Facebook admits it listened to and transcribed users' audio

By: Louise Rodrigues

After controversies involving Apple and Amazon, Facebook gave assurances that it has halted the transcription program

Facebook admitted this Tuesday (13) that it paid contractors to transcribe audio sent by users of its services. According to the news agency Bloomberg, the contractors listened to all kinds of conversations, even without information about how the audio was obtained or where it was recorded. After controversies involving Siri and Alexa, the virtual assistants of the iPhone and the Amazon Echo, the program is said to have stopped.

Facebook, however, claimed that the users whose conversations were intruded upon were solely those who opted, in the Messenger app, to have their audio transcribed. For this reason, the objective would be to verify that the software was able to interpret the words correctly. Despite this, the spokesperson guaranteed the anonymity of users.

More: https://www.techtudo.com.br/noticias/2019/08/facebook-admite-que-ouviu-e-transcreveu-audio-de-usuarios.ghtml

Two weird ways your iPhone or Mac can be hacked

By: Adrian Kingsley-Hughes

For most people, the security that Apple has baked into an iPhone or Mac is more than enough. But determined criminals can find creative ways to bypass the locks to get at your data. Should you be worried?

For the majority of users, the security offered by iOS and macOS is more than enough, and they can go about their day-to-day business secure in the knowledge that their data is safe.

But determined criminals can find a way around these safeguards, and while these two hacks are impractical for widespread use, they go to show just how creative ne’er-do-wells can be when it comes to cracking security measures.

First, let’s look at how a cable can be used to hack a Mac. Enter the O.MG Cable. This is an Apple Lightning charging cable with a twist. That twist is that it has been custom-modified with electronics that allow it to be used to access any Mac it has been connected to over a Wi-Fi network.

“In the end, I was able to create 100 percent of the implant in my kitchen and then integrate it into a cable. And these prototypes at DEF CON were mostly done the same way,” MG, the creator of the cable, told Vice.

The cables retail for $200 each.

The O.MG Cable also features a remote kill switch as a way to hide its existence.

How do you prevent these sorts of hacks? Use your own cable (customize it in a way unique to you so it can’t be surreptitiously replaced) and don’t plug charging cables into computers.

As for hacking into an iPhone, security researchers at the Black Hat hacker convention in Las Vegas managed to bypass the iPhone’s Face ID authentication system in 120 seconds.

More: https://www.zdnet.com/article/two-weird-ways-your-iphone-or-mac-can-be-hacked/

South Korea New Target for Payment Fraud

By: Suparna Goswami

Some Experts Say Merchants Are Slow to Implement Chip Cards, Security Measures

Threat actors are increasingly targeting the APAC region – especially South Korea – for payment card fraud, according to a recent report from Gemini Advisory.

For example, a group of hackers recently stole information on more than 1 million credit cards in South Korea, targeting transactions made at point-of-sale terminals.

The Gemini Advisory report says more than 1 million credit card records from South Korea have been posted for sale on the dark web since May 29, 2019.

“South Korea’s high card-present fraud rates indicate a weakness in the country’s payment security that fraudsters are motivated to exploit,” says Stas Alforov, security researcher at Gemini Advisory. “As this global trend toward increasingly targeting non-Western countries continues, I feel both the supply and demand for South Korean-issued CP records in the dark web will likely increase.”

The statistics illustrate the growth of the problem. Alforov says 42,000 compromised South Korean credit card records were posted for sale on the dark web in May. That number grew to 230,000 in June and 890,000 in July.

The graph shows a spike in card fraud in South Korea in June. (Source: Gemini Advisory)

Missing Security Steps

Alforov tells Information Security Media Group that the failure of many South Korean merchants to shift to accepting EMV chip card transactions at their POS devices appears to have contributed to the surge in credit card information theft, along with a failure to take other security steps. Another factor, some experts say, is a lack of security measures at POS integrators. (see: Mastercard’s Ron Green on Payment Card Fraud)

“In this particular case, it appears that while South Korea mandated the switch to EMV at the end of 2018, there are still some merchants lagging behind, which is why we are seeing over 1 million card-present records compromised” because of data stolen from magnetic stripe card transactions, he says. EMV cards store encrypted data on a chip, making card-present data theft far more difficult.

More: https://www.bankinfosecurity.com/south-korea-new-target-for-payment-fraud-a-12897

A security firm says it has discovered a flaw in WhatsApp that would allow hackers to alter your messages

By: Mary Hanbury

A cybersecurity firm has discovered a flaw in WhatsApp that allows hackers to intercept and manipulate messages — potentially changing the identity of a message sender or altering their text.

Attackers could literally “put words in [someone’s] mouth,” Israeli firm Check Point Research said in a press release on Wednesday. It added that this gives the attacker the power to “create and spread misinformation from what appear to be trusted sources.”

Check Point reversed WhatsApp’s encryption algorithm and decrypted the data. Once it did so, it was able to see all the parameters that are sent between the web and mobile version of WhatsApp and manipulate this data.

So, for example, if it wanted to change your message, it captures the outgoing message from WhatsApp, decrypts the data, changes it to whatever it wants it to say, and then encrypts it back.

More: https://www.businessinsider.com/whatsapp-flaw-could-allow-hackers-to-alter-your-messages-2019-8

Apple To Restrict Facebook, WhatsApp Voice Calling Feature To Prevent Background Data Collection

By: Inc42

To protect the privacy of its users and keep major apps from accessing microphone data in the background, Apple has announced that it would be rolling out an update to mobile operating system iOS to restrict apps such as Facebook’s Messenger, WhatsApp and other communication apps from making voice calls over the internet in the background.

