Archive

Posts Tagged ‘Twitter’

iOS7 Security issues give access to your photos and more

October 3, 2013 1 comment

E-Crime Expert brings once again to your attention a security issue, thanks to Jose Rodriguez, from Canary Islands which has found this iOS7 Security glitch that gives access to your photos, and enables the sharing of them via Twitter, Mail, Flickr, Message.

The following demo, pictures and testing is done entirely by E-Crime Expert (Dan Manolescu) on one of our devices. This security issues apply to any Apple device (iPhone, Ipad) that runs on iOS7.

How it works:

From the locked screen menu (Fig.1), pull the “Control center” tab up (Fig.2) and click the “Clock” pictogram (Fig.3)

Fig.1

photo 1

Fig.2

photo 2

Fig.3

photo 3

Then, press the “sleep button” until “turn off your device” (Fig.4) message appears. Instead, press “cancel” and right after double click the Home button (Fig.5).

Fig.4

photo 1

Fig.5

photo 2

The “Multitasking” screen will appear (Fig.6). You can now chose the “Camera” app from there and click the “Camera roll” (Fig.7) and you will instantly have access to your photos (Fig.8).

Fig.6

photo 5

Fig.7

photo-4

Fig.8

photo 1

From here, you can share them via Twitter, Facebook, Mail, Flickr (Fig.9).

Fig.9

photo 2
In order to avoid this security glitch, update your iOS:

Go to “Settings” (Fig.10), then to “General” (Fig.11) and after to “Software update” (Fig.12).

Fig.10

photo 3

Fig.11

photo 4

Fig.12

photo 5

Done Deal!

Again, credit goes to: Jose Rodriguez, from Canary Islands (Spain).

Any questions can be submitted to: dan@e-crimeexpert.com
Additional information can be found at: http://www.e-crimeexppert.com
To find out more about Dan Manolescu, visit his LinkedIn page here.
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Advertisements

Do you know what is your child’s age requirement to sign up online?

May 27, 2013 1 comment

As the Internet permeates every aspect of the economy and society, it is also becoming an essential element of our children’s lives. While it can bring considerable benefits for their education and development, it also exposes them to online risks such as access to inappropriate content, harmful interactions with other children or with adults, and exposure to aggressive marketing practices.

Children online can also put their computer systems at risk and disseminate their personal data without understanding the potential long-term privacy consequences.

In addition, there are other risks for children using online environments, such as:

Privacy risks

-cyber-bullying

-cyber-stalking

-age-inappropriate content

-online grooming

-identity theft

-emotional implications.

Beside support and guidance from parents when using the online environment, an appropriate mental development and understanding is important for a child when using an online platform. For these reasons, in both the United States and the European Union, a minimum age requirements for accessing the “online world” was set as a legal requirement.

E-Crime Expert thinks that the minimum age requirements a child should meet when signing up for an email account, Facebook, etc., should be a topic of interest for parents. For these reasons, we researched the minimum age requirements on some of the most popular online sites and platforms.

The Children’s Online Privacy Protection Act (COPPA) in United States applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. It details what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent or guardian, and what responsibilities an operator has to protect children’s privacy and safety online including restrictions on the marketing to those under 13. While children under 13 can legally give out personal information with their parents’ permission, many websites altogether disallow underage children from using their services due to the amount of work involved.

In the European Union, the European Commission released in January 2012, a Proposal on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

This Proposal has specific requirements with regards to Children. They deserve specific protection of their personal data, as they may be less aware of risks, consequences, safeguards and their rights in relation to the processing of personal data. To determine when an individual is a child, this Regulation should take over the definition laid down by the UN Convention on the Rights of the Child.

“Article 8
Processing of personal data of a child

For the purposes of this Regulation, in relation to the offering of information society services directly to a child, the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. The controller (i.e. the person in charge with the collection, use and disclosure of personal data) shall make reasonable efforts to obtain verifiable consent, taking into consideration available technology”.

Following, are the minimum age requirements for children using different Internet websites or Social Networking Services and other online platforms:

facebook-age-restriction

 1.      Facebook:

How old do you have to be to sign up for Facebook?

In order to be eligible to sign up for Facebook, you must be at least 13 years old.

The minimum age requirement on Facebook is more or less enforceable. Simply lying about your birthdate easily circumvents the policy.

The Children’s Online Privacy Protection Act (COPPA) mandates that websites that collect information about users aren’t allowed to sign on anyone under the age of 13. As a result, Facebook’s Statement of Rights and Responsibilities require users of the social network to be at least 13 years old (and even older, in some jurisdictions).

