Google Helps Police Identify Devices Close to Crime Scenes Using Location Data


It’s no secret that Google tracks you everywhere, even when you keep Google’s Location History feature disabled.

As revealed by an Associated Press investigation in 2018, other Google apps like Maps or the daily weather update service on Android allow the tech giant to continuously collect your precise latitude and longitude.

According to Google, the company uses these location-tracking features to improve its users’ experience, like “personalized maps, recommendations based on places you’ve visited, help finding your phone, real-time traffic updates about your commute, and more useful ads.”

Moreover, it’s also known that Google can share your location data with federal authorities in criminal investigations when served with a warrant.

Google ‘SensorVault’ Database Helps Police Solve Crimes

But what many people weren’t aware of is that Google also helps federal authorities identify crime suspects by sharing the location history of all devices that passed through crime scenes over a certain time period.

It should be noted that Google doesn’t share the personal information of all nearby users; instead, it asks the police to first analyze the location history of all users and narrow the results down to a few selected users, and only then do they receive names, email addresses, and other personal data from Google.

A new in-depth report from The New York Times revealed that Google has maintained a database, known internally as Sensorvault, for nearly a decade. It contains detailed location records from hundreds of millions of phones around the world, and Google shares it with authorities nationwide who hold warrants to mine it to help in criminal cases.

According to several unnamed Google employees cited in the report, such requests to dive into Google’s Sensorvault database have spiked in the last six months, with the company receiving as many as 180 requests in just one week.

How Does Law Enforcement Use Google SensorVault Database?

To seek location data, law enforcement needs to get a so-called “geofence” warrant.

Below, I have tried to illustrate step by step how Google shares location data when “legally” required:

  • The authorities reach out to Google with a geofence warrant, looking for smartphones Google recorded around the crime scene.
  • After receiving the warrant, Google gathers location information from its Sensorvault database and sends it to investigators, with each device identified by an anonymous ID code rather than its actual identity.
  • Investigators then review the data, look for patterns among the devices near the crime scene, and request from Google further location data on the devices that appear relevant, to see how those devices moved beyond the original area defined in the warrant.
  • When investigators narrow results to a few devices, which they think may belong to suspects or witnesses, Google reveals the real name, email address and other data associated with the devices.

The NYT report explained the entire process using a case in which federal agents requested location data to investigate a string of bombings around Austin, Texas.

Federal agents first used this technique of catching criminals in 2016, and it has since spread to local departments across the country, including in California, Florida, Minnesota, and Washington.

While the technique has been proven to work, it’s not a foolproof way to catch criminals.

Some cases highlighted by the NYT report showed how police used this data to accuse innocent people, with one man jailed for a week last year in a murder investigation after being recorded near the killing location and then released after investigators pinpointed and arrested another suspect.

It’s no surprise that law enforcement seeks help from tech companies during criminal investigations, but the use of location history databases like Sensorvault has raised concerns… concerns about the privacy of users… concerns about data collection… concerns about innocent people being accused and implicated.


Apache Tomcat Patches Important Remote Code Execution Flaw


The Apache Software Foundation (ASF) has released new versions of its Tomcat application server to address an important security vulnerability that could allow a remote attacker to execute malicious code and take control of an affected server.

Developed by ASF, Apache Tomcat is an open source web server and servlet container that implements several Java EE specifications, such as Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, to provide a “pure Java” HTTP web server environment for Java code to run in.

The remote code execution vulnerability (CVE-2019-0232) resides in the Common Gateway Interface (CGI) Servlet when running on Windows with enableCmdLineArguments enabled and occurs due to a bug in the way the Java Runtime Environment (JRE) passes command line arguments to Windows.

Since the CGI Servlet is disabled by default and its option enableCmdLineArguments is disabled by default in Tomcat 9.0.x, the remote code execution vulnerability has been rated as important and not critical.

In response to this vulnerability, the CGI Servlet enableCmdLineArguments option will now be disabled by default in all versions of Apache Tomcat.

Affected Tomcat Versions

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93

Unaffected Tomcat Versions

  • Apache Tomcat 9.0.18 and later
  • Apache Tomcat 8.5.40 and later
  • Apache Tomcat 7.0.94 and later

Successful exploitation of this vulnerability could allow a remote attacker to execute an arbitrary command on a targeted Windows server running an affected version of Apache Tomcat, resulting in a full compromise.

The vulnerability was reported to the Apache Tomcat security team by a security researcher (not named by the Apache Software Foundation) on 3 March 2019 and was made public on 10 April 2019 after the ASF released the updated versions.

This Apache vulnerability has been addressed with the release of Tomcat version 9.0.19 (though the issue was fixed in Apache Tomcat 9.0.18, the release vote for the 9.0.18 release did not pass), version 8.5.40 and version 7.0.93.

Administrators are strongly advised to apply the software updates as soon as possible. If you are unable to apply the patches immediately, you should ensure that the CGI Servlet initialisation parameter enableCmdLineArguments is set to false.
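The check recommended above can be automated. The following Python audit is an added example, not code from the Apache Tomcat project or the original article: it reads a Tomcat web.xml and a version string, and reports whether the CGI Servlet is declared with enableCmdLineArguments in effect on an affected release. The sample web.xml is constructed, and treating a missing parameter as enabled on affected 7.0.x and 8.5.x releases is an assumption drawn from the article's statement that only 9.0.x had it disabled by default.

```python
import re
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"
# Last affected patch level per branch, taken from the version lists above.
LAST_AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}
# Constructed sample: a web.xml with the CGI servlet and the risky option on.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<servlet><servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param><param-name>enableCmdLineArguments</param-name>
<param-value>true</param-value></init-param></servlet></web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def version_affected(version):
    """True if the Tomcat version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: " + version)
    major, minor, patch = map(int, m.groups())
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and patch <= last

def cgi_cmdline_args(web_xml, version):
    """None if no CGI servlet is declared, else the effective option value."""
    root = ET.fromstring(web_xml)  # commented-out servlets are ignored
    for servlet in (e for e in root.iter() if local(e.tag) == "servlet"):
        fields = {local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != CGI_CLASS:
            continue
        for param in (c for c in servlet if local(c.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "enableCmdLineArguments":
                return kv.get("param-value", "").lower() == "true"
        # Assumption: among affected releases only 9.0.x defaults to false.
        return version_affected(version) and not version.startswith("9.")
    return None

def audit(web_xml, version):
    enabled = cgi_cmdline_args(web_xml, version)
    if enabled is None:
        return "ok: CGI servlet not declared"
    if not enabled:
        return "ok: enableCmdLineArguments is false"
    if version_affected(version):
        return "EXPOSED if on Windows: upgrade or set the option to false"
    return "warn: enableCmdLineArguments is true on a fixed release"
```

Run it against conf/web.xml and every application's WEB-INF/web.xml, since the servlet can be declared in either place.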


Hackers Compromise Microsoft Support Agent to Access Outlook Email Accounts


If you have an account with Microsoft Outlook email service, there is a possibility that your account information has been compromised by an unknown hacker or group of hackers, Microsoft confirmed.

Earlier this year, hackers managed to breach Microsoft’s customer support portal and access information related to some email accounts registered with the company’s Outlook service.

Yesterday, a user on Reddit publicly posted a screenshot of an email he received from Microsoft warning that unknown attackers were able to access some information of his Outlook account between 1 January 2019 and 28 March 2019.

Another user on Reddit also confirmed that he/she too received the same email from Microsoft.

According to the incident notification email, attackers were able to compromise the credentials of one of Microsoft’s customer support agents and used them to gain unauthorised access to some information related to the affected accounts, but not the content of the emails or attachments.

The information that a Microsoft customer support agent can view is limited to account email addresses, folder names, subject lines of emails, and the names of other email addresses you communicate with.

“Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used,” the company says in the email.

It should be noted that the attackers had an alternative window, i.e., access to a customer support account, which let them partially look inside the affected email accounts without actually having to log into each account, so even two-factor authentication was not able to protect users’ accounts.

At this time, it is not clear how the attackers were able to compromise the Microsoft employee, but the tech company confirmed that it has now revoked the stolen credentials and started notifying all affected customers.

In an email to a Verge reporter, Microsoft verified the authenticity of the notification email and confirmed the breach, saying:

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access.”

However, Microsoft did not disclose the total number of accounts affected by the incident.

Although the breach did not directly impact your email login credentials, Microsoft recommended that users still consider resetting the passwords for their Microsoft accounts just to be on the safer side.

“Microsoft regrets any inconvenience caused by this issue,” the company says. “Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.”


Russia Fines Facebook $47 Over Citizens' Data Privacy Dispute


Yes, you read that right!

Russia has fined Facebook 3,000 rubles, roughly $47, for not complying with the country’s controversial Data Localization law.

It’s bizarre and unbelievable, but true.

In December last year, Russian Internet watchdog Roskomnadzor sent notifications to Twitter and Facebook asking them to provide information about the location of servers that store the personal data of its citizens.

Roskomnadzor – also known as the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications – is the Russian telecommunications watchdog that runs a huge blacklist of websites banned in Russia.

Though the social media platforms had one month to reply, they chose not to disclose this information, as a result of which Moscow’s Tagansky District Court imposed a 3,000-ruble fine on Twitter last week and the same on Facebook today.

The fine is the minimum that Russian courts can impose on companies for violating Article 19.7 of the Administrative Code of the Russian Federation, i.e., failure to provide information. The maximum amount of the fine under this article is 5,000 rubles.

In July 2014, Russia approved amendments to the Russian Personal Data Law, which came into force on 1 September 2015, under which foreign tech companies were required to store the personal data of Russian citizens within the country’s borders.

Although the fine imposed on Facebook and Twitter may seem like nothing, further refusal to comply with the country’s data localization law could result in much more serious repercussions, such as Russia banning the social media companies, just as it banned LinkedIn in late 2016.

Russia is not the first country to enforce such a law on foreign tech companies. In May 2016, Iran also imposed new regulations requiring all foreign messaging and social media apps to move ‘data and activity’ associated with Iranian citizens onto servers in Iran within one year.

China also passed amendments for data localization in late 2016 that would force “critical information infrastructure operators” to store its citizens’ data within the nation’s borders.
