Have you monitored the data flowing in and out of your home network? You can use tools such as port scanners and packet sniffers to see just how noisy the devices are in your home. Whether your printer is calling home to see if there are any firmware updates or your set-top TV boxes are receiving scheduling updates you may be surprised just how much traffic is flowing in and out of your home network without any of your knowledge.
One such type of data that has interested me recently is telemetry data. This is data that operating systems and devices send back to their manufacturer to help them improve their products.
Let’s take Microsoft Windows as an example. It has four levels of telemetry data:
Security to help keep their OS secure.
Basic for everyday use.
Enhanced for how you are using the OS.
Full for collecting as much info as possible.
The worrying thing is they don’t go into much detail about what exactly they are collecting and how this may affect your privacy.
Searching online we learn that the telemetry data should include:
Device specifications and health
App usage and performance
Error reports and crash dumps
Feedback and ratings
Browser history and search queries
Location and activity history
Advertising ID and interests
This data could be used to help them improve their software, but it could also be used to profile you. What software you use, what devices you have, when you are online and from what location, what you are viewing and buying online. All valuable information. To someone.
So are you happy for your devices to send telemetry data?
Category: privacy
Data leakage
Data leakage
Our devices and activity are constantly leaking data into the digital ether. What we choose to watch is recorded and reported to a remote server somewhere, along with the make and model of device we are using, the version of firmware it is running, and it’s IP address.
When we shop our loyalty cards and apps record our purchases as does the method of payment. Our modern cars record telematics and track our location via GPS. The in-car entertainment system tracks what we listen to and watch.
Web browsers profile our surfing habits, smartphones track our social and communication history. Smart meters track our utilities and can even tell when no one is home.
All of our smart devices connect to their manufacturer’s command and control center reporting telematics, performance, and usage data.
The photos and videos we take and upload contain metadata that shows where we took the image or video and on what device. We can be tracked via our smartphones right now and going back in time.
All this data leakage is valuable to someone. How much data are you leaking right now?
Data brokers
Data about us is so valuable that companies now offer cheap or free services in return for collecting data about us. If you’ve ever wondered why there are so many free email providers, or free streaming services, it’s because you are the commodity, or at least the data you generate is.
Data brokers make a living by collecting all this data about you and building a profile linking data from various sources. This profile data is organised and analysed and then sold to whoever can make use of it.
Examples of some of the data collected includes:
Your name, contact numbers, email, and address
Age, gender, and other physical attributes
Employment status, income band, credit status
Geographical region for home, work, and travel
Political beliefs, religion, marriage history, dependants
Patent and copyright data, businesses owned
Property and vehicle ownership
Social media membership
Club and organisation membership
Digital entertainment subscriptions and viewing habits
Web surfing usage
Fitness and health tracking
Data brokers, also known as Information brokers collate all this data and sell it to anyone that can make use of it. There are some restrictions to what they can collect, store, and sell, depending on the country they operate in and where the individuals the data is about resides, such as GDPR in the UK.
The data can be scraped from public sources and then combined using bespoke software or AI. This may introduce errors. Individuals can submit freedom of information requests to brokers requesting details of what information is held about them in their database. In some regions you can then request to have this data removed known as the right to be forgotten.
Some data brokers have been hacked due to lax security practices. They are an attractive target as they contain consumer data that is useful to malicious actors that do not wish to pay for it nor wish to be identified as having access to it.
The main types of data broker are:
Marketing and advertising
People searching
Financial information
Personal health
How much info do data brokers have about you?
Thoughts on CCTV hacking
CCTV stands for Closed-Circuit TeleVision. Or at least stood for, as today it’s rarely a closed circuit nor TV. It’s usually online and over IP and available to access via an app on your phone, making it all the more hackable.
So how easy is it to hack modern CCTV?
I did some research and the answer is it depends. It depends on the manufacturer, the availability of software and firmware updates, and how it is configured.
Let me explain by switching sides to that of a potential attacker. First you have to find the target CCTV system. This can be achieved using a database like Shodan and tools like Angry IP Scanner. With an IP address and a port scanner such as nmap or the aforementioned Angry IP you can locate the login page. Then it’s just a matter of trying the manufacturer’s default passwords, employing a brute force attack, or making use of an exploit where available.
So how do you secure your online CCTV system? First, make sure it’s a closed system unless you really need to be able to access it remotely; in which case secure the connection by changing any default passwords, make sure all software and firmware is up to date, employ a firewall and VPN (or whitelist IPs for access) and monitor access logs for anything suspicious.
Simple?
Ways drones could be used and abused
I’ve been thinking about drones recently. I have a friend that races them, a neighbour that has one to map out the local area, and I own a tiny in-door one myself. Drones seem to be growing in popularity and so I started looking into the security implications of drones and noted all the ways that drones could be hacked, used and abused.
Here’s my list:
– Crashed on purpose or flown into obstacles, vehicles, or people.
– Used for remote surveillance, monitoring, eavesdropping, shoulder-surfing of keypad entry use, invasion of personal privacy.
– To steal other drones using techniques such as jamming and spoofing. See Samy Kamkar’s Skyjack experiment as an example.
