[access-uk] BBC News - Web attack knows where you live

  • From: Colin r. Howard <colin@xxxxxxxxx>
  • To: access-uk@xxxxxxxxxxxxx
  • Date: Wed, 04 Aug 2010 15:44:44 +0100

From: "David Pardy" <pardy@xxxxxxxxxxxx>
Date: Wed, 4 Aug 2010 08:46:36 +0100

Here's what may be considered a worrying development.

http://www.bbc.co.uk/news/technology-10850875
**From Colin**

Text from site pasted below.

3 August 2010 Last updated at 11:18 

Web attack knows where you live

The attack exploits the way routers handle requests for ID information

One visit to a booby-trapped website could direct attackers to a person's
home, a security expert has shown.

The attack, thought up by hacker Samy Kamkar, exploits shortcomings in many
routers to find out a key identification number.

It uses this number and widely available net tools to find out where a
router is located.

Demonstrating the attack, Mr Kamkar located one router to within nine metres
of its real world position.

'Creepy' attack

Many people go online via a router and typically only the computer directly
connected to the device can interrogate it for ID information.

However, Mr Kamkar found a way to booby-trap a webpage via a browser so the
request for the ID information looks like it is coming from the PC on which
that page is being viewed.

He then coupled the ID information, known as a MAC address, with a
geo-location feature of the Firefox web browser. This interrogates a Google
database created when its cars were carrying out surveys for its Street View
service.

The attack uses data gathered by Google's Street View cars

This database links MAC addresses of routers with GPS co-ordinates to help
locate them. During the demonstration, Mr Kamkar showed how straightforward
it was to use the attack to identify someone's location to within a few
metres.

"This is geo-location gone terrible," said Mr Kamkar during his
presentation. "Privacy is dead, people. I'm sorry."

Mikko Hypponen, senior researcher at security firm F Secure, attended the
presentation and said it was "very interesting research".

"The thought that someone, somewhere on the net can find where you are is
pretty creepy," he said.

"Scenarios where an attack like this would be used would be stalking or
targeted attacks against an individual," he added.

"The fact that databases like Google Streetview's MAC-to-Location database
or the Skyhook database can be used in these attacks just underlines how
much responsibility companies that collect such data have to safeguard it
correctly," said Mr Hypponen.

Mr Kamkar detailed the attack during a presentation at the Black Hat hacker
conference. In 2005, Mr Kamkar created a worm that exploited security
failings in web browsers to garner more than one million "friends" on the
MySpace social network in one day.

Prosecuted for the hack, Mr Kamkar was given three years' probation, did 90
days of community service and paid damages. He was also banned from using
the net for personal purposes for an undisclosed amount of time.



This email has been sent to you by Colin Howard, who lives in a small place 
about 8 miles east of Southampton in Southern England.