Application Security

1/29/2018
10:33 AM
50%
50%

Strava Fitness App Shares Secret Army Base Locations

The exercise tracker published a data visualization map containing exercise routes shared by soldiers on active duty.

In November 2017, the Strava fitness tracking app published a visualization map to show where users exercise across the world. However, that map also revealed location information about military bases and spy posts around the world, military analysts report.

The company lets users record running, walking, or biking activity on their smartphones or wearables, and upload it to the Internet. Military analysts noticed the map - which was constructed using more than three trillion individual GPS data points - has enough detail to give away potentially sensitive data on where soldiers on active duty are located. Users in locations like Afghanistan and Syria seem to exclusively be military personnel, they say.

"If soldiers use the app like normal people do, by turning it on and tracking when they go to do exercise, it could be especially dangerous," says Nathan Ruser, analyst with the Institute for United Conflict Analysts. On Strava's map, the Helmand province of Afghanistan shows the layout of operating bases via exercise routes. The base is absent from satellite views on both Google Maps and Apple Maps.

These findings arrive the day after Data Privacy Day, which was created to encourage both individuals and businesses to respect user privacy and protect data. Strava's decision to publish sensitive location data is part of a growing discussion around how companies should handle the massive amount of information they collect on users.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/1/2018 | 12:00:57 PM
Re: Sharing data
@Dr.T: More to the point, I've also found that, for people who engage and share practically nil online, it's much easier to find information out about them online because all that's left on Google are the data harvesters and data sellers -- particularly because the people who don't engage online tend to do a poor job of protecting their privacy beyond the mentality of "Well, I'm maintaining my privacy as long as I'm no on Facebook" (as if privacy and Facebook were correlated in such a binary fashion).
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/31/2018 | 8:04:54 AM
Re: Sharing data
@Dr.T: There are more checks and balances on gathering data on citizens directly rather than purchasing it from companies. (See, e.g., that URL from the other comment.)
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:45:36 PM
Re: Sharing data
I work to consciously control the flow of information to mitigate things. I do the same, if I feel it is not suppose to be shared with anyone that information does not end up in the internet for me.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:44:01 PM
Re: Sharing data
I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work. That is true, it is the same for many of us, we can share willingly since it is not sensitive data.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:42:17 PM
Re: Sharing data
Uphill battle, though, given a population addicted to always online, sharing and comparing. This is a good point. Sharing and comparing is ok but if for sensitive location then we end up with these problems.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:39:31 PM
Re: Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. Interesting idea. Would government agencies not have the data already?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
1/30/2018 | 7:38:04 PM
Army location
One thing I am sure everybody knows where the army stations are and where the soldiers practice. You do not need tracking app for that.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/30/2018 | 1:52:06 PM
Re: Sharing data
@Brian: For my own part, I've accepted that various information about me is going to be readily accessible online -- particularly because of the nature of my work.

That said, via my writing, my social presences (which I manage by assuming anyone or just about anyone can read what I put -- regardless of my restrictions), etc., I work to consciously control the flow of information to mitigate things.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
1/30/2018 | 12:49:09 PM
Re: Sharing data
@JoeS: "...realistically the best solution is to do what you can to share little with companies to begin with."  That sound advice, worded many different ways, can be found in every security-centric site.  Uphill battle, though, given a population addicted to always online, sharing and comparing. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/29/2018 | 11:16:54 PM
Sharing data
Realistically, they're either making it public, or they're selling it directly to government agencies. ( See, e.g., this from recent headlines about license-plate location data: theverge.com/2018/1/26/16932350/ice-immigration-customs-license-plate-recognition-contract-vigilant-solutions ).

We'll see how things change with GDPR, but realistically the best solution is to do what you can to share little with companies to begin with.
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8980
PUBLISHED: 2019-02-21
A memory leak in the kernel_read_file function in fs/exec.c in the Linux kernel through 4.20.11 allows attackers to cause a denial of service (memory consumption) by triggering vfs_read failures.
CVE-2019-8979
PUBLISHED: 2019-02-21
Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when the order_by() parameter can be controlled.
CVE-2013-7469
PUBLISHED: 2019-02-21
Seafile through 6.2.11 always uses the same Initialization Vector (IV) with Cipher Block Chaining (CBC) Mode to encrypt private data, making it easier to conduct chosen-plaintext attacks or dictionary attacks.
CVE-2018-20146
PUBLISHED: 2019-02-21
An issue was discovered in Liquidware ProfileUnity before 6.8.0 with Liquidware FlexApp before 6.8.0. A local user could obtain administrator rights, as demonstrated by use of PowerShell.
CVE-2019-5727
PUBLISHED: 2019-02-21
Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, 6.3.x before 6.3.12, 6.2.x before 6.2.14, 6.1.x before 6.1.14, and 6.0.x before 6.0.15 and Splunk Light before 6.6.0 has Persistent XSS, aka SPL-138827.