Features Of Stealthgenie

StealthGenie has multipurpose features like:

• It can help you trace call records, call logs and does SMS monitoring.
• You can also keep an eye on all the email exchanging and internet browsing that is done on the target device.
• It allows geo fencing and geo location monitoring.
• It allows live call intercept.

Key Features:

• It allows you live call intercept, i.e. you may be able to get connected to an ongoing call and conversation without being detected.
• Another important feature of this software is that of SMS monitoring. The SMS feature of StealthGenie enables you to read all the SMS received on and sent from your target’s phone, including the trigger numbers.
• It also enables you to receive instant alerts on messages containing trigger words and phrases that you have set. You are instantly notified when these words are mentioned in an SMS.
• SMS redirect feature enables you to send an SMS from your member’s area to any contact saved on the targets phone or any other mobile number. The recipient of the phone will get the impression that the SMS was sent from the monitored phone.
• Geo tracking is one of the best features of StealthGenie. It enables you to view your target smartphone’s geographical location on the map, and as the location changes, you’re updated. Then there’s geo fencing which enables you to define the boundaries which you would not like your target to cross and in case they do, you’re instantly notified of that.
• Other features include recording the live surroundings of your target and monitoring the emails and contact list of your target. The information relating to photos, videos, internet browsing history and bookmarks, blackberry chat messaging and stored music history is also provided.

StealthGenie is a very efficient and unique low-cost mobile spy software application with features that very clearly makes it worth buying as compared to others in market. In today’s fast-moving world where everyone is busy earning a living, the existence of doubts and insecurities is inevitable. In such cases, this software may prove very beneficial for the buyers of the product who might be in any kind of doubt regarding their relations. So, to remove all your doubts and live a peaceful life, one must make StealthGenie a regular part of their life!

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage, Google+:

Carrier IQ is a tool that runs on almost all modern smartphones, installed by your own favorite carrierrunning the app on one of their own phones. This is basically a keylogger that captures all your keystrokes & monitors user’s full phone activity.

How to Remove, Disable Carrier IQ Keylogger

Logging Checker is a too developed by Trevor Eckhart, which checks logging activity on your phone and lets you know where the logging data is going to. Besides checking Carrier IQ logs, it can look for Google and HTC Usage logs, Dropbox logs etc. It lets you check app usage logs in a UI as well as giving you some pretty strong internet security features (like enabling HTTPS wherever possible and more).

It checks:

• Check CIQ files (Root Only)- Sees if CIQ exists in your system
• Check Google Usage Logs(Root Only)- Checks for logs in /data/system/usagestats
• Check HTC Usage Logs (Root Only)- Checks for logs in /data/system/appusagestats
• Check Devlog (Root Only) – Checks /devlog partition, written out by htc_ebdlogd
• Check Dropbox Logs(Root Only)- Checks for logs in /data/system/dropbox
• Check UserBehavior DB(Root Only)- Reads user Behavior monitoring database
• AppUsage UI – See app usage logs in UI
• CIQ APP UI – Attempts to open all known CIQ Activities
• Start HTCLoggers – Start HTC Logging Activities

This app has started to turn into a full security suite. It can be used to verify what logging is being done on your phone and where data is going to. It will assist you in manually removing parts you do not running (see post#1), or you can go pro for automatic everything (and support me).

We had a chance to check this app on various unlocked Android devices, and we found Carrier IQ was not present on Samsung Galaxy S, SII, Nexus S. However, it is definitely present on carrier specific locked phones.

Go ahead and launch the application, tap on CIQ Checks and then read the scrolling text at the bottom which will let you know if it found Carrier IQ activity or not.

Free app only checks the presence, paid version can assist you in removing it. Download Logging Checker [Official Thread], Get Logging Checker Pro [Market]

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage, Google+:

Michigan police was already found to do that last month, but if sources are to be trusted, they are going nationwide in US and soon in several other countries. The device used is the CelleBrite UFED, which is able to copy most of the data on over 2500 different mobile devices. It does all that in under 2 minutes. UFED brochure claims:

The UFED system extracts vital information from 95% of all cellular phones on the market today, including smartphones and PDA devices (Palm OS, Microsoft, Blackberry, Symbian, iPhone, and Google Android). Simple to use even in the field with no PC required, the UFED can easily store hundreds of phonebooks and content items onto an SD card or USB flash drive.

And technical description:

The UFED hardware with Physical Extraction module, used to create Physical and/or Logical dumps from mobile devices, which can then be saved to a USB disk drive, SD memory card, or directly to your PC.ƒ The UFED Physical Analyzer (PA) PC application, which provides an in-depth physical memory analysis of the extracted mobile phone data (phonebook contents, SMS messages, call logs, image files, video files, audio files, and more) The Physical Analyzer also serves to generate comprehensive and verified evidence reports of relevant data extracted and analyzed from the mobile device.

