Smashing Security podcast #320: City Jerks, AI animals, and is the BBC hacking again?

Read Time:21 Second

Two unsavoury websites suffer from a worrying leak, scientists are going animal crackers over AI, and the BBC is intercepting scammers’ live phone calls with victims. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week … Continue reading “Smashing Security podcast #320: City Jerks, AI animals, and is the BBC hacking again?”

Read More

CVE-2017-11197

Read Time:10 Second

In CyberArk Viewfinity 5.5.10.95 and 6.x before 6.1.1.220, a low privilege user can escalate to an administrative user via a bug within the “add printer” option.

Read More

Vanta adds new SaaS capability to address growing concerns over vendor security

Read Time:33 Second

SaaS-based security and compliance solution provider Vanta has launched a Vendor Risk Management (VRM) offering to help organizations streamline third-party vendor security reviews and due diligence.

The company claims that the new offering will automate vendor discovery, vendor assessment, and remediation workflows to significantly reduce the time and cost associated with third-party vendor risk reviews and management.

“Organizations are more reliant on third-party vendors than ever, with most companies using more than 100 SaaS vendors on average,” said Christina Cacioppo, CEO of Vanta. “The bulk of these vendors are adopted directly by employees, bypassing security reviews.”

To read this article in full, please click here

Read More

Google rolls out passkey support across accounts on all major platforms

Read Time:32 Second

Google has begun rolling out support for passkeys across Google Accounts on all major platforms, adding a new sign-in option that can be used alongside passwords and two-step verification. The tech giant announced passkey availability on the eve of World Password Day as it looks to introduce more secure, reliable sign-in options.

The rollout comes in the wake of Google updates on bringing passkey experiences to both Chrome and Android, as well as tech industry support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

To read this article in full, please click here

Read More

How to Limit Location Tracking on Your Phone

Read Time:11 Minute, 20 Second

We all know that our phones know a lot about us. And they most certainly know a lot about where we go, thanks to the several ways they can track our location. 

Location tracking on your phone offers plenty of benefits, such as with apps that can recommend a good restaurant nearby, serve up the weather report for your exact location, or connect you with singles for dating in your area. Yet the apps that use location tracking may do more with your location data than that. They may collect it, and in turn sell it to advertisers and potentially other third parties that have an interest in where you go and what you do.  

Likewise, cell phone providers have other means of collecting location information from your phone, which they may use for advertising and other purposes as well. 

If that sounds like more than you’re willing to share, know that you can do several things that can limit location tracking on your phone—and thus limit the information that can potentially end up in other people’s hands. 

How do Smartphones Track Your Movements? 

As we look at the ways you can limit location tracking on your phone, it helps to know the basics of how smartphones can track your movements. 

For starters, outside of shutting down your phone completely, your phone can be used to determine your location to varying degrees of accuracy depending on the method used:  

GPS: The Global Positioning System, or GPS as many of us know it, is a system of satellites operated by the U.S. government for navigation purposes. First designed for national defense, the system became available for public use in the 1980s. It’s highly accurate, to anywhere between nine to 30 feet depending on conditions and technology used, making it one of the strongest tools for determining a phone’s location. This is what powers location services on cell phones, and thus can help an app recommend a great burger joint nearby. 
Cell towers: Cell phone providers can track a phone’s location by the distance it is to various cell phone towers and by the strength of its signal. The location information this method provides is a bit coarser than GPS, providing results that can place a phone within 150 feet. It’s most accurate in urban areas with high densities of cell phone towers, although it does not always work well indoors as some buildings can weaken or block cell phone signals. One of the most significant public benefits of this method is that it automatically routes emergency services calls (like 911 in the U.S.) to the proper local authorities without any guesswork from the caller. 
Public Wi-Fi: Larger tech companies and internet providers will sometimes provide free public Wi-Fi hotspots that people can tap into at airports, restaurants, coffeehouses, and such. It’s a nice convenience but connecting to their Wi-Fi may share a phone’s MAC address, a unique identifier for connected devices, along with other identifiers on the smartphone. Taken together, this can allow the Wi-Fi hosting company to gather location and behavioral data while you use your phone on their Wi-Fi network. 
Bluetooth: Like with public Wi-Fi, companies can use strategically placed Bluetooth devices to gather location information as well. If Bluetooth is enabled on a phone, it will periodically seek out Bluetooth-enabled devices to connect to while the phone is awake. This way, a Bluetooth receiver can then capture that phone’s unique MAC address. This provides highly accurate location information to within just a few feet because of Bluetooth’s short broadcast range. In the past, we’ve seen retailers use this method to track customers in their physical stores to better understand their shopping habits. However, more modern phones often create dummy MAC addresses when they seek out Bluetooth connections, which helps thwart this practice. 

