Web attacks can trace your whereabouts
Thursday, 05 August 2010, 15:43 IST   |    1 Comments
Printer Print Email Email
Web attacks can trace your whereabouts
London: Your casual visit to a website can now spell danger for you! Yes, visiting a bogus webpage designed for phising may lead the attacker to know the whereabouts of the victims. Explaining how this procedure works, Samy Kamkar, a hacker turned security researcher, said there are certain shortcomings in many routers -- the device which forwards data packets to their destinations. The attacker can find a key identification number through which the victim's physical location can be traced. After making contact, the target is convinced to visit a booby-trapped website designed by the attacker. Once the victim clicks the attacker's link, Kamkar showed how the attacker can manipulate geo location data from Google to pinpoint a victim's precise location. Many people go online via a router and typically only the computer directly connected to the device can interrogate it for ID information. However, Kamkar found a way to booby-trap a webpage via a browser so the request for the ID information looks like it is coming from the PC on which that page is being viewed. He then coupled the ID information, known as a MAC address, with a geo-location feature of the Firefox web browser. This interrogates a Google database created when its cars were carrying out surveys for its Street View service. This database links Mac addresses of routers with GPS co-ordinates to help locate them. "This is geo-location gone terrible," said Kamkar. "Privacy is dead, people. I'm sorry." Mikko Hypponen, Senior Researcher at security firm F Secure, attended the presentation and said it was "very interesting research". "The thought that someone, somewhere on the net can find where you are is pretty creepy," he said. "Scenarios where an attack like this would be used would be stalking or targeted attacks against an individual," he added. "The fact that databases like Google Streetview's Mac-to-Location database or the Skyhook database can be used in these attacks just underlines how much responsibility companies that collect such data have to safeguard it correctly," said Mr Hypponen. In 2005, Mr Kamkar created a worm that exploited security failings in web browsers to garner more than one million "friends" on the MySpace social network in one day. Prosecuted for the hacking, Kamkar was given three years' probation and 90 days of community service and paid damages. He was also banned from using the net for personal purposes for an undisclosed amount of time.
Source: PTI
Votal AI: Redefining Workforce Efficiency Through Ethical AI