Information Security News|Cyber Security|Hacking Tutorial https://www.securitynewspaper.com/ Information Security Newspaper|Infosec Articles|Hacking News Wed, 04 May 2022 18:16:43 +0000

Tractors and agricultural trucks stolen from Ukraine by Russian troops were remotely blocked by the manufacturer https://www.securitynewspaper.com/2022/05/04/tractors-and-agricultural-trucks-stolen-from-ukraine-by-russian-troops-were-remotely-blocked-by-the-manufacturer/ Wed, 04 May 2022 18:16:39 +0000

A Ukrainian businessman claims that a group of Russian military personnel in the city of Melitopol, Ukraine, stole all the equipment from an agricultural machinery dealership in order to send it to Chechnya. However, the Russian soldiers were unable to advance more than 700 miles, as the stolen equipment was blocked using a remote access feature.

Over the past few weeks, agricultural equipment, construction materials and grain collected by farms in Ukraine have been reported stolen. In this case, equipment made by John Deere was reportedly stolen and transported by Russian troops in the Ukrainian city, occupied since the end of March.

According to the informant in an interview with CNN, Russian soldiers forcibly seized tractors, trucks and crops worth up to $5 million USD. The informant claimed that military trucks with the letter “Z” painted on the front entered the looted facilities for days.

Some of the stolen machinery was sent to a village on the outskirts of Melitopol, while another part of the loot was shipped overland to Chechnya, on a journey of more than 700 miles. However, the Russian soldiers were unaware that the stolen units were equipped with a GPS locator, which allowed the owners to follow in detail the route traced by the Russians.

The stolen equipment could also be controlled remotely, so during the journey to Chechnya the harvesters, tractors and trucks simply stopped working and it was impossible to move forward. Apparently, Russian soldiers decided to leave these machines on a farm near Grozny, at least until they find a way to evade this remote control mechanism.

Although the manufacturer and owners of the stolen machinery appear to have thwarted this heist at least momentarily, the looting of farms by Russian troops in Ukraine is already a widespread practice. Last week, the mayor of Melitopol posted a video showing a convoy of trucks leaving the city and allegedly loaded with thousands of tons of grain produced by Ukrainian farmers: “The stolen grain is sent to Crimea,” the mayor says.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

AirGuard: Free Android app allows users to detect if they are being spied on using an Apple AirTag https://www.securitynewspaper.com/2022/02/28/airguard-free-android-app-allows-users-to-detect-if-they-are-being-spied-on-using-an-apple-airtag/ Mon, 28 Feb 2022 18:07:33 +0000

Cybersecurity specialists published a report describing how AirGuard, an Android application, allows users of this operating system to detect an Apple AirTag device potentially used for malicious purposes.

Launched in April 2021, this device allows iPhone users to track their devices through the Find My service. However, it has been reported on multiple occasions that malicious users can use them to track a person without permission, stealthily hiding them in a backpack, clothing or any other similar place.

Despite Apple’s efforts to counter malicious use of these devices, this remains a severe problem, especially when the tracked user does not have a tool to detect an Apple device from the abusive behavior patterns established by the company.

In 2021 Apple launched the Tracker Detect app for Android users, which would inform users that there is an AirTag enabled in a nearby location. However, the app only informs users if they are being tracked, so it is not really a reliable tool.

The researchers decided to reverse engineer iOS tracking detection to better understand its inner workings and then designed the AirGuard app, which automatically detects passive tracking activity and works with all Find My accessories in addition to the AirTag.

The app was launched at the end of 2021 through the official Google Play Store platform and already has about 120,000 users. With this tool it will be possible to detect all the devices of the Find My family, including the AirTags modified for tracking and espionage purposes.

The app will also be able to detect any AirTag placed in a car, which can prove difficult even for other tools from Apple itself. Finally, the researchers acknowledge that the main weakness during their testing is the limited scanning opportunities on the Android operating system, so the scope of the search could be limited.