Now here’s what makes these tracking methods so powerful: in addition to the way they can determine your phone’s location, they’re also quite good at determining your identity too. With it, companies know who you are, where you are, and potentially some idea of what you’re doing there based on your phone’s activity. 

Throughout our blogs we refer to someone’s identity as a jigsaw puzzle. Some pieces are larger than others, like your Social Security number or tax ID number being among the biggest because they are so unique. Yet if someone gathers enough of those smaller pieces, they can put those pieces together and identify you. 

Things like your phone’s MAC address, ad IDs, IP address, device profile, and other identifiers are examples of those smaller pieces, all of which can get collected. In the hands of the collector, they can potentially create a picture of who you are and where you’ve been. 

What Happens to Your Location Information That Gets Collected? 

What happens to your data largely depends on what you’ve agreed to.  

In terms of apps, we’ve all seen the lengthy user agreements that we click on during the app installation process. Buried within them are terms put forth by the app developer that cover what data the app collects, how it’s used, and if it may be shared with or sold to third parties. Also, during the installation process, the app may ask for permissions to access certain things on your phone, like photos, your camera, and yes, location services so it can track you. When you click “I Agree,” you indeed agree to all those terms and permissions.  

Needless to say, some apps only use and collect the bare minimum of information as part of the agreement. On the other end of the spectrum, some apps will take all they can get and then sell the information they collect to third parties, such as data brokers that build exacting profiles of individuals, their histories, their interests, and their habits.  

In turn, those data brokers will sell that information to anyone, which can be used by advertisers along with identity thieves, scammers, and spammers. And as reported in recent years, various law enforcement agencies will purchase that information as well for surveillance purposes. 

Further, some apps are malicious from the start. Google Play does its part to keep its virtual shelves free of malware-laden apps with a thorough submission process as reported by Google and through its App Defense Alliance that shares intelligence across a network of partners, of which we’re a proud member. Android users also have the option of running Play Protect to check apps for safety before they’re downloaded. Apple has its own rigorous submission process for weeding out fraud and malicious apps in its store as well. 

Yet, bad actors find ways to sneak malware into app stores. Sometimes they upload an app that’s initially clean and then push the malware to users as part of an update. Other times, they’ll embed the malicious code so that it only triggers once it’s run in certain countries. They will also encrypt malicious code in the app that they submit, which can make it difficult for reviewers to sniff out. These apps will often steal data, and are designed to do so, including location information in some cases. 

As far as cell phone service providers go, they have legitimate reasons for tracking your phone in the ways mentioned above. One is for providing connectivity to emergency service calls (again, like 911 in the U.S.), yet others are for troubleshooting and to ensure that only legitimate customers are accessing their network. And, depending on the carrier, they may use it for advertising purposes in programs that you may willingly opt into or that you must intentionally opt out of. 

Ways to Limit Tracking on Your Smartphone 

We each have our own comfort level when it comes to our privacy. For some, personalized ads have a certain appeal. For others, not so much, not when it involves sharing information about themselves. Yet arguably, some issues of privacy aren’t up for discussion, like ending up with a malicious data-stealing app on your phone.  

