our own parasite for smart home systems,” explain Karmann and Knudsen in a write up of the project. “Therefore we started Project Alias to demonstrate how maker-culture can be used to redefine our relationship with smart home technologies, by delegating more power from the designers to the end users of the products.”

Alias offers a glimpse of a richly creative custom future for IoT, as the means of producing custom but still powerful connected technology products becomes more affordable and accessible.

And so also perhaps a partial answer to IoT’s privacy problem, for those who don’t want to abstain entirely. (Albeit, on the security front, more custom and controllable IoT does increase the hackable surface area — so that’s another element to bear in mind; more custom controls for greater privacy does not necessarily mesh with robust device security.)

If you’re hankering after your own Alexa disrupting blob-topper, the pair have uploaded a build guide to Instructables and put the source code on GitHub. So fill yer boots.

Project Alias is of course not a solution to the underlying tracking problem of smart assistants — which harvest insights gleaned from voice commands to further flesh out interest profiles of users, including for ad targeting purposes.

That would require either proper privacy regulation or, er, a new kind of software virus that infiltrates the host system and prevents it from accessing user data. And unlike this creative physical IoT add-on that kind of tech would not be at all legal.

News Source = techcrunch.com

Researcher shows how popular app ES File Explorer exposes Android device data

in Apps/computing/Delhi/India/Politics/privacy/Security/smartphones/web server/wi-fi by

Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. It’s simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

“All connected devices on the local network can get [data] installed on the device,” he said.

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos, and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 4.1.9.5.2 and below have the open port.

“It’s clearly not good,” he said.

A script, developed by security researcher , to obtain data on the same network as an Android device running ES File Explorer. (Image: supplied)

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”

But most probably don’t realize that the open port leaves them exposed from the moment that they open the app.

News Source = techcrunch.com

Another huge database exposed millions of call logs and SMS text messages

in california/communications/Delhi/firewall/India/Password/Politics/privacy/Security/SMS/text messaging by

An unprotected server storing millions of call logs and text messages was left open for months before they were found by a security researcher.

If you thought you’d heard this story before, you’re not wrong. Back in November, another telecoms company, Voxox, exposed a database containing millions of text messages — including password resets and two-factor codes.

This time around, it’s a different company: Voipo, a Lake Forest, Calif. communications provider, exposed tens of gigabytes worth of customer data.

Security researcher Justin Paine found the exposed database last week, and reached out to the company’s chief technology officer. Yet, the database was pulled offline before Paine even told him where to look.

Voipo is a voice-over-internet provider, providing residential and business phone line services that they can control themselves in the cloud. The company’s backend routes calls and processes text messages for its users. But because one of the backend ElasticSearch databases wasn’t protected with a password, anyone could look in and see streams of real-time call logs and text messages sent back and forth.

It’s one of the largest data breaches of the year — so far — totaling close to seven million call logs, six million text messages and other internal documents containing unencrypted passwords that if used could have allowed an attacker to gain deep access to the company’s systems.

TechCrunch reviewed some of the data, and found web addresses in the logs pointed directly to customer login pages. (We didn’t use the credentials, as doing so would be unlawful.)

Paine said, and noted in his write-up, that the database was exposed since June 2018, and contains call and message logs dating back to May 2015. He told TechCrunch that the logs were updated daily and went up to January 8 — the day the database was pulled offline. Many of the files contained highly detailed call records of who called whom, the time and date and more.

A log showing an incoming call. (Screenshot: TechCrunch. Data: Justin Paine)

Some of the numbers in the call logs were scrubbed, Paine said, but the text message logs contained the numbers of both the sender and the recipient, and the contents of the message itself.

An SMS text message sent just after New Year’s. (Screenshot: TechCrunch. Data: Justin Paine)

Similar to the Voxox breach last year, Paine said that any intercepted text messages containing two-factor codes or password reset links could have then “allowed the attacker to bypass two-factor on the user’s account,” he said in his write-up. (Another good reason why you should to upgrade to app-based authentication.)

But Paine didn’t extensively search the records, mindful of customers’ privacy.

The logs also contained credentials that permitted access to Voipo’s provider of E911 services, which allows emergency services to know a person’s pre-registered location based on their phone number. Worse, he said, E911 services could have been disabled, rendering those customers unable to use the service in an emergency.

Another file contained a list of network appliance devices with usernames and passwords in plaintext. A cursory review showed that the files and logs contained a meticulously detailed and invasive insight into a person or company’s business, who they’re talking to and often for what reason.

Yet, none of the data was encrypted.

In an email, Voipo chief executive Timothy Dick confirmed the data exposure, adding that this was “a development server and not part of our production network.” Paine disputes this, given the specifics and amount of the data exposed in the database. TechCrunch also has no reason to believe that the data is not real customer data.

Dick said in an email to TechCrunch: “Almost immediately after he reached out to let us know the dev server was exposed, we took it offline and investigated and corrected the issue.” He added: “At this time though, we have not found any evidence in logs or on our network to indicate that a data breach occurred.”

Despite asking several times, Dick did not say how the company concluded that nobody else accessed the data.

Dick also said: “All of our systems are behind firewalls and similar and don’t even allow external connections except from internal servers so even if hostnames were listed, it would not be possible to connect and our logs do not show any connections.” (When we checked, many of the internal systems with IP or web addresses we checked loaded — even though we were outside of the alleged firewall.)

However, in an email to Paine, Dick conceded that some of the data on the server “does appear to be valid.”

