Your phone’s sensors could be used as a cookie you can’t delete

By John E Dunn

Researchers keep finding new ways that advertisers can track users across websites and apps by ‘fingerprinting’ the unique characteristics of their devices.

Some of these identifiers are well known, including phone and IMEI numbers, or the Wi-Fi and Bluetooth Mac addresses, which is why access to this data is controlled using permissions.

But iOS and Android devices have a lot of other hardware that could, in theory, be used to achieve the same end.

In the study SensorID: Sensor Calibration Fingerprinting for Smartphones, Cambridge University researchers give some insight into the latest candidate – sensor calibration fingerprinting.

If sensors don’t sound like a big deal, remember that today’s smartphones are stuffed with them in the form of accelerometers, magnetometers, gyroscopes, GPS, cameras, microphones, ambient light sensors, barometers, proximity sensors, and many others.

Researchers have been looking at whether these sensors could be used to identify devices for some time using machine-learning algorithms without much success, but the Cambridge researchers finally cracked the problem with a novel proof of concept for iOS devices using M-series motion co-processors.

And there’s a good reason why sensors represent an attractive target, say the researchers:

Access to these sensors does not require any special permissions, and the data can be accessed via both a native app installed on a device and also by JavaScript when visiting a website on an iOS and Android device.

In other words, unlike traditional fingerprinting nobody is going to stop them, ask for permission to do what they’re doing, or even notice it’s happening at all, rendering the whole exercise invisible.

Read more at https://nakedsecurity.sophos.com/2019/06/03/your-phones-sensors-could-be-used-as-a-cookie-you-cant-delete/

New controversy erupts over Chrome ad blocking plans

By Danny Bradbury

Google Chrome extension developers were fuming last week over a new approach in the way that the browser will handle extensions. It will limit the way that Chrome lets browsers block content – unless you’re an enterprise user.

In November 2018, Google proposed an update to the Manifest system, which restricts what extensions can do in Chrome. In its forthcoming Manifest v3, it wants to change the way that browser extensions intercept and modify network requests from the browser.

The proposed change would limit the functions of a specific application programming interface (API). APIs define how a piece of software can be spoken to by other bits of software.

Today, extensions running on the Chromium browser use the webRequest API to intercept network requests. They can use it to analyze and block requests from online domains like advertising networks.

Chromium’s developers want to limit the blocking form of webRequest, instead allowing only a neutered version that simply observes network requests. If developers want to block a site, they’d need to use another API called declarativeNetRequest.

The move would improve performance and improve user privacy, said Chromium’s developers. When using webRequest, Chrome gives the network request to the extension and waits for its decision. Under declarativeNetRequest, the extension tells Chromium its rules and lets the browser use those to handle the decisions itself.

Read more at https://nakedsecurity.sophos.com/2019/06/03/new-controversy-erupts-over-chrome-ad-blocking-plans/

Fake news writer: If people are stupid enough to believe this stuff…

By Lisa Vaas

In 2017, Facebook banned several fake news sites. One of them was the one that “Tamara” (not her real name) was writing for.

Poof! went her livelihood. Poof! went her boss’s Facebook Messenger account. When she finally got through to him, he sounded “shook up,” said Tamara, a Macedonian fake-news writer who recently described to the BBC what it’s like to manufacture mental sludge.

She didn’t hear from him again until last summer, when “Marco” – an awkward young man who seemed to be embarrassed about being younger than his employee – called to see if Tamara wanted to write for another website. She declined.

It’s not that she was overwhelmed with guilt that her job consisted of copying and pasting obviously made-up stories from other sites after searching for strings such as “Muslim attacks,” then creating a mashup of fact and fiction and searching Google for images to attach to the articles she published.

My take was that if people are stupid enough to believe these stories, maybe they deserve this. If they think this is the truth, then maybe they deserve this as a way of punishment.

And it’s not that she agreed with the content she was writing. Tamara says she’s a liberal, and she was “horrified” by the content she had to rewrite. She told the BBC that she basically turned off her brain and became a set of hands at a keyboard as she rewrote US articles to hide them from being flagged as plagiarized content.

I try to split myself and my own beliefs from the stuff I was writing. So I tried to stay as out of it as I can. I just saw it as writing words. I tried not to think about writing propaganda.

So why did she stop?

Read more at https://nakedsecurity.sophos.com/2019/06/03/fake-news-writer-if-people-are-stupid-enough-to-believe-this-stuff/

G Suite users will have ‘confidential’ Gmail mode set to ON by default

By Lisa Vaas

Google announced on Wednesday that on 25 June 2019, its Gmail confidential mode will be switched on by default as the feature becomes generally available.

The feature gives G Suite users who use Gmail the option to send emails with expiration dates or to revoke previously sent messages. It also prevents recipients from forwarding, copying, printing, or downloading messages. Since confidential mode will be switched on by default, admins will have to switch it off if they so choose – for example, if they’re in industries that face regulatory requirements to retain emails.

Google introduced confidential mode for personal Gmail accounts last year and made the beta available in March 2019.

The screenshot/photo caveats still apply

As with other ephemeral-messaging services, including Snapchat and ProtonMail, there’s nothing stopping recipients from doing a screen grab of a message or simply taking a photo of it.

And as we noted in April 2018, when Google first gave admins a heads-up about confidential mode, there’s a reason why the company called it “confidential” rather than “private.”

For one thing, an email sent in confidential mode isn’t encrypted end-to-end. That’s unlike ProtonMail, the end-to-end, encrypted, self-destructing email service.

Read more at https://nakedsecurity.sophos.com/2019/06/03/g-suite-users-will-have-confidential-gmail-mode-set-to-on-by-default/

Unpatched Docker bug allows read-write access to host OS

By Danny Bradbury

There are lots of books on tools and techniques to secure software containers, but what happens when someone discovers a basic architectural flaw? And what do you do when there’s no working patch for it?

That’s the situation in the Docker universe this week after Suse developer Aleksa Sarai uncovered a bug in the way that the container framework handles path names.

The bug lies in FollowSymlinkInScope, which resolves file paths given to the Docker container system. Because the function doesn’t immediately use the file path after resolving it, it creates a race condition. An attacker who can interfere with the resolved file path could change it, potentially giving them read-write access to the host OS as a root user.

Containers are a software packages that contain an application and its dependencies. They’re designed to run in exactly the same way, regardless of infrastructure and work by virtualizing an operating system (unlike Virtual Machines that virtualizing hardware). Like Virtual Machines, Containers are not supposed to be able to influence their host container.

This all sounds very serious, and the National Vulnerability Database (NVD) ranks the bug severity as high. Nevertheless, Docker security engineer Justin Cormack had his own context for the flaw, in a statement mailed to Naked Security:

The vulnerability is a rare/unlikely scenario that would require an already compromised container, a copy being made without pausing the container, and a bad actor that knows when that copy is being made.

Someone would have to be using docker cp, a docker command used to copy files between the host OS and the container. The attacker would have to modify the files at the same time the copy was being made. That window is just a few milliseconds long, the company pointed out in its mail.

Read more at https://nakedsecurity.sophos.com/2019/05/31/unpatched-docker-bug-allows-read-write-access-to-host-os/