Saturday, August 7, 2010

Web attack knows where you live

One visit to a booby-trapped website could direct attackers to a person's home, a security expert has shown.

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.

It uses this number and widely available net tools to find out where a router is located.

Demonstrating the attack, Mr Kamkar located one router to within nine metres of its real world position.

'Creepy' attack

Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information.

However, Mr Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.

He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.

This database links MAC addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Mr Kamkar showed how straightforward it was to use the attack to identify someone's location to within a few metres.

"This is geo-location gone terrible," said Mr Kamkar during his presentation. "Privacy is dead, people. I'm sorry."

Mikko Hypponen, senior researcher at security firm F-Secure, attended the presentation and said it was "very interesting research".

"The thought that someone, somewhere on the net can find where you are is pretty creepy," he said.

"Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual," he added.

"The fact that databases like Google Streetview's Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly," said Mr Hypponen.

Mr Kamkar detailed the attack during a presentation at the Black Hat hacker conference. In 2005, Mr Kamkar created a worm that exploited security failings in web browsers to garner more than one million "friends" on the MySpace social network in one day.

Prosecuted for the hack, Mr Kamkar was given three years' probation, did 90 days of community service and paid damages. He was also banned from using the net for personal purposes for an undisclosed amount of time.

Private browsing modes leak data

The private browsing modes on modern browsers leak information about where people have visited, suggests a study.

Available in many browsers, the private modes are not supposed to log information about sites visited.

However, the study found that in many cases the privacy mode was compromised by additions to the browser or extra security on websites.

Many extras that people add to browsers can "completely undermine" the anonymity of private browsing.

Computer scientist Dan Boneh from Stanford University led the study of private browsing modes on the Firefox, Internet Explorer, Chrome and Safari browsers.

The researchers tested when people used private browsing modes by employing adverts that log the state of the machine on which the ad is being displayed.

It found that private browsing was most popular when people visited adult sites.

Private browsing modes typically work by erasing the information logged when any site is visited.

These logs include small text files known as cookies, entries on a history file and data put in the browser's cache.

However, the study found that other ways in which a browser logs data were often left undisturbed at the end of a private browsing session.

This occurred, for example, if the site being visited used security systems such as those which protect data sent back and forth during web purchases.

Add-ons or plug-ins for browsers, particularly those that help with searching, also readily log information that the private browsing mode was supposed to delete, found the study.

The researchers concluded that, in some cases, these weaknesses were able to "completely defeat the benefits of private mode".

The paper will be presented at the Usenix Security conference which is being held in Washington, DC from 11-13 August.

Saudi Blackberry services resume

Blackberry services have been restored in Saudi Arabia, reports say.

A ban on the use of the device for sending and receiving messages was due to have come into force.

And locals said the handsets had stopped working for four hours.

But there is no sign yet that the ban has been lifted. Earlier reports that Blackberry manufacturers RIM (Research in Motion) had found a solution to security issues raised by local authorities cannot be confirmed.

The authorities object to the devices because they operate an encrypted message service, meaning that communication from Blackberry devices cannot be monitored.

Ben Thompson, in Dubai, said that there are conflicting reports about why the handsets are currently working again.

"Services are up and running again across the country," he confirmed.

"But inevitably, that raises more questions than it answers. If RIM did grant Saudi Arabia access to its security codes, other countries in the region would now expect the same.

"The UAE - which is threatening its own ban by October alongside Algeria, Indonesia and India would all be expecting similar deals."

Dubai-based British businessman Nazar Musa said that there had been a lot of local interest in the issue.

"There's been an awful lot of discussion and debate about the Blackberry issue," he said.

"Clearly as a centre of regional business and with links and ties to the rest of the world the use of Blackberry services is vital."

He added that there had been "limited concern" expressed on chat rooms about the desire of the authorities to access the data itself.

RIM has been contacted.

In a statement earlier this week a spokesperson for the company said that the devices were deliberately designed to prevent anybody from accessing individual message data, which is stored on servers in Canada.

"RIM cannot accommodate any request for a copy of a customer's encryption key, since at no time does RIM, or any wireless network operator or any third party, ever possess a copy of the key."

Net neutrality talks stall in US

US regulators have halted closed-door meetings intended to find a way to make sure all web data is treated equally.

The Federal Communications Commission began the meetings after a court limited its net regulation powers.

The FCC faced criticism over the meetings by groups that supported the principle known as net neutrality.

The FCC decision follows reports that Google and Verizon hatched a separate deal to allow faster speeds for web sites that pay for the privilege.

"Any outcome, any deal that doesn't preserve the freedom and openness of the internet for consumers and entrepreneurs will be unacceptable," said FCC chair Julius Genachowski.

Both firms denied they were close to an agreement that many fear would lead to a "two-tier internet".

Google said: "We remain as committed as we always have been to an open internet".

In a blog post net service provider Verizon also clarified its position.

"As we said in our earlier FCC filing, our goal is an internet policy framework that ensures openness and accountability, and incorporates specific FCC authority, while maintaining investment and innovation," wrote David Fish, executive director of media relations for Verizon.

"To suggest this is a business arrangement between our companies is entirely incorrect," he added.

Despite the public statements, reports that an agreement will soon be announced persist.

During the Techonomy conference in Lake Tahoe, California, Google boss Eric Schmidt would not be drawn on the issue.

"We have been talking to Verizon for a long time about trying to get an agreement on what the definition of what net neutrality is," he told reporters.

"We are trying to find solutions that bridge between the hard core 'net neutrality or else' view and the historical telecom view of no such agreement."

Log Jam

The issue of net neutrality, which means no data traffic is prioritised over any other, has become a thorny one for the FCC. A recent court case limited the agency's powers to police what happens to data when it ruled that the FCC did not have the power to sanction Comcast for throttling some traffic.

As a result the FCC said it would reclassify broadband under a more heavily regulated part of the telecommunications law known as Title II. Cable and phone companies claimed the move would stifle investment in next generation broadband.

With the fear that these companies would resort to legal action, the agency began holding what critics termed "secret negotiations" aimed at forging a consensus on how to treat internet traffic.

The FCC's move to end these talks with firms such as Verizon, Google, Skype and AT&T suggests they broke down without reaching a decision.

Edward Lazarus, FCC chief of staff, said the talks had not "generated a robust framework to preserve the openness and freedom of the internet".

Pay to play

Public interest groups believe the Google Verizon tie-up, if it came to pass, would change the very nature of the internet and how it operates.

"The deal marks the beginning of the end of the internet as you know it," said Josh Silver, president of the Free Press consumer group.

"Since its beginnings, the net was a level playing field that allowed all content to move at the same speed, whether it's ABC News or your uncle's video blog. That's all about to change."

At the Techonomy Conference Mark Carges, chief technology officer of auction site eBay, underlined the company's support for net neutrality.

"eBay supports net neutrality legislation that will prohibit phone and cable companies from replacing the robust open internet with 'Pay to Play' private networks that will force out and discriminate against content and service providers that refuse to pay new tolls," Mark Carges said.

"Consumers, non-profits and businesses already pay for access to the internet," he said. "Broadband providers should not be permitted to 'double dip' by charging consumers twice for high-speed internet access."

Techonomy attendee Neelie Kroes, European Commissioner for the Digital Agenda, said she was watching the situation in the US closely.

"We are facing the same types of issues and with our discussions we are consulting everyone," said Ms Kroes, adding that she was a supporter of net neutrality.

"I know Chairman Genachowski and that he is doing his utmost to find solutions to this issue," she said.