“Geofence warrant” allows police to obtain location data from Google users near crime scenes and arrest them https://www.securitynewspaper.com/2022/02/08/geofence-warrant-allows-police-to-obtain-location-data-from-google-users-near-crime-scenes-and-arrest-them/ Tue, 08 Feb 2022 17:13:40 +0000

In a tech application that looks like something out of a sci-fi movie, the Federal Bureau of Investigation (FBI) resorted to a court order to gain access to all Android devices located near the Seattle police union building on the afternoon of August 24, 2020, when representatives of the Black Lives Matter (BLM) social movement tried to start a fire in the building, forcing the evacuation of all personnel.

According to the report, the investigative agency resorted to the so-called “geofence warrant” to force Google to hand over information about devices using its popular mobile operating system, located in the area at the time of the attack.

During the investigation of the incident, an officer stated that it all began at almost midnight, when two unidentified suspects caused intentional damage to the building using homemade explosives: “Based on this information, we believe there is probable cause to seek information in Google’s possession and related to devices located near the scene of the incident.”

In the order, Google is required to hand over location history data, including GPS data and information related to visible WiFi points and Bluetooth packets transmitted from these devices to Google, determining the devices within reach of the investigation using the coordinates, date and times provided by the FBI.

For obvious reasons, privacy activists expressed concern, believing that Google should not be able to hand over these confidential records to law enforcement without a clear case and as an attempt to locate potential suspects.

These kinds of measures can cause anyone located around a crime scene to be considered a suspect; if your mobile device shows any indication of this, the authorities can send you a subpoena and even request full access to the information stored on your smartphone.

A Google spokesperson said, “As with any other legal request, we have a rigorous process that is designed to protect the privacy of our users while supporting the important work of law enforcement,” though it has not been confirmed whether the FBI will have access to the desired information.

Silent AirTags with no speakers are being used for stalking https://www.securitynewspaper.com/2022/02/03/silent-airtags-with-no-speakers-are-being-used-for-stalking/ Fri, 04 Feb 2022 00:27:01 +0000

A couple of years ago Apple launched the AirTag, a gadget that users could link to their mobile devices in order to prevent theft or loss; when someone can’t find their iPhone, iPod or iPad, the AirTag will start making a sound to tell the user its location. This could be really useful in certain circumstances, but infamous individuals can also use this gadget for malicious purposes.

According to a recent report, modified AirTags from which the built-in speakers have been removed can be found online, which would allow unsuspecting users to be spied on without even being able to identify signs of harmful activities. These “silent AirTags” are available for less than $80 USD.

While the seller of these devices, active on the e-commerce website Etsy, claims that this modification is intended to help users find the devices without attracting the attention of potential thieves, this has undoubtedly been a cause for concern for cybersecurity experts, including director of cybersecurity at the Electronic Frontier Foundation Eva Galperin.

The specialist is concerned that these modified AirTags can be easily abused for other nefarious ends, leaving a potential victim exposed to having their location tracked: “Any similar item could also be used to harass people,” Galperin says.

This is not a new practice, as you can even find online tutorials in text and video on how to disable the speakers on an AirTag simply by performing a small drill under the battery of the device, although this requires some skill and experience.

The concerns are legitimate, although Apple had already taken some action on the matter before; iPhone users can receive a notification in case they find a modified AirTag, plus Apple also developed an Android app with which users of any non-iOS device can scan around them for a hidden AirTag.

At the time of writing, this item had already been removed from the Etsy website.

How to create a fake website to get anybody’s accurate GPS location on iOS, android and Windows https://www.securitynewspaper.com/2021/04/09/how-to-create-a-fake-website-to-get-anybodys-accurate-gps-location-on-ios-android-and-windows/ Fri, 09 Apr 2021 22:20:55 +0000

The use of phishing websites is one of the most common hacking techniques, as it is highly functional for threat actors to collect a lot of information from their targets. However, many people still are unaware that using similar techniques, more information can be collected from a user, including detecting their precise location.