– To steal on-board data from other drones. Drones have digital storage for video, image, and audio recorded data. This could be stolen. Also the interception of the data streams that a drone sends back to its base station could be intercepted.
– To steal wireless data. Drones can be used to intercept Wifi, Bluetooth, RFID, ZigBee, and any other wireless data by carrying the appropriate hacking tools and communications equipment. The drone can be flown within range of the target communications signals and then spoof and hack its way in. It could even be flown onto an office building roof in order to become a WiFi pineapple device then return to base with no human required to access the target location.
– To deliver contraband across borders, fences, and other restricted areas.
– To hack vehicles by flying above the vehicle and employing vehicle hacking technology.
– To create a communications network. Instead of using the cell towers of a communications company a network of drones with specialist on-board software and equipment could act as a mobile cell network to provide communications for an organisation preventing eavesdropping from the authorities.
– To map out locations and buildings in greater detail than Google streetview and Google Earth can offer.
– To disable security cameras in an area by locating the cameras and using various techniques such as IR to disable the cameras for a period of time before criminals access the location.
– To assist with heists from vehicle hijacks to museum robberies.
Can you think of any others?
Who called me
Who called me
When you work with computers and possess at least one certification in cyber security, you tend to have friends or family that call or message you on occasion asking you to trace a phone number for them as if you are some form of digital private eye.
The truth is that only the authorities with the assistance of the telecom providers can legally do that. All these websites that say they can trace any number in the world for you are lying. They are just scams after your money. At best they have scraped open source content for numbers and can tell you the network provider, country of origin, and anything that is available online for free. Maybe they’ve concatenated and absorbed phone directories and public domain phone number repositories. They certainly can’t trace an unlisted number for you.
That said, if the number does have a footprint of some kind in the public domain then there are ways of finding it. Using Google Dorking to scour search engine data may uncover something useful. Governmental company registration databases that are open to the public may also reveal data. Whois records, club memberships, company websites, etc.
The phone number is just a character string. Play with the format when searching. For example if you were called by 07709 123456 and you are in the UK you could search for exact string matches of:
07709 123456
07709123456
7709 123456
7709123456
44 07709 123456
44 7709 123456
4407709123456
447709123456
Google for OSINT tools and techniques related to phone numbers for more suggestions.
Fingerprinting and profiling
I’ve been thinking a lot recently about digital fingerprinting and profiling, how bad it’s getting, all of us becoming easily tracked, digitally.
You could be emailing a friend about going camping and the next minute your phone apps are serving you adverts about camping equipment and camp sites in your area. Or maybe you are considering a holiday to Greece and you look at a few travel sites. Then every web site you seem to visit afterwards is serving you Greece-related getaway adverts.
It’s getting out of control. Not quite Minority Report, but not far off. Web sites are able to capture data about your device via user agent strings, cookies, through third-party arrangements, and other methods, and they can knit-together your surfing history to build a picture of your habits and interests to better target you with product and service advertisements.
We are being tracked, fingerprinted, and profiled digitally without our explicit consent. And it’s getting worse. Smart TVs and devices listen and buffer your conversations waiting for you to provide instructions. Are they recording what we say? How come when I spoke about maybe going to buy a new car with my wife in the comfort of our own home, that when I checked my web mail on my mobile later I was served car adverts? Or how come when I bought some beer, chicken, and BBQ sauce at the local supermarket where I used my loyalty card with cash, the adverts on my phone and PC are now trying to sell me BBQs? A coincidence? Or am I being digitally tracked across multiple devices and accounts?
Am I being paranoid or are we being digitally tracked, fingerprinted and profiled?
Temporary email
It’s very annoying when you come across something useful online that you want to access like an ebook or article that states that it is completely free, you just have to provide your email address before you can access it.
When we think of something that is free we tend to think in terms of monetary value. But cost comes in other forms as well, such as our time, and our data. By providing your email address you are giving away information, for free. The individual or company that you are giving this information to may use it to sell you something or to sell the actual data that you just freely gave. There are data brokers, email harvesters, etc, that will pay real money for valid email addresses, especially if it comes with context. For example if you were trying to access a free eBook on investing they now know that your email address belongs to someone that is interested in investing and that is valuable information.
The trick with such sites and asks is not to give your real email address yet still get access to the free content. To do this there are free temporary email services. Just google temporary email to see what I mean. With the click of a button you can create a randomly generated email address with a short time to live in minutes that you can use with the site offering the free content. You can then read the article or download the eBook (obviously scanning it for viruses and malware before opening) and when you are done no one has your real email address. Simples!
Avatar tracking
People are attached to images, especially the ones they use to represent themselves online. Even if it’s not a photo of themselves, it will usually mean something to them and can be unique on a pixel-level.
With services like Gravatar it’s easier to track someone by their avatar. Grab a copy of their avatar and paste it into reverse image search engines and you could find where that image has been used across the net. You could find the email addresses and accounts associated with that individual. You could build a map of their haunts online.
Your avatar is like a fingerprint. It allows you to be tracked almost as much as an email address. So take care when creating yours.