Showing posts with label web. Show all posts

Saturday, August 7, 2010

Web attack knows where you live

One visit to a booby-trapped website could direct attackers to a person's home, a security expert has shown.

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many routers to find out a key identification number.

It uses this number and widely available net tools to find out where a router is located.

Demonstrating the attack, Mr Kamkar located one router to within nine metres of its real world position.

'Creepy' attack

Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information.

However, Mr Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed.

He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service.

This database links MAC addresses of routers with GPS co-ordinates to help locate them. During the demonstration, Mr Kamkar showed how straightforward it was to use the attack to identify someone's location to within a few metres.

"This is geo-location gone terrible," said Mr Kamkar during his presentation. "Privacy is dead, people. I'm sorry."

Mikko Hypponen, senior researcher at security firm F Secure, attended the presentation and said it was "very interesting research".

"The thought that someone, somewhere on the net can find where you are is pretty creepy," he said.

"Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual," he added.

"The fact that databases like Google Streetview's Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly," said Mr Hypponen.

Mr Kamkar detailed the attack during a presentation at the Black Hat hacker conference. In 2005, Mr Kamkar created a worm that exploited security failings in web browsers to garner more than one million "friends" on the MySpace social network in one day.

Prosecuted for the hack, Mr Kamkar was given three years' probation, did 90 days of community service and paid damages. He was also banned from using the net for personal purposes for an undisclosed amount of time.

Saturday, March 20, 2010

Smartphone overseas web warning

The consumers' association Which? is warning that people going abroad with smartphones can still face huge bills if they connect to the internet.
By 1 July, new rules will come into force in the European Union which will cap bills for downloading data.
But, until then, people travelling in Europe could face unlimited bills.
And anyone visiting non-EU countries, like Turkey, the US or the Caribbean, will continue to have no limits on their internet usage.
Bill shock
If you use your phone in the UK to connect to the internet, for example to check emails or go on Facebook, you don't usually need to worry about the bill - most home tariffs include unlimited downloads.
But, if you take a smartphone, like an iPhone, on your travels, it can have expensive consequences.
One German man was reported to have been charged £41,000 after downloading a television programme onto his phone.
Julia Feuell, from north London, also got a shock after a visit to New Zealand. Her 17-year-old son racked up a bill of £590.
"It was a telephone bill that I'd never seen in my life before. It was a great shock to Alex, who's an apprentice mechanic."
However, the phone company concerned eventually agreed to halve the bill.
According to research by Which?, people using smartphones abroad can pay up to £8 for every megabyte downloaded. That's the equivalent of one email with a photo attachment.
But anyone who downloads videos or films can expect to pay considerably more.
According to Which?, a ten minute video clip and five music tracks could cost as much as £200.
New EU rules
If you travel within the 27 countries of the European Union, or Switzerland, you will soon be protected by new rules to limit bills for data downloading.
From the 1 July this year there will be a default limit of 50 euros (£45) a month.
Until then, it's up to consumers to get in touch with their phone company to get that, or a different limit, applied to their account.
Users will receive a warning when they are approaching 80% of their limit, and will then be cut off once the limit is reached. But travellers to the rest of the world will receive no such protection.
Which? would like the EU data download limits extended to the rest of the world.
But this would have to be done by the phone companies themselves, as there is no regulatory body that has global reach.
"Mobile phone companies should voluntarily take these very sensible steps, and apply them on a worldwide basis," says Matt Bath of Which?.
But the GSM Association, which represents global mobile phone companies, disagrees.
"Europe is a very unique market. We would not advocate copycat regulation for other territories," a spokesperson said.
It also says it is trying to drive down bills by other means, and points out that the price of mobile services has already fallen by a third in the last five years.
Agree limits
Some owners of smartphones are unaware that their phones roam the internet whenever they are switched on.
With so-called "push email" programmes, that means you will be charged whenever someone sends you an email.
Equally, if you use an application to search for a nearby restaurant, or go onto Google maps for local directions, you are downloading data.
Which? advises users to go into their settings and simply turn off the data roaming facility.
Users should, in any case, be warned about this whenever they arrive in a foreign country and their mobile operator is substituted by another.
Otherwise, if you are travelling to Europe before the 1 July, you should get in touch with your phone company to agree a limit on data downloads.
Those who want an allowance which is larger than 50 euros should also contact their phone company, to get the limit raised.

Tuesday, March 16, 2010

Twitter embeds itself in the web

Twitter has announced technology that it hopes will further embed the service into the fabric of the web.
@anywhere, as it is known, will allow people using websites such as Amazon or the New York Times to follow new users or share media directly from the page.
It was unveiled at the South by Southwest festival in Austin, Texas.
It is similar to Facebook's Connect service that allows people to log in to other websites using their Facebook details and interact with friends.
"Imagine being able to follow a New York Times journalist directly from her byline, tweet about a video without leaving YouTube, and discover new Twitter accounts while visiting the Yahoo home page," Twitter said on its blog.
'Different approach'
The social network has not said when the service will launch, but said that it had already partnered with YouTube, Microsoft Bing and eBay amongst others.
Developers can already add Twitter functionality to their sites using a so-called API (application programming interface).
APIs are a set of tools offered by a firm to allow people outside the company to access and manipulate data held about their users.
They have become increasingly common amongst web firms to extend their reach beyond their own website.
Twitter said that @anywhere was a "different approach" that would be simpler for many sites to use.
This "open" approach to third-party developers allowed Twitter to grow at a phenomenal rate in its early days.
Recent data shows that traffic to Twitter's websites has levelled off since the middle of 2009.
However, measuring Twitter use is very difficult as many users interact with the service through desktop software and mobile phones.

