Skip to content

Posts tagged ‘tracking’

29
Aug

New “Lost Mode” in Find My iPhone (iCloud)

With iOS 6, Apple will be releasing an updated set of web apps on iCloud.com, including Mail, Calendar, Notes, Reminders and Find My iPhone. Find My iPhone is a useful feature that allows you to track or wipe your iPhone, iPad or iPod Touch should it get lost or stolen. For more info check out my article on Protecting and Recovering Your iPhone and iPad from Loss and Theft. In this post I just want to point out the changes to Find My iPhone, in particular the new “Lost Mode”. Read moreRead more

10
Jun

Locate Lost or Stolen Macs with ‘Find My Mac’ in Lion and iCloud

Apple’s popular Find My iPhone feature of MobileMe is being extended to Macs as well, as part of iCloud and Lion (10.7.2). It will also allow the person who found or stole the machine to login using a limited guest account (with only access to Safari), in order to allow your Mac to connect to the internet. As with the iOS version, Find My Mac will allow you to remotely send a message, lock or even wipe your computer.

I’m guessing the geolocation will be limited to triangulating local wireless networks, but I’m hoping it will also send back the public IP address of the network it’s currently connected to, which would help significantly when trying to recover a stolen device. I wonder how developers of commercial Mac tracking software are feeling right about now?

For more info and pictures check out this post at Cult of Mac. In other news, iOS 5 will finally bring the ability to delete entries from your call history.

7
Jun

Find My iPhone Brings Improved Offline Device Support

Apple has released an update to their free Find My iPhone offering, which greatly improves the support for tracking devices that are offline at the time. Note that this doesn’t mean you can track an iPhone or iPad that is turned off, or out of signal range (not possible). Instead, if a device is offline when you try to locate it, Apple will later send you an email with its location the next time that device gets back online. Thanks to this, it’s no longer necessary to constantly be checking the Find My iPhone app/webpage. Here is Apple’s summary of the changes:

  • When you are unable to locate a device because it is offline, you will receive an email if the device comes online and is located.
  • Ability to remove an offline device from the list using the app.

Note, it appears this updated feature is only available using the Find My iPhone app (version 1.2) available in the App Store – it is not yet available in the MobileMe web interface. I assume it won’t be updated until the new iCloud Find My iPhone web interface is launched. [Update: I was right.]

For more information on how to use this great free service to recover your iOS devices, check out Protecting and Recovering Your iPhone and iPad from Loss and Theft.

5
May

iPhone/iPad iOS 4.3.3 Fixes Location Tracking Bugs

Following the recent over-hyped “location tracking scandal“, Apple has released iOS 4.3.3 which fixes bugs in the Location Services on iPhone and iPad devices that caused them to store excessive location information. As detailed by Apple’s Q&A on Location Data, the location data stored on iOS devices (and backed up by iTunes) are merely a subset of Apple’s crowd-sourced location database of Wifi hotspots and cell towers, used to facilitate Location Services when GPS is unavailable or unreliable. The bugs were causing iOS to download this location cache even if Location Services were turned off, and to store the cache indefinitely, instead of being regularly purged.

This update contains changes to the iOS crowd-sourced location database cache including:

  • Reduces the size of the cache
  • No longer backs the cache up to iTunes
  • Deletes the cache entirely when Location Services is turned off

It’s nice to see Apple resolve this issue so swiftly, and these changes will help improve the privacy of iPhone and iPad users, regardless of whether they use Location Services. The only thing I would have added if I were Apple, is the ability for the user to clear the location cache in the device settings. It’s a button that could be easily added in Settings > Location Services.  Just sayin’!

26
Apr

Everything You Need to Know About the iPhone Tracking ‘Scandal’ [Updated]

Seeing as I cover OSX/iOS security and privacy, I figured it’s about time I weighed in on this whole iPhone/iPad tracking ‘scandal’. I have to admit I was surprised when I first heard of the iPhone storing location data, especially that it does so with Location Services turned off. This issue is not new, however, and was described in a fair amount of depth by Alex Levinson several months ago. What has made it so popular this month is the release of the iPhoneTracker app, developed by Pete Warden and Alasdair Allan, that creates a visual map of your visited locations. I promptly tested iPhoneTracker, and sure enough it showed a bunch of areas that I’d visited. Upon closer inspection, however, I noticed that it didn’t specifically geolocate me in two places where I’d spent a lot of time; namely home and work. On top of that, there were a number of locations I’d never even been to.

[Updated] According to the info recently published by Apple, this stored location data is not the location of the iPhone itself, but rather a subset of crowd-sourced location information for local cell towers and wifi networks, which is only used to rapidly provide the user with location information. Full details at the bottom of this post. Read moreRead more

25
Jan

Protecting and Recovering Your iPhone and iPad from Loss and Theft

My sister recently had her iPhone stolen, and it occurred to me that not enough people know how to help protect their iPhone/iPad from theft, what to do if it gets lost or stolen, and the steps to take even if they’re unable to get it back. Using a combination of security tips and geolocation, using Find My iPhone, you should have a much higher chance of recovering your device. Note that although this article is iPhone/iPad-centric… the principles apply to any smartphone!

NEW! Please refer to my Find My iPhone FAQ for the answers to some frequently asked questions (especially before asking a question in the comments). Read moreRead more

8
Nov

Clever Full-Site Tracking with XSS-Track

Cross-site Scripting (or XSS) is a common web application vulnerability with varying levels of severity. Generally the capabilities of a XSS are limited to the locations of vulnerable inputs and outputs, and crafting complex XSS payloads can be a time-consuming process.

XSS-Track (cached) helps simplify cross-site scripting by allowing the attacker to silently track the user across the entire site, using a single embedded XSS. It does this by cleverly creating a full-window invisible iFrame, and maintaining control of that window as the user browses the site. This also allows the attacker to look for valuable pieces of information, such as passwords or credit card numbers.