MapEye is a simple tool in which a kind of phishing website can be placed to extract the location data of an unsuspecting user. According to the ethical hacking experts of the International Institute of Cyber Security (IICS), it is sufficient for the target user to click on a text box to extract confidential details, including:

  • Latitude and longitude, with a high degree of precision
  • Height (not always available due to users’ device settings)
  • Scroll direction, only available if the user is moving
  • Speed, available only if the user is moving

In addition to these details, MapEye also allows you to intercept some details of the user’s device without having to obtain additional permissions. Ethical hacking experts point out that this tool can even be used in fraudulent campaigns.

As usual, we remind you that this manual was prepared for entirely academic and demonstration purposes, so IICS is not responsible for the misuse that may be given to this tool.

INSTALLATION

In order to install, enter the following commands:

git clone https://github.com/bhikandeshmukh/MapEye.git
cd MapEye
apt update
apt install python3 python3-pip php
pip3 install requests

If used in Termux, enter the following commands:

git clone https://github.com/bhikandeshmukh/MapEye.git
cd MapEye
pkg update
pkg install python php
pip3 install requests

USE

According to ethical hacking experts, the simplest method to get started with MapEye is to enter:

python3 mapeye.py -h

USAGE EXAMPLES

In the first terminal, enter:

python3 mapeye.py -t manual

In the second terminal, start a tunnel service such as ngrok:

./ngrok http 8080

OPTIONS

Output KML file for Google Earth

python3 mapeye.py -t manual -k <filename>

Use a custom port

python3 mapeye.py -t manual -p 1337
./ngrok http 1337

Critical vulnerability in Shazam exposes over 100 million users’ location data https://www.securitynewspaper.com/2021/01/19/critical-vulnerability-in-shazam-exposes-over-100-million-users-location-data/ Tue, 19 Jan 2021 20:26:13 +0000

A British security specialist reported finding a critical vulnerability in Shazam, the popular music recognition app, which would allow threat actors to extract a user’s location data by sending a malicious URL. The flaw lies in the app for iOS and Android.

As you may remember, this application can identify the name of songs, movies and TV shows using a small audio sample captured by the microphone of the device thanks to the “deeplink” technology. The expert mentions that the flaw exists because an exported deeplink that loads websites into a Shazam-integrated browser does not validate its parameters correctly, which could lead to the compromise of the application.

[Image. SOURCE: Ash King]

Malicious hackers could exploit the flaw by sending a malicious URL that will be opened by Shazam when the target user clicks on the received link. Shazam will then open WebView, its built-in browser, and run the payload, resulting in sending the device’s location data to an attacker-controlled server.

At the time of its patching, the flaw could have affected Shazam’s more than 100 million users. The vulnerability was fixed after Apple acquired the app, although it was mentioned that the company did not consider this report to meet the requirements set out in its bug bounty program, so the researcher was not compensated.

By taking his report to Google, the researcher received a similar response: “Google does not consider location data leaking as a serious security risk,” the expert said. However, the company mentioned through the Play Store that users could see their location data exposed if they did not use the latest version of Shazam.

After TikTok, Untappd a social drinking app is leaking the location details of US military https://www.securitynewspaper.com/2020/05/19/after-tiktok-untappd-a-social-drinking-app-is-leaking-the-location-details-of-us-military/ Tue, 19 May 2020 16:08:35 +0000

U.S. Army members are being affected by a security flaw… again. This time, the incident is related to Untappd, an app to share beer photos and check-in bar visits. A group of researchers used publicly accessible data in the app to find the identity of users. This investigation did not require any hacking, so it is considered a serious error from the developers.

Bellingcat experts, self-described as a collective of independent researchers and journalists, were able to determine where multiple Untappd users live, work and drink beer, also discovering that many are members of the U.S. Army. Investigators found photos of military IDs, documents and equipment completely exposed.

This is not the first time an app has unintentionally exposed too much information. Previously, researchers found that Strava, a route tracking app for cyclists, also posed a safety risk to its users. In the case of Untappd, users are invited to check in at various places, record the beers they have tasted and share their experience with other alcohol enthusiasts.