According to MinorMonitor, over 38 percent of children with Facebook accounts are 12-years-old and under. Even more worryingly, 4 percent of children on Facebook are reported to be 6-years-old or younger, which translates to some 800,000 kindergarteners on Facebook.

These results come from a survey of 1,000 parents of children under 18-years-old who use Facebook. The company provides a free, web-based parental tool that gives parents a quick view into their child’s Facebook use, including potential dangerous activities such as the friending of online predators, cyberbullying, violence, drug and alcohol use, as well as sexual references.

2.      Google:

Age requirements on Google Accounts:

  •  United States: 13 or older
  •  Spain: 14 or older
  •  South Korea: 14 or older
  •  Netherlands: 16 or older
  •  All other countries: 13 or older

Some Google products have specific age requirements. Here are a few examples:

  • YouTube: When a YouTube video has been age-restricted, a warning screen is displayed and only users who are 18 or older can watch it. Learn more about age-restricted videos.
  • Google Wallet: 18+
  •  AdSense: 18+
  •  AdWords: 18+

3.      Yahoo

When a child under age 13 attempts to register with Yahoo!, they ask the child to have a parent or guardian create a Yahoo! Family Account to obtain parental permission.

Yahoo! does not contact children under age 13 about special offers or for marketing purposes without a parent’s permission.

Yahoo! does not ask a child under age 13 for more personal information, as a condition of participation, than is reasonably necessary to participate in a given activity or promotion.

Yahoo! is concerned about the safety and privacy of all its users, particularly children. For this reason, parents of children under the age of 13 who wish to allow their children access to the Yahoo! Services must create a Yahoo! Family Account. When you create a Yahoo! Family Account and add your child to the account, you certify that you are at least 18 years old and that you are the legal guardian of the child/children listed on the Yahoo! Family Account. By adding a child to your Yahoo! Family Account, you also give your child permission to access many areas of the Yahoo! Services, including, email, message boards and instant messaging (among others). Please remember that the Yahoo! Services is designed to appeal to a broad audience. Accordingly, as the legal guardian, it is your responsibility to determine whether any of the Yahoo! Services areas and/or Content are appropriate for your child.

4.      Hotmail

As on Hotmail’s Terms of Use is no reference to the age requirements to join the service, we did our own registration and it appears that 13 is the age requirement for joining Hotmail, as shown below:

I.                   Attempt indicating the user is 6 years old

Step 1   

1

Step 2                        

2

Step 3

3

 

II.                Second attempt, indicating the user is 13 years old.

Step 1

4Step 2

5

 

5.        MySpace 

  • You must be at least 13 years old to have a Myspace profile
  • If you’re under 16 years old, you’re not allowed to list your age as over 16 and make your profile public (your profile must be set to private)
  • If you’re under 18, you’re not allowed to list your age as over 18
  • Users under 18 are not able to make changes to their listed age

Notes & Tips

  • If you break any of the above rules, MySpace will be forced to delete your profile for safety and security reasons (it’s all in their Terms of Use)

6.      Skype

Skype not directly sets up an age restriction within their Terms of Use.

“Jurisdiction’s Restrictions: If the law of Your country prohibits You from downloading or using Skype Software because You are under the age limit or because the Skype Software is not allowed in Your country, please don’t use it”.

According to this, for US the minimum age requirement is 13 + (COPPA).

7.      LinkedIn

PRIVACY POLICY, 18!

In terms of LinkedIn’s Privacy Policy:

 ”Children are not eligible to use our service and we ask that minors (under the age of 18) do not submit any personal information to us or use the service.”

8.      Twitter

Age screening on Twitter

Age screening is a way for brands and others to determine online whether a follower meets a minimum age requirement, in a way that is consistent with relevant industry or legal guidelines. This makes it easier for advertisers and others with content not suitable for minors (e.g. alcohol advertisers) to advertise on Twitter.

There apparently, is now age restriction for setting up an account on Twitter (as we set it up without being asked about our age). See below:

Step 1

6

Step 2: Done!

7

For more advice on how children could stay safe online (you could also share this with your child), click here to visit the material E-Crime Expert specially created for this purpose.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

SHODAN, the search engine: is it “scarry” or not?

April 12, 2013 27 comments

E-Crime Expert presents to you today a search engine which is totally different (in functionality and scope) than the ones we are used to (i.e Google, Bing etc).

For us  (E-crime Expert), Shodan has a positive value as it uncovers security vulnerabilities. Used by others (i.e. cybercriminals), Shodan could have a negative side as enables access to different systems (routers, webcams, etc) which have little or no security protection.