The UFED Physical Analyzer software allows the investigator to perform in-depth analysis of the extracted data
and generate reports. The UFED PA application provides the following key features:

• ƒ Analysis of the hex dump with a layered view of memory content
• Provides a detailed view of the hex dump
• Reconstructs the phone file system
• Decodes contact lists, SMS messages, call logs, phone information (IMSI, ICCID, user codes) and more
• Provides a view of data files – images, videos, etc.
• Provides access to both current and deleted data
• Retrieves phone passwords
• Simple viewing and user friendly browsing of information

ƒ Powerful search tools

• Instantly search for project content
• Search the hex dump or file system

Search by various parameters such as strings, bytes, numbers, dates

• Use GREP search (regular expressions) to look for specific data strings
• Bookmarking memory locations for indexing of key areas for later review

The ACLU fears that the next time you get stopped for speeding in Michigan, you’ll be handing over your cell phone, and your entire mobile history, to the nice officers. Of course, you have no idea into what all they can grab. Of course, you don’t have an option.

There’s something thats more scary than being able to extract your information — Being able to inject information into the phone like fake call logs, gps logs, text messages, calendar appointments. It would open your call log SQLLite DB (in the case of an iPhone, Android) and write a new entry. e.g. If my intake information says I received the phone at 15:20:00 but there is a write to phonecalls.sql at 16:22:00 User better have a logical explanation.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone, Android and latest in Tech @geeknizer on Twitter or by subscribing below:

Researchers from the University of California Davis, have successfully decoded the keystrokes on an Android on-screen keyboard by measuring the wiggles, jiggles, and vibrations picked up by the device’s accelerometer caused by pressing onscreen keys. Hao Chen and Lian Cai claim that this is a big deal coz almost any app can use the accelerometer without attracting user attention. Accelerometer data can sure be collected in the background, without a clue.

Any script kiddie can do it on windows, but smartphones have a more robust approach to applications and permissions, that makes it even harder.

How Accelerometer is used as Keylogger [PDF whitepaper]

Using the 3-axis of the accelerometer, keylogger can be built with accuracy of upto 71.5%, on an average.

Every key has a unique “pitch, roll and yaw” fingerprint that can be identified absed on the sample data that had been compiled in advance. The data looks like the patterns below.

The accuracy actually depends on the sensitivity of the accelerometer, so it varies from device to device. Newer Android phone’s accelerometer have response times of the order of 30ms vs 110ms on older ones like Original Motorola Droid.

The motion of a smartphone during typing depends on several factors: 1) the striking force of the typing fin- ger; 2) the resistance force of the supporting hand; 3) the landing location of the typing finger; and 4) the location of the supporting hand on the smartphone. The first two factors mainly affect the shift of the phone, while the lat- ter two mainly affects the rotation. We observe that the first two factors likely depend on the user, while the lat- ter two are likely to be user-independent because (1) on each soft keyboard configuration, each key is at a fixed location, and (2) a user typically holds her smartphone in a consistent way. Therefore, we would like to extract the rotation components while filtering out the shift compo- nents from motion sensor data.

Achieving 71.5% accuracy, on average across all devices, for numpad keys is a good number to begin with.

TouchLogger performs even better on larger and newer devices like tablets, given that they have gyroscopes and better cameras.

Possibilities

Although this cannot be considered a bug in Android or any other smartphone, its sure is hardest to get rid of. Even by capturing numbers alone, enough private data about user can be collected.

If someone takes these algorithms and port to javascript, its easy to grab your keystrokes on a random webpage that has asks for say credit card and/or password.  XSS/JS injection can do wonders to it.

The app would be demoed at HotSec in San Francisco next week.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

Microsoft is gathering data from Windows Phone 7 handsets that connect to wi-fi networks, along with cars that go around sniffing out hotspots, and logging it all here. I don’t know why by anyone can get access to the data. Cnet did a self test of various MAC address of its Windows devices and found themselves with complete location history.

How it Works: iPhone and Android devices automatically change their Wi-Fi MAC address when acting as an access point. Android devices appear to choose a MAC address beginning with 02:1A.

Google’s database doesn’t include the MAC address 02:1A:11:F2:12:FF. But Microsoft’s does, and reports that it is located in the Embassy of Montenegro on New Hampshire Avenue in Washington, D.C.

Ugly Part: Since you might have used your smartphone’s Tether Wifi hotspot,  its highly possible that your data has been captured by Microsoft and available to public. If an attacker knows your MAC address, he already knows your mobile activity on the map. Story doesn’t end here, Microsoft still doesn’t comment on whether they collect additional data on the WP7 devices  like the devices connected to the network. What this means is that they might have also captured all phones, laptops connected to those Wifi networks. So If you’ve ever connected to a Wifi (which you often do), your location might be already public to everyone.

Microsoft’s statement:

“To provide location-based services, Microsoft collects publicly broadcast cell tower IDs and MAC addresses of Wi-Fi access points via both user devices and managed driving. If a user chooses to use their smartphone or mobile device as a Wi-Fi access point, their MAC address may also be included as a part of our service. However, since mobile devices typically move from one place to another they are not helpful in providing location. Once we determine that a device is not in a fixed location, we remove it from our list of active MAC addresses.”

Ugliest part of the whole story is that  there’s no way to “Opt-out”, you can’t prevent your MAC address from being added.

How to check if your location is Public or not

Go to this website and enter your mac address, if you see your location info, go and fight with them.