Although this seems like a harmless activity, the investigation demonstrates a risky scenario: “Using this data we were able to trace the identity of a drone pilot, in addition to a list of the military bases you visited recently. We also found a naval officer who visited the Pentagon facility several times, as well as an intelligence officer.” According to the report, this is achieved by cross-referencing the records in Untappd with other platforms, something very easy for anyone with the necessary knowledge.  

In other words, any threat actor could compromise the privacy of Untappd users because of the way the app manages publicly accessible data, which could lead to disastrous scenarios. The company was questioned about it, but has not made an official statement so far.

While this is an undesirable situation, experts note that it would be inaccurate to claim that this happens due to malicious practices of the company. By analyzing Untappd, the researchers concluded that the app works as the developer company expects; the point is that users have also contributed, posting photos of fighter jets or military equipment, making them easier to identify in this investigation.

One way to mitigate these kinds of risks is to consider how necessary it is for users to register their location on online platforms, because sometimes this information is all hackers need to start an attack. Disabling GPS from mobile devices when not needed is a good measure to limit these activities.

Universities force students to install location tracking apps to check if they attend classes or not https://www.securitynewspaper.com/2020/01/29/universities-force-students-to-install-location-tracking-apps-to-check-if-they-attend-classes-or-not/ Wed, 29 Jan 2020 22:40:21 +0000

Technology has multiple applications in the field of education, which allows improving learning processes, although it cannot force students to attend their classes, at least not until now. According to data protection experts, the University of Missouri has asked its student-athletes to participate in a program that involves using location tracking software to verify whether these future professional athletes are attending their classes.

Facing criticism related to student privacy, university officials defended this strategy, arguing that it has been implemented for the benefit of the student community. The application, called SpotterEDU, must be used by the university’s student-athletes; in addition, the rest of the students have been invited to participate voluntarily in the pilot program.

According to data protection specialists, the app was planned by a former basketball coach concerned about the poor academic performance of some members of his team. According to its developers, the app provides universities with “continuous, reliable, non-invasive information about the presence of students within classrooms.” University of Missouri officials say students are only monitored inside classrooms or labs.

Unsurprisingly, this technology has multiple detractors, mainly student-athletes who have been forced to install this software on their smartphones so as not to lose their scholarships or face other kinds of sanctions. Academics and researchers at various universities have also expressed concerns about the use of this tool.

On the other hand, a representative of SpotterEDU says that developers are already working with more than 40 schools across the US, mainly in areas such as Florida, Indiana and Missouri. Although the idea arose to track the activities of student-athletes, many data protection experts fear that this technology will be used in a standardized way in the future.

The primary question regarding the use of surveillance and monitoring technology is who watches the watchers, notes the International Institute of Cyber Security (IICS), not to mention the potential for abuse of this technology and its susceptibility to computer security incidents.

3Fun, dating app for threesomes, was hacked; multiple users blackmailed https://www.securitynewspaper.com/2019/08/09/3fun-dating-app-for-threesomes-was-hacked-multiple-users-blackmailed/ Fri, 09 Aug 2019 19:23:42 +0000

Currently there is a mobile app related to any need, service or hobby, even to arrange sexual encounters with complete strangers. However, like any online service, such applications are exposed to the interest of threat actors, which could compromise some users’ information and even expose aspects of their personal lives, say web application security experts.

One of the most recent cases is that of 3Fun, described by its developers as “an ideal dating app for curious couples and singles”. It is a service for over 18s that currently has more than 1.5 million users worldwide, according to the data of the creators.

While 3Fun developers argue that the app has the best privacy protections, such as the use of private photo albums, web application security specialists at Pen Test Partners claim otherwise. A study conducted by this firm mentions that 3Fun is probably the worst dating app in terms of information security.

This privacy failure, in addition to exposing users’ real-time location (no matter where they are), leaked sensitive data such as dates of birth, sexual preferences, in-app conversation history, and private photos.