According to the description available on their main page here, “SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners”.

Web search engines, such as Google and Bing, are great for finding websites. Rather than to locate specific content on a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content.

How to use it:

Create and login using a SHODAN account, or Login using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID).

Login is not required, but country and net filters are not available unless you login.

Basic Operations:

Filters
-country: filters results by two letter country code hostname;

-filtering by country can also be accomplished by clicking on the country map (available from the drop down menu);

-mouse over a country for the number of scanned hosts for a particular country.

-filters results by specified text in the hostname or domain net;

-filter results by a specific IP range or subnet operating system;

-search for specific operating systems port: narrow the search for specific services;

After the search returns some entries (webcams located in a certain area), just click on one of those entries and you will have instant access to what that webcam records live (Fig 1).

Figure 1.

01

Examples:

Note:
E-Crime Expert will try contact all the owners of these vulnerable systems in order to report their security issues and advise how to protect their devices with appropriate passwords and security measures.

Please watch the video or read our material on how to create a stronger password.

1. Run a search for all existing default passwords, as shown in Figure 2.
Having access to the password, one could enter the router’s settings and change them or even more, use the router as a back door to access any device connected to it such as a computer, printer, etc.

Figure 2.

02

2. Once we selected a webcam, click on it and wait for the live footage to play.
What we see is an intersection which could be considered as a public space. The live feeds record everything live (Fig. 3).

Figure 3.

033. The access is granted regardless the geographical location: E-Crime Expert had access to a webcam located in Russia from a computer located in North America (Figure 4).

Figure 4.

04

4. We next tested a webcam which was recording someone’s home front steps for security reasons perhaps. But the issue here is how that camera’s angle is recording as you can also see the next neighbor’s front alley, car and probably anyone entering their house (Fig. 5).

Figure 5.

05

5. Next example is more intrusive as transmits live feeds from a restaurant where clients could be identified along with the staff members. The purpose of this camera is theft protection but due to its non-existing security measures, now anyone on the Internet could check who came at that restaurant and at what time, transforming the purpose of that camera into a monitoring one (Fig. 6).

Figure 6.

06

6. Not surprisingly, the next webcam becomes even more intrusive by showing live the staff member working in a convenience store, with a “from behind the counter” view. Anytime the staff opens the money drawer, everyone having access to this webcam (available worldwide as shown in this blog post) could approximate how much money is available there. Beside the privacy invasive aspect of the clients and also of the staff member, potentially, could also lead to robberies or similar attacks (Fig. 7).

Figure 7.

photo 07

7. Last examples is the most intrusive and concerning one as it transmits live video streaming from someone’s home. It is intrusive because most probably the guests visiting this person are not aware of the webcam, and also because the footage is now available not just to the security company in charge of protecting this home, but also to virtually anyone on the Internet. The second concerning aspect is that anyone could see what is available on the kitchen counter whether a large amount of cash or cheques or other valuable goods. This again, could lead to robberies or other violent crimes (Fig. 8).

Figure 8.

08

Conclusions:

SHODAN aggregates a significant amount of information that is not already widely available in an easy to understand format.

SHODAN collects basic information about the websites, the information “from the inside”, data covering the so-called back-end (simplified information about the type of your server software versions, and so on). On the one hand, it is therefore an excellent data base for those involved in security – but on the other, it is also a source of information for cybercriminals.

The Shodan software runs 24 hours a day. It automatically reaches out to the World Wide Web and identifies digital locators, known as internet protocol addresses, for computers and other devices. For security monitoring teams, Shodan may present some serious challenges. It is highly unlikely that security monitoring teams will ever be alerted to an attack that is using Shodan.

From a privacy perspective, there on the World Wide Web could be some available information accessible to the regular people by simply running a search, which it is not necessarily to be regarded as publically available information, such as the webcam in someone’s home, in a store, gas station etc. This is not publically available information from a legal perspective but it actually becomes available to anyone as some monitoring systems have little or no security measures. According to most international privacy legislation, a surveillance camera should be installed and used just on a legal basis and after a privacy impact assessment is done (as a best practice). That legal basis strictly refers to the purpose of why that camera is used for which definitely does not grant worldwide access to the footage, except where in question is a public space (i.e. park, street, etc).

Even though in question is a public domain under surveillance, there are cases when footage or pictures of those public spaces record more than the public space itself (i.e. Google maps litigations for capturing more than the streets, etc).

