Security Alerts & News
by Tymoteusz A. Góral

#805 Think you're not being tracked? Now websites turn to audio fingerprinting to follow you
New research into web-tracking techniques has found some websites using audio fingerprinting for identifying and monitoring web users.

During a scan of one million websites, researchers at Princeton University have found that a number of them use the AudioContext API to identify an audio signal that reveals a unique browser and device combination.

"Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machines, while the same combination of machine and browser will produce the same output," the researchers explain.

The method doesn't require access to a device's microphone, but rather relies on the way a signal is processed. The researchers, Arvind Narayanan and Steven Englehardt, have published a test page to demonstrate what your browser's audio fingerprint looks like.

"Using the AudioContext API to fingerprint does not collect sound played or recorded by your machine. An AudioContext fingerprint is a property of your machine's audio stack itself," they note on the test page.

#804 These are the worst passwords from the LinkedIn hack
A list of the worst passwords in the LinkedIn hack is remarkably familiar, but unremarkably depressing.

A list of the most popular passwords used by LinkedIn users in 2012, at the time of the hack that recently came to light (again), was published by LeakedSource. The passwords in the cache of 117 million accounts were hashed with the SHA-1 algorithm, a once-strong hashing system that was recently pushed into deprecation as it could be cracked.

But because the passwords weren't salted -- a process that makes it harder to decrypt.

It's estimated that about 90 percent of the passwords were decrypted -- a figure that will likely grow over time.

Last year -- which would've been two years after the LinkedIn breach -- the most popular password was, unsurprisingly, at the top of this list.
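
To make the point about unsalted SHA-1 concrete, here is an added example (not code from the article or from LinkedIn) that stores the same passwords both ways. The account names, passwords, and the `ITERATIONS` value are constructed for illustration, and PBKDF2-HMAC-SHA256 is one reasonable choice of slow, salted scheme rather than anything the article prescribes.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; none of this is data from the breach.
ACCOUNTS = {"alice": "correct horse battery",
            "bob": "sunshine2012",
            "carol": "sunshine2012"}  # carol reuses bob's password

ITERATIONS = 200_000  # illustrative work factor (assumption); tune for your hardware


def sha1_unsalted(password):
    """Scheme the article describes: bare SHA-1 with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], expected)


def shared_digests(stored):
    """Group users by stored digest; keep digests shared by more than one user."""
    groups = {}
    for user, digest in stored.items():
        groups.setdefault(digest, []).append(user)
    return {d: sorted(u) for d, u in groups.items() if len(u) > 1}


if __name__ == "__main__":
    unsalted = {u: sha1_unsalted(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    # Unsalted: bob and carol collide, so one recovered digest exposes both.
    print("unsalted collisions:", list(shared_digests(unsalted).values()))
    # Salted: every record is distinct even for identical passwords.
    print("salted collisions:  ",
          list(shared_digests({u: d for u, (_, d) in salted.items()}).values()))
    print("bob verifies:", verify(ACCOUNTS["bob"], *salted["bob"]))
```

With the unsalted scheme, every account sharing a popular password stores the same digest, which is why a leaked table of that kind falls so quickly; the salted records give no such grouping.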

#803 Thousands of Ubiquiti AirOS routers hit with worm attacks
A worm is reportedly spreading across thousands of Ubiquiti Networks routers running outdated firmware. In a security advisory, a Ubiquiti spokesperson said that over the past week, the worm has been using a known exploit to infect airOS M devices. The worm creates its own account on the compromised device and, from there, conducts mass infections of other routers both within the same subnet and on other networks.

The attacks affect the following Ubiquiti devices running outdated firmware: airMAX M, airMAX AC, airOS 802.11G, ToughSwitch, airGateway, airFiber.

Any router that runs older versions of the firmware and has its HTTP/HTTPS interface exposed to the Internet could be infected. Ubiquiti released a patch for this vulnerability almost a year ago. However, as is often the case on these devices, many routers may still have old firmware installed.

#802 If you clicked anything online, Google probably knows about it
"Google is a serial tracker"

Researchers reveal that Google-owned domains, from where browsers load tracking code, account for the top 5 most popular trackers and 12 of the top 20 tracker domains.

In fact, after studying the Top 1 Million sites, researchers discovered over 81,000 different domains from where tracking code was loaded. Taking a closer look at the data, researchers said that only 123 of these third-party trackers are found on more than 1 percent of all sites.

"This suggests that the number of third parties that a regular user will encounter on a daily basis is relatively small," Princeton Web Census researchers explained. "The effect is accentuated when we consider that different third parties may be owned by the same entity. In fact, Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites."

All of this means there's a high chance that when you visit a website, or click on a link, one of the three companies mentioned above already knows about it. This is certainly true for Google, which loads some sort of tracking code on four out of five websites.