New “Lost Mode” in Find My iPhone (iCloud)
With iOS 6, Apple will be releasing an updated set of web apps on iCloud.com, including Mail, Calendar, Notes, Reminders and Find My iPhone. Find My iPhone is a useful feature that allows you to track or wipe your iPhone, iPad or iPod Touch should it get lost or stolen. For more info check out my article on Protecting and Recovering Your iPhone and iPad from Loss and Theft. In this post I just want to point out the changes to Find My iPhone, in particular the new “Lost Mode”. Read more
Locate Lost or Stolen Macs with ‘Find My Mac’ in Lion and iCloud
Apple’s popular Find My iPhone feature of MobileMe is being extended to Macs as well, as part of iCloud and Lion (10.7.2). It will also allow the person who found or stole the machine to login using a limited guest account (with only access to Safari), in order to allow your Mac to connect to the internet. As with the iOS version, Find My Mac will allow you to remotely send a message, lock or even wipe your computer.
I’m guessing the geolocation will be limited to triangulating local wireless networks, but I’m hoping it will also send back the public IP address of the network it’s currently connected to, which would help significantly when trying to recover a stolen device. I wonder how developers of commercial Mac tracking software are feeling right about now?
For more info and pictures check out this post at Cult of Mac. In other news, iOS 5 will finally bring the ability to delete entries from your call history.
Find My iPhone Brings Improved Offline Device Support
Apple has released an update to their free Find My iPhone offering, which greatly improves the support for tracking devices that are offline at the time. Note that this doesn’t mean you can track an iPhone or iPad that is turned off, or out of signal range (not possible). Instead, if a device is offline when you try to locate it, Apple will later send you an email with its location the next time that device gets back online. Thanks to this, it’s no longer necessary to constantly be checking the Find My iPhone app/webpage. Here is Apple’s summary of the changes:
- When you are unable to locate a device because it is offline, you will receive an email if the device comes online and is located.
- Ability to remove an offline device from the list using the app.
Note, it appears this updated feature is only available using the Find My iPhone app (version 1.2) available in the App Store – it is not yet available in the MobileMe web interface. I assume it won’t be updated until the new iCloud Find My iPhone web interface is launched. [Update: I was right.]
For more information on how to use this great free service to recover your iOS devices, check out Protecting and Recovering Your iPhone and iPad from Loss and Theft.
iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs
Following the recent over-hyped “location tracking scandal“, Apple has released iOS 4.3.3 which fixes bugs in the Location Services on iPhone and iPad devices that caused them to store excessive location information. As detailed by Apple’s Q&A on Location Data, the location data stored on iOS devices (and backed up by iTunes) are merely a subset of Apple’s crowd-sourced location database of Wifi hotspots and cell towers, used to facilitate Location Services when GPS is unavailable or unreliable. The bugs were causing iOS to download this location cache even if Location Services were turned off, and to store the cache indefinitely, instead of being regularly purged.
This update contains changes to the iOS crowd-sourced location database cache including:
- Reduces the size of the cache
- No longer backs the cache up to iTunes
- Deletes the cache entirely when Location Services is turned off
It’s nice to see Apple resolve this issue so swiftly, and these changes will help improve the privacy of iPhone and iPad users, regardless of whether they use Location Services. The only thing I would have added if I were Apple, is the ability for the user to clear the location cache in the device settings. It’s a button that could be easily added in Settings > Location Services. Just sayin’!
Everything You Need to Know About the iPhone Tracking ‘Scandal’ [Updated]
Seeing as I cover OSX/iOS security and privacy, I figured it’s about time I weighed in on this whole iPhone/iPad tracking ‘scandal’. I have to admit I was surprised when I first heard of the iPhone storing location data, especially that it does so with Location Services turned off. This issue is not new, however, and was described in a fair amount of depth by Alex Levinson several months ago. What has made it so popular this month is the release of the iPhoneTracker app, developed by Pete Warden and Alasdair Allan, that creates a visual map of your visited locations. I promptly tested iPhoneTracker, and sure enough it showed a bunch of areas that I’d visited. Upon closer inspection, however, I noticed that it didn’t specifically geolocate me in two places where I’d spent a lot of time; namely home and work. On top of that, there were a number of locations I’d never even been to.
[Updated] According to the info recently published by Apple, this stored location data is not the location of the iPhone itself, but rather a subset of crowd-sourced location information for local cell towers and wifi networks, which is only used to rapidly provide the user with location information. Full details at the bottom of this post. Read more
Protecting and Recovering Your iPhone and iPad from Loss and Theft
My sister recently had her iPhone stolen, and it occurred to me that not enough people know how to help protect their iPhone/iPad from theft, what to do if it gets lost or stolen, and the steps to take even if they’re unable to get it back. Using a combination of security tips and geolocation, using Find My iPhone, you should have a much higher chance of recovering your device. Note that although this article is iPhone/iPad-centric… the principles apply to any smartphone!