Update: 31st July – Microsoft seemed to have fixed the problem [via]

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us @geeknizer on Twitter OR on Facebook Fanpage:

Hacktivist group Anonymous has already teamed-up with LulzSec, to launch Operation Anti-Security (#AntiSec), has alarmed the cyber defence industry and got almost everyone involved in the discussion. As per the official statement from AntiSec:

“the government and whitehat security terrorists across the world continue to dominate and control our Internet ocean. Sitting pretty on cargo bays full of corrupt booty, they think it’s acceptable to condition and enslave all vessels in sight. Our Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011.”

“We encourage any vessel, large or small, to open fire on any government or agency that crosses their path,” … “We fully endorse the flaunting of the word ‘AntiSec’ on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.” “Top priority is to steal and leak any classified government information, including email spools and documentation,”. “Prime targets are banks and other high-ranking establishments. If they try to censor our progress, we will obliterate the censor ….” A LulzSec tweet declared simply,  “anarchy is now.”

The new partner’s first show of strength was a distributed denial of service raid on the website of Britain’s Serious Organised Crime Agency (SOCA) and its obvious that there will be a Fission of hacks happening around the world. Iranian hackers and nearly 20 other hacker groups have already joined the cause, at the time of writing. Several hundreds would follow.

No one is sure what it may all lead to, but the point worth noting is that Governments are worried, and Anti-corruption gets its first global CyberWarfare. Every citizen should be excited, are you?

A video from NMA tv explains it differently:

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage:

Lulzsec hacker group have been on a hacking rampage since a while now. They have been taking down sites of the CIA, Sony, FBI and a bulk of other large and small companies. Motive behind the hacks has rather been dicey, is it for fun or something else. The document is available on Pastebin and their activities are visible via their Twitter account.

Very recently they hacked released 62,000 username and passwords of a popular porn site. However, the ugly part of the story is that users tend to have similar passwords for all their accounts: mail, facebook and even paypal. Hackers and script buggies have been scanning the password list and discovered that this is actually the case for most users whose username/passwords have been shared in the leak.

If you analyze the password list, its not hard to figure out that a lot of users registered on the porn site are actually people from government organizations. Other than that Google, Yahoo, facebook have already out the accounts corresponding to those ids on hold till user verifies the ownership to prevent all kinds of misuses. However, hotmail and other unpopular email providers are still vulnerable.

What You can do: Staying secure online

Go through the password list and if you are on it, you are probably already in trouble. Going further, make it a habit to have different user/password combos for different sites. Doing so can be hard but if you follow a pattern for passwords, remembering them could be piece of a cake. e.g. you can change the first or last digit of the password based on the domain name. A password that was “pA$$w0rdG” on gmail would become  “pA$$w0rdf” on facebook. Do something similar, but purely your own idea.

What is the Future of LulzSec

Lulzsec would continue to hack down the internet with almost no clear intent. The press release states that for the past month or so they have been causing chaos throughout the internet by attacking several targets and they’re going to bring down more internet laws by continuing their public shenanigans, and that their actions are causing clowns with pens to write new rules for users.

They say that releasing data is just as ‘evil’; however they mock by saying, “This is the Lulz lizard era, where we do things just because we find it entertaining.”

They conclude by saying, “We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be.“

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizeron Twitter OR on Facebook Fanpage:

Government has shifted its older ways of monitoring traditional landlines, phone calls, to cell phones and email, while they try to hunt down the criminals and terrorists.

We don’t care about this, coz its for our own safety at the cost of privacy that remains in the hands of officials behind closed doors. But the truth is, giving backdoor access to governments make a business’ data more vulnerable to the bad guys as well.

Which Countries spy on citizens?

Governments in US, UK and EU already monitor citizen’s mode of communications.

How do they do it?

Government may not peek into everything, but the most relevant data like: Email subject lines, mobile phone GPS locations, call histories. Trust me, this data dtogether makes up piles of data that is sent for monitoring to governments.

Julian Assange, head of WikiLeaks,  stated that tech companies, such as Facebook, are so accessible to US intelligence agencies that they act as de facto information gathering sources. You would be surprised to knwo the facts shown in the video below:

EU is working with several telecom giants to assist them in establishing automated data mining for mobiles, email, social networks, etc. This data, however, is not accessible to any human, a unless required. Mostly smart algorithms would determine suspicious activity before they are put under scrutiny.

Backdoors that grant access to the FBI or NSA also serve as tempting targets for everyone else. Whether they are exploited for identity theft, or used to coordinate concentrated cyber attacks from other nations, wiretapping access is a proven weak point in telecommunication security.

Here’s another news video on the topic:

How secure is your online information? Depends on how much attention you’ve gained by posting an update to the web.

via NYtimes

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@geeknizer on Twitter OR on Facebook Fanpage:

Security researchers have comeup with a new tool that can verify email account existance/genuineness for people at businesses, even if the address hasn’t been published online and lies in a closed private company.

Peepmail assures the delivery of emails to everyone from Apple’s Steve Jobs and Microsoft’s Steve Ballmer to the random guy whose business card you lost. It uses the knowledge of the mail protocol to verify email delivery. Simply stated, its based on the fact that many email servers will inform the email sender whether the address is valid, even before the message is actually sent.

Peepmail does a great job at finding the email address for any person in the world using his first, second name. Peepmail tests permutations of the name until the company’s email server responds with a message that indicates the address is valid. However, peepmail tricks the server, and doesn’t actually sends the email, so the person being looked up has no idea about it.

