(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

System architecture of a cross-browser tracking system. (credit: Cao et al.)

Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers. This shatters a key defense against sites that identify visitors based on the digital fingerprint their browsers leave behind.

State-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings. For instance, the Electronic Frontier Foundation's privacy tool, known as Panopticlick, found that only one in about 77,691 browsers had the same characteristics as the one commonly used by this reporter. Such fingerprints are the result of specific settings and customizations found in a specific browser installation, including the list of plugins, the selected time zone, whether a "do not track" option is turned on, and whether an adblocker is being used.

Until now, however, the tracking has been limited to a single browser. This constraint made it infeasible to tie, say, the fingerprint left behind by a Firefox browser to the fingerprint from a Chrome or Edge installation running on the same machine. The new technique—outlined in a research paper titled "(Cross-)Browser Fingerprinting via OS and Hardware Level Features"—not only works across multiple browsers but is also more accurate than previous single-browser fingerprinting.




This weekend, as news of a ballistic missile launch by the Democratic People's Republic of Korea (North Korea) reached President Donald Trump and Japanese Prime Minister Shinzo Abe, President Trump got on his phone, and Abe consulted with staff. This didn't happen behind closed doors, however; it took place as members of Trump's Mar-A-Lago Club looked on in the resort's dining room. One club member even posed for photos with Trump's aide-de-camp—the Air Force major carrying the president's "nuclear football"—and posted pics of the scrum around Trump's table on Facebook.

Trump is comfortable conducting business over a meal. Last month, Trump approved a raid by US Navy SEALs in Yemen on an Al Qaeda compound not after a briefing in the White House situation room but rather over dinner with senior officials. These and other details of how the new president and his administration operate suggest that despite hitting Hillary Clinton hard for her security foibles, the Trump White House is not big on operational security (opsec).

President Trump may not be making phone calls on his old, vulnerable Android device, but he keeps it close at hand. Based on his Twitter metadata, he regularly posts to Twitter from his Samsung phone. And we know he's using an unsecured Android device because the secure one he's been issued wouldn't even allow Twitter to be installed.


[security bulletin] HPESBGN03698 rev.1 - HPE DDMi using OpenSSL, Remote Arbitrary Code Execution, Bypass Security Restrictions, Denial of Service (DoS)
[security bulletin] HPSBMU03692 rev.1 - HPE Matrix Operating Environment, Multiple Remote Vulnerabilities
[security bulletin] HPESBHF03704 rev.1 - HPE OfficeConnect Network Switches, Local Unauthorized Data Modification
[slackware-security] tcpdump (SSA:2017-041-04)
TP-Link C2 and C20i vulnerable to command injection (authenticated root RCE), DoS, improper firewall rules
[SECURITY] [DSA 3783-1] php5 security update
WebKitGTK+ Security Advisory WSA-2017-0002
[slackware-security] php (SSA:2017-041-03)