NEW! Please refer to my Find My iPhone FAQ for the answers to some frequently asked questions (especially before asking a question in the comments). Read more
Clever Full-Site Tracking with XSS-Track
Cross-site Scripting (or XSS) is a common web application vulnerability with varying levels of severity. Generally the capabilities of a XSS are limited to the locations of vulnerable inputs and outputs, and crafting complex XSS payloads can be a time-consuming process.
XSS-Track (cached) helps simplify cross-site scripting by allowing the attacker to silently track the user across the entire site, using a single embedded XSS. It does this by cleverly creating a full-window invisible iFrame, and maintaining control of that window as the user browses the site. This also allows the attacker to look for valuable pieces of information, such as passwords or credit card numbers.
Combining XSS-Track with the older XSS-Shell script, which turns the browser into a zombie of sorts, could give an attacker a significant amount of power over infected sites and their users.
Firefox users may want to consider using the NoScript extension to protect themselves from unknowingly running malicious scripts. Despite having some limited XSS protection, and a JavaScript Blacklist extension, Safari unfortunately does not afford nearly the same protection as the whitelist-style Firefox+NoScript combination. If someone releases a NoScript-style JS Whitelist for Safari then it’ll be a big step forward.
Persistent Tracking using Supercookies and Evercookies
Normal websites use cookies to keep track of their visitors, either to remember that they are logged in, track statistics, or a number of other purposes. Sites can usually only track users while they are browsing that actual site (apart from Google who tracks you more or less wherever you go), however the past few years have revealed more and more ways web users can be tracked.
The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.
Modern supercookies comprise a number (or all) of the following:
- Standard HTTP Cookies
- Local Shared Objects (Flash Cookies)
- Silverlight Isolated Storage
- Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
- Storing cookies in Web History
- Storing cookies in HTTP ETags
- Storing cookies in Web cache
- window.name caching
- Internet Explorer userData storage
- HTML5 Session Storage
- HTML5 Local Storage
- HTML5 Global Storage
- HTML5 Database Storage via SQLite
Samy Kamkar recently released Evercookie, a JavaScript API for creating extremely persistent browser cookies. The list above is what is what Evercookie uses to create them. If websites were to start using these techniques, they would be able to uniquely identify you (as a user, not a person) each time you visited, even if you deleted your cookies, cleared your cache, and removed your history (or used a private browsing feature). Due to the use of shared objects, such as Flash, some cookies are persistent even across different browsers!
Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown-script which improves the security and privacy of Firefox by making some configuration changes (eg. disabling prefetching, geolocation, caching, etc).
This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to), however all too often browser plugins and add-ons are given too many privileges.
Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.
- Standard HTTP Cookies - Local Shared Objects (Flash Cookies) - Silverlight Isolated Storage - Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out - Storing cookies in Web History - Storing cookies in HTTP ETags - Storing cookies in Web cache - window.name caching - Internet Explorer userData storage - HTML5 Session Storage - HTML5 Local Storage - HTML5 Global Storage - HTML5 Database Storage via SQLite
Facebook’s Suspicious Login Tracking
This is kind of old news, but I’ve only recently become acquainted with Facebook’s tracking of suspicious logins. If you only use a couple of devices, or haven’t traveled around much, you may not have seen come across these recent security additions to the authentication mechanism.
When logging in to Facebook, the site looks up the last location you logged in from (by geolocating the IP address), and compares it to a list of ‘known’ locations. If the location the user is logging in from is beyond a certain ‘distance threshold’ from the known locations, the user will be challenged. There are two types of challenges that can be chosen; the first is to recognise friends based on their picture (a solution I find both elegant and effective); the second is to answer a pre-set security question. If the user fails both of these challenges (I did… go figure), they have to wait an hour before trying again.
The next time you successfully log in, you will be alerted to any recent suspicious login attempts, complete with a geolocated map of that attempt’s location (see screenshot).
This feature has been added to Facebook’s authentication mechanism, and is thus on by default for all accounts. There is another feature however, that is not on by default, but is also interesting. You can set Facebook to notify you whenever a new computer or mobile device is used to log in to your account. This setting is found under Account Settings -> Account Security -> Login Notifications.
Thought this would be of interest to anyone looking to further secure their use of Facebook. Check out their full blog post about these features.