We tried peepmail to actually locate email addresses of business corporates. With our tests, the app did a good job by giving the right email 50 percent of the time.

For cetain searches, the tool failed to return any email address, thats because some mail servers don’t actually reply back whether an address is valid before getting the email. They just digest every incoming email and later send back an error message only after the offending email is sent.

The developer of the tool claims that the tools is not intended to hurt privacy of the corporates, but its a Proof of concept that shows how vulnerable our email servers are, and how bad our Email security is,  “I created the tool to demonstrate what has been possible for years but very few people know,” he said.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

Apple has integrated this malicious behavior into iOS 4 and its so dirty that it takes automatic backups every time it’s connected to iTunes, then pulls out a lifelong list of your locations, timestamps included. This data can be visualized using iPhoneTracker, showing you complete location history.

Apple uses Cellular tower triangulation and that’s why it always works no matter your GPS is off or out of range. This location data is available to any person (or app) that knows where to look.

How to Disable iPhone location Tracking

Thanks to the Jailbroken app in Cydia, its now possible to escape this apple’s blunder. The app is called “Untrackerd” and it continuously watches and deletes the database that is used by apple to store location data. The app is available for free on Cydia under BigBoss repository, simply search for Untrackerd on Cydia and install it to prevent your iPhone from tracking your location.

The package [will install a] daemon (process that can run in the background) to clean consolidated.db file. No new icons are added to your homescreen. There are no options to configure.

We write latest and greatest in Tech Guides, Apple, iPhone, Tablets, Android,  Open Source, Latest in Tech, subscribe to us@taranfx on Twitter OR on Facebook Fanpage:

Read more about how to Jailbreak your iPhone: http://geeknizer.com/untethered-jailbreak-ios-4-3-2-iphone-ipad-ipod-touch

Now users can now create/select groups to whom an update would be shared rather than sharing it to everyone  or all friends. It’s a simple way to stay up to date with small groups of your friends and to share things with only them in a private space. The default setting is Closed, which means only members see what’s going on in a group, along with group chat with members.

What’s even better is that Facebook now allows you to download everything about your profile, in one click. This includes – your messages, Wall posts, photos, status updates and profile information. Once the feature rolls out to your account, All you need to do is head to Account > Account Settings > Download Your Information. From there, you can download a zip file containing all your profile information, including your photos, wall posts, messages, videos, friend lists, and other content. If you unzip the file, you can actually view a simple HTML page of your profile, with simple links to all of these things.

A new dashboard has also been announced that would give you visibility into how applications use your data to personalize your experience. Definitely, this will prevent all the spammy messages from appearing, which apps had been flooding Facebook with. Also, it provides account usage detail by each of those apps.

Hope all this will cleanup the clutter on facebook and reduce the frustration of millions of users.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Facebook recently announced 500 Million users, of which 100 Million are leaked and are fully available, uncesored, unaltered for download on PirateBay. Every 3rd profile is available, and if these not so lucky users had most stuff in “info” tab open to Public, congratulations, its all in there.

Background:

A researcher, Ron Bowes, has compiled a list of more than 170 million Facebook users and the Web address of their profile page on the site and released it on a BitTorrent site, meaning it is making it accessible to millions of web users. Initially, he wrote a script to download all Facebook profiles listed in the social network’s public profile directory, which only includes people who have configured their settings for Public Search Listings to be available on Facebook.

He had the information published in his blog, which has been down for long now.

“I realized that this is a scary privacy issue,” Bowes wrote. “I can find the name of pretty much every person on Facebook.”

He also said:

“Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details,” he wrote. “If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops ”

What you should do

There’s a little you can do if the information is already in there.

But to clarify any doubts, either download the Torrent file to lookout for your name  OR  Verify your settings on Facebook.

Checking Facebook Privacy settings: Goto  ”Account”  and click on “Privacy Settings.” Then select “Basic Directory Information” and “View Settings.” If “Search for me on Facebook” is marked for “Everyone,” your information might be on the list.

With no surprises from Facebook, they were calm and cold as the restated the useless words “members have control over their settings and the information collected on them they had chosen to make public”. Even Facebook’s bug that lets Hackers delete User’s Friendlist, had cold responses from this company.

Facebook Privacy Flaw

Many Facebook members may not understand how they can configure their settings to avoid sharing more information than they would like to. Members have complained that they were forced to reset their privacy settings back to higher privacy when the company made changes to the site that undid their settings.

“Facebook isn’t going to do this for us; we have to do that for ourselves,” he said. “This is a solved problem (with cryptography)… it’s just that these sites aren’t going to implement it.”

Stay safe even with your Browser, with Browser Fingerprinting: Privacy is a Myth.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Forget privacy, a newly discovered Bug in Facebook lets hackers delete Victim’s Facebook friends, without permission.

The flaw was reported by Steven Abbagnaro, a student in New York. But as of Saturday  morning, Eastern time, it had still not been patched, based on tests conducted by one of the security analyst.

The Facebook Hack

Combined with spam,  or a self-copying worm, a hacker to create a havoc on the Facebook social network. The hack captures publicly available data from users’ Facebook pages and then, one by one, deletes all of their friends. For the hack to work, the victim has to be made to navigate to a particular link, and that’s all.

