Turning off Google location tracking may not be as simple as changing one setting to “off,” according to new research.
The unexpected Google location tracking behavior on Android and iOS devices was revealed by an Associated Press (AP) investigation and confirmed by computer science researchers at Princeton University. The issue was first raised in a blog post by K. Shankari, a graduate researcher at UC Berkeley, in May 2018. Shankari kept a log of prompts sent by Google to rate places or submit pictures to Google Maps, even though Google Location History was turned off on her device.
The AP investigation found that even with Google location tracking turned off, certain apps will take a timestamped snapshot of the user’s location and store that data when the user performs a search, opens Google Maps, or checks the weather.
The confusion stems from the different ways users have to control Google location tracking services. The Google Location History support page claims, “With Location History off, the places you go are no longer stored.” However, when turning off the Location History setting via a user’s Google My Activity page, a pop-up notes, “This setting does not affect other location services on your device, like Google Location Services and Find My Device. Some location data may be saved as part of your activity on other Google services, like Search and Maps.”
Turning off Google Location Services on a mobile device can cause apps to misbehave, so Google told the AP that the real fix for users would be to also turn off location tracking in Google’s “Web and App Activity” settings.
“Location History is a Google product that is entirely opt in, and users have the controls to edit, delete, or turn it off at any time. As the story notes, we make sure Location History users know that when they disable the product, we continue to use location to improve the Google experience when they do things like perform a Google search or use Google for driving directions,” a Google spokesperson wrote in an email.
Tim Mackey, technology evangelist at Synopsys, said this was an issue akin to saying “if my mother can’t figure out what it does, or how to turn it off, it’s too complicated.”
“The expectation of the consumer for an off switch is what matters most. Users who wish their location to be kept private indicate this preference through the Location History setting. That any given application might have independent settings for location related data is how an application developer or vendor approaches the problem,” Mackey wrote via email. “When we recognize that our digital footprint is effectively a personally identifying attribute, access to that attribute becomes more valuable. This is true for malicious actors who can use location information to determine not only patterns of behavior for their targets, but know when to best commit their crime. This is also true for law enforcement seeking to identify suspects following the commission of a crime. In each of these examples, the same location and identity data can be used for good or for ill to identify an individual.”
Apple plans to disable some Facebook web tracking capabilities in the next version of iOS and Mac operating systems.
At the Apple Worldwide Developers Conference (WWDC), the company’s senior vice president of software engineering Craig Federighi explained the new antitracking features that will be rolled out in the next iteration of Apple’s web browser Safari. The features are meant to prevent Facebook and other companies from collecting user data automatically.
Specifically, Federighi called out the “Like” and “Share” buttons that appear on countless websites. In order to use either of those buttons, or leave a comment in the comments section, the user has to be logged into Facebook. But even if the user doesn’t click on the buttons, they can still be used to track that person just because they loaded the webpage.
“We’ve all seen these like buttons and share buttons,” Federighi said on stage at WWDC. “Well, it turns out these can be used to track you, whether you click on them or not. So this year, we’re shutting that down.”
Facebook web tracking was called out specifically by Federighi, but Google has similar tracking abilities and will also be affected. Both Facebook and Google use web tracking to deliver targeted ads to users and collect data.
In the next version of macOS, Mojave, Apple will also disable what it calls “fingerprinting” by data companies. The companies collect information on the configuration of a particular device, including the fonts it has installed and the plug-ins that are enabled, to create a unique device profile and then use that to track the device from site to site.
“With Mojave, we’re making it much harder for trackers to create a unique fingerprint,” Federighi said. “We’re presenting webpages with only a simplified configuration system. We show them only built-in fonts. And legacy plug-ins are no longer supported, so those can’t contribute to a fingerprint. And as a result, your Mac will look like everyone else’s Mac, and it will be dramatically more difficult for data companies to uniquely identify your device and track you.”
In other news
The U.S. Department of Defense (DoD) is looking to purchase and set up a cloud browser for its employees. According to a request for information (RFI) from the Defense Information Systems Agency, the DoD intends to have its 3.1 million employees move to a cloud browser because the department believes it would be more secure to have employees browse the web via a remote server that operates outside the DoD network than to have it happen on their own devices. This is a technique the RFI called “cloud-based internet isolation” and has been gaining interest among enterprises. In 2017, security company Symantec acquired the company Fireglass with the intention of bolstering its browser isolation capabilities.
The email addresses and hashed passwords of 92 million users of the genealogy website MyHeritage were exposed in a data breach, according to the company. A security researcher found a file named ‘myheritage’ on a private server not connected to MyHeritage; it contained the email addresses and hashed passwords of users who had signed up before October 26, 2017, the date of the breach. In a statement, MyHeritage said the attackers do not have the actual passwords and that there was no evidence any of the information had been used. “We believe the intrusion is limited to the user email addresses. We have no reason to believe that any other MyHeritage systems were compromised,” the company wrote. MyHeritage said credit card data is stored with third-party providers and that DNA and family-tree data are kept on segregated systems, so they were not affected by the breach: “We have no reason to believe those systems have been compromised.” Hashed passwords can still be recovered by offline guessing, so affected users should still change their passwords.
The malware VPNFilter targets more devices than previously thought, according to updated research from Cisco Talos. VPNFilter was previously found to be infecting small office and home office routers and network-attached storage devices from several different vendors. Now, the researchers at Cisco Talos believe the malware is targeting more makes and models of those devices, and doing so with additional capabilities. The newly affected vendors are Asus, D-Link, Huawei, Ubiquiti, Upvel and ZTE, and additional models from the previously listed vendors Linksys, MikroTik, Netgear and TP-Link were added. VPNFilter also now has the ability to deliver exploits to endpoints behind the infected router by intercepting their web traffic in a man-in-the-middle attack. “With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports,” Cisco Talos’ William Largent wrote in the blog post detailing the new findings.
Privacy researchers warned that third-party tracking scripts are able to secretly steal user identities from browsers’ login managers.
Privacy researchers Gunes Acar, Steven Englehardt and Arvind Narayanan from Princeton University’s Center for Information Technology Policy found that a weakness in built-in login managers is abused by third-party tracking scripts on more than a thousand websites. The weakness exists in all major web browsers and stems from the way their credential autofill feature fills in login forms.
“First, a user fills out a login form on the page and asks the browser to save the login,” the researchers explained. “The tracking script is not present on the login page. Then, the user visits another page on the same website, which includes the third-party tracking script. The tracking script inserts an invisible login form, which is automatically filled in by the browser’s login manager. The third-party script retrieves the user’s email address by reading the populated form and sends the email hashes to third-party servers.”
The team found two services, Adthink and OnAudience, using these scripts. The researchers identified scripts from these services that gathered login information on 1,110 sites from the Alexa Top 1 Million sites list.
This method for stealing credentials through built-in browser login managers has been known for quite some time, but according to the researchers, it had previously only been used to collect login information during cross-site scripting attacks. In this case, there’s no evidence that passwords have been stolen — just usernames and email addresses.
The kicker with this particular attack method is users don’t even have to do anything for their information to be stolen. “Login form autofilling in general doesn’t require user interaction; all of the major browsers will autofill the username (often an email address) immediately, regardless of the visibility of the form,” the researchers wrote. “Chrome doesn’t autofill the password field until the user clicks or touches anywhere on the page. Other browsers we tested don’t require user interaction to autofill password fields.”
“Built-in login managers have a positive effect on web security: they curtail password reuse by making it easy to use complex passwords, and they make phishing attacks are [sic] harder to mount,” the Princeton team wrote. “Yet, browser vendors should reconsider allowing stealthy access to autofilled login forms in the light of our findings. More generally, for every browser feature, browser developers and standard bodies should consider how it might be abused by untrustworthy third-party scripts.”
In other news
Sound waves can disable hard disk drives and sabotage computers, CCTV systems, medical devices and more, according to a new study. Researchers from Princeton and Purdue University introduced the attack principle in a recent paper. The researchers blasted sound waves at hard drives from different angles to determine what frequency, placement and timing were needed to successfully disrupt the functions of the hard disk drive. They were successful on the four different Western Digital hard drives used in their experiments. When the sound wave hits the hard disk drive, it causes a denial of service that stops the device from working. The researchers disrupted hard disk drives found in DVRs used in CCTV systems, as well as desktop computers running the Windows 10, Ubuntu 16 and Fedora 27 operating systems. In the case of the DVR, the video recorded during the attack was permanently lost. While the attacks require specific circumstances — such as no human operators around to hear the sound and thus stop the attack — they could still potentially harm people whose medical devices depend on hard disk drives.
Ancestry.com has temporarily shut down portions of its community genealogy website RootsWeb after 300,000 user passwords, email addresses and usernames were exposed. Security researcher Troy Hunt alerted the company that he had found a file with the user data exposed on the public-facing internet. “Our Information Security Team reviewed the details of this file, and confirmed that it contains information related to users of Rootsweb’s surname list information, a service we retired earlier this year,” Ancestry.com CISO Tony Blackham wrote in a statement. Blackham said the exposed file contained the data of 300,000 users, and 55,000 of those users used the same information on another Ancestry website, though he didn’t explain what led to the file being exposed. “We believe the intrusion was limited to the RootsWeb surname list, where someone was able to create the file of older RootsWeb usernames and passwords as a direct result of how part of this open community was set up, an issue we are working to rectify,” Blackham said. “We have no reason to believe that any Ancestry systems were compromised. Further, we have not seen any activity indicating the compromise of any individual Ancestry accounts.”
Microsoft’s internal bug tracking system was hacked in 2013, and no one outside the company knew about the database breach until now, according to a Reuters report.
The breached database was accessible with just a password, according to five former employees. But after the database breach Microsoft added two-factor authentication, as well as other security measures to better protect the bug tracking system containing detailed descriptions of unpatched vulnerabilities in Microsoft software.
Shortly after reports surfaced in 2013 of a security incident at Microsoft, the software giant had stated only that a “small number” of computers had been infected with malicious software. However, it turns out that the database breach exposed details of critical — and unpatched — bugs in Windows and other Microsoft software.
The bugs documented in the breached database could have been used by threat actors to create exploits against the unpatched software, although the ex-employees told Reuters that a Microsoft investigation after the database breach failed to uncover any evidence that the vulnerability data had been used in any attacks on other organizations.
“The compromise of Microsoft’s database highlights that everyone is vulnerable to sophisticated intrusions,” Dmitri Alperovitch, co-founder and CTO at CrowdStrike, told SearchSecurity by email. “From the adversary perspective, having access to critical and unfixed vulnerabilities is the ‘holy grail.’ We may be seeing the ripple effects of this hack for some time and many businesses may end up suffering stealthy compromises.”
According to Reuters, the group behind the database breach was identified as Wild Neutron, also known as Morpho and Butterfly. The breach was discovered after the same group accessed systems at Apple, Facebook and Twitter. The Wild Neutron group, considered to be well-resourced and focused on financial gains, is not thought to be a state-sponsored threat actor.
This isn’t the first time a bug tracking system breach at a major software provider has been made public. In 2015, Mozilla announced that its Bugzilla bug tracking system had been accessed by an unknown attacker, who used at least one of the exposed vulnerabilities to carry out attacks on Firefox users.
In other news
The U.S. Department of Homeland Security has given federal agencies just 30 days to develop plans to enhance email and web security under a new binding operational directive (BOD). Under the directive, BOD 18-01, agencies have 90 days to deploy STARTTLS on all internet-facing mail servers and to begin deploying Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on SPF and DKIM to let receiving servers validate the sending domain and reject spoofed mail used in spam and phishing attacks. STARTTLS is a command added to SMTP and other application protocols that upgrades an established plaintext connection to Transport Layer Security (TLS); it is opportunistic, so mail is protected in transit only when both servers support it. Under the new BOD, agencies have 120 days to transition all web content to HTTPS, instead of HTTP, to drop support for the deprecated Secure Sockets Layer (SSL) versions 2 and 3, and to disable 3DES and RC4 ciphers on all web and mail servers.
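The checks BOD 18-01 asks agencies to perform are mechanical enough to script. The following is an added example (not DHS or agency tooling) that parses a DMARC TXT record, flags the deprecated protocol versions and cipher families the directive names, and reports a mail server that does not advertise STARTTLS. The DMARC records, protocol and cipher lists, and mail host name are constructed sample data; the cipher names follow OpenSSL's naming (OpenSSL lists 3DES suites as DES-CBC3-*). In a real run the inputs would come from DNS lookups and a TLS scanner, which this offline script does not perform.

```python
"""Offline checks for the BOD 18-01 mail and web hardening items.

Added example, not DHS/CISA tooling. Sample records and cipher lists are
constructed inline so the script runs without network access.
"""

# Deprecated protocol versions and cipher families the directive says to disable.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")  # OpenSSL names 3DES suites DES-CBC3-*


def parse_dmarc(txt_record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=mailto:...") into tags.

    Tags are separated by ';' and tag names are case-insensitive. Returns {}
    when the record does not start with v=DMARC1, because receivers ignore it.
    """
    tags = {}
    for part in txt_record.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def dmarc_findings(txt_record: str) -> list:
    """Return findings for a DMARC record; an empty list means nothing to fix.

    Monitoring (p=none with rua=) is the starting point; BOD 18-01's end state
    is an enforcing p=reject policy applied to the whole mail stream.
    """
    tags = parse_dmarc(txt_record)
    if not tags:
        return ["no valid DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy != "reject":
        findings.append(f"policy is p={policy}; p=reject is the end state")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    return findings


def tls_findings(protocols, ciphers) -> list:
    """Flag deprecated protocols and weak ciphers in a server's negotiable set.

    `protocols` and `ciphers` are the lists an admin pulls from the server
    configuration or a scanner; OpenSSL-style cipher names are assumed.
    """
    findings = [f"deprecated protocol enabled: {p}" for p in protocols if p in DEPRECATED_PROTOCOLS]
    for suite in ciphers:
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {suite}")
    return findings


def mail_findings(mx_host: str, starttls_advertised: bool) -> list:
    """STARTTLS check: the EHLO response must list STARTTLS, else mail is sent in cleartext."""
    return [] if starttls_advertised else [f"{mx_host}: STARTTLS not advertised in EHLO response"]


# Constructed sample data (not real agency records).
SAMPLE_DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
SAMPLE_DMARC_ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov; pct=100"
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for label, record in (("monitor-only", SAMPLE_DMARC_MONITOR_ONLY),
                          ("enforcing", SAMPLE_DMARC_ENFORCING)):
        print(label, dmarc_findings(record) or "OK")
    print("web/mail TLS", tls_findings(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS) or "OK")
    print("mail", mail_findings("mx1.example.gov", starttls_advertised=False) or "OK")
```

The TLS check only inspects what the server is willing to negotiate; disabling SSLv3 in the configuration but leaving RC4 suites in the cipher string still produces a finding, which is the failure mode the directive's 120-day item is aimed at.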
The U.S. Supreme Court will decide whether authorities can access data stored anywhere in the world. The case in question involves a warrant for emails believed to be connected to a narcotics investigation that were stored on a Microsoft server in Ireland. A warrant was issued for the emails in 2013, which Microsoft challenged in court. Brad Smith, president and chief legal officer at Microsoft, wrote in a blog post this week that Microsoft is contesting the warrant “because we believed U.S. search warrants shouldn’t reach over borders to seize the emails of people who live outside the United States and whose emails are stored outside the United States.” The Justice Department argues that because the data being demanded can be retrieved from Microsoft’s U.S. headquarters, the data must be turned over no matter where it is being stored.
Google added limited antivirus capability to Chrome for Windows this week. Citing the importance of preventing unwanted software from running on browsers, the ad giant announced three changes to Chrome for Windows that would help prevent unwanted software from taking over the browser. Philippe Rivard, product manager for Chrome Cleanup at Google, wrote that Google “upgraded the technology we use in Chrome Cleanup to detect and remove unwanted software,” working with antivirus and internet security vendor ESET to integrate its detection engine with Chrome’s sandbox technology. Chrome is now able to detect when an extension attempts to change user settings, a tactic that malicious software sometimes uses to take control of the browser by manipulating search engine results to steer users to malicious sites. The other major change was a simplified method for removing unwanted software using Chrome Cleanup.
Microsoft wants Office 365 administrators tracking every new feature and update that it puts out, but that’s not as easy as it sounds.
The cadence of releases for a cloud-hosted product can be a perk, with a steady arrival of innovative tools and functionality. But it can also be a pain, particularly if Microsoft deprecates a component that a business needs.
On its Office 365 roadmap website, Microsoft lists more than 200 features in development, rolling out or recently launched. New or upcoming features range from Advanced Threat Protection Status — which reports on the malware that ATP catches — to an option for users to delay or choose when Office 365 sends their message. As Microsoft expands Office 365 into a security, collaboration, cloud storage, private branch exchange and communication suite, IT admins must stay updated on the latest changes on the platform and alert users on the availability of new apps and features.
These Exchange and Office 365 experts — all TechTarget contributors — offered their insights on how Office 365 administrators can adapt to Microsoft’s constant changes and their experiences with how businesses handle the twists and turns of the Office 365 roadmap.
Perils of constant change
Michel de Rooij
Many organizations use ITIL-based (IT Infrastructure Library) change processes to implement new Office 365 features, which can be problematic because of the service’s rapid rollouts. Instead, look to Microsoft’s Office Insider program, with its fast and slow update rings, to bring updates into your business at the right pace.
Editor’s note: Microsoft’s Office Insider program allows Office 365 subscribers to receive early access to new features that they can test out and provide feedback on.
Let a few power users and IT operate on the fast ring to try out new features, but remember that those updates might never arrive based on your region. For example, I still haven’t received Focused Inbox in Outlook 2016, despite running First Release in Office 365 and Insider Fast for Office 2016. Microsoft sometimes pulls features, which happened to the automatic creation of groups for delegates. Also, Microsoft can turn new features on by default, often without administrative controls. An organization that signs up for these early releases needs to be comfortable with a certain amount of unpredictability.
Finally, Microsoft seems to push for certain features that its customers do not care for, such as the option to create Office 365 Groups when you actually want to create distribution groups.
It’s difficult for email and collaboration tool admins to act proactively against the sudden changes in Office 365’s roadmap, but they should always provide feedback to Microsoft when they have strong opinions about features. Administrator pushback caused Microsoft to pull the change for automatic creation of groups for delegates. There will be discrepancies between what the software provider develops and what customers are comfortable with or actually use.
Keep track of the Office 365 roadmap for changes, both for planned updates and those in development — the latter might arrive sooner than you think.
For more from Michel de Rooij, please visit his contributor page.
Users want the latest and greatest
Office 365 changes constantly. Users will hear about new features and demand training for them. Administrators have to adapt, and they might even block new features from end users until IT can thoroughly test these updates. But admins cannot restrict the flow of enhancements as a long-term solution; users will still want to get what’s new. The IT staff needs to consider what users want while it evaluates whether these features provide a tangible benefit to the company.
New features can also be disruptive after organizations adopt and master them, if the service changes. For example, Microsoft offered a free version of its cloud-based business analytics Power BI feature, but some of its capabilities — such as dashboard sharing — disappeared when a new edition superseded the old. Early adopters of Power BI had to choose between a trial or the paid version — or lose the capability altogether.
There are risks, but Office 365’s constant updates can benefit those who plan ahead. Microsoft helps IT departments implement and adopt platform features with its free FastTrack service. FastTrack ensures the IT team uses best practices with Office 365 and also provides technical assistance with implementation of its services.
For more from Reda Chouffani, please visit his contributor page.
Keep an eye on the roadmap
Microsoft’s Office 365 roadmap site lets administrators understand what lies ahead for significant service and feature updates. This roadmap is split into five categories: in development, rolling out, launched, previously released or canceled. To avoid issues, administrators need to check the roadmap regularly for new items that might affect their Office 365 deployment. This gives them the early visibility required to commence high-level planning.
As new features on the roadmap near rollout, Microsoft posts announcements to the Message Center, which can be found within the main Office 365 administration portal. The Message Center also contains dated announcements about changes and actions that prevent or fix issues. Announcements contain a short description of the feature or issue, information on how it will affect the organization, actions to prepare for the update and a link to more detailed information. It is vital that administrators check Message Center posts often to be fully prepared for the imminent changes. Some actions must be completed by a specific date to avoid problems.
Admins can configure Office 365’s tenant release option to manage how the platform pushes out new features. An organization selects the First Release option to receive new features early. Admins can then choose to release those features to the entire organization or just specific users. Alternatively, the Standard Release option means that new features come via the default release schedule.
For more from Neil Hobson, please visit his contributor page.