Combining XSS-Track with the older XSS-Shell script, which turns the browser into a zombie of sorts, could give an attacker a significant amount of power over infected sites and their users.

Firefox users may want to consider using the NoScript extension to protect themselves from unknowingly running malicious scripts. Despite having some limited XSS protection, and a JavaScript Blacklist extension, Safari unfortunately does not afford nearly the same protection as the whitelist-style Firefox+NoScript combination. If someone releases a NoScript-style JS Whitelist for Safari then it’ll be a big step forward.

19
Oct

Persistent Tracking using Supercookies and Evercookies

Normal websites use cookies to keep track of their visitors, either to remember that they are logged in, track statistics, or a number of other purposes. Sites can usually only track users while they are browsing that actual site (apart from Google who tracks you more or less wherever you go), however the past few years have revealed more and more ways web users can be tracked.

The concept of supercookies and ubercookies is not entirely new, but has been refined recently to turn them into digital cockroaches – very hard to permanently get rid of. Supercookies are basically an amalgamation of different software features that can be used to create a uniquely identifying token, usually one that is hard or too convoluted to delete. Now that HTML5 is becoming more widespread, there are even more options than before.

Modern supercookies comprise a number (or all) of the following:

  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Silverlight Isolated Storage
  • Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in Web History
  • Storing cookies in HTTP ETags
  • Storing cookies in Web cache
  • window.name caching
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

Samy Kamkar recently released Evercookie, a JavaScript API for creating extremely persistent browser cookies. The list above is what is what Evercookie uses to create them. If websites were to start using these techniques, they would be able to uniquely identify you (as a user, not a person) each time you visited, even if you deleted your cookies, cleared your cache, and removed your history (or used a private browsing feature). Due to the use of shared objects, such as Flash, some cookies are persistent even across different browsers!

Ultimately, I wouldn’t panic and stop surfing the web just yet, but this goes to show how the evolution of the browser (and countless plugins that now go with it) is having an effect on privacy and security (which can’t quite keep up the pace set by innovation). Dominic White describes how to delete the Evercookie when using Safari on OSX. Others have written about how to do the same on Firefox and Chrome. One reddit user has created a pseudo lockdown-script which improves the security and privacy of Firefox by making some configuration changes (eg. disabling prefetching, geolocation, caching, etc).

This post by Christopher Soghoian provides a good argument for why privacy (and security, I would add) should be adopted in web browsers by default, instead of letting users fend for themselves. Some browsers are making an effort by adding features such as private browsing, cross-site scripting protection, and Google SafeSearch (although this impacts privacy by sending Google every URL you browse to), however all too often browser plugins and add-ons are given too many privileges.

Browser security and user awareness are becoming more important than ever as traditional programs are phased out and replaced by web applications. Unfortunately both of these are still lagging a bit behind.

     - Standard HTTP Cookies
     - Local Shared Objects (Flash Cookies)
     - Silverlight Isolated Storage
     - Storing cookies in RGB values of auto-generated, force-cached
        PNGs using HTML5 Canvas tag to read pixels (cookies) back out
     - Storing cookies in Web History
     - Storing cookies in HTTP ETags
     - Storing cookies in Web cache
     - window.name caching
     - Internet Explorer userData storage
     - HTML5 Session Storage
     - HTML5 Local Storage
     - HTML5 Global Storage
     - HTML5 Database Storage via SQLite
13
Oct

Warrantless and Unwarranted FBI Tracking of Egyptian Student

Twenty year-old US-born half-Egyptian marketing student from California, Yasir Afifi, recently found an FBI tracking device attached to the underside of his car. Apparently he wasn’t even the primary focus of the surveillance, but happens to be the friend of someone who’s of interest to the FBI. It’s believed the friend (Khaled) is of interest due to a post he made on his blog/reddit.

Here’s one of his posts:

bombing a mall seems so easy to do. i mean all you really need is a bomb, a regular outfit so you arent the crazy guy in a trench coat trying to blow up a mall and a shopping bag. i mean if terrorism were actually a legitimate threat, think about how many fucking malls would have blown up already.. you can put a bag in a million different places, there would be no way to foresee the next target, and really no way to prevent it unless CTU gets some intel at the last minute in which case every city but LA is fucked…so…yea…now i’m surely bugged : /

To be honest, sounds like a post I could’ve written. I definitely agree with the guy. I guess the only reason I’m not being watched is because I’m not dark skinned, or from an Eastern country, or whatever other profile they rely on these days. Or maybe I am being watched and just haven’t found the tracking device yet.

About 9 days ago, they found the device (pictured below), and originally thought it was either a tracking device – or a bomb. From his description of the events, however, it sounds like they may also have been stoned at the time. A recent ruling by the Ninth Circuit in California (and 8 other states) states there is no requirement for a warrant to be obtained in order to perform this kind of tracking. They are allowed to come onto your property and plant a tracking device on your car, as you have no reasonable expectation of privacy on your driveway. Good morning Orwell.

The American Civil Liberties Union in Washington are considering using these events to challenge the Ninth Circuit’s ruling.

Now why they chose to use what looks like a Soviet-era tracker is beyond me. Maybe they ran out of the smaller non-battery-powered models that they make in this century. According to a commenter on reddit, the device is a Guardian ST820, manufactured by Cobham. Apparently these things are meant to be hard to find (despite the size), when installed properly. Surveillance Fail? The FBI have since asked for their tracker back.

Check out this Wired article for more details.

If you want to build your own affordable GPS tracker, check out this project!

[Update 8/3/2011] Yasir Afifi files lawsuit over FBI’s GPS tracking

css.php