The Privacy Impact Assessment is specifically done (among others) to make sure that no unauthorized person has access to the footage recorded by a surveillance camera. Being able to publically find this footage on the Internet, is outside the Privacy and Security requirements and measures in place for a surveillance camera located either within a public space (with the potential of recording private areas as well) and or in a household which is by definition a private space. Probably some of these surveillance cameras are installed by the household owners, aiming to act as a theft protection and consequently be accessible just by the police or other law enforcement entities.

Contrary, by having access globally to this kind of footage, does not align with most of the international existing privacy legislation.

Once again, E-Crime Expert has taken this opportunity (SHODAN – search as a positive tool) to asses current privacy and security issues.

If you have any question you could contact: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

WHAT TO DO WHEN YOUR EMAIL GOT HACKED OR COMPROMISED

February 5, 2013 2 comments

E-Crime Expert explains in this blog post the steps to be taken when your email or Social Networking Site has been hacked or compromised.

When someone’s friends or close contacts start telling that they are receiving emails or messages that one never sent, or when appears online content that one never posted, it could mean that another person has gained illegitimate control over this individual’s email or Social Networking Site.

If this happened, in order to limit the damage and the possibility of spreading malwares/viruses to others, firstly the passwords to all accounts that have been compromised and to other important accounts should be changed*, and also notifications to all contacts regarding that they may receive spam messages that appear to come from the compromised account, should be sent.  

It could also happen that one cannot access his/her account anymore because a password has been changed.

If this happen, bellow are provided the contact details for the most popular email and Social Networking sites providers:

yahoo-logo

* Hacked account – click here:email-icon

* Account is sending spam – click here: email-icon

* Help Center – click here: telephone-logo

Gmail_logo

* Hacked account – click here: email-icon

* Inaccessible account – click here: email-icon

wave4hotmail

 * Hacked account – click here: email-icon

* Inaccessible account – click here: email-icon

* Help Center – click here: telephone-logo

twitterlogo_web

* Hacked account – click here: email-icon

* Inaccessible account – click here: email-icon

facebook-logo

* Hacked account – click here: email-icon

* Help Center – click here: telephone-logo

youtube_logo-copy1

* Hacked account – click here: email-icon

TIPS:

* How to choose a strong password:

Watch video : “Creatting a strong password video tutorial”

Read blog post: “Tips for a better, stronger password”

Frequently check your account activity/log in history as explained in this blog post: “Does anyone snoop in your email account? Find out”

If you have any question you could contact: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

LinkedIn new Scam: Upgrade free to LinkedIn Premium

August 8, 2012 15 comments

Today, E-Crime Expert encountered a new scam, related to LinkedIn this time.

How it woks:

I received an email on my regular email address which said that because I am a valuable LinkedIn user, they will upgrade my Basic accoun to a Premium one for free, for one month period.

Picture 1

I did not know that this is a scam so I proceeded with the upgrade. After I clicked “upgrade” I was promted to introduce my LinkedIn password. I did so, but nothing hapenned.

Then, I checked my LinkedIn account on a different webpage and still there my account appears “Basic”, so no upgrade done as promised.

Picture 2

Instantly I realize that this is a scam having as purpose the access of your valuable friends database with email addresses, phone numbers, professions, etc. The purpose of this scam is to retrive for free this valuable information that later can be used for identity theft, or spam, or aother related scams.

Action:

if you did upgrade your account, please change your password as soon as possible

If you received this message but did not upgrade yet, please don’t do it.

If you have further questions, please fel free to contact us at: dan@e-crimeexpert.com

Cloud computing and the Internet part II

October 13, 2011 1 comment

As announced on yesterday’s post “Cloud computing and the Internet part I, E-Crime Expert is posting the second part on cloud computing.

In addition to the methods in which Cloud computing is delivered, there are different types of the cloud computing which include: public cloud, hybrid cloud and private cloud.

Public cloud which is when a service provider offer services such as application usage, development or storage of data, to anyone on the Internet.

Hybrid cloud is when a business uses some applications in house and some provided by an external provider such as storage of data, etc.

Private cloud is when a provider offers cloud computing solutions, but on a private infrastructure network. A business does not want its employees files to be accessible for example on a public cloud and so it rents/buys a private cloud that no one else except that business has access to.

Besides the usefulness of cloud computing solutions, there are questions regarding how the Data Protection Directive applies to this situation? How the personal data of users is dealt with, stored, accessed, manipulated, and processed by the cloud-computing providers. A unique characteristic of cloud computing is that data is floating around from server to server located within the EU or also outside the EU for example to India, the US, etc. Part of someone’s data could be at the same time in the EU and India, on different servers.