According to web application security specialists, the leakage of location data from users of this kind of apps is due to a technique known as ‘trilateration’. This attack involves falsifying GPS coordinates and abusing some features of these apps to determine the location of users. However, this research highlights that, in the case of 3Fun, hackers do not require performing such sophisticated tasks, as the app itself is insecure and leaks users’ sensitive details.

In other words, no software is required to calculate a location from the distance between targets. “The latitude and longitude of users is available to anyone who knows where to look for this data”, the experts add.

Although users can restrict the exposure of their location data in the app’s settings menu, this data is sent to 3Fun servers using a GET request, so it is fully exposed to any data lurker. “The leaking occurs on the client side, so this data can be queried in the API to determine the position of the target”. Specialists included a demonstration of how to access a user’s exact location using this method.

While this technique may be fun for some leisure activities, web application security experts at the International Institute of Cyber Security (IICS) say that, in combination with leaked user data such as the name or date, some malicious activities, such as harassment or extortion, may be made possible, not to mention that users’ private photos are also available through the API.

Although this investigation has already concluded, experts say it is highly likely to find more security vulnerabilities in this app.

Even though the developers were notified about these flaws more than a month ago, their response was unsatisfactory, as they only responded with a message: “Thank you for your kind notification. The problem will be solved shortly. If you have another suggestion, we’ll listen to it, salutes”.

Despite the multiple flaws in the app, after receiving some advice from the experts, the developers fixed these flaws a couple of days later.

Twitter API reveals user’s location https://www.securitynewspaper.com/2019/01/09/%ef%bb%bftwitter-api-reveals-users-location/ Wed, 09 Jan 2019 00:42:46 +0000

Metadata contained in old posts contains precise location coordinates

According to research carried out by cybersecurity specialists, the location metadata contained in posts on the social network Twitter may be useful to infer some private details of users, such as address, workplace and most frequently visited places, as reported by experts from the International Institute of Cyber Security.

Kostas Drakonakis, Panagiotis Ilia and Jason Polakis, a group of Greek researchers on cybersecurity issues, recently published a document entitled ‘Privacy risks in public location metadata’. In this, researchers claim to have shown that location metadata allows inferring sensitive information, which could be used for malicious purposes. “Some authoritarian regimes could pursue campaigns of persecution against activists or opponents”, claimed the investigators.

In 2015, the risks to the privacy of users associated with Twitter location metadata began to be investigated; since then, the social network has given its users greater control over their location data, such as the restriction of access to the precise coordinates. Currently, Twitter is no longer able to access the exact location of the user by default. 

“Twitter never attaches the user’s location without their consent. If someone decides to share their location through a tweet, the location is also available through our APIs, but the user’s express consent must be granted”.

However, cybersecurity experts believe that the implementation of these changes has not sufficiently reduced the privacy risks, as Twitter still makes historical location data available through its developer API. For example, mobile Twitter versions released before April 2015 attached precise GPS coordinates to tweets by default.

“In the sample we analyzed we discovered that tweets with very general location tags (like city name, for example) also contain GPS coordinates as metadata,” Polakis mentioned. “As of April 2015, tweets with this kind of location tag stopped displaying coordinates as metadata, suggesting that this is the date on which the social network began with the implementation of these changes,” the expert added.

Researchers suggest that the Twitter policy that allowed attaching these location metadata represents a serious privacy problem that should be addressed as soon as possible.

“This is an imperceptible privacy violation for users of the social network, as their coordinates are contained as metadata returned by the API invisible on the website or Twitter mobile app. The worst thing is that these metadata are still visible through the API,” the experts mentioned. The treatment of this kind of information is one of the greatest challenges that companies face in the technological age; it is so useful for targeting marketing campaigns that companies have not tried to stop these practices, although this could cause problems in the future. For example, in recent days, the Los Angeles prosecutor filed a lawsuit against the IBM meteorological company for allegedly treating the data collected through the Weather Channel application inappropriately.
