Monthly Archives: November 2016

Should Know How Hackers Can Steal Passwords Over WiFi

The issue has been raised before, but the methods described earlier were not as accurate or predictable as the WindTalker method of stealing passwords over WiFi. Among those earlier methods, the best bet was to place a device between the victim and the WiFi access point that could read traffic patterns: it sniffed packets, and the attackers then tried to break into the victims' computers to work out the passwords. That was the closest anyone could get, until now.

The WindTalker method was devised and explained by professors at the University of Florida, Shanghai Jiao Tong University and the University of Massachusetts. Their paper details how to steal passwords using an ordinary WiFi network. This does mean that, for the method to work, both the victim and the hacker must be on the same WiFi; that is what allows the hackers to read the victim's keystrokes.

This method does not require any extra device between the victim's and the hacker's devices, nor any software installed on the victim's device. Simply by analyzing the traffic in parallel, hackers using the WindTalker method can follow the movements of the victim's fingers. The paper says that even on a new device, the chance of recovering the right password in a single attempt is 84 percent.

What is WindTalker & how does it work
WindTalker is the name given to the method that allows parallel scanning of WiFi signals arising out of the victim’s device to retrieve the data being typed on the device.

The first part of the method is to identify the signals coming from the victim’s device. Note that the hackers do not need any software to be installed on the victims’ phones or other devices that they intend to hack.

The second requirement is to be able to use the WiFi network. This could be easy at public places where they have free WiFi. If not, the hackers can create an ad hoc rogue WiFi network and offer it as free WiFi. Once the victim falls for it and connects to it, the work of stealing information is half done.

The final step is to track the movements of the victim's fingers. The direction and pace of the finger movements, and the moments at which a key is pressed, are noted down; together these give away the data being typed by the victim.

Restrictions of WindTalker
The first thing that can spoil the hackers' attempt is the victim disconnecting from the WiFi before the input and its pattern have been decoded. But the method is fast, so chances are the hackers will succeed in their endeavors.

The requirement of having to be on the same WiFi network makes it a bit harder. Where free public WiFi is not available, the hackers will have to create a public network themselves, which is not very hard to do. Anyone can create a public WiFi network using a Windows or Android phone or tablet; both operating systems offer a mobile hotspot option that is easy to set up. Once the WiFi is up, it is not difficult to get people to connect to a FREE OPEN network.

Device models also play a part in processing the data, i.e. in monitoring the victim's finger movements. Since screen shape and size vary across phone and tablet models, it takes a while to make sense of the keystrokes inferred from the WiFi signal. For example, the keyboard of an 8-inch device differs from that of an 11-inch device, so it may take some time to understand the movements.

Other than the above, there were no restrictions and requirements of WindTalker that I could notice in this paper.

“WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals of WiFi,” the researchers say.
Simply put, WindTalker monitors finger movements and provides hackers with whatever is being typed on the victim device.

More Information About Facebook’s Face Recognition

Nimesh Patel, aggrieved user of Facebook and Illinois resident, isn’t naive: He well understands that the social networking company collects information about him. But Facebook went too far for his liking when it collected certain intimate details about his physiognomy, such as how many millimeters of skin lie between his eyebrows, how far the corners of his mouth extend across his cheeks, and dozens of other aspects of his facial geometry that enable the company’s face recognition software to identify him.

Patel is a named plaintiff in a class-action lawsuit against Facebook alleging that the company’s use of face recognition technology violates an Illinois law passed in 2008. The Biometric Information Privacy Act (BIPA) sets limits on how companies can store and use people’s biometric identifiers, which the law defines as fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry. The case is scheduled for trial this October, and similar Illinois-based lawsuits are proceeding against Google and Snapchat. In the upcoming year, the courts will host a debate over who can keep our faces on file.

The FBI’s FACES face recognition database mostly contains images of law-abiding citizens taken from driver’s license and passport photos. Source: Center on Privacy and Technology, Georgetown Law
Civil liberties groups say that debate is long overdue. The Illinois law is a weird outlier in the United States, where face recognition is increasingly being integrated into surveillance systems and law enforcement databases. The technology has rapidly improved in recent years, says Jennifer Lynch, an attorney with the Electronic Frontier Foundation, and regulations haven’t kept pace. “We could soon have security cameras in stores that identify people as they shop,” she says.

The case against Facebook hinges on a handy photo-tagging feature introduced in 2010: When a user uploads a photo, Facebook’s system automatically picks out any faces in the shot, tries to match those faces to people it’s seen in photos before, and offers up the names of any friends it has identified. According to the lawsuit, this “tag suggestion” system proves that Facebook collects and stores “face templates” for its American users. (The company turned off this feature in Europe in 2012 over privacy concerns.)

The Illinois law predates Facebook’s introduction of the tag-suggestion feature and doesn’t mention social networks. Instead, BIPA cites the potential use of biometric IDs in financial transactions, and notes that these identifiers differ significantly from PIN codes and passwords—if customers’ biometric IDs are stolen by hackers, they can’t be issued new fingerprints or faces. But the class-action lawyers who have recently seized on the law aren’t going after banks; they’re targeting tech companies. Yet another lawsuit, settled in April 2016 for an undisclosed sum, took aim at the photo storage site Shutterfly.

Under BIPA, private companies must develop written policies stating how long they will retain people’s biometric information and when they will permanently destroy that data. “In a way, this is a modest law,” says Claire Gartland, an attorney who works on consumer privacy issues at EPIC, the Electronic Privacy Information Center. “It just requires a disclaimer to the consumer.”

By maintaining a database of Illinois users’ face templates without a written policy in place, the suit says, Facebook has violated the law. A Facebook spokesperson declined to answer questions about the lawsuit, but notes that users can easily turn off the tag-suggestion feature for their accounts.

The legal wrangling has already begun. In late 2015 the company filed a motion to dismiss [PDF] based on its interpretation of BIPA’s list of biometric identifiers, which includes face scans and face geometries yet explicitly excludes photographs and physical descriptions. Facebook argued that the law refers only to physical face scanners that create biometric records based on flesh-and-blood faces. But the court called Facebook’s argument “unpersuasive,” saying that the law was intended to address all emerging biometric technologies, and allowed the suit to move forward [PDF]. If Facebook loses the case, the company could be forced to pay damages to millions of Illinois users and change its policies in that state—or, more practically, throughout the United States.

In the courtroom, it’s quite possible that the technical aspects of Facebook’s face recognition technology will come into play. The courts may need to know whether the company uses the conventional approach to face-matching software, says biometrics expert Anil Jain, a professor of computer science and engineering at Michigan State University. Such systems build and store face templates based on thousands of measurements: “They extract landmark points by sampling across the contours of the face, the eyebrows, the nose, the points along the lips, the two ends of the mouth, and so forth,” he says.

But Jain notes that Facebook researchers pioneered a new approach to face recognition that relies on machine learning, introducing their DeepFace system in a 2014 paper. In the report, the researchers describe training their system using a data set of 4.4 million labeled faces drawn from Facebook photographs. The system’s deep neural network examined the faces based on millions of parameters, and derived its face-matching rules based on whatever mysterious lessons it learned. “It’s more like a black box,” Jain says.

Facebook won’t say whether it now uses DeepFace, or something like it, for its standard tag-suggestion feature. If the company does employ this advanced method, however, its current technology might not violate the letter of the law. “The question is what they store in the database,” explains Jain. As the DeepFace program analyzes raw photographs, the system might simply hold on to the analytic rules it has learned, and might not bother to store face templates that count as biometric identifiers. Therein lies the irony: If Facebook doesn’t save faces in its database, it may save face in court.
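The distinction Jain draws above, between a stored face template (a vector of landmark measurements that counts as "face geometry") and a learned model that keeps no per-person record, and the written retention-and-destruction policy BIPA requires in the paragraph quoting Gartland, are easier to see in code. The following is an added Python illustration, not Facebook's, DeepFace's or any real vendor's code; the landmark coordinates, the one-year retention period and the match threshold are constructed values, and the retention length is not the statute's.

```python
# Added illustration (not Facebook's, DeepFace's or any vendor's code): a toy
# "face template" store whose retention schedule and destruction step are the
# kind of written policy BIPA requires. Landmark coordinates, the retention
# period and the match threshold are all constructed values.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import math

Landmarks = dict[str, tuple[float, float]]

# Constructed landmark sets (pixel coordinates in a photo), not real faces.
ALICE: Landmarks = {
    "left_eye": (30.0, 40.0), "right_eye": (70.0, 40.0), "nose_tip": (50.0, 60.0),
    "mouth_left": (38.0, 80.0), "mouth_right": (62.0, 80.0),
}
# The same face photographed at twice the scale and shifted within the frame.
ALICE_PROBE: Landmarks = {k: (2 * x + 10, 2 * y + 10) for k, (x, y) in ALICE.items()}
BOB: Landmarks = {
    "left_eye": (30.0, 40.0), "right_eye": (70.0, 40.0), "nose_tip": (50.0, 70.0),
    "mouth_left": (30.0, 90.0), "mouth_right": (70.0, 90.0),
}
RETENTION = timedelta(days=365)   # constructed policy value, not the statute's
T0 = datetime(2016, 11, 1)        # constructed enrollment date


def make_template(landmarks: Landmarks) -> list[float]:
    """Conventional template: pairwise landmark distances normalised by the
    inter-ocular distance, so scale and position in the photo drop out.
    This vector, not the photo, is the 'face geometry' a regulator cares about."""
    iod = math.dist(landmarks["left_eye"], landmarks["right_eye"])
    names = sorted(landmarks)
    return [math.dist(landmarks[a], landmarks[b]) / iod
            for i, a in enumerate(names) for b in names[i + 1:]]


def template_distance(t1: list[float], t2: list[float]) -> float:
    """Euclidean distance between two templates of equal length."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(t1, t2)))


@dataclass
class StoredTemplate:
    user_id: str
    template: list[float]
    collected_at: datetime


@dataclass
class TemplateStore:
    retention: timedelta
    records: dict[str, StoredTemplate] = field(default_factory=dict)
    audit_log: list[str] = field(default_factory=list)

    def enroll(self, user_id: str, landmarks: Landmarks, now: datetime, consent: bool) -> None:
        # Collect only with informed consent; keep the template, never the photo.
        if not consent:
            raise PermissionError(f"no consent on file for {user_id}; template not collected")
        self.records[user_id] = StoredTemplate(user_id, make_template(landmarks), now)
        self.audit_log.append(f"{now.isoformat()} enroll {user_id}")

    def purge_expired(self, now: datetime) -> list[str]:
        """Permanent destruction once the written retention period has elapsed."""
        expired = [uid for uid, r in self.records.items()
                   if now - r.collected_at >= self.retention]
        for uid in expired:
            del self.records[uid]
            self.audit_log.append(f"{now.isoformat()} destroy {uid} after {self.retention.days}d")
        return expired

    def identify(self, landmarks: Landmarks, threshold: float = 0.05):
        """Tag-suggestion style lookup: nearest stored template within threshold, else None."""
        probe = make_template(landmarks)
        best = None
        for uid, r in self.records.items():
            d = template_distance(probe, r.template)
            if d <= threshold and (best is None or d < best[1]):
                best = (uid, d)
        return best[0] if best else None


def run_demo() -> dict:
    """Enroll one user, match a second photo of them, reject a stranger,
    then show the retention policy destroying the template on schedule."""
    store = TemplateStore(retention=RETENTION)
    store.enroll("alice", ALICE, T0, consent=True)
    return {
        "hit": store.identify(ALICE_PROBE),                  # same geometry, different photo
        "miss": store.identify(BOB),                         # different geometry
        "purged_early": store.purge_expired(T0 + timedelta(days=100)),
        "purged_late": store.purge_expired(T0 + timedelta(days=400)),
        "after": store.identify(ALICE_PROBE),                # template destroyed, no match
        "audit": store.audit_log,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the toy is what sits in `records`: a per-person measurement vector that outlives the photo and survives until `purge_expired` runs. A system that kept only learned model weights and recomputed matches from freshly uploaded photos would have nothing in that table to retain or destroy, which is exactly the question Jain says the court will have to ask.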

Digital Life And Your Death

You’ve probably thought about what will happen to your finances, your possessions and maybe even your real estate when you die. But what about your Facebook account? Or your hard-drive backups?

For the past two decades, most of us in the modern world have gradually shifted our central living space online. That’s 20-ish years of documenting our real-life experiences while also creating entirely new versions of ourselves in countless places online.

These digital lives are basically immortal, so you may as well figure out while you’re still alive what will happen to them after you’re gone.

There are two main things to consider: What will happen to your accounts and what will happen to the data contained therein. For example, you can give someone authority to delete your Google account and to download all your photos stored there after you die.

It’s a grim thought, but like writing a last will and testament, this has become just another part of death preparation.

Many online spaces offer some form of death planning. But this is still a relatively new concept, and some of the most popular destinations on the internet don’t give users a way to plan for their death. In that case, it’s best to establish a plan now with a trusted loved one.

For the websites and services that do offer help, here’s what to know.

Facebook

Whom do you trust to mind your central online presence after your death? That’s probably the person you want to be your Facebook legacy contact.

This person will be able to write a post that will remain at the top of your profile, update your profile photo and respond to friend requests. You can also allow that person to download an archive of your public activity (including posts, photos and “likes”), but he or she can’t read your messages, so your most intimate secrets will be safe.

Alternatively, you can set your account to delete everything once Facebook is notified of your death.

Facebook legacy contacts will not, however, also have access to your Instagram account (Facebook owns the photo-sharing app). But Instagram accounts can be memorialized or, if requested by a verified family member, deleted.

Google

Through its inactive account manager feature, Google lets you choose up to 10 people to be the executors of your account once you die or your account becomes inactive.

To set this up, choose an amount of time between sign-ins for your account to be designated “inactive.” Once that threshold is met (for example, you don’t sign into any Google service for a certain number of months), your chosen contact will get a prewritten email from you with, presumably, your wishes for your account.

Unlike your legacy contact on Facebook, you can designate this person to have full access to your Google account, including email and chat histories, and he or she can download the data you specify. (You also have the option not to give that person access to any of it.)

Google also allows you to delete your account and all its data.

Twitter

Twitter has no equivalent to a legacy contact or a way to plan for your online data after your death. It does, however, let a “verified immediate family member of the deceased” delete your account if that person can provide your death certificate and other official documents.

A similar protocol is in place in the event a user becomes incapacitated, though in that case someone will have to have proof of power of attorney.

In certain circumstances, Twitter says it will consider removing “imagery” of a deceased person, based on “public interest factors such as the newsworthiness of the content.”

LinkedIn, Snapchat, Tumblr

These three networks offer no type of death planning, though all offer some form of account management for the deceased.

LinkedIn will let a verified next-of-kin have an account removed via a request form.

Snapchat said it can delete the account of a deceased person at the request of a next-of-kin (with a death certificate).

And Tumblr will let a next-of-kin request that an account be deleted.

Snapchat and Tumblr declined to say whether they’ll eventually add a similar legacy-contact feature, and LinkedIn said it’s “considering” some form of death planning or account memorialization.

Beyond that, many sites (including Yahoo, Microsoft and AOL) have relatively standard protocols in place for immediate family members to request the deletion of a deceased person’s account.

Online data backup services

Online data storage is an especially tricky part of death planning. The industrywide push for privacy and encryption, while great for personal protection, has created its own problems.

“There’s a very real security and privacy implication that can somewhat conflict” with online death planning, said Ahin Thomas, the vice president of marketing for Backblaze, an online backup service. “If you set up a private encryption key — we’re not joking — we don’t have access.”

In one recent case, a widow contacted the company for access to her late husband’s backups, but the data was inaccessible because it had been encrypted.

“It was heartbreaking and sad, and I wish we could’ve done something,” Mr. Thomas said. “But the stuff was encrypted.”

So what can we do? The best advice, Mr. Thomas said, is to simply give the keys to your data to someone you trust.