January 5, 2018
UNM4SK3D: Intel, AdThink, and GPS
We're aware of this industry-wide issue and have been working closely with chip manufacturers to develop and test mitigations to protect our customers. We are in the process of deploying mitigations to cloud services and are releasing security updates today to protect Windows customers against vulnerabilities affecting supported hardware chips from AMD, ARM, and Intel. We have not received any information to indicate that these vulnerabilities had been used to attack our customers. -Microsoft statement
Learn various techniques to keep your OS generally secure. Read 'Securing Your Unix Operating System.'
#passwords
Have targeted advertisements been giving you the creeps lately? Even if you have been covering your online activity, it appears an 11-year-old bug in browsers' built-in password managers is secretly stealing your email address for targeted advertising. Back up, what? Yes, even the cautious among us should beware. According to Princeton's Center for Information Technology Policy, this bug allows advertisers to track web users and can't be stopped by private browsing, clearing cookies, or even changing devices.
It works by exploiting login managers that autofill login details, such as email addresses and passwords, when a user visits a familiar website. On some sites that have embedded either of two tracking scripts, 'AdThink' and 'OnAudience,' "the user is fed a second invisible login screen on a subsequent page that is autofilled by most browser password managers without the user realizing this is happening." Through the script, advertisers capture a hashed version of the user's email address, which is sent to one or more remote servers run by the advertising companies. This is especially concerning because it could mean malicious actors could steal your saved usernames and passwords from browsers without requiring your interaction.
For those who say, "it's just a hash," this is just one method that can be used to connect the pieces of an online profile scattered across different browsers, devices, and mobile apps. Researchers also believe that tracking users via an email address identifier might allow advertisers to join different browsing histories together even after cookies have been cleared.
Luckily, there are some limitations to this bug. First, it is not very common. The two scripts have only been found on 1,110 of the Alexa top one million websites. Second, LastPass, 1Password, and Dashlane don't autofill invisible forms, so users of those tools are safe. Likewise, this bug only affects visitors who filled out their information on the sites, not those who simply visited. That being said, individuals should be especially cautious of ad tracking and use the Zero Trust Model when interacting with sites online.
Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user's email address will almost never change; clearing cookies, using private browsing mode, or switching devices won't prevent tracking. -Princeton researchers
Want a step-by-step tutorial for decoding a hash? Read 'Pass the Hash.'
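
Why "it's just a hash" offers no protection against the tracking described above, as an added example (not code from the article or from the Princeton researchers): an unkeyed hash of the same address is identical everywhere, so fresh cookies do not break the link. The SHA-256 choice, site names, cookie IDs and keys are constructed assumptions, and the keyed contrast goes beyond the article to show what a single site's own pseudonym would look like.

```python
import hashlib
import hmac
from collections import defaultdict

def normalize(email):
    # Canonicalize so trivial variants of one address collapse together.
    return email.strip().lower()

def plain_hash_id(email):
    # Unkeyed hash: anyone who hashes the same address gets the same value.
    # SHA-256 is an assumption; the article only says "hashed".
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_id(email, site_key):
    # Contrast: HMAC under a secret held by a single site.
    return hmac.new(site_key, normalize(email).encode("utf-8"),
                    hashlib.sha256).hexdigest()

# Constructed sample events: one user seen with fresh cookies each time.
EVENTS = [
    {"site": "news.example", "cookie": "c-1001", "email": "Alice@Example.com"},
    {"site": "shop.example", "cookie": "c-7342", "email": "alice@example.com"},
    {"site": "video.example", "cookie": "c-9920", "email": " alice@example.com "},
    {"site": "news.example", "cookie": "c-5555", "email": "bob@example.com"},
]
# Constructed per-site secrets for the keyed contrast.
SITE_KEYS = {
    "news.example": b"constructed-key-news",
    "shop.example": b"constructed-key-shop",
    "video.example": b"constructed-key-video",
}

def link_profiles(events, make_id):
    # Group cookie IDs by identifier; one group is one joined profile.
    profiles = defaultdict(set)
    for ev in events:
        profiles[make_id(ev)].add(ev["cookie"])
    return dict(profiles)

def plain_profiles():
    return link_profiles(EVENTS, lambda ev: plain_hash_id(ev["email"]))

def keyed_profiles():
    return link_profiles(
        EVENTS, lambda ev: keyed_id(ev["email"], SITE_KEYS[ev["site"]]))

if __name__ == "__main__":
    for name, profiles in (("plain", plain_profiles()), ("keyed", keyed_profiles())):
        print(name, sorted(len(c) for c in profiles.values()))
```

With the plain hash, the three cookie IDs belonging to one address fall into a single profile; with per-site keys, every event stays separate.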
#vulnerabilities
'Trackmageddon' may sound like an episode from Black Mirror, but unfortunately, these vulnerabilities are real. They could enable attackers to expose sensitive data on millions of online location tracking devices managed by vulnerable GPS services.
In a recent report, two security researchers, Vangelis Stykas and Michael Gruhn, have unearthed multiple vulnerabilities in hundreds of GPS services, affecting child trackers, car trackers, and pet trackers. Among the vulnerabilities found are easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues. This is especially worrisome because "an unauthorized third party or hacker can get access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names." Perhaps worst of all, in some cases, unauthorized third parties can also access photos and audio recordings uploaded by these devices.
From what researchers have seen, one of the largest global vendors for GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and seller of licenses to the software. It appears that since the initial disclosure, they have patched some of the vulnerabilities, but about 79 domains are still vulnerable. To protect yourself from falling victim to 'Trackmageddon,' the researchers recommend removing as much data from the affected devices as possible, changing the password for the tracking services and keeping a strong one, or just stopping use of the affected devices until the issues are fixed.
We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed. -security researchers
In September 2017, more than half a million records belonging to vehicle tracking device company SVR Tracking leaked online. Get the details of this similar story in a previous version of 'UNM4SK3D.'