Security News

Google tracking, a fax attack, and a vote of “un-confidence”

Avast Security News Team, 17 August 2018

Google tracks you when you think it doesn’t, fax machines are vulnerable, and could the US midterms be hacked?

Google may still be tracking you...

Adding to the growing mistrust consumers have about what tech companies do with the data they collect, we learned this week from an Associated Press investigation that Google still tracks and stores your whereabouts even if you turn off “location history” in your privacy settings. It turns out that disabling location history, on Android devices and iPhones, only removes your location from the Google Maps Timeline feature — which shows you where you've been in Google's data — but some Google apps still store your time-stamped location data, in part so they can better target ads based on where you’ve been. The company argues that it makes clear to users how to disable this setting and delete location history. So, what can you do to prevent Google from saving these location markers? First, disable a setting called “Web and App Activity,” which stores a variety of information from Google apps and websites to your Google account. Then, delete your location data in your Google account at myactivity.google.com.

Just the fax, ma’am

Fax machines are still around: banks, doctors’ offices, and government agencies all still rely on them. They’re also woefully insecure, an easy entry point for an attack on private networks. A Wired article this week described researchers who simulated such an attack using a fax machine and an HP all-in-one printer.

The target: a pretend bank.

The tactic: trigger a “stack overflow,” in which oversized input overruns a buffer on the program’s stack and overwrites adjacent memory, in order to gain more access or privileges.

Bank fax numbers are public, so in theory any attacker could get one. And if the printer that receives the fax is also connected to the internal network, then all the attacker would need to do is send a malicious fax to that phone number to automatically get inside. “It’s crazily dangerous,” one researcher said.

From there, attackers could probe deeper into the bank’s internal network using various exploits. For HP’s part, after the researchers alerted the company to the vulnerability, it issued a security bulletin saying it had released a patch that adds standard protections against stack overflows.

But the deeper problem is the antiquated technology of the machine itself: the fax protocol simply doesn’t allow for certain protections. For institutions and individuals, ditching the fax may not be possible. So it’s critical, researchers said, that people understand that plugging a printer into a phone line opens up an additional avenue for potential attack.

Are the midterms safe from voting hacks?

As if Americans needed more reason to question the integrity of the nation’s voting systems after Russian hackers targeted the 2016 election, the week brought wind of this: an 11-year-old girl hacked a replica of the Florida Secretary of State’s website within 10 minutes — and changed the results.

It all went down at DEFCON, the world’s largest hacker conference, inside Voting Village, where organizers set up decommissioned election equipment and hackers attempt to break in. There, youth hackers were instructed to use a simple database hacking tactic called SQL injection, the same technique the US has said Russian hackers used when targeting state voter registration databases in the summer of 2016. Minutes later, an 11-year-old named Audrey had made it appear that libertarian candidate Darrell Castle had won Florida’s presidential vote in 2016.

Changing the appearance of the vote on a website isn't the same as changing actual votes, Florida's Secretary of State was quick to point out. “Providing conference attendees with unlimited physical access to voting machines,” the National Association of Secretaries of State also said in a statement, “does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.” But does it inspire confidence? Elsewhere at DEFCON, another (adult) hacker took a Diebold TSX voting machine, the kind used in some 20 states, and turned it into a jukebox. At last year’s conference, attendees had identified new vulnerabilities for all five voting machines and a single e-poll book of registered voters.

With the U.S. midterm elections just months away, and the nation already questioning the integrity of its voting systems, voting fraud is top-of-mind throughout the country, and the cybersecurity world is on alert.