In all, you can take several steps to limit tracking on your smartphone to various degrees—and boost your privacy to various degrees as a result: 

Switch your phone into Airplane Mode. Disconnect. Without a Wi-Fi or data connection, you can’t get tracked. While this makes you unreachable, it also makes you untraceable, which you may want to consider if you’d rather keep your whereabouts and travels to yourself for periods of time. However, note that iPhones have a feature called “Find My Network” that helps track lost devices, even when they are powered off or disconnected. 
Turn off location services altogether. As noted above, your smartphone can get tracked by other means, yet disabling location services in your phone settings shuts down a primary avenue of location data collection. Note that your maps apps won’t offer directions and your restaurant app won’t point you toward that tasty burger when location services are off, but you will be more private than with them on.  
Provide permissions on an app-by-app basis. Another option is to go into your phone settings and enable location services for specific apps in specific cases. For example, you can set your map app to enable location services only while in use. Other apps, you can disable location services entirely. Yet another option is to have the app ask for permissions each time. Note that this is a great way to discover if apps have defaulted to using location services without your knowledge when you installed them. On an iPhone, you can find this in Settings à Privacy & Security à Location Services. On an Android, go to Settings à Locations à App Locations Permissions. 
Delete old apps. And be choosy about new ones. Fewer apps mean fewer avenues of potential data collection. If you have old, unused apps, consider deleting them, along with the accounts and data associated with them. Also, steer clear of unofficial app stores. By sticking with Google Play and Apple’s App Store, you have a far better chance of downloading safe apps thanks to their review process. Check out the developer of the app while you’re at it. Have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews. 
Turn off Bluetooth while not in use. You can keep passive location-sniffing techniques from logging your location by disabling your phone’s Bluetooth connectivity when you aren’t using it.  
Use a VPN. A VPN can make your time online more private and more secure by obscuring things like your IP address and by preventing snoops from monitoring your activity.  
On iPhones, look into using Private Relay. Apple’s Private Relay is similar to a VPN in that it changes your IP address so websites you visit can’t tell exactly where you are. It works on iOS and Macs as part of an iCloud+ subscription. Yet there is one important distinction: it only protects your privacy while surfing with the Safari browser. Note that as of this writing, Apple Private Relay is not available in all countries and regions. If you travel somewhere that Private Relay isn’t available, it will automatically turn off and will notify you when it’s unavailable and once more when it’s active again. You can learn more about it here and how you can enable it on your Apple devices. 
Stash your phone in a Faraday bag. You can purchase one of these smartphone pouches online that, depending on the model, can block Bluetooth, cellular, GPS, RFID, and radio signals—effectively hiding your phone and that prevent others from tracking it.   
Opt out of cell phone carrier ad programs. Different cell phone carriers have different user agreements, yet some may allow the carrier to share insights about you with third parties based on browsing and usage history. Opting out of these programs may not stop your cell phone carrier from collecting data about you, but it may prevent it from sharing insights about you with others. To see if you participate in one of these programs, log into your account portal or app. Look for settings around “relevant advertising,” “custom experience,” or even “advertising,” and then determine if these programs are of worth to you.  

More privacy on mobile 

There’s no way around it. Using a smartphone puts you on the map. And to some extent, what you’re doing there as well. Outside of shutting down your phone or popping into Airplane Mode (noting what we said about iPhones and their “Find My Network” functionality above), you have no way of preventing location tracking. You can most certainly limit it. 

For yet more ways you can lock down your privacy and your security on your phone, online protection software can help. Our McAfee+ plans protect you against identity theft, online scams, and other mobile threats—including credit card and bank fraud, emerging viruses, malicious texts and QR codes. For anyone who spends a good portion of their day on their phone, this kind of protection can make life far safer given all the things they do and keep on there. 

The post How to Limit Location Tracking on Your Phone appeared first on McAfee Blog.

Read More