
Canadian billionaire found dead in Toronto: Ontario health minister

TORONTO (Reuters) – Canadian police said they were investigating the mysterious deaths of Barry Sherman, founder of Canadian pharmaceutical firm Apotex Inc, and his wife, Honey, one of the nation’s wealthiest couples whose bodies were found in their mansion on Friday.

Police said they learned of the deaths after responding to a midday (1700 GMT) medical call at the Shermans’ home in an affluent section of northeast Toronto. Two bodies covered in blankets were removed from the home and loaded into an unmarked van on Friday evening.

“The circumstances of their death appear suspicious and we are treating it that way,” said Constable David Hopkinson. Homicide detectives later told reporters gathered outside the home that there were no signs of forced entry.

Their neighbors, business associates and some of Canada’s most powerful politicians said they were saddened by the deaths.

“Our condolences to their family and friends, and to everyone touched by their vision and spirit,” Prime Minister Justin Trudeau wrote on Twitter.

Toronto Mayor John Tory said in a statement he was “shocked and heartbroken” to learn of the deaths, noting that the couple had made extensive contributions to the city.

“Toronto Police are investigating, and I hope that investigation will be able to provide answers for all of us who are mourning this tremendous loss,” Tory said.

The Shermans recently listed their home for sale for nearly C$7 million ($5.4 million). A real estate agent discovered the bodies in the basement while preparing for an open house, the Toronto Globe and Mail reported, citing a relative.

Sherman, 75, founded privately held Apotex in 1974, growing it by introducing large numbers of low-cost generic drugs that took market share from branded pharmaceuticals. He stepped down as chief executive in 2012 but remained executive chairman.

Forbes has estimated Sherman’s fortune at $3.2 billion.

Apotex is the world’s No. 7 generic drugmaker with 11,000 employees and annual sales of more than C$2 billion in more than 45 countries, according to its website.

The couple was known for their philanthropy, giving tens of millions of dollars to hospitals, universities and Jewish organizations, CBC reported.

“They were extremely successful in business, but also very, very giving people,” former Ontario Premier Bob Rae told CBC. “It’s going to be a very, very big loss.”

The Globe and Mail reported in February that Lobbying Commissioner Karen Shepherd was investigating a complaint about a 2015 political fundraiser that Trudeau had attended.

Writing and additional reporting by Julie Gordon in Vancouver; Editing by Jim Finkle, Leslie Adler and Paul Tait

Alibaba researchers say they have found an untethered jailbreak for iPhone X & iOS 11.2.1

Security researchers from Chinese company Alibaba claim to have successfully jailbroken the iPhone X running iOS 11.2.1. In a blog post, the researchers explained that they were originally able to jailbreak iOS 11.2, and that the same jailbreak also applies to iOS 11.2.1, which was released just this week…



The announcement is somewhat bizarre as Song Yang, head of Alibaba’s Secure Pandora Labs, calls the jailbreak “perfect” and “different” from other recent jailbreaks. Furthermore, the jailbreak is believed to be fully untethered and supports Cydia.

Unfortunately for those still interested in jailbreaking, Pandora Labs has no plans to publicly release its findings and didn’t share too many details about the technical side, which could make it hard for others to imitate. The blog post explains that Pandora Labs was limited to “security research purposes.”

Although iOS 11.2 fixes some security issues, we confirmed the new iOS will still be jailbroken on the first day it was released. Although we escaped iOS 11.2 quickly, we were limited to security research purposes, our team won’t provide any jailbreak tool.

While specific details about this jailbreak are unclear, it appears that it takes advantage of a memory buffer overflow bug to incite a kernel panic. Whether or not others would be able to imitate that and subsequently release this jailbreak remains to be seen (via 3uTools).

News of Alibaba’s successful jailbreak comes following an announcement from Google Project Zero researcher Ian Beer, who said he found a kernel vulnerability in iOS 11.1.2 that paves the way for the first iOS 11 jailbreak. While that jailbreak was limited to an outdated version of iOS, Alibaba’s finding works even on the just-released iOS 11.2.1.

Although jailbreak interest has waned in recent years, there’s still a strong community behind it. A Reddit thread concerning Alibaba’s jailbreak has accumulated over 280 comments from excited users, but it remains to be seen whether it will see the light of day.

Commenters on an earlier 9to5Mac article about Google’s Project Zero discovery outlined a few viable jailbreak use cases, such as bringing Google Maps to CarPlay and adding features like Live Photos to older devices.

Would you be interested in an iPhone X and iOS 11.2.1 jailbreak? Or are you no longer interested in jailbreaking at all? Let us know down in the comments.



Juniper Hands OpenContrail SDN to Linux Found. Before It’s Too …

This week at its annual NXTWORK user conference in San Francisco, Juniper Networks announced its intent to move the codebase for OpenContrail, its open source software defined networking project, to the Linux Foundation. While this might seem like a stereotypical open source Kumbaya moment, it probably isn’t. All indications are that Juniper really didn’t have much choice but relinquish control of the project, which was otherwise doomed to become irrelevant.

Of course, you wouldn’t know this by listening to Juniper, which was apparently hoping for that stereotypical moment.

“Our goal of placing OpenContrail’s codebase with the Linux Foundation shows Juniper’s commitment to open networking and open source overall,” Randy Bias, Juniper’s cloud software VP of technology and strategy, said in a statement. “Over the past year, we have been working closely with the community to transition the governance for OpenContrail’s codebase because we believe it has the unique opportunity to be a ubiquitous cloud-grade network fabric used everywhere. We look forward to continuing our close participation with the community once this project takes on new life under the Linux Foundation.”

As Paul Harvey used to say, “And now, the rest of the story.”

OpenContrail is a scalable network virtualization control plane that provides feature-rich SDN and strong security. It’s used to simplify operational complexities and automate workload management across cloud environments, including multicloud. Its user base includes the manufacturer Gencore, the OpenStack cloud builder Mirantis, and the Linux distribution maker Ubuntu.

Juniper, a Silicon Valley-based networking company known for its routers, switches, network management software, and network security products, got the Contrail software through its purchase of the eponymous company in 2012. The following year, the giant made the software open source under the OpenContrail brand using the permissive MIT license — the license made it possible for Juniper to roll improvements to the code into its proprietary version.

As an open source project under Juniper’s control, OpenContrail didn’t see much of a developer community form around it. It also found only two major backers, AT&T and the Japanese telecommunications company NTT, which isn’t surprising. Open source projects under control of a single corporation often have trouble attracting developer interest. Oracle discovered this when it took control of Sun Microsystems’ open source portfolio. Devs often express concerns over permissive licensing. Just as often, as seems to be the case with both Oracle and Juniper, the parent company doesn’t want to give up control of something they see as belonging to them.

Earlier this year at the Open Networking Summit in Santa Clara, AT&T let it be known that it was considering pushing back from the project over concerns about its community, or lack of it. The company had integrated the software into AT&T Integrated Cloud, its OpenStack data center design that includes top-of-rack switches, storage, servers, and open source software.

“The biggest challenge with Contrail is the lack of that community,” Paul Carver, a principal member of the technical staff with AT&T, said at the time. “I personally have not given up yet to get more non-Juniper people working on it. But it’s been a real uphill battle. The key takeaway is: the communities are what’s most important to us.”

Carver indicated that AT&T was taking a look at another open source SDN project, OpenDaylight (ODL), which is another Linux Foundation project. Among ODL’s capabilities is the ability to configure top-of-rack switches. “Our Contrail-based OpenStack cloud runs on servers that are connected to top-of-rack switches that are manually configured,” he said.

This was evidently something of a wakeup call for Juniper, which had undergone a reorganization about a month earlier. By August, Randy Bias, who is a founding member and former director of the OpenStack Foundation, was publicly admitting that Juniper had done a poor job promoting the open source project and that it was working to expand the project’s community base. “In the past we focused on the commercial version, and the open version got lost without the right focus,” SDxCentral reported him saying. “We have an ask in at Juniper to add dedicated headcount to the community.”

The move to hand control of the project to the Linux Foundation would seem to have laid AT&T’s concerns to rest, at least for the time being. “We applaud Juniper for putting OpenContrail as a project within the Linux Foundation,” AT&T Labs’ senior VP, Chris Rice, said in a statement. “We expect that this move will further expand its community reach and spur new innovations.”

According to reports, OpenContrail will be placed under a new sub-foundation the Linux Foundation is creating called the Linux Networking Foundation, which will also include Open Networking Automation Platform, and perhaps other projects. Arpit Joshipura, currently the Linux Foundation’s VP of networking and orchestration, will serve as the new foundation’s director.

In a statement, Joshipura said, “We are excited at the prospect of our growing global community being able to broadly adopt, manage and integrate OpenContrail’s codebase to manage and secure diverse cloud environments. Having this addition to our open-source projects will be instrumental in achieving the level of technology advancements our community has become known for.”

Chemical contaminant found at sites across Michigan poses health and environmental risk


They come from everyday products ranging from nonstick pan surfaces, carpet stain-proofing and water-resistant clothing. And they’re in almost every American’s blood: highly fluorinated toxic chemicals known as PFCs.
Keith Matheny, Detroit Free Press

Twenty-eight locations across Michigan, and rising, have been found contaminated with potentially health-harming chemicals once used in nonstick surfaces and firefighting foam.

Gov. Rick Snyder last month launched a coordinated, statewide effort to find and begin addressing polyfluoroalkyl substances, or PFAS, which includes a group of man-made chemicals that were commonly used since the 1950s in stain-resistant carpeting, nonstick pots and pans, waterproof shoes and other household products. PFAS was also used in firefighting foam, particularly at military bases. Use of the chemicals was largely phased out by 2015.

In Kent County, lawyers on Tuesday announced a class-action lawsuit against shoe manufacturer Wolverine World Wide, 3M Corp. and Waste Management Inc., for allegedly dumping PFAS and polluting groundwater in Belmont, Rockford and other areas of the county. 3M’s Scotchgard was used in waterproofing boots and shoes made by Wolverine since the 1950s, and contained the chemical. 

Environmental activist Erin Brockovich, made famous by actress Julia Roberts’ Oscar-winning portrayal, is working with the legal team on the Kent County litigation.

“The scope of this contamination is alarming, and thousands in Kent County are now faced with unsafe drinking water and increased health risks,” Brockovich said in a statement.

According to the federal Agency for Toxic Substances and Disease Registry, studies have shown PFAS increases the risk of some cancers and can harm fetal development, decrease fertility and interfere with the body’s hormones, cause high cholesterol, and affect the immune system.

The chemicals don’t easily break down in nature, and were so common, avoiding exposures is near-impossible.

“Using very sensitive measurements, you can find it in the blood of everybody in the United States — and, really, a high proportion of people in the world,” said Dr. David Savitz, a Brown University epidemiologist who’s serving as an academic adviser to Snyder’s Michigan PFAS Action Response Team, in an interview with WOOD Radio on Wednesday.

The Kent County class-action suit seeks immediate blood-testing, health and environmental monitoring and damages for residents who have been harmed by the pollutants, uncovered in DEQ groundwater testing this past summer.

The companies named in the lawsuit “knew or should have known,” said Sharon Almonrode, a Rochester attorney with the Miller Law Firm, who is part of the legal team representing the proposed class-action participants.

“These residents are obviously facing a great deal of uncertainty. Parents are worried about their children. (And) property values have been diminished as a result of being within the zone of the contamination.”


Military bases often source

At least five contaminated areas in Michigan are connected to current and former military facilities, where the firefighting foam was used in training and fire suppression for decades: contamination of the Clinton River and northern Lake St. Clair, believed connected to Selfridge Air Force Base; near Camp Grayling; near the Alpena Combat Readiness Training Center, and the now-shuttered Wurtsmith Air Force Base in Oscoda and K.I. Sawyer Air Force Base in Marquette.

The DEQ and U.S. Air Force have spent the past five years dealing with a PFAS-containing groundwater plume emanating from the former Wurtsmith base into other parts of Oscoda. The legacy from years of firefighting foam use on the base is so pervasive, the DEQ has yet to determine the outermost boundary of the contamination plume.


And now, a new manifestation of the harmful chemicals has emerged — in surface foam on Van Etten Lake, just northeast of the former Wurtsmith base. Samples of the foam tested this summer and fall by the DEQ had PFAS at up to 110,000 parts per trillion, more than 1,500 times the EPA advisory level.

“Frankly, we didn’t think to check the foam,” said DEQ external relations director Sue Leeming, adding that the foam was thought to be naturally occurring and not related to PFAS. 

DEQ officials are still trying to determine whether the foam is from the chemical, or whether naturally occurring lake foam in some way concentrates PFAS, Leeming said.

“This is an emerging issue,” she said.

The local and state health departments, in late September, advised visitors to the lake to avoid ingesting the foam.

The Van Etten Lake Association, a property owners’ group, has called on the Air Force to immediately address the lake foam problem.

“It certainly impacts the use of property,” said Anthony Spaniola, a Troy attorney whose family has owned frontage on Van Etten Lake for years.

“Common sense tells you you’re not going to let your kids go out and play in that. You’re not going to let your dogs drink that water. And what’s it doing to the fish?”

The DEQ has also sampled foam from Lake Margrethe in Crawford County, where the Michigan National Guard’s Camp Grayling Joint Maneuvering Training Center has long operated on the southern end of the lake. 

Municipal wells in Grayling are showing low levels of PFAS, according to the DEQ, and eight residential wells in the area have tested for PFAS levels above the EPA’s 70 parts-per-trillion advisory guideline.

“Filters are being provided to approximately 90 homes in the area, and ongoing discussions are needed to determine if filters should be provided to additional homes until a long-term solution is identified,” the state PFAS Action Response Team states on its website.

Damage done years ago

PFAS chemicals were detected in water samples taken from the Clinton River and Lake St. Clair on Aug. 31. The samples were taken near the city of Mt. Clemens and along the lake shoreline just north of the Selfridge Air National Guard Base in Harrison Township.

As a follow-up to the initial findings, fish and surface water samples were collected from Lake St. Clair north and south of Mt. Clemens last month. Water samples were also taken from four sites along the Clinton River, and at a drain near the north perimeter of the Selfridge base “to determine the distribution and magnitude of contamination,” the state PFAS Task Force website states.

The DEQ has also asked water treatment plants in the area to sample for PFAS.

Harrison Township Supervisor Kenneth Verkest said the DEQ has not yet discussed the contamination finding with township officials, but speculated that may be because they don’t yet fully understand what they are dealing with.

“If you’re discovering something that goes back God knows how many years, and there are questions about the potential impact, it may be unwise to take an overly alarming (approach),” he said.

“Throughout our history, we’ve made ecological mistakes. Certainly not in every case did we know we were making ecological mistakes.

“We’ve treated the lake horribly for decades. The good news is, people are paying more attention to these issues. The bad news is, every day, it seems, we find out we did something in the past that we thought was OK, and we found out it wasn’t.”

Drinking water a top concern

The state’s new PFAS Action Response Team combines the departments of Environmental Quality, Health and Human Services, Military and Veterans Affairs, and Agriculture and Rural Development. Its priority: to put government in the best position to respond quickly and effectively to the emerging contaminant, said Carol Isaacs, executive director.

“It pulls together a team at the state level that allows for really enhanced coordination,” she said. 

The state’s short-term strategy on PFAS has focused on drinking water — getting those with affected residential wells a different water source. 

“There’s quite a bit of science that went behind that (EPA 70 parts-per-trillion) action level,” said Dr. Eden Wells, chief medical executive for the Michigan Department of Health and Human Services.

“Seventy is a pretty conservative number. It does take into account pregnant women, fetuses. And it’s a lifetime advisory level — if I have a water level of 60 in my home, I could probably drink from that water for the rest of my life, without any untoward health effects.”

But some Oscoda residents say more is required than addressing residential and municipal wells — particularly with the emerging issue of contaminated foam on area lake surfaces.

“The Air Force didn’t do anything wrong in using this (firefighting) foam, based on what they were told by the manufacturer. As a veteran, I don’t say they are the bad guys,” said Van Etten Lake Association member Arnie Leriche, who serves as a civilian member on the Former Wurtsmith AFB Restoration Advisory Board.

“But now that they know they have to clean it up, I want them and their budget people to push Congress and get the funding they need with the same force with which they won the Cold War.”

Messages left with the Air Force’s Civil Engineer Center weren’t immediately returned Friday afternoon.

A military spending bill approved by both the House and Senate last month includes $7 million for a 5-to-7-year health study of citizens exposed to PFAS in firefighting foam; and $72.2 million for Navy and Air Force firefighting foam-related contamination remediation. President Donald Trump is expected to sign the bill, but has not yet taken action on it.

Contact Keith Matheny: (313) 222-5021 or kmatheny@freepress.com. Follow on Twitter @keithmatheny.

Windows 10: UK’s GCHQ found out how to hack Windows Defender …


Microsoft has released an out-of-band patch for two severe flaws in Windows Defender. The flaws were discovered by the National Cyber Security Centre (NCSC), a unit of the UK’s spy agency GCHQ, which dispenses cyberdefense advice to the government and public.

Just last week, for example, the NCSC told UK agencies hosting information classified ‘secret’ never to use any Russian antivirus, including Kaspersky, due to the risk of Russian cyber-spies using it as a backdoor.

The NCSC’s probe of Microsoft’s antivirus uncovered two critical remote code execution bugs in the core of Windows Defender, called Microsoft Malware Protection Engine.

The bugs, tracked as CVE-2017-11937 and CVE-2017-11940, are similar to the “crazy-bad” bug Google’s Project Zero disclosed in May, which could be exploited by having the engine process a specially crafted file. The technique could lead to a complete system compromise.

The two new bugs can lead to a memory corruption when the Malware Protection Engine scans a particular attack file.

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft.


An attacker can perform the exploit by leading a target to a malicious website or by sending the specially crafted file as an email or instant message, which the malware engine would automatically scan when the file is opened.

An attacker could also upload the attack file to a shared location on a server that the engine scans.

As with the earlier vulnerability, the two bugs could be more dangerous to systems where real-time protection is on, because the engine is configured to automatically scan all files. On systems where real-time protection is off, the attacker would need to wait for a scheduled scan to launch the attack.

The bugs affect Windows Defender for all supported Windows PC and server platforms, as well as Windows Intune Endpoint Protection, Security Essentials, Forefront, Endpoint Protection, and Exchange Server 2013 and 2016.

Fortunately, Microsoft says the bugs have not been publicly disclosed and are not known to have been exploited.

Microsoft notes that typically admins won’t need to take action since updates will be applied by the system that affected products use to detect and deploy updates. They will be available within 48 hours of release.

Google’s Project Zero researchers have reported a total of 10 bugs this year in the Microsoft Malware Protection Engine, evenly split between remote code execution and denial-of-service flaws.


Windows 10: UK’s GCHQ found out how to hack Windows Defender to own your PC


Microsoft has released an out-of-band patch for two severe flaws in Windows Defender discovered by the National Cyber Security Centre (NCSC), a unit of UK spy agency GCHQ that dispenses cyber defense advice to the government and public.

Just last week, for example, NCSC told UK agencies hosting information classified ‘secret’ never to use any Russian antivirus, including Kaspersky, due to the risk of Russian cyber spies using it as a backdoor.

NCSC’s probe of Microsoft’s antivirus uncovered two critical remote code execution bugs in the core of Windows Defender called Microsoft Malware Protection Engine.

The bugs, tracked as CVE-2017-11937 and CVE-2017-11940, are similar to the “crazy-bad” bug Google’s Project Zero disclosed in May, which could be exploited by having the engine process a specially crafted file. This technique would lead to a complete system compromise.

The two new bugs can lead to a memory corruption when the Malware Protection Engine scans a specially crafted file.

“An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” explains Microsoft.

An attacker can perform the exploit by leading a target to a malicious website or by sending the specially crafted file as an email or instant message, which the malware engine would automatically scan when the file is opened.

An attacker could also upload the attack file to a shared location on a server that the engine scans.

As with the earlier vulnerability, the two bugs could be more dangerous to systems where real-time protection is on because the engine is configured to automatically scan all files. On systems where real-time protection is off, the attacker would need to wait for a scheduled scan to launch the attack.

The bugs affect Windows Defender for all supported Windows PC and server platforms, as well as Windows Intune Endpoint Protection, Security Essentials, Forefront, Endpoint Protection, and Exchange Server 2013 and 2016.

Fortunately, Microsoft says the bugs have not been publicly disclosed and are not known to have been exploited.

Microsoft notes that typically admins won’t need to take action since updates will be applied by the system that affected products use to detect and deploy updates. They will be available within 48 hours of release.

Google’s Project Zero researchers have reported a total of 10 bugs this year in the Microsoft Malware Protection Engine, evenly split between remote code execution and denial-of-service flaws.


Several Vulnerabilities Found in Common Android IDEs Including Android Studio, IntelliJ IDEA, and Eclipse

When we think of Android vulnerabilities we typically picture a zero-day vulnerability that exploits some process to escalate privileges. This can be anything from tricking your smartphone or tablet into connecting to a malicious WiFi network to allowing code to be executed on a device from a remote location. However, there’s a new type of Android vulnerability that has recently been discovered. It’s being called ParseDroid and it exploits developer tools including Android Studio, IntelliJ IDEA, Eclipse, APKTool, the Cuckoo-Droid service and more.

ParseDroid isn’t isolated to just Android’s developer tools, though, and these vulnerabilities have been found in multiple Java/Android tools that programmers are using these days. It doesn’t matter if you’re using a downloadable developer tool or one that works in the cloud; Check Point Research has found these vulnerabilities in the most common Android and Java development tools. Once a tool is exploited, an attacker is able to access internal files on the developer’s work machine.

Check Point Research first did some digging into the most popular tool for reverse engineering third-party Android apps (APKTool) and found that both its decompiling and building APK features are vulnerable to the attack. After looking at the source code, researchers managed to identify an XML External Entity (XXE) vulnerability, which is possible because APKTool’s configured XML parser does not disable external entity references when parsing an XML file.

Once exploited, the vulnerability exposes the whole OS file system of APKTool users. In turn, this potentially allows the attacker to retrieve any file on the victim’s PC by using a malicious “AndroidManifest.xml” file that exploits an XXE vulnerability. Once that vulnerability was discovered, the researchers then looked at popular Android IDEs and found that by simply loading the malicious “AndroidManifest.xml” file as part of any Android project, the IDEs start spitting out any file configured by the attacker.


Check Point Research also demonstrated an attack scenario potentially affecting a large number of Android developers. It works by injecting a malicious AAR (Android Archive Library) containing an XXE payload into online repositories. If a victim clones the repository, the attacker would then have access to potentially sensitive company property from the victim’s OS file system.
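A defender-side check for the manifest-borne XXE described above, added here as an example (it is not Check Point's, APKTool's or any IDE's code): it walks a cloned project, including any AAR archives, and flags every text AndroidManifest.xml that carries a DOCTYPE or entity declaration, without ever resolving one. The sample manifests, the `vendor.aar` name and the 1 MiB limit are constructed assumptions.

```python
"""Flag AndroidManifest.xml files that carry DTD constructs (added example)."""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path
from xml.parsers import expat

MAX_MANIFEST_BYTES = 1 << 20  # assumption: no real manifest needs more than 1 MiB

# Constructed samples. The second only declares an entity; its system
# identifier is a placeholder and is never fetched by this scanner.
CLEAN_MANIFEST = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
    b'          package="com.example.app">\n'
    b'  <application android:label="demo"/>\n'
    b'</manifest>\n'
)
DTD_MANIFEST = (
    b'<?xml version="1.0" encoding="utf-8"?>\n'
    b'<!DOCTYPE manifest [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>\n'
    b'<manifest package="com.example.lib">&ext;</manifest>\n'
)


def inspect_manifest(data: bytes) -> list[str]:
    """Return findings for one text manifest; an empty list means no DTD use."""
    if len(data) > MAX_MANIFEST_BYTES:
        return ["manifest larger than inspection limit"]
    findings: list[str] = []
    parser = expat.ParserCreate()
    # No ExternalEntityRefHandler is installed, so expat skips external
    # entities instead of loading them; parameter entities are off as well.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append("DOCTYPE declaration present")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        scope = "external" if (system_id or public_id) else "internal"
        findings.append(f"{scope} entity declared: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def _scan_archive(path: Path, rel: str) -> dict[str, list[str]]:
    """Inspect every AndroidManifest.xml stored inside one AAR (a zip file)."""
    out: dict[str, list[str]] = {}
    try:
        with zipfile.ZipFile(path) as archive:
            for info in archive.infolist():
                if info.filename.rsplit("/", 1)[-1] != "AndroidManifest.xml":
                    continue
                if info.file_size > MAX_MANIFEST_BYTES:
                    found = ["manifest larger than inspection limit"]
                else:
                    found = inspect_manifest(archive.read(info))
                if found:
                    out[f"{rel}!{info.filename}"] = found
    except zipfile.BadZipFile:
        out[rel] = ["not a readable zip archive"]
    return out


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each suspicious manifest (relative path) to its findings."""
    report: dict[str, list[str]] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name == "AndroidManifest.xml":
            found = inspect_manifest(path.read_bytes())
            if found:
                report[rel] = found
        elif path.suffix.lower() == ".aar":
            report.update(_scan_archive(path, rel))
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed project with one clean manifest and one AAR."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        main = root / "app/src/main"
        main.mkdir(parents=True)
        (main / "AndroidManifest.xml").write_bytes(CLEAN_MANIFEST)
        (root / "libs").mkdir()
        with zipfile.ZipFile(root / "libs/vendor.aar", "w") as aar:
            aar.writestr("AndroidManifest.xml", DTD_MANIFEST)
        return scan_tree(root)


if __name__ == "__main__":
    for location, found in demo().items():
        print(location, found)
```

An Android manifest has no legitimate need for a DTD, so any finding is worth reviewing before the project is opened in an IDE or handed to a decompiler.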


Finally, the authors described a method through which they can execute remote code on a victim’s machine. This is done by exploiting a configuration file in APKTool called “APKTOOL.YAML.” This file has a section called “unknownFiles” where users can specify file locations that will be placed during the rebuilding of an APK. These files are stored on the victim’s machine in an “Unknown” folder. By editing the path where these files are saved, an attacker can inject any file they want on the victim’s file system since APKTool did not validate the path where unknown files are extracted from an APK.

The files that the attacker injects lead to full Remote Code Execution on the victim’s machine, meaning that an attacker can exploit any victim with APKTool installed by crafting a maliciously made APK and having the victim attempt to decode and then rebuild it.
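The missing check the article describes, path validation of “unknownFiles” entries, sketched as an added example (not APKTool's actual fix or code): each entry is rejected if it is absolute or contains a parent-directory component, and the final target is resolved to confirm it stays inside the output folder. The sample configuration and its indented `path: method` layout are constructed assumptions.

```python
"""Validate APKTool 'unknownFiles' entries before extraction (added example)."""
from __future__ import annotations

import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample; the indented "path: method" layout under unknownFiles
# is an assumption about the configuration file, not copied from the page.
SAMPLE_CONFIG = r"""
apkFileName: sample.apk
unknownFiles:
  assets/readme.txt: '8'
  ../../outside/dropped.bin: '0'
  /abs/dropped.bin: '0'
  ..\..\outside\dropped.bin: '0'
  C:\outside\dropped.bin: '0'
version: constructed
"""


def parse_unknown_files(config_text: str) -> list[str]:
    """Minimal reader for the indented mapping under 'unknownFiles:'."""
    names: list[str] = []
    in_section = False
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key starts or ends the section
            in_section = line.split(":", 1)[0].strip() == "unknownFiles"
            continue
        if in_section:
            key = line.strip().rsplit(":", 1)[0].strip()
            names.append(key.strip("'\""))
    return names


def check_entry(name: str) -> str | None:
    """Return the reason an entry is unsafe, or None if it looks contained."""
    if not name or "\x00" in name:
        return "empty name or NUL byte"
    unified = name.replace("\\", "/")  # treat both separators alike
    if unified.startswith("/") or PureWindowsPath(name).drive:
        return "absolute path"
    if ".." in unified.split("/"):
        return "parent-directory component"
    return None


def safe_target(out_dir: Path, name: str) -> Path:
    """Resolve an entry under out_dir, refusing anything that escapes it."""
    reason = check_entry(name)
    if reason:
        raise ValueError(f"rejected {name!r}: {reason}")
    base = out_dir.resolve()
    target = (base / name.replace("\\", "/")).resolve()
    # Second line of defence: a symlink already inside out_dir could still
    # redirect the write, so compare the fully resolved locations.
    if base not in target.parents:
        raise ValueError(f"rejected {name!r}: resolves outside output folder")
    return target


def audit(config_text: str) -> dict[str, str]:
    """Map every unsafe unknownFiles entry to the reason it was rejected."""
    rejected: dict[str, str] = {}
    for name in parse_unknown_files(config_text):
        reason = check_entry(name)
        if reason:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    for entry, why in audit(SAMPLE_CONFIG).items():
        print(f"{entry}: {why}")
    with tempfile.TemporaryDirectory() as tmp:
        print(safe_target(Path(tmp), "assets/readme.txt"))
```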


Since all of the IDEs and tools mentioned above are cross-platform and generic, the potential for exploiting these vulnerabilities is high. Thankfully, after reaching out to the developers of each of these IDEs and tools, Check Point Research has confirmed that these tools are no longer vulnerable to this kind of attack. If you are running an older version of one of these tools, we recommend you update immediately to secure yourself against a ParseDroid-style attack.


Source: Check Point Research

Fort Lee computer scientist charged in bizarre racial attack found not guilty by reason of insanity



Sensitive personal information of 246,000 DHS employees found on home computer

WASHINGTON — The sensitive personal information of 246,000 Department of Homeland Security employees was found on the home computer server of a DHS employee in May, according to documents obtained by USA TODAY.

Also discovered on the server was a copy of 159,000 case files from the inspector general’s investigative case management system, which suspects in an ongoing criminal investigation intended to market and sell, according to a report sent by DHS Inspector General John Roth on Nov. 24 to key members of Congress. 

The information included names, Social Security numbers and dates of birth, the report said.

The inspector general’s acting chief information security officer reported the breach to DHS officials on May 11, while IG agents reviewed the details.

Acting DHS Secretary Elaine Duke decided on Aug. 21 to notify affected employees who were employed at the department through the end of 2014 about the breach.

The department’s office of privacy is completing the details of the notices to those affected.

“All potentially affected individuals will be offered an 18-month subscription to credit monitoring services,” the report says.

Officials at Office of Inspector General, which acts as an internal watchdog at DHS, said in a statement provided to USA TODAY that “DHS is coordinating notice to the affected individuals and we are working closely with DHS to accomplish this.”

“The responsible individuals are no longer on the OIG payroll,” the statement said. 

Other agencies have suffered serious data breaches in recent years. In June 2015, the personal information of about 21.5 million people was leaked in a breach at the Office of Personnel Management.

Contributing: Donovan Slack.


Google torches this nasty Tizi Android spyware it found on Play Store


Google has revealed its recent efforts to root out Android apps infected with spyware it calls Tizi.

The Google Play Protect team discovered a trojanized app in September after its device scans found an app on Google Play that could root devices with a handful of old vulnerabilities.

The offending app, a supposed workout app called MyTizi, has been removed from the Play Store. After identifying it, Google’s malware researchers discovered several other apps with the same capabilities and removed them too.

Figure: Google has detailed the geographic scope of Tizi. (Image: Google)

The oldest Tizi app has been available since October 2015, but Google notes that only newer versions have rooting capabilities. The attacker was using Twitter and other social-media platforms to spread links to Play Store listings and third-party sites.

According to Google, Tizi has similar capabilities to commercial spyware and after gaining root steals data from Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

It can also record calls from WhatsApp, Viber, and Skype, as well as access calendar events, call log data, contacts, photos, Wi-Fi encryption keys, and a list of installed apps.

Additionally, it can record audio when the user is not actively using the phone and take pictures without displaying the image on the screen.

The malware was used in targeted attacks, with the vast majority of infected devices located in Kenya, but there was also a significant number of infections in Nigeria and Tanzania.

One of the other Tizi-infected apps, for example, appeared to target people who would be interested in installing an app about the National Super Alliance, a Kenyan political coalition known as NASA. Another Tizi-infected app was a bogus system update.

Google shared the examples from VirusTotal to encourage security researchers to dig into this malware.

The company has suspended several developer accounts responsible for the Tizi-infected apps and has disabled the apps on affected devices using Google Play Protect. Google found 1,300 devices affected by Tizi.

The Twitter account spreading links to the MyTizi app was still posting links to the now-removed Play Store page today.

All devices with a security patch level of April 2016 or later are “far less exposed to Tizi’s capabilities”, according to Google.

Among nine vulnerabilities the Tizi apps use to root devices were the so-called Towel Root CVE-2014-3153, and Ping Pong Root CVE-2015-3636 flaws.

The most recently patched flaw was CVE-2015-1805, or Pipe Root, a kernel exploit that researchers at Zimperium found in a rooting app called KingRoot. Google published a fix for this flaw to the Android Open Source Project (AOSP) in March 2016.

However, the patch for Pipe Root highlights the problem that Android users face, particularly for users who own cheaper and older devices.

Google quickly patched affected Nexus 5 and Nexus 6 devices, but it’s likely many other Android OEMs did not follow suit.

The same problem applies to Google’s Android monthly patches in general: Google and some larger handset makers such as Samsung and LG regularly provide monthly patches, but many handset makers make no commitment to do so.

Figure: The attacker was using Twitter and other social-media platforms to spread links to Play Store listings and third-party sites. (Image: Google)


Staggering Variety of Clandestine Trackers Found in Popular Android Apps

Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, ride-sharing, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze Android apps but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a telltale set of keywords or string of bytes found in an app file, or a mathematically derived “hash” summary of the file.

The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.

“I think people are used to the idea, whether they should be or not, that Lyft might be tracking them,” said Sean O’Brien, a visiting fellow at Yale Privacy Lab. “And they’re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don’t think that they think that their data is being resold or at least redistributed through these other trackers.”

Among the Android apps researchers identified were, with six or seven trackers each, dating apps Tinder and OkCupid, the Weather Channel app, and Super-Bright LED Flashlight; the app for digital music service Spotify, which embedded four trackers, including two from Google; ride-sharing service Uber, with three trackers; and Skype, Lyft, AccuWeather, and Microsoft Outlook.

(A Spotify spokesperson wrote, “We take data security and privacy very seriously. Our goal is to give both our users and advertising partners a great experience while maintaining consumer trust.” An Uber spokesperson referred The Intercept to its published details on its use of cookies, which lists some of their third-party cookie providers but is not intended to be comprehensive. Users who visit the privacy policy section of Uber’s website can follow an opt-out link that appears to only apply to interest-based advertising on web traffic. The preferences do not work if a user disables third-party cookies, and users must opt out again after deleting their cookies.)

Some apps have their own analytics platforms but include other trackers as well. For example, Tinder uses a total of five trackers in addition to its own.

“The real question for the companies is, what is their motivation for having multiple trackers?” asked O’Brien.

“Data is the oil in the machinery here, and I think they’re just trying to find different ways to extract it.”

Tinder’s heavy use of trackers means the company has been able to make use of behavior analytics and accept payment from shaving company Gillette for highly targeted research: Do college-aged male Tinder users with neatly groomed facial hair receive more right swipes than those with untidy facial hair?

Capabilities of the trackers Exodus uncovered include targeting users based on third-party data, identifying offline movement through machine learning, tracking behavior across devices, uniquely identifying and correlating users, and targeting users who abandon shopping carts. Most trackers work by deriving an identification code from your mobile device or web browser and sharing it with third parties to more specifically profile you. App makers can even tie data collected from trackers with their own profiles of individuals, including names and account details. Some tracking companies say they anonymize data and have strict rules against sharing publicly identifiable information, but the sheer wealth of data collected can make it possible to identify users even in the face of such safeguards.

Although some or all of the apps identified by Exodus and Yale researchers may technically disclose the use of trackers in the fine print of their privacy policy, terms of service, or app description, it is difficult, to say the least, for smartphone users to get a clear handle on the extent and nature of the monitoring directed at them. The whole point of using a mobile app, after all, is often to save time.

“How many people actually know that these trackers are even there?” said Michael Kwet, another visiting fellow at Yale Privacy Lab. “Exodus had to create this software to even detect that they were in there.”

A few of the trackers offer users the option to opt-out via email or through their privacy settings. But tracking can resume even after this step is taken. For example, one app requires that users who clear their cache set up the opt-out again. Some opt-outs are temporary. Even if the opt-outs do end up being permanent, few users would even know to activate them in the first place.


Google Vice President of Engineering David Singleton speaks during the Google I/O 2015 keynote presentation in San Francisco.

Photo: Jeff Chiu/AP

Meet the Trackers

Google has a vested interest in allowing liberal use of trackers in apps distributed through Google Play. One of the most ubiquitous in-app trackers is made by Google’s DoubleClick ad platform, which targets users by location and across devices and channels, segments users based on online behavior, connects to personally identifiable information, and offers data sharing and integration with various advertising systems. DoubleClick’s tracker is found in many popular apps, including Tinder, OkCupid, Lyft, Uber, Spotify, the Weather Channel, AccuWeather, and the popular flashlight apps Super-Bright LED Flashlight and LED Light.

A Google spokesperson confirmed that its ad platforms DoubleClick for Publishers and AdMob serve ads on both Android and iOS devices and that it ties information collected by the networks to a persistent identifier to measure engagement. Although users can control information Google uses to show them ads, they cannot specifically opt-out of DoubleClick.

DoubleClick prohibits vendors from sharing personally identifiable information or other unique identifiers, and states that it only stores general location data, like city and ZIP code, rather than precise location information unless users enable location history in their Google account. App developers who use DoubleClick Ad Exchange are required to disclose in their privacy policies that the user’s identifier will be shared unless the user opts-out of ad tracking, and to explain how the user can reset their identifier. Google shares attribution data with advertisers and third-party measurement partners using these identifiers.

Perhaps the most invasive of the trackers is Fidzup, a France-based mobile performance marketing platform for brick-and-mortar retailers. The company has stated in its advertising copy that it has developed communication between a sonic emitter and a mobile phone (either iOS or Android) by emitting an inaudible tone to locate a user within a shopping mall or a store. User phones receive the signal and decode it to give away their location. The company further uses geofencing to track users to a so-called catchment area, such as a specific section within a store, where it can serve them targeted ads, possibly for a competing retailer.

Mathieu Vaas, a spokesperson for Fidzup, said that the company has not used inaudible tones in two years, but is instead using Wi-Fi-based technology to obtain data regarding how customers behave within stores and re-target them with ads. But information on sonic technologies is posted on Fidzup’s website (as of November 21) and detailed further in an older version of the site accessed October 15. Vaas stated that these pages are outdated and inaccessible from the main page, and will be scrubbed from a new website that’s currently being prepared.

Vaas also confirmed that, even just using Wi-Fi technology, Fidzup can track highly specific in-store behavior, such as aisles visited, the time spent in them, the number of visits to a store, and so forth. Fidzup can also leverage other apps to obtain geolocation data, but the only third parties receiving that data are retailers that have installed the company’s Wi-Fi technology within their store, he added, and the data is only related to behavior within the store.  Vaas later said that Fidzup does not share information with third parties.

“In every store where we are present, we inform the public of the presence of data-gathering technology in the store and indicate to them that they can turn their Wi-Fi off, as well as provide them with a link that allows them to permanently opt-out of Fidzup. In that case, their data will be recognized and scrapped automatically and they won’t be retargeted with ads from Fidzup ever,” he said via email.

Though based in France, Fidzup has a presence in San Francisco, and Vaas said that the company plans to start effectively operating in the U.S. soon. Vaas said the company is subject to stricter privacy laws and regulations in France than the U.S. has, and as they “deeply respect consumers’ rights to privacy and their civil liberties,” they plan to operate under those standards in the U.S. as well.

O’Brien and Kwet seemed less impressed with the company’s privacy commitment, writing, “Fidzup’s practices mirror that of Teemo (formerly known as Databerries), the tracking company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens.” Teemo collected navigation data from mobile users and used it to drive in-store sales by targeting users based on locations they had visited. Its website states that it may collect location data using GPS, cell towers, Wi-Fi access points, wireless networks, and sensors, such as gyroscopes, accelerometers, compasses, and barometers. In addition to collecting IP addresses and identifiers assigned to mobile devices, it also may obtain information from third parties to combine with what it has and share its information with third parties (with some stipulations) as well. As with Fidzup, it is not immediately clear to what extent Teemo is operating in the U.S. Although Teemo is a French company based in Paris, it has an office in New York. Teemo did not respond to request for comment.

Surveillance Mission Creep

Not all trackers are equally invasive, though many grab more information than they arguably should. For example, Google-owned Crashlytics is presumably just a crash reporter, but it does much more than simply performing analytics on app logs. The app, used by Tinder, OkCupid, Spotify, Uber, Super-Bright LED, and LED Light, can also link users across multiple cookies and devices. Microsoft’s HockeyApp, used by Microsoft Outlook, Skype, and the Weather Channel, goes beyond simply collecting and analyzing crash reports but can also track daily active users, monthly active users, the net number of new users, and session counts. AppsFlyer (used by Tinder, Super-Bright LED, and the Weather Channel) does fraud prevention and protects from malware, but also fingerprints devices by their IDs, tracks users across datasets to circumvent the fragmentation caused by users with different devices, and tracks which users install which apps. A spokesperson for AppsFlyer directed The Intercept to the company’s privacy policy and stated that the tracker only works with businesses and advertisers, and does not engage with end users. Its terms and conditions also require clients to disclose the collection and use of data in their own privacy policies.

In addition to DoubleClick, Teemo, and Fidzup, Braze (formerly Appboy) and Salesforce DMP (formerly Krux) appear to collect large amounts of user data. Braze, used by OkCupid and Lyft, can track users by location, target them across devices and channels, and serve targeted advertising based on consumer actions. Salesforce DMP, used by OkCupid, not only captures user clicks, downloads, and other interactions, but also uses hashed device management to effectively circumvent Safari’s third-party blocking. The tracker allows marketers to use machine learning to discover personas, uses cross-device ID, and even uses behavioral analysis to guess when a user is sleeping, and a probabilistic matching algorithm to match identities across devices. There is an opt-out on the Salesforce website, though it’s unclear what percentage of OkCupid users are aware that the dating site is wrapped around the Salesforce DMP tracker and would even know to opt-out. (OkCupid did not respond to request for comment.)

Weather apps are ubiquitous, and one wouldn’t guess that they’d include surveillance. But both AccuWeather and the Weather Channel apps (along with Spotify) use the ScorecardResearch tracker, which can also track data on usage, including information on web browsing and app usage behavior over time and across digital properties, possible relationships between browsers and devices — which can be provided to third parties for advertising purposes. The tracker can even use third-party service providers to obtain more non-personally identifiable information to add to unique profiles using cookies.

The tracker Millennial Media (formerly Nexage) is used by AccuWeather and Super-Bright LED to “automate the buying and selling of mobile advertising” targeting channel and demographic segments, such as a shampoo company targeting “women ages 25-55 with an emphasis on … pregnancy, stress, and bleach/coloring.”

Microsoft Outlook, the Weather Channel, Super-Bright LED, and LED Light use Flurry, a mobile ad platform acquired from Yahoo by Verizon subsidiary Oath. Flurry tracks device and app performance metrics and analyzes user interactions, identifies user interests, stores data profiles as personas, groups and correlates user data, and injects both native and video ads. A spokesperson for Oath said that Flurry’s terms of service require app developers to post a privacy policy notifying what data is collected, stored, and shared, and either linking to Flurry’s privacy policy or describing their opt-out service. In addition, the spokesperson said only information that’s not personally identifiable leaves Flurry’s system.

Another tracker, Tune, follows ride-sharing users’ online and offline behavior across devices and also tracks in-app user behavior, uniquely identifies users, and tracks their location.

The AppNexus tracker, used by, among other apps, Super-Bright LED, uses machine learning for targeted advertising. In a phone call, AppNexus spokesperson Joshua Zeitz confirmed that the tracker collects mobile advertising identifiers, type of phone, IP addresses, and a unique app identifier. The company does store mobile advertising identifiers, as well as cookies from web users, but Zeitz said data on what ads have been served to what identifiers is only retained for up to 33 days, and that the tracker does not collect names, numbers, or account numbers, that it only keeps device and browser identifiers and cookies, and that it cannot de-anonymize users from its data set. AppNexus stated that it does not share device and browser identifiers tied with third parties.

O’Brien said app developers can choose the types of advertising they embrace, but that it’s unlikely users are thinking about those decisions when installing apps. He also doesn’t see permissions as a solution. “If you’re in a situation where you’re asking the victim of the tracking how much tracking they want, you’ve already gone too far. It’s already a problem,” he said.

Without an overhaul of the advertising-rich phone system, O’Brien said the best solution may be to use the software repository F-Droid, which distributes only free and open source software that does not include unknown or masked trackers or code.

Staggering Variety of Clandestine Trackers Found In Popular Android Apps

Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more than 300 apps for Google’s Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university’s law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital “signatures” distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived “hash” summary of the file itself.
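A reduced version of the signature matching described above, as an added example and not Exodus Privacy's own platform: it checks each file in an APK against a byte-string signature (a class-path prefix in the `.dex` files) and a SHA-256 file hash. The tracker names, signatures and sample APK are constructed.

```python
import hashlib
import io
import re
import zipfile

# Constructed signatures. Tracker names and package paths are hypothetical.
# DEX files store class names as descriptors such as "Lcom/example/adsdk/Banner;",
# so a package prefix in that form works as a byte-string signature.
CLASS_SIGNATURES = {
    "ExampleAds": b"Lcom/example/adsdk/",
    "ExampleAnalytics": b"Lcom/example/analytics/",
}

# Constructed stand-in for a tracker's native library, matched by file hash.
BEACON_LIB = b"\x7fELF constructed stand-in for a tracker's native library"
HASH_SIGNATURES = {hashlib.sha256(BEACON_LIB).hexdigest(): "ExampleBeacon"}

DEX_NAME = re.compile(r"classes\d*\.dex")


def scan_apk(apk_bytes):
    """Return {tracker name: sorted list of APK members that matched}."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)

            # Hash signature: the whole file is a known tracker component.
            digest = hashlib.sha256(data).hexdigest()
            if digest in HASH_SIGNATURES:
                hits.setdefault(HASH_SIGNATURES[digest], set()).add(info.filename)

            # Byte-string signature: only compiled code counts, so a tracker
            # name mentioned in a text asset is not reported.
            if DEX_NAME.fullmatch(info.filename):
                for tracker, prefix in CLASS_SIGNATURES.items():
                    if prefix in data:
                        hits.setdefault(tracker, set()).add(info.filename)
    return {tracker: sorted(files) for tracker, files in hits.items()}


def build_sample_apk():
    """Constructed APK-shaped ZIP with one embedded SDK and one native library."""
    dex = (
        b"dex\n035\x00"
        b"Lcom/example/app/Main;\x00"
        b"Lcom/example/adsdk/Banner;\x00"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("lib/arm64-v8a/libbeacon.so", BEACON_LIB)
        zf.writestr("assets/notes.txt", b"mentions Lcom/example/analytics/ in plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for tracker, files in scan_apk(build_sample_apk()).items():
        print(tracker, files)
```

A hash signature stops matching as soon as the vendor ships a new build of the file, while a class-path prefix survives updates but can be defeated by renaming or obfuscating the package.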

The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking.

“I think people are used to the idea, whether they should be or not, that Lyft might be tracking them,” said Sean O’Brien, a visiting fellow at Yale Privacy Lab. “And they’re used to the fact that if Lyft is on Android and coming from Google Play, that Google might be tracking them. But I don’t think that they think that their data is being resold or at least redistributed through these other trackers.”

Among the Android apps identified by the researchers were, with six or seven trackers each, dating apps Tinder and OkCupid, the Weather Channel app, and Superbright LED Flashlight; the app for digital music service Spotify, which embedded four trackers, including two from Google; ridesharing service Uber, with three trackers; and Skype, Lyft, Accuweather, and Microsoft Outlook.

(A Spotify spokesperson wrote, “We take data security and privacy very seriously. Our goal is to give both our users and advertising partners a great experience while maintaining consumer trust.” An Uber spokesperson referred The Intercept to its published details on its use of cookies, which lists some of their third-party cookie providers but is not intended to be comprehensive. Users who visit the privacy policy section of Uber’s website can follow an opt-out link which appears to only apply to interest-based advertising on web traffic. The preferences do not work if a user disables third party cookies, and users must opt out again after deleting their cookies.)

Some apps have their own analytics platforms but include other trackers as well. For example, Tinder uses a total of five trackers in addition to its own.

“The real question for the companies is, what is their motivation for having multiple trackers?” asked O’Brien.

“Data is the oil in the machinery here, and I think they’re just trying to find different ways to extract it.”

Tinder’s heavy use of trackers means the company has been able to make use of behavior analytics, and also to accept payment from shaving supply company Gillette for highly targeted research: Do college-aged male Tinder users with neatly-groomed facial hair receive more right swipes than those with untidy facial hair?

Capabilities of the trackers uncovered by Exodus include targeting users based on third-party data, identifying offline movement through machine learning, tracking behavior across devices, uniquely identifying and correlating users, and targeting users who abandon shopping carts. Most trackers work by deriving an identification code from your mobile device or web browser and sharing it with third parties to more specifically profile you. App makers can even tie data collected from trackers with their own profiles of individuals, including names and account details. Some tracking companies say they anonymize data, and have strict rules against sharing publicly identifiable information, but the sheer wealth of data collected can make it possible to identify users even in the face of such safeguards.

Although some or all of the apps identified by Exodus and Yale researchers may technically disclose the use of trackers in the fine print of their privacy policy, terms of service, or app description, it is difficult, to say the least, for smartphone users to get a clear handle on the extent and nature of the monitoring directed at them. The whole point of using a mobile app, after all, is often to save time.

“How many people actually know that these trackers are even there?” said Michael Kwet, another visiting fellow at Yale Privacy Lab. “Exodus had to create this software to even detect that they were in there.”

A few of the trackers offer users the option to opt out via email or through their privacy settings. But tracking can resume even after this step is taken. For example, one app requires that users who clear their cache set up the opt-out again. Some opt-outs are temporary. Even if the opt-outs do end up being permanent, few users would even know to activate them in the first place.


David Singleton speaks during the Google I/O 2015 keynote presentation in San Francisco.

Photo: Jeff Chiu/AP

Meet the Trackers

Google has a vested interest in allowing liberal use of trackers in apps distributed through Google Play: One of the most ubiquitous in-app trackers is made by Google’s DoubleClick ad platform, which targets users by location and across devices and channels, segments users based on online behavior, connects to personally identifiable information, and offers data sharing and integration with various advertising systems. DoubleClick’s tracker is found in many popular apps, including Tinder and OkCupid, Lyft and Uber, Spotify, the Weather Channel and Accuweather, and the popular flashlight apps Superbright LED flashlight and LED light.

A Google spokesperson confirmed that its ad platforms DoubleClick for Publishers and AdMob serve ads on both Android and iOS devices, and that it ties information collected by the networks to a persistent identifier to measure engagement. Although users can control information Google uses to show them ads, they cannot specifically opt out of DoubleClick.

DoubleClick prohibits vendors from sharing personally identifiable information or other unique identifiers, and states that it only stores general location data like city and zip code rather than precise location information unless users enable location history in their Google account. App developers who use the DoubleClick Ad Exchange are required to disclose in their privacy policies that the user’s identifier will be shared unless the user opts out of ad tracking, and to explain how the user can reset their identifier. Google shares attribution data with advertisers and third party measurement partners using these identifiers.

Perhaps the most invasive of the trackers is Fidzup, a France-based mobile performance marketing platform for brick and mortar retailers. The company has stated in its advertising copy that it has developed communication between a sonic emitter and a mobile phone (either iOS or Android) by emitting an inaudible tone to locate a user within a shopping mall or a store. User phones receive the signal and decode it to give away their location. The company further uses geofencing to track users to a so-called “catchment area,” such as a specific section within a store, where it can serve them targeted ads, possibly for a competing retailer.

Mathieu Vaas, a spokesperson for Fidzup, said that the company has not used inaudible tones in two years, but is instead using wifi-based technology to obtain data regarding how customers behave within stores and to retarget them with ads. But information on sonic technologies is posted on Fidzup’s website (as of November 21st) and detailed further in an older version of the site accessed on October 15. Vaas stated that these pages are outdated and inaccessible from the main page, and will be scrubbed from a new website that’s currently being prepared.

Vaas also confirmed that, even just using wifi technology, Fidzup can track highly specific in-store behavior such as aisles visited, the time spent in them, the number of visits to a store, and so forth. Fidzup can also leverage other apps to obtain geolocation data, but the only third parties receiving that data are retailers that have installed the company’s wifi technology within their store, he added, and the data is only related to behavior within the store. Vaas later said that Fidzup does not share information with third parties.

“In every store where we are present, we inform the public of the presence of data-gathering technology in the store and indicate to them that they can turn their wifi off, as well as provide them with a link that allows them to permanently opt-out of Fidzup. In that case, their data will be recognized and scrapped automatically and they won’t be retargeted with ads from Fidzup ever,” he said via email.

Though based in France, Fidzup has a presence in San Francisco, and Vaas said that the company plans to start effectively operating in the U.S. soon. Since Fidzup is a French company, Vaas said they are subject to stricter privacy laws and regulations than the U.S. has, and as they “deeply respect consumers’ rights to privacy and their civil liberties,” they plan to operate under those standards in the U.S. as well.

O’Brien and Kwet seemed less impressed with the company’s privacy commitment, writing, “Fidzup’s practices mirror that of Teemo (formerly known as Databerries), the tracking company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens.” Teemo collected navigation data from mobile users and used it to drive in-store sales by targeting users based on locations they had visited. Its website states that it may collect location data using GPS, cell towers, wifi access points, wireless networks, and sensors such as gyroscopes, accelerometers, compasses, and barometers. In addition to collecting IP addresses and identifiers assigned to mobile devices, it also may obtain information from third parties to combine with what it has and share its information with third parties (with some stipulations) as well. As with Fidzup, it is not immediately clear to what extent Teemo is operating in the U.S. Although Teemo is a French company based in Paris, it has an office in New York. Teemo did not respond to request for comment.

Surveillance Mission Creep

Not all trackers are equally invasive, though many grab more information than they arguably should. For example, Google-owned Crashlytics is presumably just a crash reporter, but it does much more than simply performing analytics on app logs. The app, used by Tinder, OkCupid, Spotify, Uber, Superbright LED and LED Light, can also link users across multiple cookies and devices. Microsoft’s HockeyApp, used by Microsoft Outlook, Skype, and the Weather Channel, goes beyond simply collecting and analyzing crash reports and can also track daily active users, monthly active users, the net number of new users, and session counts. AppsFlyer (used by Tinder, Superbright LED, and the Weather Channel) does fraud prevention and protects from malware, but also fingerprints devices by their IDs, tracks users across datasets to circumvent the fragmentation caused by users with different devices, and tracks which users install which apps. A spokesperson for AppsFlyer directed The Intercept to the company’s privacy policy, and stated that the tracker only works with businesses and advertisers, and does not engage with end users. Its terms and conditions also require clients to disclose the collection and use of data in their own privacy policies.

In addition to DoubleClick, Teemo, and Fidzup, Braze (formerly App-Boy) and Salesforce DMP (formerly Krux) appear to collect large amounts of user data. Braze, used by OkCupid and Lyft, can track users by location, target them across devices and channels, and serve targeted advertising based on consumer actions. Salesforce DMP, used by OkCupid, not only captures user clicks, downloads, and other interactions, but also uses hashed device management to effectively circumvent Safari’s third-party blocking. The tracker allows marketers to use machine learning to discover personas, uses cross-device ID, and even uses behavioral analysis to guess when a user is sleeping, and a probabilistic matching algorithm to match identities across devices. There is an opt-out on the Salesforce website, though it’s unclear what percentage of OkCupid users are aware that the dating site is wrapped around the Salesforce DMP tracker and would even know to opt out. (OkCupid did not respond to request for comment.)

Weather apps are ubiquitous, and one wouldn’t guess that they’d include surveillance. But both Accuweather and the Weather Channel apps (along with Spotify) use the ScoreCardResearch tracker, which can also track data on usage, including information on web browsing and app usage behavior over time and across digital properties, and possible relationships between browsers and devices, which can be provided to third parties for advertising purposes. The tracker can even use third-party service providers to obtain more non-personally identifiable information to add to unique profiles using cookies.

The tracker Millennial Media (formerly Nexage) is used by Accuweather and Super Bright LED to “automate the buying and selling of mobile advertising” targeting channel and demographic segments, such as a shampoo company targeting “women ages 25-55 with an emphasis on…pregnancy, stress, and bleach/coloring.”

Microsoft Outlook, the Weather Channel, Superbright LED, and LED Light use Flurry, a mobile ad platform acquired from Yahoo! by Verizon subsidiary Oath. Flurry tracks device and app performance metrics and analyzes user interactions, identifies user interests, stores data profiles as personas, groups and correlates user data, and injects both native and video ads. A spokesperson for Oath said that Flurry’s terms of service require app developers to post a privacy policy notifying what data is collected, stored, and shared and either linking to Flurry’s privacy policy or describing their opt-out service. In addition, the spokesperson said only information that’s not personally identifiable leaves Flurry’s system.

Another tracker, Tune, follows Rideshare users’ online and offline behavior across devices and also tracks in-app user behavior, uniquely identifies users, and tracks their location.

The AppNEXUS tracker, used by, among other apps, Superbright LED, uses machine learning for targeted advertising. In a phone call, AppNexus spokesperson Joshua Zeitz confirmed that the tracker collects mobile advertising identifiers, type of phone, IP addresses, and a unique app identifier. The company does store mobile advertising identifiers as well as cookies from web users, but Zeitz said data on what ads have been served to what identifiers is only retained for up to 33 days, and that the tracker does not collect names, numbers, or account numbers, that it only keeps device and browser identifiers and cookies, and that it cannot de-anonymize users from its data set. AppNexus stated that it does not share device and browser identifiers tied with third parties.

O’Brien said app developers can choose the types of advertising they embrace, but that it’s unlikely users are thinking about those decisions when installing apps. He also doesn’t see permissions as a solution. “If you’re in a situation where you’re asking the victim of the tracking how much tracking they want, you’ve already gone too far. It’s already a problem,” he said.

Without an overhaul of the advertising-rich phone system, O’Brien said the best solution may be to use the software repository F-Droid, which distributes only free and open source software that does not include unknown or masked trackers or code.

 

 

‘Extreme pornography’ found on Deputy Prime Minister Damian Green’s House of Commons Computer ‘would have …

  • Police seized Damian Green’s House of Commons computer in November 2008
  • Some images were ‘so vile’ police sought advice about whether to prosecute
  • It has been claimed the pornography would have been illegal if found now

Larissa Brown For The Daily Mail

and
Katie French For Mailonline


Pornography described as extreme found on the deputy prime minister’s computer would have been illegal if it had been discovered just weeks later, it has been claimed.

The computer was seized in a raid on the deputy PM’s office in November 2008 during an inquiry into government leaks.

Some images found on the system were said to be so vile that police took advice from the CPS on whether to prosecute.

But they were told no relevant law was in place when Mr Green’s office was raided.


The computer was seized in a raid on the deputy PM’s office in November 2008 during an inquiry into government leaks. Pictured, Damian Green (left) and the prime minister (right)

The law was changed eight weeks later, in January 2009.

A source close to the investigation told the Sun: ‘Porn was being accessed on an almost virtual daily basis. Police were told nothing could be done.

‘Quite simply, it was not illegal to be in possession of extreme images before January 2009.

‘If the raid had happened a few weeks later it would have been.’

The First Secretary of State is clinging to his job as he faces a Whitehall ‘sleaze’ inquiry after a female journalist said he ‘fleetingly’ touched her knee two years ago.

He said of the latest claim last night: ‘As I have said throughout I did not put or view pornography on the computers taken from my office.’

It is unclear who could have downloaded the porn. It did not feature sexual images of children.

Accessing extreme porn became illegal under sections 63 to 67 of the 2008 Crime and Immigration Act which came into force on January 26, 2009.

The 2009 law made it illegal to possess images featuring acts which threaten life, cause serious injury to a person’s private parts or depict sex with animals or a corpse.

It came into force following a four-year campaign by the parents of murdered Jane Longhurst.

Her killer Graham Coutts, 46, of Brighton, had a strangulation fetish and accessed violent images of simulated murders and rapes.

Mr Green has previously said police never told him that any improper material had been found on a parliamentary computer.

He also denied making any sexual advances to the journalist Kate Maltby.



Health department says several rats found at Vancouver McDonald’s

A homeless man posed for photos with his dead wife, along with their newborn and toddler, before dismembering her body in a Kansas City hotel room, according to court records.

Android security: Sneaky three-stage malware found in Google Play store


Google is once again facing questions about the security of the Play Store for Android.


Image: Getty

Another crop of Android apps hiding malware have been discovered in – and removed from – the Google Play store.

Researchers at ESET discovered eight apps available to download via Google Play which all carried Trojan Dropper, a form of malware which allows attackers to drop additional malicious payloads ranging from banking trojans to spyware.

Disguised as apps including news aggregations and system cleaners, the apps looked legitimate but hid their malicious properties with the help of obfuscation and delaying the installation of the payload.


Some of the malicious apps identified by ESET.


Image: ESET

Following the initial download, the app doesn’t request the suspicious permissions associated with malware and will initially mimic the activity the user expects – the latter is an increasingly common tactic by malicious software developers.

However, alongside this user-facing activity, the app secretly decrypts and executes payloads in a multi-step process. The malicious app decrypts and executes a first-stage payload, which in turn decrypts and executes a second-stage payload. This second-stage payload contains a hardcoded URL which the malware uses to download a third-stage payload containing another malicious app.

All of this is going on in the background without the user’s knowledge until, after a five-minute wait, they’re prompted to install or update an app. This is disguised to look like legitimate software, such as an update for Adobe Flash Player or the Android system itself, when it is in fact the third stage of the malware’s dropping process.

The installation request asks for permission for intrusive activities such as reading contacts, sending and receiving calls and text messages, and the ability to modify and delete the contents of storage. If permission is given to install this ‘update’, Trojan Dropper delivers the third-stage payload which decrypts and executes the final payload in the form of the malware itself.

Once installed on the device, Trojan Dropper is used to install other forms of malware – the malware has been spotted attempting to deliver the MazarBot banking trojan and various forms of spyware, but researchers note it can be used to deliver any malicious payload of the criminals’ choice.


Researchers analysed the bit.ly URL used to deliver the final download and found that almost 3,000 users – mostly based in The Netherlands – reached this stage of the infection. ESET has informed Google of the apps, which have now been removed from the store.

ESET’s report comes at the same time as researchers at Malwarebytes have uncovered a new form of Android trojan malware masquerading as multiple apps in the Play Store.

Disguised as innocuous-looking apps such as an alarm clock, a QR code reader, a photo editor and a compass, thousands of users have downloaded AsiaHitGroup malware from the Google Play store.

“Based on data from Google Play, the apps present in the Play store that are infected with Android/Trojan.AsiaHitGroup have been installed 10,700 to 22,000 times,” Nathan Collier, Senior Malware Intelligence Analyst, told ZDNet.

Like other forms of malware, AsiaHitGroup appears to look legitimate, even coming with the advertised function. However, in this instance, the user only gets one chance to use the app, because after it is closed the icon disappears.

But rather than becoming inactive, AsiaHitGroup disguises itself as the phone’s ‘download manager’ in the downloaded apps and continues to carry out its malicious activity – which in this case involves tracking the user’s location and distributing adware in order to generate money. Researchers say the geolocation tools ensure that the malware only targets users in Asia.

Like Trojan Dropper, AsiaHitGroup uses obfuscation techniques to hide itself within the Google Play store.

In both cases, users with Google Play Protect enabled would have been protected from the malicious apps, but these are just the latest instances of malware finding its way into the official application marketplace for Android users – BankBot banking data stealing malware was recently found in the store for the third time.

Google says it has a stringent security process for stopping malicious software getting into the Play store and that it keeps the vast majority of its 1.4 billion Android users safe from malware.

ZDNet has attempted to contact Google for comment but hadn’t received a response at the time of publication.


Have you found Face ID on the iPhone X to be an adequate successor to Touch ID? [Poll]

The iPhone X has been available for over a week now, which means users have had the last week to use Face ID, Apple’s new biometric technology that replaces Touch ID.

Over the last week, have you found Face ID to be an adequate successor to Touch ID?



The initial response to rumors that Apple was planning to drop Touch ID in favor of Face ID was mixed. Touch ID had become an integral part of iOS, making the iPhone easier to use while also increasing security. In a poll we ran ahead of the iPhone X unveil, some 45 percent of respondents stated that facial recognition wouldn’t be enough to replace Touch ID.

Apple isn’t the first company to attempt face recognition in a smartphone. Samsung, for instance, included a feature called Iris Unlock in its Galaxy S8 and Galaxy Note 8. The issue with Samsung’s implementation, however, was security. Iris Unlock was quickly discovered to be easily fooled by photographs.

The poor implementation of facial recognition by companies like Samsung was likely the reason for many initial doubts about Apple’s Face ID. People were skeptical that Apple would be able to ensure the same level of security with Face ID that it had with Touch ID.

Of course, people had also grown to love Touch ID. The feature had become an integral part of Apple’s ecosystem, supported on the iPhone, iPad, and Mac. Now, there’s sort of a feature gap between the devices, though it seems Face ID will make its way to the iPad Pro with next year’s updates.

Now that Face ID is out to the public, however, the response seems to have changed. Many users are pleased with the feature, though some have issues.

Personally, as I wrote yesterday in my iPhone X impressions piece, I’ve been nothing short of amazed with Face ID. It works insanely fast and it’s passive, requiring no physical initiation by the user, unlike Touch ID. Apple also highly touts the security of Face ID – saying it’s even more secure than Touch ID.

What about you? After one week with the iPhone X, are you convinced that Face ID is the future? Or have you had issues? Let us know what you think in the poll above and share more down in the comments.



The Internet Has Found Lady Gaga’s Doppelgänger

It seems as though celebrity doppelgängers are all over Instagram — and some of them are convincing enough that you might be fooled into thinking that the “lookalike” is actually the celebrity themselves. (I mean, have you seen Selena Gomez’s doppelgänger on social media? They might as well be twins.)

The latest celebrity lookalike to hit the Insta circuit is none other than 18-year-old Amethyst Rose, who looks exactly like Lady Gaga. A quick spin through her Instagram page is all the proof that you need, and her bio even recognizes the uncanny resemblance. “If I had a dollar for every time someone said I look like Lady Gaga, I’d be V rich,” the teen writes.

If Amethyst Rose’s selfies weren’t convincing enough, she’s also shared several side-by-side photos of herself with the singer, and we’re pretty sure that these two are secretly sisters. “If @ladygaga ever plays a role in a movie where she needs to portray a teenage her I’m all for it,” she wrote in one caption, adding: “I’m also okay with being a stunt double.” There’s no doubt about it; these ‘grams are definitely mind-blowing. It remains to be seen whether or not Mother Monster will take notice, but we have a feeling she’d be just as stunned as the rest of us.


Ex-Scotland Yard chief ‘knew of claims pornography was found on Damian Green’s Parliamentary computer’

A former head of Scotland Yard knew of allegations that pornography had been found on one of Damian Green’s parliamentary computers during a 2008 police investigation into leaks, it has been reported. 

Sir Paul Stephenson, who was Metropolitan Police Commissioner between 2009 and 2011, told the BBC that the alleged discovery “wasn’t relevant” to the criminal probe that involved a search of Mr Green’s Commons office when he was a shadow minister. 

A Whitehall inquiry into the First Secretary of State, effectively the Prime Minister’s deputy, was widened last week after the Sunday Times reported that a statement prepared by ex-Met assistant commissioner Bob Quick for a separate review had discussed the alleged discovery. 

Following the Sunday Times’ report, Mr Green said the story was “completely untrue” and the allegations amounted to “false, disreputable political smears”. 

He added: “More importantly, the police have never suggested to me that improper material was found on my parliamentary computer, nor did I have a ‘private’ computer, as has been claimed.” 

The internet is freaking out about this strange critter that a man found in his home

Startling yes, but not worth canceling a tropical vacation over. In fact, researchers observed the moth playing dead when disturbed. The four hairy tentacles, or coremata, protruding from the red-orange abdomen are made for romance not horror. The coremata emerge from the abdomen, inflate like balloons and emit pheromones to attract mates. Then, the moth waves the coremata to better spread the scent. Consider it the Champagne and oyster equivalent for moths.