There are some questions regarding cloud computing in Facebook’s. Facebook provides services to its clients such as: storage of information (e.g. pictures, videos, profiles, personal data, etc.), application access (e.g. Facebook Places or other applications where the user should agree with the access of that particular application to her personal data), or infrastructure for sending messages, invitations, updates, and posting comments which all deal with private information and data. Everything is done on the Facebook’s platform, which could host the users’ personal information on different servers inside or outside the EU.

The question is who has access to users’ personal data when uploaded and processed on Facebook? According to EU Data Protection Directive (DPD) the users have the right to know which personal data is stored and processed in regards at least to the online marketing advertisers that could be granted access to that data for advertising purposes, profiling, and delivery of targeted advertising. In addition, when a user delete her Facebook account, this operation is not done in real time, it has a delay and the account basically is not deleted but becomes inactive. For example, I ran a search under my name, and some entries showed pictures from my Facebook account that I deleted in the past. This shows that even if the users want to delete some information concerning his person, it would be still available on the Internet.  Furthermore, some entries generate pictures or names of my friends on Facebook by associating them with my Facebook account friends’ list.

In other words, even if a user asks for all of his personal data provided on Facebook to be removed, this most likely would not happen. Facebook claims that some users’ personal data would not be available to any other user on Facebook, but some personal information and data will be kept for technical reasons (such as to provide service to other users which are inter-connected with the account that was deleted).

Regarding the compliance with the EU DPD, it is not clear which rules and regulations could apply to cloud computing, as the cloud concept itself is “volatile” (continually changing). Cloud computing is subject to multiple jurisdictions as the information is moved from one server to another or is stored on different servers located in different geographical areas. Kumaraswany and Latif scholars asked: how does moving the private information to the cloud impact the current privacy compliance requirements?  Is information kept on the server, in the cloud or in a data center? These are questions that momentarily have no answer, at least in regards to how Facebook deals with, makes accessible, stores, and “floats” the users’ private data.

Who has the technical capabilities, jurisdiction and access to verify whether Facebook complies with these requirements?

For how long is the users’ personal data stored on its servers, cloud or in data centers?

According to the EU DPD, the user owns her personal data, but when this data is transferred and stored outside the EU, does the user still own her data?

How could a user enforce her right in this case?

If Facebook had provided the answers to these questions, there would be more transparency and less tensions regarding how users’ personal data is dealt with. The burden of proof regarding that the personal data is dealt with, stored, processed, and made available according to the EU DPD, falls on the provider’s shoulders, at least on an informal level when users are questioning more and more how their privacy is protected.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Do you think that cloud computing is a threat to privacy? Do you think that cloud computing is “out” of jurisdiction?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

Cloud computing and the Internet part I

October 12, 2011 1 comment

From the same series that aims to contribute to a better understanding regarding why privacy and personal data are so vulnerable in relation to the Internet and its adjacent services/platforms today, E-Crime Expert shows in two different posts (today and tomorrow), what cloud computing is and how it works.

According to Forrester, “Cloud Computing is buying Information Technology (IT) capacities and utilities as need for a utility provider”. Cloud computing is the IT capabilities delivered as an internet-based service, software or IT infrastructure by a service provider accessible through the Internet protocols and accessible from any terminal (e.g. computer or smartphone). These services could be accessible through pay-per-use, pay-as-you-go or the provider could support it from the revenue generate by advertising (e.g. Google docs). One of its main characteristics is customer self-service, which means that the customer needs no assistance in uploading, modifying, accessing her files, applications, documents, etc. It is accessible anytime and anywhere, and has instant scalability.

Cloud computing is delivered under three forms: software as a service (SaaS); Infrastructure as a service (IaaS) and Platform as a service (PaaS).

Software as a service is when someone needs, for example, to create a word document; the person goes on Google docs where the word processor is located and creates the document without having Microsoft Office installed on her computer. The document is created on the server by having access to Google docs, which is a software being used as a service.

Infrastructure as a service is when a business, for example, does not have the technical capabilities to store all its information in house and they need to store and access it on a server. That server is the host that provides service in storing the data. That service rents the infrastructure (e.g storage medium) to the client.

Platform as a service is when the provider offers facilities for application design, development, testing, computer coding or hosting. For example, GoDaddy is a platform service provider as it offers website hosting services to its clients. Another example related to this research is Facebook, which provides the platform for its clients to upload photos, videos, play games, send messages, etc.

Stay tunned for the second part of this blog tomorrow.

Any questions can be submitted to: dan@e-crimeexpert.com

Additional information can be found at: www.e-crimeexppert.com

Did you know what cloud computing is? Do you realize that already you are using it?

Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog.

%d bloggers like this: