
Tag: MAC Address

Netgear ‘fixes’ router by adding phone-home features that record your IP...

Yeah, that'll be secure for sure

Netgear NightHawk R7000 users who ran last week's firmware upgrade need to check their settings, because the company added a remote data collection feature to the units.…

Shielding MAC addresses from stalkers is hard and Android fails miserably...

Only an estimated 6% of Android phones randomize MACs, and they do it poorly.

MAC randomization: A massive failure that leaves iPhones, Android mobes open...

Security flaws smash worthless privacy protection

Analysis  To protect mobile devices from being tracked as they move through Wi-Fi-rich environments, there's a technique known as MAC address randomization.

This replaces the number that uniquely identifies a device's wireless hardware with randomly generated values.…
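As an added illustration (not part of The Register's analysis, and not code from any of the vendors discussed) of what randomization does at the bit level and how a passive observer can tell which stations are using it, the following Python generates a randomized address the way the 802.11 privacy schemes do (set the locally administered bit, clear the multicast bit, randomise the rest) and classifies a list of probe-request senders. The sample addresses and the sweep they are supposed to come from are constructed for the example.

```python
import re
import secrets
from collections import Counter

# Canonical colon-separated form; input with dashes is normalised first.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_private_mac():
    """Build a randomized address the way 802.11 privacy schemes do: six random
    bytes, then set the U/L bit (0x02) of the first octet so the address is
    marked locally administered, and clear the I/G bit (0x01) so it stays
    unicast. The hardware's real OUI never goes on the air."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


def _first_octet(mac):
    mac = mac.lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac[:2], 16)


def classify(mac):
    """'multicast' if the I/G bit is set (a group address, not a station),
    'randomized' if the U/L bit is set (locally administered, the one bit every
    randomization scheme must set because it cannot mint a globally unique
    address), otherwise 'burned-in'."""
    octet = _first_octet(mac)
    if octet & 0x01:
        return "multicast"
    if octet & 0x02:
        return "randomized"
    return "burned-in"


def summarize(probe_senders):
    """Count, per class, the source addresses seen in one sweep of probe
    requests: the 'burned-in' count is how many stations are exposing a stable
    hardware identifier to anyone listening."""
    return Counter(classify(m) for m in probe_senders)


# Constructed sample of what a passive sniffer might record in one sweep.
SAMPLE_PROBE_SENDERS = [
    "00:11:22:33:44:55",  # burned-in, trackable from visit to visit
    "da:a1:19:7c:3e:02",  # 0xda has the U/L bit set and I/G clear: randomized
    "00:11:22:33:44:55",  # the same burned-in station, seen again
    "3c:15:c2:9a:40:11",  # burned-in
    "01:00:5e:00:00:fb",  # multicast group address, not a station
]

if __name__ == "__main__":
    print(random_private_mac(), classify(random_private_mac()))
    print(dict(summarize(SAMPLE_PROBE_SENDERS)))
```

Two caveats when reading the classifier's output: a locally administered address is not proof of randomization (virtual machines and some enterprise deployments set the same bit deliberately), and "randomized" only means the station is not broadcasting its hardware address. Whether it randomizes well, for instance by picking a fresh address for each probe burst rather than reusing one, can only be judged by comparing sweeps over time.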

Viral Chinese selfie app Meitu phones home with personal data

Reg man submits self to invasive sparkly-unicorn androgyny transformation

PIC  The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded.

But worst of all, the free app appears to be phoning home to share personal data with its makers. According to respected forensics man Jonathan Zdziarski, Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address.

"Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says.

Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found.

These people are on your networks, they handle your payroll. This app is pretty benign to what could have been done. — FourOctets (@FourOctets) January 19, 2017

Location information is captured when activated on handsets, and may even be pulled from EXIF data in existing photos. There is no evidence the application is outright malicious; rather, it is an example of how app developers can and do push the boundaries of legitimacy in the quest to quietly harvest loads of user data to pay for the provision of free products and services.

Technical users wanting to install Meitu should weigh up its value against its collection and dissemination of their identifiable information to unknown sources. Non-technical users are in perilous territory, and may try denying Meitu permission requests other than access to the device camera should they want to install the app, although this is by no means a sure way to protect device data. Security and privacy boffins are largely avoiding the application and calling out its collection capabilities, but millions of regular users are downloading and highly rating the app.

If you like being the target of marketing and big data, by all means run Meitu. I’m sure whoever’s buying their data will thank you. — Jonathan Zdziarski (@JZdziarski) January 19, 2017

Others have probed the app, tallying a huge number of permissions the app seeks, including: device and app history; accurate location; phone status; USB, photos and file storage read and write; camera; Wi-Fi connections; device ID and call information; full network access; run at startup; and prevent device from sleeping.

In a test on a Vulture South spare phone, the application was still able to function sufficiently well to capture this writer's nightmare-fuel selfie with storage and camera permissions accepted and phone permissions denied. No other prompts were thrown on the Android 7 Nougat device.

FBI let alleged pedo walk free rather than explain how they...

'Tor pedo' torpedo torpedoed

In a surprising and worrying move, the FBI has dropped its case against a man accused of downloading child sex abuse images, rather than reveal details about how they caught him.

Jay Michaud, a middle school teacher in Vancouver, Washington, was arrested in July last year after visiting the Playpen, a dark web meeting place tens of thousands of perverts used to swap mountains of vile underage porn. Unbeknown to him at the time, the FBI were, for about a fortnight, running the site after taking over its servers, and managed to install a network investigative technique (NIT) on his computer to get his real public IP address and MAC address. The Playpen was hidden in the Tor anonymizing network, and the spyware was needed to unmask suspects – about 1,300 public IP addresses were collected by agents during the operation.

According to the prosecution, a police raid on his home revealed a substantial hoard of pictures and video of child sex abuse on computer equipment. But now, guilty or not, he's off the hook after the FBI filed a motion to dismiss its own case [PDF] late last month.

Why? Because Michaud's lawyer insisted that the FBI hand over a sample of the NIT code so it could be checked to ensure that it didn't breach the terms of the warrant the FBI obtained to install the malware, and to check that it wouldn't throw up any false positives. US District Judge Robert Bryan agreed, saying that unless the prosecution turned over the code, he'd have to dismiss the charges. The FBI has since been arguing against that, but has now decided that it's better to drop the case than reveal its techniques.

The Playpen affair has proved to be a legal minefield in more ways than one. For a start, the admission that the FBI had been distributing such images and videos online troubled many. But the agency also only sought a single warrant to distribute its NIT internationally, which may have been illegal at the time.

That's no longer the case, since a change in Rule 41 of the Federal Rules of Criminal Procedure was nodded through by the US Supreme Court and came into effect on December 1 last year. Judges in Playpen cases – there have been hundreds of prosecutions similar to Michaud's lined up by the Feds – haven't always agreed that the FBI had the right to introduce evidence gathered without a local warrant.

In the past the FBI has dropped cases rather than reveal its investigation techniques, particularly with its cellphone-tracking Stingray equipment. But those were minor cases – nothing so serious as child abuse.

Mozilla Patches Firefox Zero Day Used to Unmask Tor Browser Users

As expected, Mozilla released a new version of Firefox on Wednesday to address a zero-day vulnerability that was actively being exploited to de-anonymize Tor Browser users. The vulnerability, disclosed on a public Tor Project mailing list late Tuesday night, forced the Tor Project to also issue an emergency update (6.0.7) of its Tor Browser – which is partially built on open source Firefox code – on Wednesday. According to Daniel Veditz, who leads Mozilla’s security team, Firefox users should have their browsers automatically updated at some point over the next 24 hours.

If they’d rather not wait, users can download the updated versions – Firefox 50.0.2, Firefox ESR 45.5.1, and Thunderbird 45.5.1 – manually.

Firefox users should update to get an important vulnerability fix https://t.co/DohnA5coHd — Daniel Veditz (@dveditz) November 30, 2016

The issue, a use-after-free vulnerability, technically existed in an object, nsSMILTimeContainer, which is used to facilitate SVG animation in Firefox.

Assuming an attacker could trick a user into visiting specially-crafted web content, they could have leveraged the vulnerability to remotely execute arbitrary code on the system. Veditz said Wednesday afternoon that the exploit seen in the wild used this capability to collect the IP and MAC addresses of the victim's machine, information Tor users expect to remain private, and forward them to a central server.

“The exploit took advantage of a bug in Firefox to allow the attacker to execute arbitrary code on the targeted system by having the victim load a web page containing malicious JavaScript and SVG code. It used this capability to collect the IP and MAC address of the targeted system and report them back to a central server. While the payload of the exploit would only work on Windows, the vulnerability exists on Mac OS and Linux as well,” Veditz wrote.

Veditz acknowledged that many security researchers surmised on Twitter Wednesday that the way this exploit worked was similar to the way the FBI de-anonymized Tor users in 2013. While Veditz stopped short of saying the exploit was created by the FBI or law enforcement, he did float the idea and warned how it could pose a serious threat to privacy.

“As of now, we do not know whether this is the case. If this exploit was in fact developed and deployed by a government agency, the fact that it has been published and can now be used by anyone to attack Firefox users is a clear demonstration of how supposedly limited government hacking can become a threat to the broader Web,” Veditz said.

Firefox Patched for Zero-Day Vulnerability

Mozilla moves quickly to fix vulnerability that was being actively exploited in attacks against Tor Browser, which is based on Firefox. Late afternoon on November 30, Mozilla rushed out an emergency update for its open-source Firefox web browser, fixin...

Mozilla Races To Patch Bug Used To Attack Tor Browser Users

While the attacks are currently targeting Tor users, the publication of the exploit code allows anyone to use it, potentially putting all Firefox users at risk. Users of online anonymity network Tor are facing a new attack that uses near...

Drive-by web nasty unmasks Tor Browser users, Mozilla dashes to patch...

SVG, JavaScript smuggles malicious payload into PCs

Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users. Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and leaks the user's MAC address, hostname and potentially their public IP address.

Typically, this exploit would be embedded in a webpage and leap into action when opened by an unsuspecting visitor. Tor Browser is a repackaged version of Firefox that runs connections through the anonymizing Tor network; it's supposed to hide your public IP address, and the exploit is designed to leak that potentially identifying information to persons unknown. The exploit was posted by an anonymous user of the Sigaint dark web email service.

That mailing list message said the flaw is being used right now against Tor Browser folks. "This is a JavaScript exploit actively used against Tor Browser now," the author wrote. "It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it's getting access to VirtualAlloc in kernel32.dll and goes from there."

The exploit was lobbed at Mozilla's security team, which has studied the code and located the programming bug attacked by the JavaScript and SVG. It is working on a patch, Tor Project lead Roger Dingledine said. "So it sounds like the immediate next step is that Mozilla finishes their patch for it then … a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Dingledine noted.

Early analysis reveals the payload has striking similarities to a separate Tor Browser spying tool that emerged in 2013.

According to reverse-engineering efforts, it appears once this latest x86 code injected by the JavaScript is running within the browser, it phones home to 5.39.27.226 on port 80 and sends over the machine's information. Whatever was behind that IP address is no longer responding to connections; it appears to have belonged to an OVH-hosted virtual machine.

The 2013 payload was used by the FBI to decloak Tor-protected suspected criminals.

First off, it's a garden variety use-after-free, not a heap overflow, and it affects the SVG parser in Firefox. — Dan Guido (@dguido) November 30, 2016

As far as exploit techniques, this is a routine UAF that heap sprays a controlled object to kick off a ROP chain. Pwn2Own 2012-level tech. — Dan Guido (@dguido) November 30, 2016

We'll update this story as details come to hand.
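As an added example (not code from the exploit, from Mozilla or from The Register), the following Python scans proxy log lines for the behaviour described above: a plaintext HTTP call-back to the reported 5.39.27.226 on port 80, and, because that host stopped answering almost immediately, the more durable signal of a MAC address leaving the network inside an HTTP request body. The log layout, the client addresses and the request bodies are assumptions constructed for the example; only the call-back address comes from the reverse-engineering reported above.

```python
import re
from dataclasses import dataclass

# Call-back address reported in the reverse-engineering of the Tor Browser exploit.
KNOWN_CALLBACK = ("5.39.27.226", 80)

# MAC address in colon or dash notation, anywhere in a request body.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Assumed log layout: timestamp client dst_ip:dst_port method path "body excerpt"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) "(.*)"$')

# Constructed sample lines; none of these hosts or bodies are real captures.
SAMPLE_LOG = """\
2016-11-30T12:01:05Z 10.0.0.12 93.184.216.34:443 GET /index.html ""
2016-11-30T12:01:07Z 10.0.0.12 5.39.27.226:80 POST / "host=DESKTOP-7H2K mac=00:1A:2B:3C:4D:5E"
2016-11-30T12:03:41Z 10.0.0.15 203.0.113.9:80 POST /report "id=8f3a mac=08-00-27-aa-bb-cc"
2016-11-30T12:04:00Z 10.0.0.15 198.51.100.3:443 GET /api/v1/ping ""
2016-11-30T12:05:12Z 10.0.0.20 203.0.113.9:80 GET /static/app.js ""
"""


@dataclass(frozen=True)
class Alert:
    client: str
    destination: str
    reason: str      # "known-callback" or "mac-exfil-plaintext"
    macs: tuple      # MAC addresses found in the body, normalised to lower-case colons


def scan(log_text):
    """Return one Alert per suspicious request. Rule 1 matches the published
    call-back endpoint; rule 2 needs no indicator at all and fires on any
    plaintext HTTP POST whose body carries a MAC address, which is the
    behaviour that survives the attacker moving to a new server."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not in the assumed layout; skip it
        _ts, client, dst_ip, dst_port, method, _path, body = m.groups()
        port = int(dst_port)
        macs = tuple(x.lower().replace("-", ":") for x in MAC_RE.findall(body))
        dst = f"{dst_ip}:{port}"
        if (dst_ip, port) == KNOWN_CALLBACK:
            alerts.append(Alert(client, dst, "known-callback", macs))
        elif macs and method == "POST" and port == 80:
            alerts.append(Alert(client, dst, "mac-exfil-plaintext", macs))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The first rule is the brittle one: the indicator was dead within hours of the exploit surfacing, so a detection that only knows the address would have had one useful day. The second rule encodes what the payload actually does, and is the one worth keeping after the indicator expires.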

One warrant used to target thousands of child porn suspects in...

A newly released federal court hearing transcript reveals that one warrant issued as part of a massive child porn investigation in the US was also used to authorize government malware that targeted more than 8,000 users across 120 countries, including a “satellite provider.” As Vice Motherboard first reported, the remarks came from the November 1 hearing in the case of United States v. Tippens and two other related cases, which are ongoing in Tacoma, Washington.

These cases, and more than 100 others like them, are part of a global effort to target people suspected of accessing the now-defunct Tor-hidden child porn site known as “Playpen.” As Colin Fieman, a federal public defender who represents David Tippens and other Playpen defendants in that area, said during the November 1 hearing in Tacoma:

Every time Your Honor grants a discovery request and we get new information, it’s like—to use an appropriate metaphor, like peeling an onion. There’s just another layer of fact there that we did not know about. I mean, we did not know this was a truly global warrant before. There are 120 countries and territories listed outside the United States that the FBI hacked into, and they also hacked into something called a “satellite provider.” So now we are into outer space as well... The privacy interest at stake here isn’t the IP address or MAC address, it’s the fact that they went into a personal computer in our clients’ homes.

Fieman asked the judge to suppress the evidence collected against his clients. As Ars has reported, federal investigators temporarily seized Playpen in 2015 and operated it for 13 days before shutting it down.

The agency then used a “network investigative technique” (NIT) as a way to ensnare site users. That NIT, which many security experts have dubbed malware, thwarted Tor and forced people’s computers to cough up their true IP addresses. With that, it became trivial for investigators to subpoena ISPs and determine the identities of the account holders.

Part of the controversy surrounding the Playpen affair is the fact that a more junior type of judge, known as a federal magistrate (here, Virginia-based US Magistrate Judge Theresa C. Buchanan), was the one who signed the warrant authorizing this search, which targeted users not only in other parts of the United States but abroad as well. Under one part of the current rules of federal criminal procedure, known as Rule 41, only more senior federal judges, known as district judges, have the authority to issue out-of-district warrants. However, a change in this rule set to take effect on December 1, 2016 will expand this power to magistrate judges, absent Congressional action.

Of the more than 100 Playpen-related child pornography cases that have been prosecuted, federal judges in Iowa, Massachusetts, and Oklahoma have ruled that such a search violated current laws of federal procedure and was in fact so egregious that the evidence collected as a result should be tossed. Other judges have rebuked prosecutors for unlawful searches, but they have not gone so far as to suppress evidence.

Balancing test

In Tippens, Fieman argued that US District Judge Robert Bryan should, in fact, suppress the evidence gathered as a result of the NIT. In an exchange during the same November 1 hearing, federal prosecutors argued that the judge should do no such thing. In fact, Judge Bryan seemed a bit skeptical of the government’s arguments. For their legal reasoning, prosecutors and investigators relied on the portion of Rule 41 that refers to a “tracking device,” which is defined elsewhere in federal law as: “an electronic or mechanical device which permits the tracking of the movement of a person or object.” In Tippens, as in all the other Playpen cases, the “object” seems to be data—the IP address revealed by the NIT. As Judge Bryan said:

A tracking device is not designed under Section 3117 to track other than a person or object. But in Rule 41, you are talking about information as property, and it was used apparently here to track information. You know, the language of the statutes and the rule seem to indicate that a tracking device is something very different than a computer NIT or some electronic communication between computers. I know other judges have decided that was a good niche to hang their opinion on, but I have a little trouble with that. It seems to me it’s stretching the tracking device rule and statute beyond its intended meaning.

Assistant United States Attorney Matthew Hampton told the judge that deciding to toss the evidence was “a close call at best," saying, "the costs of suppression here are tremendous. Defendants who committed horrific crimes could well be let go and go free, and the interest that would vindicate is at most a venue revision. It certainly wouldn’t deter government misconduct. What government misconduct was there? The government did what the Fourth Amendment—what is a fundamental policy of the Fourth Amendment."

Judge Bryan is expected to rule on the motion to suppress in the coming months.

FBI operated 23 Tor-hidden child porn sites, deployed malware from them

As Ars has reported, federal investigators temporarily seized a Tor-hidden site known as Playpen in 2015 and operated it for 13 days before shutting it down.

The agency then used a “network investigative technique” (NIT) as a way to ensnare site users. However, according to newly unsealed documents recently obtained by the American Civil Liberties Union, the FBI not only temporarily took over one Tor-hidden child pornography website in order to investigate it, the organization was in fact authorized to run a total of 23 other such websites. According to an FBI affidavit among the unsealed documents:

In the normal course of the operation of a web site, a user sends "request data" to the web site in order to access that site. While Websites 1-23 operate at a government facility, such request data associated with a user's actions on Websites 1-23 will be collected. That data collection is not a function of the NIT. Such request data can be paired with data collected by the NIT, however, in order to attempt to identify a particular user and to determine that particular user's actions on Websites 1-23.

“That paragraph alone doesn't quite say the FBI is operating them,” Fred Jennings, a cybercrime lawyer, told Ars. “But definitely no other way to read that than websites 1-23 were hosted at a government facility, with the FBI's knowledge and to the FBI's informational benefit. It's clever phrasing on their part.”

Security researcher Sarah Jamie Lewis told Ars that “it’s a pretty reasonable assumption” that at one point the FBI was running roughly half of the known child porn sites hosted on Tor-hidden servers. Lewis runs OnionScan, an ongoing bot-driven analysis of the Tor-hidden darknet. Her research began in April 2016, and it shows that as of August 2016, there were 29 unique child porn related sites on Tor-hidden servers. “Doing the math, it’s not zero sites, it’s probably not all the sites, but we know that they’re getting authorization for some of them," she said. "I think it’s a reasonable assumption—I don’t think the FBI would be doing their job if they weren’t.”

That NIT, which many security experts have dubbed malware, used a Tor exploit of some kind to force the browser to return the user’s actual IP address, operating system, MAC address, and other data.

As part of the operation that took down Playpen, the FBI was then able to identify and arrest nearly 200 child porn suspects. (However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which could suggest that even more charges may be filed.)

Rule 41's arrival

In the Playpen case, the NIT’s deployment was signed off by one magistrate judge in Virginia, and it was used to target child porn users both in the United States and abroad. "Websites 1-23" were signed off by a different judge in Maryland. Under one part of the current rules of federal jurisprudence, known as Rule 41, only more senior federal judges, known as district judges, have the authority to issue out-of-district warrants. However, a change in this rule set to take effect on December 1, 2016 will expand this power to magistrate judges, absent Congressional action. Of the more than 100 Playpen-related child pornography cases that have been prosecuted, federal judges in Iowa, Massachusetts, and Oklahoma have ruled that such a search violated current laws of federal procedure and was in fact so egregious that the evidence collected as a result should be tossed. Other judges have rebuked prosecutors for unlawful searches, but they have not gone so far as to suppress evidence.

Ars asked FBI spokesman Christopher Allen if at one point the FBI was running half of all child porn sites on the Tor-hidden Web, and if so, whether this was still true. “I would refer you to public documents on the Playpen investigation, in which we seized and operated a darkweb child pornography site for a period of less than two weeks,” he e-mailed. “That was an extraordinary investigation, and to my knowledge may be the only time that has occurred. So to suggest this is a common thing is patently not true.”

Lewis is herself a former computer scientist at Government Communications Headquarters (GCHQ, the British equivalent of the NSA). She could imagine reasons for the agency to keep the child porn sites online. “I have no direct evidence to the contrary, but based on what I know about past investigations, not just CP but drugs market investigations, and the trends we have seen in security, hacking investigations—and the direction of other nations' authorities—I expect that we will see more busts where taking over the site plays a role,” she added.

Leaks password, check. Leaks Wi-Fi password, check. Can be spoofed, check....

Another crud home CCTV box

Here we have yet another example of an internet-facing home security camera that is about as secure as a chocolate padlock. The surveillance cam, examined by security firm Bitdefender, comes with motion and sound detectors, two-way audio, built-in lullabies to send children to sleep, temperature and humidity sensors and a microSD/SDHC card slot. You can stream video from it in real-time across the web, and it's supposed to be used as a baby monitor, remote-controllable home CCTV, and so on. Its firmware does virtually nothing to protect it from miscreants around the world, we're told.

When you switch it on, it creates its own unsecured Wi-Fi network so a management app running on a nearby smartphone can connect to it.

Then the app tells the camera how to connect to the home's wireless network so it can reach the internet. The home network's credentials are sent over the air from the app to the camera in plaintext, so anyone nearby snooping on the gadget's hotspot can get hold of the password to the home's private Wi-Fi.

Next, when the app connects to the device directly over the internet – such as when the owner is out at work – the software logs into the gadget using HTTP Basic authentication over an unencrypted connection. Basic auth only Base64-encodes the username and password into every request, so to anyone on the path between app and camera the credentials are effectively plaintext. The gizmo has a default username and password combination, although it can be changed by the owner.

Either way, it can be slurped by eavesdroppers or looked up from a manual, and used by anyone in the world to connect in and spy on victims.

Connections are allowed into the device from the outside world via UPnP.

The firmware and app also use Base64 to encode the traffic between themselves, which is trivial to decode. When the camera wishes to send an alert to the phone app, it contacts its backend servers using SSL and provides its hardware MAC address for authentication. However, the authentication checks are completely flawed.

This means anyone can ping the manufacturer's servers over HTTPS and provide the MAC address of a stranger's device to masquerade as that gizmo. You can potentially combine these security shortcomings to trigger a bogus alert to the phone app and capture the device's username and password login when the app tries to connect to the camera to see what the problem is, as Bitdefender explains:

Every time it starts and at regular intervals, the device sends a UDP message to the authentication server, containing device data, an ID number represented by the MAC address and a 36-character code. However, the cloud server does not verify the code, it trusts the device’s MAC address to perform the authentication. Consequently, an attacker can register a different device, with the same MAC address, to impersonate the genuine one. The server will communicate with the device that registered last, even if it’s rogue. So will the mobile app.

This way, attackers can capture the webcam’s new password, if the user changes the default one. To speed up the process and grab the password faster, an attacker can take advantage of the camera’s push notification feature. Users can opt to receive notifications on their smartphone, specifically video alerts, whenever the camera detects any suspicious sound or movement in their homes. When the user opens the app to view the alert, the app will authenticate on the device using Basic Access Authentication and, thus, send the new password unencrypted to the hacker-controlled webcam. Finally, attackers can enter the username, password and ID to get full control of the user’s webcam, through the mobile app.

Alexandru Balan, chief security researcher at Bitdefender, said that by changing the last six digits of the MAC address (the unit-specific half; the first six hex digits are the manufacturer's OUI prefix and are the same across its products) it is possible to brute-force access to other cameras, with a 9 or 10 per cent success rate, from anywhere in the world. "In a dark way, that's the fun of it," he said. "Most IoT attacks are proximity based – you have to be in range of the device itself.

But here you can hijack the camera and view its stream even through a firewall and private IP address." George Cabau, Bitdefender's antimalware researcher, explained: "Anyone can use the app [to access a camera] just as the user would.

This means turning on audio, mic and speakers to communicate with children while parents aren't around or having undisturbed access to real-time footage from your kids' bedroom.

Clearly, this is an extremely invasive device, and its compromise leads to scary consequences." Bitdefender is keeping quiet on the manufacturer's name until the issue is patched, but Balan said it was a well-known manufacturer with plenty of devices in circulation.

The vendor is working on a fix now.
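As an added illustration of the registration flaw Bitdefender describes (written for this page; it is not the vendor's or Bitdefender's code, and the vendor's real protocol is not public), the following Python models a cloud registry that identifies a camera by MAC alone, ignores the 36-character code and routes the app to whichever device registered last, replays the impersonation and Basic-auth capture against it, and then runs the same attack against a hardened registry that makes each camera prove possession of a per-device secret over a fresh server nonce. The class and function names, the challenge-response design of the hardened variant, and every address, secret and credential in the scenario are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets


class VulnerableRegistry:
    """Models the reported behaviour: identity is the MAC, the code is never
    verified, and the latest registration overwrites the earlier one."""

    def __init__(self):
        self._endpoint_by_mac = {}

    def register(self, mac, code, endpoint):
        # `code` arrives but is never checked; that is the flaw in the write-up.
        self._endpoint_by_mac[mac.lower()] = endpoint
        return True

    def endpoint_for(self, mac):
        # Both the cloud and the mobile app follow this pointer.
        return self._endpoint_by_mac.get(mac.lower())


class HardenedRegistry:
    """Assumed fix: each camera holds a secret provisioned at manufacture and
    proves possession of it over a single-use server nonce, so neither a spoofed
    MAC nor a replayed registration packet can redirect the app."""

    def __init__(self, provisioned_secrets):
        self._secret_by_mac = {m.lower(): s for m, s in provisioned_secrets.items()}
        self._endpoint_by_mac = {}
        self._nonce_by_mac = {}

    def challenge(self, mac):
        nonce = secrets.token_bytes(16)
        self._nonce_by_mac[mac.lower()] = nonce
        return nonce

    @staticmethod
    def proof(secret, mac, nonce, endpoint):
        # The claimed endpoint is bound into the tag so it cannot be swapped in flight.
        msg = mac.lower().encode() + nonce + endpoint.encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def register(self, mac, endpoint, tag):
        mac = mac.lower()
        secret = self._secret_by_mac.get(mac)
        nonce = self._nonce_by_mac.pop(mac, None)   # single use, even on failure
        if secret is None or nonce is None:
            return False
        if not hmac.compare_digest(self.proof(secret, mac, nonce, endpoint), tag):
            return False
        self._endpoint_by_mac[mac] = endpoint
        return True

    def endpoint_for(self, mac):
        return self._endpoint_by_mac.get(mac.lower())


def credentials_from_basic_auth(authorization_header):
    """What the rogue endpoint learns when the app follows a push alert and logs
    in with HTTP Basic authentication: the header is Base64, not encryption."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def run_scenario():
    """Replays the chain from the article against both registries.
    All addresses, secrets and credentials below are constructed."""
    victim_mac = "00:11:22:33:44:55"
    genuine, rogue = "203.0.113.10:80", "198.51.100.7:80"

    vuln = VulnerableRegistry()
    vuln.register(victim_mac, "a" * 36, genuine)
    vuln.register(victim_mac, "anything-at-all", rogue)   # attacker re-registers
    hijacked_to = vuln.endpoint_for(victim_mac)

    secret = secrets.token_bytes(32)
    hard = HardenedRegistry({victim_mac: secret})
    n1 = hard.challenge(victim_mac)
    genuine_ok = hard.register(victim_mac, genuine,
                               HardenedRegistry.proof(secret, victim_mac, n1, genuine))
    n2 = hard.challenge(victim_mac)
    rogue_ok = hard.register(victim_mac, rogue,
                             HardenedRegistry.proof(b"guess", victim_mac, n2, rogue))
    # Replaying the genuine tag against its stale nonce must fail too.
    replay_ok = hard.register(victim_mac, genuine,
                              HardenedRegistry.proof(secret, victim_mac, n1, genuine))

    leaked = credentials_from_basic_auth(
        "Basic " + base64.b64encode(b"admin:NewPass!1").decode())
    return {
        "vulnerable_routes_app_to": hijacked_to,
        "hardened_genuine_accepted": genuine_ok,
        "hardened_rogue_accepted": rogue_ok,
        "hardened_replay_accepted": replay_ok,
        "hardened_routes_app_to": hard.endpoint_for(victim_mac),
        "credentials_seen_by_rogue": leaked,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the contrast is the size of the secret an impersonator has to guess. With the manufacturer's OUI fixed, the vulnerable design leaves only the 24-bit unit suffix to enumerate, which is why cycling the last six hex digits finds live cameras; the hardened registry requires a 256-bit per-device secret for every attempt and burns the nonce on failure, so neither enumeration nor a sniffed registration packet gets the attacker anything. It still assumes the registration channel is itself protected (TLS with a pinned server certificate) and that the last-registration-wins policy is replaced by one that refuses to move an endpoint without a fresh proof.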