To: <"Undisclosed-Recipient:;"@gold.pobox.com> Subject: Fw: BBC News - Web attack knows where you live (update) From: "Dave Pardy" <pardy@xxxxxxxxxxxx> Date: Wed, 4 Aug 2010 16:21:01 +0100 One of my really computer literate friends was onto this already & came up with the following information - Dave Dave, On 4 Aug 2010, at 08:46, David Pardy wrote: Here's a worrying development - D I could do with a bit more information on this topic. I rather think something like it has come up before. There is mention of geo-location on the Firefox help site (see http://tinyurl.com/34ma83o), but I'm not sure how relevant this is. Q&A 1: 23 of Sep, 200923 of Sep, 2009 Can someone please tell me just how toggling the geo location setting to false is supposed help my browsing ? Is it supposed to hide my IP address from the world or not ? At a forum I belong to, one of the members has a little utility that spits your location info back at you via your IP address. The utility is run by a company called IP2Location.com. Now, even after I toggled my geo location setting to false AND started a private browsing session, this utility still picked up my IP address and had me pegged in seconds. 08 of Jun, 2010 A Web server will ALWAYS have access to your source IP. If that website has some code to map your location based on your Source IP, this has NOTHING to do with FireFox's Geo Location Services. That same website can identify your location if you were running IE5. If you really want to "hide" your source IP, you need an Anonymous Proxy. The FireFox GeoLocation service is meant to work in conjunction with websites where you WANT to provide your location for such things as localized search results, local maps, Google Latitude and similar friend tracking functions, etc. Q 2 (not yet answered): 03 of Aug, 2010 This BBC news article http://www.bbc.co.uk/news/technology-10850875 says that Samy Kamkar has found a way to use the geo-location facility within Firefox to find out where you live. It does not take much imagination to see the use criminal hackers can make of this newly exposed security flaw. Therefore, does Firefox plan to do anything about this flaw and if so then how soon will it be fixed? There are a number of other similar queries, but nobody seems to have mentioned the router in this context. And I'm not sure, investigating further, that it's relevant anyway. However, one of the reportsI found says: First of all he tricked the user he wanted to locate the whereabouts of, into visiting a booby trapped website he had already set up, and once they clicked on that link, Kamkar demonstrated how he can use Google?s tools to reveal the exact location of that user. Even I cannot get my Media Access Control (MAC) address from my router without the password. (I I know a lot of people leave their routers with the default password.) I wonder if all this implies that someone else can? One article says: Web users whose MAC addresses has been logged by the cars and have not changed the default password for the router are at risk. Another says: Of course, a few things have to happen for the attack to work. First, the router needs to be set to use the default administrative password, or it needs to be a model that doesn't require credentials to access its system information page. (Second), the router's MAC address must already have been recorded by Google's ubiquitous fleet of Street View cars, which roam the earth snapping pictures and sniffing select Wi-Fi data. It would be interesting to see if my MAC address is known to the Google database, but I've no idea how to find this out. Hopefully it is not, because I suspect that the cars only gleaned information from routers that were using WiFi that exposed their presence. You may like to visit http://www.google.com/privacy-lsf.html and http://tinyurl.com/2al368o. However, one of the reports very sensibly observes: Kamakar described the tactic as ?Geo-location gone terrible?. That said, targets would have to be using a recent, geolocation-enabled browser and have the feature enabled. They?d also need to have a stalker with hacking skills after them. While it?s frightening to think this might happen, chances are you can relax safe in the knowledge that nobody is likely to be that interested in tracking you down ? and even if they are they probably don?t have access to this hack. I'm afraid this isn't all that clearly set out, but I suspect that I will continue to sleep easy at nights... John. This email has been sent to you by Colin Howard, who lives in a small place about 8 miles east of Southampton in Southern England. ** To leave the list, click on the immediately-following link:- ** [mailto:access-uk-request@xxxxxxxxxxxxx?subject=unsubscribe] ** If this link doesn't work then send a message to: ** access-uk-request@xxxxxxxxxxxxx ** and in the Subject line type ** unsubscribe ** For other list commands such as vacation mode, click on the ** immediately-following link:- ** [mailto:access-uk-request@xxxxxxxxxxxxx?subject=faq] ** or send a message, to ** access-uk-request@xxxxxxxxxxxxx with the Subject:- faq