Dick didn’t commit to notify the authorities of the exposure under state data breach notification laws.

“We will continue to investigate and if we do find any evidence of a breach or anything in our logs that indicate one, we will of course take appropriate actions to address it [and] make notifications,” he said.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

News Source = techcrunch.com

DuckDuckGo debuts map search results using Apple Maps

in Apple/apple inc/Apple Maps/computing/Delhi/DuckDuckGo/eddy cue/India/iPads/Politics/privacy/search engine/Security/smartphones/Software/Technology by

DuckDuckGo has a new, unlikely partner in search: Apple.

The privacy-focused search engine that promises to never track its users said Tuesday it’s now using data provided by Apple Maps to power its map-based search results. Although DuckDuckGo had provided limited mapping results for a while using data from open-source service OpenStreetMap, it never scaled its features to those of its search engine rivals, notably Google and Bing.

Now, DuckDuckGo will return addresses, businesses, geographical locations, and nearby places using Apple Maps by default. (When we tested, directions and transit times open up in Apple Maps on your Mac, iPhone, or iPad — but on non-Apple devices, the directions defaults to and opens in Bing.)

In using Apple’s mapping data, DuckDuckGo will become one of the biggest users of Apple Maps to date, six months after Apple said it would open up Apple Maps, long only available on Macs, iPhones and iPads, to the web.

“We’re excited to work closely with Apple to set a new standard of trust online, and we hope you’ll enjoy this update,” said the search engine in a blog post.

DuckDuckGo in the Tor browser, using the new Apple Maps feature. (Screenshot: TechCrunch)

In reality, the partnership isn’t that unsurprising at all.

Apple faced flak for ditching Google Maps in iOS and rushing its overhauled Maps service out to the market, prompting a rare mea culpa from chief executive Tim Cook, apologizing for the disastrous rollout. At its most recent Worldwide Developers Conference in June, Apple promised a do-over, offering reliability and stability — but more importantly, privacy.

Where Google tracks everything you do, where you go and what you search for, Apple has long said it doesn’t want to know. Any data that Apple collects is anonymous, said Eddy Cue, Apple internet software and services chief, in an interview with TechCrunch last year. “We specifically don’t collect data, even from point A to point B,” said Cue. By anonymizing the data, Apple doesn’t know where you came from or where you went, or even who took the trip.

DuckDuckGo finally brings a much-needed feature to the search engine, while keeping true to its privacy-focused roots as a non-tracking search rival to Google.

“At DuckDuckGo, we believe getting the privacy you deserve online should be as simple as closing the blinds,” the company said. “Naturally, our strict privacy policy of not collecting or sharing any personal information extends to this integration.”

“You are still anonymous when you perform map and address-related searches on DuckDuckGo,” the search engine said.

In a separate note, DuckDuckGo said users can turn on their location for better “nearby” search results, but promises to not store the data or use it for any purposes. “Even if you opt-in to sharing a more accurate location, your searches will still be completely anonymous,” said DuckDuckGo.

“We do not send any personally identifiable information such as IP address to Apple or other third parties,” the company said.

DuckDuckGo processes 30 million daily searches, up by more than 50 percent year-over-year, the company said last year.

News Source = techcrunch.com

Millions of Android users tricked into downloading 85 adware apps from Google Play

in Android/Apps/Delhi/Google/Google Play/India/online marketplaces/Politics/privacy/Security/smartphones by

Another day, another batch of bad apps in Google Play.

Researchers at security firm Trend Micro have discovered dozens of apps, including popular utilities and games, to serve a ton of deceptively displayed ads — including full-screen ads, hidden ads and running in the background to squeeze as much money out of unsuspecting Android users.

In all, the researchers found 85 apps pushing adware, totaling at least 9 million affected users.

One app — a universal TV remote app for Android — had more than five million users alone, despite a rash of negative reviews and complaints that ads were “hidden in the background.” Other users said that there were “so many ads, [they] can’t even use it.”

The researchers tested each app and found that most shared the same or similar code, and often the apps were similarly named. At every turn, tap or click, the app would display an ad, they found. In doing so, the app generates money for the app maker.

Some of the bad adware-ridden apps found by security researchers. (Image: Trend Micro)

Adware-fueled apps might not seem as other apps packed with malware or hidden functionality, such as apps that pull malicious payloads from another server after the app is installed. At scale, that can amount to thousands of fraudulent ad dollars each week. Some ads also have a tendency to be malicious, containing hidden code that tries to trick users into installing malware on their phones or computers.

Some of the affected apps include: A/C Air Conditioner Remote, Police Chase Extreme City 3D Game, Easy Universal TV Remote, Garage Door Remote Control, Prado Parking City 3D Game, and more. (You can find a full list of apps here.)

Google told TechCrunch that it had removed the apps, but a spokesperson did not comment further.

We tried reaching out to the universal TV remote app creator but the registered email on the since-removed Google Play store points to a domain that no longer exists.

Despite Google’s best efforts in scanning apps before they’re accepted into Google Play, malicious apps are one of the biggest and most common threats to Android users. Google pulled more than 700,000 malicious apps from Google Play in the past year alone, and has tried to improve its back-end to prevent malicious apps from getting into the store in the first place.

Yet the search and mobile giant continues to battle rogue and malicious apps, pulling at least 13 malicious apps in sweep in November alone.

News Source = techcrunch.com

1 2 3 38
Go to Top