Macrotone Blogs

Macrotone blogs upon Joomla, our products and other matters.

Canvas Fingerprint code tracking

fingerprintThe topic of the moment appears to be ‘Canvas Fingerprinting’ with a number of articles available on the web. It is the latest development in use for tracking the movement of users on the web. You do not need to click on a widget to be tracked, just visiting the site is sufficient.  It exploits the subtle differences in the rendering of the same text to extract a consistent fingerprint that can easily be obtained in a fraction of a second without the user being made aware.

A research paper concluded that code used for canvas fingerprinting had been in use earlier this year on 5,000 or so popular websites, unknown to most of them. Most but not all the sites observed made use of a content-sharing widget from the company AddThis.

The mechanism: Canvas Fingerprinting works in a similar way to cookies, by keeping a record of which sites are visited. When a browser loaded the AddThis widget, JavaScript that enabled canvas fingerprinting was sent. The script used a capability in modern Web browsers called the canvas API that allows access to the computer’s graphics chip, which is intended for use with games or other interactive content.

An invisible image is sent to the browser, which renders it and sends data back to the server. That data can then be used to create a “fingerprint” of the computer, which could be useful for identifying the computer and serving targeted advertisements.

But of several emerging tracking methods, canvas fingerprinting isn’t the greatest: it’s not terribly accurate, and can be blocked.  The Electronic Frontier Foundation (EFF) recommend their own ‘Privacy Badger’ or the Disconnect add-on.  

The list of sites that still track you is at this address.

So much for privacy.

  2080 Hits
  0 Comments

Pavlovian approach to Password Management.

Engineers as Stanford recently unveiled a new password policy that shuns one-size-fits-all security.  This has been followed a system proposed by Lance James, the head of the cyber intelligence group at Deloitte & Touche.   This proposes a system that provides rewards or penalties based on the passcode choices people have made.

The example given is one as follows:

A user who picks "test123@#" might be required to change the password in three days under the system,. The three-day limit being based upon calculations showing it would take about 4.5 days to find the password using offline cracking techniques. Had the same user chosen "t3st123@##$x" (all passwords in this post don't include the beginning and ending quotation marks), the system wouldn't require a change for three months.

An interesting concept, and on that would avoid forcing users who have made a sensible password choice from being forced to change their passwords because some other less careful users choose ‘easier passwords’.

The full article is here.

  1908 Hits
  0 Comments

Privacy Badger– an interesting Browser plugin

There is an interesting plugin for Chrome and Firefox currently in ‘Alpha’ release from the EFF (Electronic Frontier Foundation) who brought us ‘HTTPS Everywhere‘ named ‘Privacy Badger’.

Privacy Badger is described as a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web.  If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser.  To the advertiser, it's like you suddenly disappeared.

More details upon the EFF website.

  2062 Hits
  0 Comments

Now we have BACN in addition to SPAM

spamA new term seems to have entered usage used to describe nuisance emails. Bacn is the term used for all those reminders, newsletters, notifications, limited offers, alerts and other ephemera sent by websites, e-tailers and other services you have used ever since you made your first mouse clicks on the web.

It takes its name 'bacn' because it tries to describe those messages that sit in the middle of a short continuum between which technical folks call spam (fake meat/junk mail) and ham (real meat/real mail). These messages are bacn because they are not quite real messages but are not quite junk either.

It is classed as a problem because it is something you probably want to read, yet not quite yet, and it masks the real email messages you want to read now.

The BBC web site has an article expanding upon the topic you might or might not want to read.

 

 

Tags:
  2739 Hits
  0 Comments

Private IP addresses visible on Internet?

This should not happen, BUT we have observed a few private IP addresses being used by visitors to our site.

An IP address is considered private if the IP number falls within one of the IP address ranges reserved for private uses by Internet standards groups. The following  private IP address ranges exist:

      10.0.0.0 to 10.255.255.255
      169.254.0.0 to 169.254.255.255 (APIPA only)
      172.16.0.0 to 172.31.255.255
    192.168.0.0 to 192.168.255.255

These private IP addresses are (normally) used on local networks which includes homes, schools business LANs etc.  Devices with private IP addresses cannot (should not be possible to) connect directly to the Internet. Similarly devices outside of the local network cannot (should not be able to) connect directly to a device with a private IP.  Typically access to such devices are brokered by a router or similar device that supports Network Address Translation (NAT).  NAT effectively hides the private IP numbers but can selectively transfer messages to these devices, affording a layer of security to the local network.