Obviously, this looks like a cookie stealer code which uses user’s Facebook authenticated cookie to access the profile and create certain actions. Fortunately, the security code used in this attack has not been made public, but will go public when Facebook fixes the flaw, but it wont be long before Elite hackers would figure out how to trigger it.

The flaw and related behaviors had been observed by Keith. He discovered that Facebook’s Web site was not properly checking code sent by users’ browsers to ensure that they were authorized to make changes on the site. So this could mean that the attack doesn’t even utilize a cookie and can rely on session ids to trigger XSS (cross site scripting) forgery.

Facebook attempted on fixing the early reports of forcefully “like” on links, pages by hackers, but the exact problem was not fixed and is still left ready to be exploited.

For Facebook,  security has always been a trouble. Some times its malicious Facebook Apps that hit on User’s privacy or even hack/alter information without user’s consent. Their QA team had been under siege lately, tracking down 100s of issues everyday. These security issues plus Facebook’s native Privacy negligence makes it the most unsafe place on the internet. They need to overhaul the way they work, user’s data is not their property and hence can land them into trouble if issues grow in number.

Users have been quitting the social network and a several campaigns on the same had seen some successful results.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Apart from capturing the said data, Google has “mistakenly” collected payload data from “open” (un-encrypted) WiFi networks as its Street View cars drove around taking pictures. Google humbly said that they never used any of that data, and company has decided to completely stop collecting WiFi data from its Street View cars.

The data which was mistakenly collected had almost everything users were doing over Open wifi networks — Anything from browsing, emailing, IMs, and what not.

Last month, in a blog post they detailed what kind of data was Street View cars collecting in response to an inquiry from German lawmakers. Google reported that they use only 3 of those for use in Google’s location-based services, like Skyhook Wireless‘s services for locating devices without use of GPS.

Recently, Google reviewed the data that Street View cars had collected and found that some “samples” of information users sent over their networks were indeed saved. Why, Google explains:

“In 2006 an engineer working on an experimental WiFi project wrote a piece of code that sampled all categories of publicly broadcast WiFi data,” Google’s Senior VP, Engineering & Research Alan Eustace wrote. “A year later, when our mobile team started a project to collect basic WiFi network data like SSID information and MAC addresses using Google’s Street View cars, they included that code in their software—although the project leaders did not want, and had no intention of using, payload data.”

Google wants to harden future policies on data privacy, and that is why they have asked a third party to review what was collected and confirm that it was deleted. It also plans to review its procedures to ensure something similar doesn’t happen in the future.

Every company makes mistakes, but only few come forward and admit it.

We write about Google,  Security, Open Source, iPhone, Android and latest in Tech @taranfx on Twitter or by subscribing below:

The number of spamming, phishing have taken a new Horizon. Leaving the web aside, apart from spamming, Phishing is common on phones too. Consider this, you get a call from a correspondent who pretends to be from your bank and with little “intelligently faked” information about you, (say some kind of your recent activity), would be enough for you to trust the other party. In fact, in 95% of the cases, users would fall for it without bearing a doubt in mind.

Honestly telling, its really hard to tell when you are wrong. Its hard to figure out who is calling you and your family. The right thing to do is Reverse Number Lookup. To start with you can look for any of the free Phone Lookup which would provide you a report includes information, when available, associated with residential, business, cell, unlisted, non-published, Internet, pager or pay phone numbers, plus name, address, carrier, connection status and more. Sometimes it could be just your curiosity to findout the actuals of a call, or even the identity of a missed call., these kinds of services always are helpful.

Tracking the Cell Phone Location
In case you a successful lookup results out to be a cellphone with outdated, or in some cases totally false information, Mobile tracking is your next step. The mobile tracking (you’ve probably hard about it) is now being offered to the general public at least in some countries like US, UK. For most other countries, its still availble to government agencies, and to police authorities only.

Apart from dealing with pranksters, tracking companies are even targeting employers, who are able to track their staff members and receive detailed reports on their daily movements.

How does it work: Mobile phone tracking is set up using the SIM card, with an ID number that trackers can then enter online to view a real-time location. Although this can be legitimately initiated by asking permission from the phone user, the system is open to misuse.  Although the tracking company is legally required to send occasional warning messages to the trackee’s mobile, but a recent analysis reported that none of the phones in that experiment received any such warnings. Other researchers have found that it is perfectly possible to track someone for two or more days before they receive a warning. The methodology is as simple as sending a text message to the victim’s cellphone, before he’s pinpointed.

So what this means is that before even you get into a legal action with a prankster, you can track him without his knowledge, which is helpful in most of the cases. Of course, this technology has the side hurting the privacy of the masses.

How do you avoid it?

The Data Protection Act saves the day. Tracking companies are legally obliged to ask permission from the tracked person, and then to offer options for dropping out or registering preferences. For instance, a tracked employee can contact the tracking company to stop them carrying out traces on weekends.

And of course there exists the last resort: If you suspect you’re being tracked, look out for suspicious text messages, and keep your mobile switched off when you don’t need to receive any calls.