Monday, March 15, 2010

Dotcom web address celebrates silver anniversary

The internet celebrates a landmark event on the 15 March - the 25th birthday of the day the first dotcom name was registered.
In March 1985, Symbolics computers of Cambridge, Massachusetts entered the history books with an internet address ending in dotcom.
That same year another five companies jumped on a very slow bandwagon.
It took until 1997, well into the internet boom, before the one millionth dotcom was registered.
"This birthday is really significant because what we are celebrating here is the internet and dotcom is a good, well known placeholder for the rest of the internet," said Mark McLaughlin, chief executive officer of Verisign, the company that is responsible for looking after the dotcom domain.
"Who would have guessed 25 years ago where the internet would be today. This really was a groundbreaking event," he said.
Commercialisation
For most of the late 1980s and early 1990s hardly anyone knew what a dotcom was. Scholars generally agree that a turning point was the introduction of the Mosaic web browser by Netscape that brought mainstream consumers on to the web.
With 668,000 dotcom sites registered every month, they have become part of the fabric of our lives.
Today people go to dotcom sites to shop, connect with friends, book holidays, be entertained, learn new things and exchange ideas.
"Dotcoms have touched us in a way we could not have imagined," Robert Atkinson of the Information Technology and Innovation Foundation (ITIF) said.
"It used to be, 10 years ago you could live an okay life if you weren't engaged on a dot com site on a daily basis. You could get what you needed.
"But today we see how dotcoms have enriched our lives that if you are not engaged you would be fine but much further behind than the rest of us."
Proof of that, Mr Atkinson said, can be seen in how dotcoms have commercialised the internet, "bringing consumers choice and value and businesses greater customer reach and profits".
A study by the ITIF claims that "the average profitability of companies using the internet increased by 2.7%".
The research also found that the economic benefits equal $1.5 trillion, which it says is "more than the global sales of medicine, investment in renewable energy and government investment in research and development combined".
By 2020 the internet should add $3.8 trillion (£2.5 trillion) to the global economy, exceeding the gross domestic product of Germany, it found.
The future
An estimated 1.7 billion people - one quarter of the world's population - now use the internet.
Verisign's Mr McLaughlin only sees that figure growing over the next quarter of a century.
"I think that the way we access information today, mostly still through PCs and laptops is highly likely to change; that the voice will be more important than text input.
"I think the whole fabric of how we access, search, find and get information is going to be radically different."
At the moment Verisign logs 53 billion requests for websites - not just dotcoms - every day, about the same number handled for all of 1995.
"We expect that to grow in 2020 to somewhere between three and four quadrillion," Mr McLaughlin said.
One quadrillion is 1,000 billion.
It is a phenomenal pace of growth that would have been very difficult to predict 25 years ago when a small computer firm took the first pioneering steps into the connected world.

Saturday, March 13, 2010

Net clash for web police projects

Social media activists are up in arms over plans by the UK's police watchdog for a project with the same name as an existing web initiative.
MyPolice.org was set up in mid-2009 to funnel feedback from victims of crime and others to police forces.
But Her Majesty's Inspectorate of Constabulary (HMIC) has unveiled plans for a project based around a site called Mypolice.org.uk.
The MyPolice.org founders say they may change their name to avoid confusion.
Force feedback
"This came completely out of the blue," said Lauren Currie, one of the founders of MyPolice.org.
Ms Currie said she and co-founder Sarah Drummond have been working on MyPolice.org since the summer of 2009 and were now getting close to launch.
The idea is to use the website as a central point through which to route messages to police forces about the job they are doing. It will also gather information about local issues and pass them on to UK forces.
"We are about giving feedback and we want that to result in change," said Ms Currie. "That's why it's called MyPolice. We are empowering people to make changes and make their voice heard."
"We have a lot of forces itching to be the pilot," she said, adding that people were bound to be puzzled by the HMIC launching a different service with the same name and a very similar website.
Confusion was evident even before the HMIC site formally launched.
"It's causing a huge problem," said Ms Currie. Many supporters had got in touch in reaction to media reports about the launch of MyPolice, she said, only to find out that the reports were about the HMIC project.
One disgruntled supporter of MyPolice.org has set up a parody website called My HMIC.org to collect comments about the clash. Many others have vented their feelings on micro-blogging service Twitter.
HMIC said its mypolice.org.uk website would be used by members of the public to find out information about how their local force is performing.
In a statement an HMIC spokesman said: "We spoke with the owners of www.mypolice.org, and it is clear that we offer very different online products. Both however aim to improve engagement between the public and their police; and this is to be applauded.
"We remain very happy to work with www.mypolice.org to offer the best possible service to the public."
A spokeswoman for HMIC declined a chance to expand on its statement.
Ms Currie said the two projects have discussed the domain name confusion. The HMIC said it has no plans to change the name of its project nor move it to another site.
Legal action by MyPolice.org has been ruled out, said Ms Currie. "We don't want to go down that route," she said.
A spokesman for Nominet, which oversees the .uk domain, said MyPolice.org may have a case under its dispute resolution system. Although MyPolice.org does not own the .uk version, it may be able to take it over as HMIC's action could be ruled as "unfair".
However, he warned, each case was judged on its merits and the dispute resolution might mean HMIC keeps its claim to the .uk domain.