Standards groups created the private IP addressing to prevent a shortage of public IP addresses available to Internet service providers and subscribers.

So given that these private IP addresses should not be visible on the Internet, how is it possible therefore for our site to have recorded access from devices with addresses in the 10.x.x.x and 192.168.x.x ranges? 

One can always block these devices from access to web pages by including the private address ranges within ‘blocked’ ranges, using commonly available tools available upon the web, but it still doesn’t explain how there are visible in the first place! If in doubt it is possibly wise to block them as a matter of course for a site on the Internet. Remember if the site is on a ‘local’ LAN that blocking them is not an option.

One wonders if there is a connection with the implementation of IP v6, and whether somehow these address ranges are getting through.  Alternatively perhaps a particular NAT provisioning mechanism is faulty?  Another possibility is that  dubious entities are using them to ‘mask’ their activities.  We are led to the latter possibility since the 10.x.x.x devices were attempting access to our site ‘back end’.

Despite some extensive searching we do not currently know the source of these connections, which raises a few possibly serious security concerns. We will continue our investigations.

  1998 Hits
  0 Comments

Amazon and Apple close security hole.


Amazon has closed a security hole discovered following the earlier journalists security hack earlier this week. On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.



Apple has also suspended its policy of allowing over the phone AppleID password resets.


The journalists actual report is here.

  1928 Hits
  0 Comments

Dropbox security breech.

dropbox
Dropbox is the latest in a long line of services that has had a security breech. This has led to many of the members receiving unsolicited emails.

The cause is claimed to be a stolen password which was used to access an employee’s accounts allowing a ‘project document’ containing user emails to be accessed and copied.

More details here.

  1953 Hits
  0 Comments

Invalid Logging Attempts

We saw a situation of a brute force login attack the other day and thought we would share it with our readers, although we are flattered that anyone thought our site sufficiently important enough to make the effort, their efforts were in vain as they did not get very far.   This particular attack is classed as one of the most common (and least subtle) attacks that can be conducted against Web applications.  The sole aim of a brute force attack is to gain access to user accounts by repeatedly trying to guess the password of a user or a group of users.   It is often carried out by automated tools -- readily available on the Internet – enabling submission of thousands of password attempts in a matter of seconds (or less), trying to make it easy for an attacker to beat a password-based authentication system.

Continue reading
  2686 Hits
  0 Comments

Thoughts on the EU data protection regulation and Joomla

In January 2012, the European Commission announced two important pieces of legislation affecting the personal data of EU citizens: the EU data protection directive and the EU data protection regulation.  Of the two, the data protection regulation will have the greater effect on most businesses that collect, hold or share data within the EU. 

Continue reading
  4226 Hits
  0 Comments

PECR– Cookies and Joomla Part 4

Several new product announcements to add to my growing list.  The JED now even has a separate section for Cookie Control

8. Cookie Choice is a non-commercial JED entry.  It does not block cookies but informs the user, which is what the current interpretation of the PECR regulations is understood to be required.

9. JE Cookies a commercial JED entry.  Details are a little light but it offers various colour options. 

One I have mentioned earlier 6. Cookie Alert does offer the country determination options, something we have in our own version.  We have tested our own version and it works reasonably well, although the impact on checking the country of origin on each screen refresh is something we are giving serious thought to, and would impact this product offering as well.

Our own home grown version is being tested and is working well.  One thing we have found is a small problem where if a visitor does not accept the cookies, and just leaves the banner displayed, continuing to browse the site, IF a separate modal window is opened, we have observed a situation where the model window is also presented with the cookie banner.  Not every modal window, just some, so we are investigating further. 

  2328 Hits
  0 Comments
Go To Top

The Macrotone Consulting Web site would like to use cookies to store information on your computer, to improve our website. Cookies used for the essential operation of the site have already been set. To find out more about the cookies we use and how to delete them, see our Privacy Policy.

I accept cookies from this site.