To summarize, here’s what you can do to get rid of potential implications of this tracking ability:

• Switch your mobile phone off when not in use, or when you see suspicious messages.
• Don’t give out your mobile phone number on forms/forums/internet – use your landline or perhaps email.
• Don’t transmit your credit card details via your mobile, its easy to tap the calls.
• Never trust strangers on phone unless they prove themselves.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

The method grabs a large amount of data about your browser, such as plug-ins, system fonts, and your operating system, screen resolution, etc. Each one when considered alone, they don’t identify you. But when collaborated, they’re a digital fingerprint: A Digital replica of you identity on the web.

It’s like describing a person. Just saying “blonde hair” won’t identify anyone. But add in “5 feet, 11 inches tall,” “mole on left little finger”, “versace glasses,” and so on, and soon you have enough information to pull someone out of a crowd, even without their name, PAN/SSN, or any facial recognition.

Probably, if you are concerned, you might consider taking a “safe” test at Panopticlick.eff.org. Panopticlick gathers little details about your browser and computer, mostly using Javascript. For what I tested my Chrome with, it claims to to uniquely identify my surfing out of more than 760,458 visitors. And the fact is, more than 90% of them are unique. In other words, there’s 9/10 chance that your identity is unique and you are traceable wherever you go.

Some Background
Electronic Frountier foundation, (founder of the Panopticlick project) claim that it’s accurate to high degree.
But who Invented. Unlike most bad intentions behind privacy lapses, the original intent  of Browser Fingerprinting was to prevent Banking Frauds. Often hackers used anonymous proxies to deface websites, but since the browsers stayed the same (in most cases, if not all), they were still back-traceable.

Privacy issues
Things often take a different shape with time. As PCWorld notes,  Scout Analytics, a publisher’s analytics tool, collects not just browser data but also some advanced fingerprints like how you type–things like your typing speed and typing patterns.

The data is all collected using javascript alone, and therefore very hard to prevent. The company says that it sells its service primarily to paid subscription sites, such as those offering real estate listings, and that it is keen to expand into marketing and advertising by helping sites track visitors in a way that, as he notes, is more accurate than using cookies. (Cookies can be deleted, which makes a repeat visit look like a new person to the site.)
Short of in-depth analysis of a given page, browser fingerprinting doesn’t leave tracks, so it’s hard to pinpoint sites that use it. But clearly advertisers want accurate tracking.

Does Law stop it?
The question is can sites legally use this fingerprinting? Existing guidelines from the Network Advertising Initiative wouldn’t allow it if a target had opted out of it for use in behavioral advertising.
But these hardly apply anywhere except for few states in US. There is no clear cut law on this for the web.

Counterfeiting Browser Fingerprinting
Virtually, reading every website’s Privacy Policy could help understanding their tracking, but it’s way too distant dream for each user to read each one of those websites.
EFF has listed some critical ones that can help you stay out of the mess, but they are not as easy as deleting a cookie. Most important among them are:

1. Try using a non-rare browser i.e. use a browser which is popular. This way you owe higher chances of duplicating someone else’s fingerprint thereby making your signature  non-unique.
2. Disable Javascript: this is impossible to do if you live on the modern web, but when possible do it. Usage of addons/extensions like NoScript  can be considered better but you can endup blocking Ads and ad Blocking is devastating to the sites you love.
3. Use TorButton: Tor button addon strips-off some private ids like useragent strings and “Standardizes” them for making it hard to backtrace.
4. Use “Private Browsing” Almost all modern browsers like Firefox, Opera, Chrome support Private browsing which protect their users against fingerprint tracking

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Now, if it looks like something unusual is going on with your account, Gmail will alert you by posting a warning message saying, “Warning: We believe your account was last accessed from…” along with the geographic region, as illustrated below:

In order to make this possible, Gmail keeps track of your frequently used IPs and then matches with a totally new one newly incurred. Apart fromt his, Gmail already featured list of IPs from which your account was last accessed. This info can be seen by clicking “show details” from the Footer of gmail page. It looks something like this:

Its always a good idea to change the password when you feel some unusual IP appears.

We write about Google, Twitter, Security, Open Source, Programming, Web, Apple, iPhone,Android and latest in Tech @taranfx on Twitter or by subscribing below:

Recently, at Black Hat DC conference, a security consultant (Jorge Luis Alvarez Medina) demoed how it’s possible to exploit a flaw in Internet Explorer browser that turns your personal computer into a public file server. In other words, attacker can remotely read files on the victim’s local drive.

There are a few ways to initiate the attack, which is somewhat complex because you have to “string alot of the features together to build an attack tool,” Medina said. One method involves enticing the victim to click a link to a malicious Web site.

The flaw is said to work across all versions of Internet Explorer, and just can’t be fixed in a single shot. Medina said it doesn’t appear that the IE flaw is subject to patching because it encompasses design features related to how IE and Windows Explorer handle zone elevation, HTML code and MIME types.

Related:

• All Windows PC Exploited by a Hack
• Windows 7 Kills Laptop Battery

As a response, Microsoft prompted a security advisory

Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location. These versions include Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service 4; Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4; and Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows Server 2003 Service Pack 2. Protected Mode prevents exploitation of this vulnerability and is running by default for versions of Internet Explorer on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008.

A workaround, according to Medina, would include setting “IE Network Protocol Lockdown,” adjusting the security level setting for the Internet and Intranet Zones to “high,” and disabling Active Scripting for the Internet and Intranet Zones with a custom setting.

Perhaps, the best that can be done is to use a different browser.

