New hacks to be afraid of
Date of Publishing: 5/9/2010
Location: Mumbai
Tabnapping, GPS hacks and smudgy touchscreens
Gone are the days when computer hacking was nothing more than a few annoying pranks by nerdy programmers trying to show off their prowess. Unfortunately, as technology advanced, so did hackers and scammers, who devised niftier tricks to lure you into a trap, mostly for economic gain. Today, they can do wonders with minuscule bits of code: peek into your house, own your bank accounts and even steal your identity. Here are three upcoming techniques that could prove to be chinks in your security armour in the very near future. It would be advisable for you to fix these before they become your Achilles’ heel.
Geo-tags that could lead stalkers to your doorstep
Geo-tags are fun. They let your pictures tell the complete story, pinpointing the exact latitude and longitude of where they were shot. But did you consider that when you share these pictures online, this feature also provides stalkers with enough information to track you down?
Shweta Sharma from Mumbai found out the hard way when she took pictures of her new abode on her iPhone and shared them online. What she didn’t know was that the geo-tag embedded in the pictures was the last piece of information that her stalker needed to walk up to her doorstep.
"I had received a few friend requests from a stranger on Facebook and Twitter, but I turned them down," says Sharma. "But one day, this person showed up at my place."
Thankfully, Sharma had a few friends around at the time, and the police were quickly involved, but she dreads what would have happened if she were alone.
Sharma’s only mistake was that she had neglected to turn off the geo-tagging feature that comes with most GPS-enabled phones and digital cameras.
The feature—although pretty innocent—can turn into a privacy risk because it gives away the exact location of where your pictures were shot. Security experts believe it’s even more dangerous because people who shoot digital pictures and upload them don’t even realise that they’ve been geo-tagged.
Researchers Gerald Friedland and Robin Sommer from the International Computer Science Institute in Berkeley recently published a paper titled ‘Cybercasing the Joint: On the Privacy Implications of Geo-tagging’, which talks about different ways these geo-tags can be used.
Apart from figuring out where you live, hackers can also find out whether you are at home or away. For instance, when you post pictures online while on holiday, high-tech burglars can use the geo-tags to find out that you are on vacation—and that your apartment is probably left unattended.
Disabling geo-tags in pictures is the obvious solution to this problem. But this feature can be buried under layers of menus in cellphones and digital cameras. To locate the geo-tag function on your device, read the manual that comes with it. Alternatively, visit ‘I Can Stalk U’ at http://icanstalku.com/how.php#disable, which provides step-by-step guides on how to disable the feature for most GPS-enabled gadgets.
Phishing grows up into ‘tabnapping’
While security experts are still trying to fight phishing scams—where hackers steal your login and password by floating fake websites masquerading as banks and such—scammers have moved on to a more ingenious way of phishing called ‘tabnapping’.
Simply put, tabnapping—derived from ‘tab’ and ‘kidnapping’—is a version of a phishing scam, where hackers use multiple browser tabs to harvest sensitive information such as credit card numbers and login/password combos. Say you have opened seven or eight tabs in your browser and are accessing sites such as Orkut, HDFC Bank, Facebook and Gmail. Once you drift away from a particular tab, it loses focus. A simple piece of JavaScript running on your system tells the hacker when a particular tab has lost focus. This is their cue for replacing a legitimate site with a fake one. To make the attack more believable, scammers quickly scan your browser history for information on what websites you visit often, or what websites are currently active.
When you go back to the tab, you will either see a log-in screen or a re-authentication screen that says your session has timed out. Since you had accessed the original website, you might not think twice before entering your details to log in again. Voilà! There goes your bank balance.
Experts believe that all browsers are vulnerable to this kind of attack. Tabnapping could be a growing threat because most people now keep multiple tabs open in their browsers. According to Mozilla’s creative lead, Aza Raskin, tabnapping isn’t a big problem at the moment, but has the potential to pose a major headache for security agencies and banks.
So what can one do to steer clear of tabnappers? Simple: Refuse to log in again in an existing window. Instead, open a fresh tab and sign in.
Smudges can reveal passwords
Everyone hates smudges on their touchscreens, but according to a research paper ‘Smudge Attacks on Smart Phone Touch Screens’—published by the University of Pennsylvania—these can be much more than just ugly blotches.
The researchers claim that the fingerprints you leave behind could actually help scammers gain access to your data. According to the paper, hackers can read the smudges on a smart phone to infer passwords, either by taking photos of the screen from multiple angles, or by gaining physical control of your handsets.
The Pennsylvania team used Google Nexus One and HTC G1 handsets for the research, both of which use a graphical password system that lets you unlock your phone by swiping a set pattern on the touchscreen. They took photos of the screens and used a program to analyse the photos closely. Surprisingly, they could guess the passwords with 90% accuracy.
“Unlocking your phone in this way leaves oily residue on the screen that remains even after you’ve wiped it. And these latent smudges may be usable to infer recently and frequently touched areas of the screen—a form of information leakage,” the report states.
The study also found that “pattern smudges,” which build up from writing the same password numerous times, are particularly recognisable.
“We showed that in many situations, full or partial pattern recovery is possible, even with smudge ‘noise’ from simulated application usage or distortion caused by incidental clothing contact,” the paper says.
So how do you defend yourself against these ‘Smudge Attacks’? Well, using a clear screen protector is the best way to go. And while this might not be a foolproof defence, it’s still the best plan, say experts.