One weakness in IE is that it “doesn’t behave consistently. when accessing the same resources,” he pointed out. This exploit leverages it by “chaining the exploitation of a series of weak features.”

His dialogue with Microsoft’s security team about the exploit so far has indicated that Microsoft thinks this is not something it can fix because the flaw is so much a part of the fundamental design of the browser.

Complete Details available in this Paper [PDF]

Wake-up “User“, Are you still on IE?

We write latest in Microsoft, Windows 7, Android, Google, iPhone, Tech Guides, Open Source, Security get them all @taranfx on twitter or below:

A Swiss iPhone developer has unveiled a new application that is capable of harvesting huge amounts of personal data from iPhones, including geolocation data, passwords, address book entries and email accounts information, images, Safari Browsing history, youtube, keyboard logger, etc. all this using just the public API exposed by Apple’s SDK.

In oder for this application, SpyPhone,  to work, it does not need any exploits or any jailbreaking/firmware modification, attacks in order to access the iPhone’s data. Instead, SpyPhone relies on using the iPhone’s usability and depth of features to its advantage. Once an application is on an iPhone, it has unrestricted access to the large amount of the data and settings available on the device.

Seriot, the application developer, has posted the source code for SpyPhone online and gave a talk detail document on iPhone Privacy at a security conference, earlier this week.

The Worst Part: SpyPhone is more like a Trojan sitting in your OS silently and stealing data. All of the SpyPhone’s operations are executed in the background, without the knowledge of the iPhone’s owner, and just like any other Trojan, the application can be set to email reports on each infected phone back to the attacker.

Seriot mentions in his presentation:

Spywares are on the AppStore

And when this kind of app makes it to App store, it becomes a serious issue. And who knows if “one of those spyware apps” already has SpyPhone-alike features.

No doubt, Apple has taken utmost efforts to keep strict control over what applications (their rejections are the proof), but despite their effort, exposing a lot of core of the Operating system has leaded them to misery.

What do you think?

Often, Facebook `s apps been known for their scam activity. For those who don’t know, the most popular game FarmVille is nothing but  ScamVille, and KoobFace is one worm that almost infected millions.

Everything that you now do on Facebook is configurable. Users can now designate content they post as being viewable to just friends, or friends of their friends, or everyone. Earlier, this wasn’t the case. For instance, Images posted on Walls are viewable by friends of friends providedone of the common friend comments on it.

The realization came after lots of allegations that stand against the Facebook:

Finally, Google has taken a wise decision to counter the concern. The step is to comply with Data Liberation Front.

Starting Today, Google will give you the power to manage the Data that is exposed to Google. The user control comes through “Dashboard,” a tool for giving users of its services an all-in-one view of their personal information tied to the various Google services they use.

Dashboard lets users see info about their Web, email usage and additional stuff like when they are logged into Google services such as Gmail, YouTube and Google Calendar.

You can get a glimpse of the service in this video :

As illustrated, Dashboard will let users delete information as well

On its blog, Google welcomes Data Liberation as:

“In an effort to provide you with greater transparency and control over their own data, we’ve built the Google Dashboard. Designed to be simple and useful, the Dashboard summarizes data for each product that you use (when signed in to your account) and provides you direct links to control your personal settings. Today, the Dashboard covers more than 20 products and services, including Gmail, Calendar, Docs, Web History, Orkut, YouTube, Picasa, Talk, Reader, Alerts, Latitude and many more. The scale and level of detail of the Dashboard is unprecedented…”

Subscribe to Twitter, RSS, or join Facebook fanpage for more Tech news and updates

Back in the days, it needed a undercover agent to spy on one person, Today all you need is Google Earth to do it on whole community. Using motion capture data the Google Earth has succeeded in mapping and animating the real time movements of cars, people and clouds. proper version the application is coming up next month. By that time, they are expected to add  weather patterns, birds and river motions to that list.

Georgia Institute of Technology’s students are collaborating with Google to integrate all this in Google Earth. For this, they are using CCTV video to map actual vehicles and people. This is Scary.

The good thing at this moment is all the data displayed is anonymous, which makes it legal technology. What you get to see is the amazing stuff : watch a football game in real time or the actual traffic in your route to work before deciding which route to take etc.. And it would be good for Traffic control systems to eventually control over the congestion by pinpointing the cause.

But wait a minute, think about the other side:

What if someone can label you someway in the virtual world. This would be as good as as having access to one of the CCTV cameras and this system. Someone labels your car, and there you go, you are being watched. There have been several Privacy concerns with Google Products. but nothing has been proved, yet.

Watch the video,

I’m all excited about the +ve side of this technology, possibilities are endless.

Let’s go by an example. Try accessing Gmail on iPhone or Android phone,  you will have notice some differences from what it used to be a month ago. The new thing worth noticing is the introduction of the offline access.

Gmail went down, offline in September, but credits to Gears, Gmail was still up and running with select Browsers. On the other side, iPhone Safari doesn’t have a Gears plugin, so how was it still running?

The answer lies with the HTML 5 standard, more specifically: the local database storage. Though HTML 5 is still in-progress, WebKit powered browsers, such as Safari, Mobile Safari, (and Firefox) have already adopted local database storage. This opens a new door of opportunities for developers to create and innovate subsequently to read from/write to a fully capable: Locally stored, Relational SQL database via the web browser itself.

Current Gmail’s iPhone release is the first web app that I’ve seen using the technology.

I foresee offline-access as an important feature for NextGen web applications: for speed and availability. Like Google believes with Chrome OS , we have, practically, continued to decrease the gap between desktop apps and their web  counterparts using technologies such as AJAX, Flash, JavaFX, Silverlight, etc. which have continued to push the hard limits.

But, despite all of the added functionality, web apps suffer from inherited old limitation – They don’t exist when you go off the line. Well, that’s about to change with HTML 5.

HTML 5 App with Local Storage:  Gmail

The iPhone doesn’t allow raw file access(I’m talking of Virgin iPhone), I’ll demonstrate Gmail’s use of HTML 5 via Safari on a standard OS X platform. First thing first, in order to get Google to serve the HTML 5 version of Gmail, we’ll change the User-Agent of our PC to match that used by the iPhone.

To fake iPhone’s Safari using Safari in Windows or Mac,  In Safari, click on Preferences, then go to Advanced tab. Check the checkbox for Show Develop menu in menu bar option. Exit from the Preference dialog window, a new “Develop” menu will show in the menu bar. Click on Develop, and then select User Agent in the pull down menu. Click to select Mobile Safari 3.0 – iPhone. Here is the resultant User-Agent:

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0_0 like Mac OS X; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Mobile/5H11 Safari/525.20

Now next time we visit Gmail, the iPhone specific version of the app opens. And, the local database storage is automatically setup.

One thing that raises concern here is that the end-user is NOT informed of this. Data is being stored locally in plain text, and user is un-aware.  On the other side, Gears will at least mandate the end-user to acknowledge before it actually makes a copy of data, offline. The phone will carry a local copy of their email, which could be accessible to just anyone, if the phone was ever lost.

Now let’s see exactly what has been stored locally. The database is set up in the following location:

Windows: C:\Users\taranfx\AppData\Local\Apple Computer\Safari\Databases\https_mail.google.com_0\0000000000000001.db

Mac: /Users/taranfx/Library/Safari/Databases/http_mail.google.com_0/0000000000000001.db

New databases will be created for each separate Gmail account logged-in, each one gets an incremented number instead of “1″ that you see over there.  Now you might be thinking Which Database is that? It’s SQLite database. Surprisingly, there is no encryption, no protection, the database content can be viewed with any SQLLite compatible app: I used SQLite Browser. And the Results were alarming:

1. cached_contacts - Top 20 frequent contacts, including email address, names
2. cached_conversation_headers - Abbreviated content from email messages including the full subject, sender’s name and first sentence or two of the message.
3. cached_labels - User defined labels which can be assigned to emails.
4. cached_messages - Similar to cached_conversation_headers
5. cached_queries – Certain queries
6. unclearconfig_table - Application version number
7. hit_to_data – ??
8. log_store – Some logging info.

All are  shown in the screenshot below:

Now if someone gets access to your machine or mobile, you can guess the level of risk you are under.

Verdict:

Gears and HTML 5 represent great technologies, but  poorly implemented, and hence result in increased security risk.

Applications interface with local data storage via JavaScript API calls.  The calls, as per the specification,  are  restricted by the same origin policy to ensure that only the application which originally created the data, can then subsequently access it. When sites are vulnerable to XSS vulnerabilities, a remote attacker could gain access to local database storage and perform any type of  client-side SQL injection attacks.

Gmail might be currently suffering from any XSS vulnerabilities, as they had numerous times in the past. What’s more critical is the fact that XSS remains a too-common vulnerability and as developers adopt local database storage via HTML 5, we are sure to see plenty of vulnerable sites, which will place everyone at risk.  It is not just a privacy concern, it’s also a data integrity concern: What if an attacker can manage to write to the database just as easily as they can read from it?

Nothing more or less, I feel that the HTML 5 specification has a great deal to offer and it’s good to see it’s early adoption. But the fate of the game lies in the hands of the developers , who will have to ensure that powerful features such as local database storage do not expose end-users to increased threat.

We will use a free software accompanying your cam that will together make a Fool Proof motion detection system.

Highlight cam is a free software you can register online and start monitoring immediately and make your PC a security system and act as a silent security guard for your office, Home or any other space.

Features:

* Motion alert notifications sent via Email
* Off-site backup in case the intruder takes the computer

How to Setup:

It’s damn easy. Follow the link and Register and plugin your camera and then you’ll be asked to take a still recording of your workspace/environment you intend to monitor with no movement. It tries to adapt and learn the environment.

Then you can set the software to begin recording when motion is detected. There you go, you not only detect motion, you capture it too.

It has a premium service too. Checkout the plans here.

- If Highlight cam doesn’t work out, Motion Detection , Yawcam , Digi Watcher, are other good options you may consider.

- In Yawcam,  you can set automatic FTP uploading, emailing, or just saving captured images to your hard drive. You can even set a schedule for when Yawcam is enabled to capture images so your security camera isn’t constantly snapping pics while you’re sitting in front of your computer.

- Another good one is Digi Watcher. This one has large number of features, yet, free.

- Also, You can try Motion Detector. It’s limited on features though.

Some people like Yawcam better than others, try your flavor