According to a report in The Information, apps are able to run calls in the background when using an iPhone even when the app has not been opened. This means such messaging and calling apps can be used at a faster pace, but it also lets them collect data in the background, without the user being aware of such an activity, while a voice call is active and running.

Apple will restrict the background access for apps while users are connected to internet calls. Apple’s move is likely to have repercussions on both Messenger and WhatsApp, however, whether it affects Telegram, Skype and other platforms is as yet unknown. It is likely to have a major impact on the development of WhatsApp, which uses internet calling for voice and video calls, which it claims are end-to-end encrypted.

However, this is not the first security weak point found in WhatsApp’s internet-based calls. In May, it fixed a massive data vulnerability that left its over 1.5 Bn users at risk from malicious spyware. The data vulnerability, which could have led to breaches and unauthorised malware installation, has seemingly been present on WhatsApp for a number of years.

More: https://inc42.com/buzz/apple-to-restrict-facebook-whatsapp-voice-calls-to-block-data-access/

QualPwn vulnerabilities in Qualcomm chips let hackers compromise Android devices

By: Catalin Cimpanu

Patches for the QualPwn vulnerabilities have been released earlier today by both Qualcomm and the Android team.

The Android Security Bulletin for August 2019 is out today and this month’s Android security patches include a fix for two dangerous vulnerabilities that impact devices with Qualcomm chips.

Known collectively as QualPwn, these two vulnerabilities “allow attackers to compromise the Android Kernel over-the-air,” according to Tencent Blade, a cyber-security division at Tencent, one of China’s biggest tech firms.

The over-the-air attack is not a fully remote attack, meaning it can’t be executed over the internet. To launch a QualPwn attack, the attacker and the target must be on the same WiFi network.

Nonetheless, the QualPwn attacks don’t require user interaction, and Android users with affected Qualcomm chipsets will need to look into installing the August 2019 Android OS security patch.


The two QualPwn vulnerabilities are as follows:

  • CVE-2019-10538 – a buffer overflow that impacts the Qualcomm WLAN component and the Android Kernel. Can be exploited by sending specially-crafted packets to a device’s WLAN interface, which allows the attacker to run code with kernel privileges.
  • CVE-2019-10540 – a buffer overflow in the Qualcomm WLAN and modem firmware that ships with Qualcomm chips. Can be exploited by sending specially-crafted packets to an Android device’s modem. This allows for code execution on the device.

The first issue was patched with a code fix in the Android operating system source code, while the second bug was patched with a code fix in Qualcomm’s closed-source firmware that ships on a limited set of devices.

More: https://www.zdnet.com/article/qualpwn-vulnerabilities-in-qualcomm-chips-let-hackers-compromise-android-devices/


Brazil suffered 15 billion cyberattack attempts in the second quarter of 2019

By: TI Inside Online

Fortinet announced this Tuesday, the 6th, the results of its latest threat research, revealing that Brazil suffered 15 billion cyberattack attempts in just three months, between March and June 2019. The FortiGuard threat intelligence service detected the prevalence of old attacks such as those used in the WannaCry ransomware in 2017 and those that seriously breached banks in Chile and Mexico in 2018. The effectiveness of this type of attack indicates the continued presence of unpatched or outdated systems in Brazilian companies and the critical need for greater investment in cybersecurity technologies.

According to Frederico Tostes, Country Manager of Fortinet in Brazil: “Cybersecurity has gone from a complementary element to a critical need for all companies in their digital transformation process. The question is no longer ‘what do we do if we suffer a cyberattack?’ but rather ‘what do we do when we suffer a cyberattack?’. Today, cybersecurity is a global issue, and Brazil also occupies an important place in the world as a target for cybercriminals. We see threats increasing at an alarming pace, both in quantity and in sophistication.”

The most prominent findings of the FortiGuard research include:

  • Old and well-known threats remain very active in Brazil

* DoublePulsar, the trojan used to distribute malware in well-known attacks such as the WannaCry ransomware in 2017 and attacks on banks in Chile and Mexico last year, was among the three most detected in Brazil in the second quarter of 2019.

  • Large number of application exploit attempts for denial of service

* About 73% of the network intrusion attempts detected in Brazil exploited a vulnerability that allows a command to be triggered to generate denial-of-service attacks on NTP servers (Network Time Protocol is an Internet protocol for synchronizing the clocks of computer systems over packet-routed networks).

  • Malware that affects Windows and is used for “cryptomining”

* About 33% of the malware detected in Brazil was a “worm” with trojan characteristics that affects computers running the Windows operating system. It can be considered a serious attack if you do not have up-to-date antivirus.

More: https://tiinside.com.br/tiinside/seguranca/mercado-seguranca/06/08/2019/brasil-sofreu-15-bilhoes-de-tentativas-de-ataques-ciberneticos-no-segundo-trimestre-de-2019

Connected car: hackers can open doors, brake and steal data remotely.

By: Alessandro Reis

Connected, including with dedicated internet access, the cars of today and, especially, of the future increasingly resemble smartphones. Having access to social networks and being able to post from inside the vehicle, for example, is something consumers want, and automakers know it. However, there is a downside: like cell phones and personal computers, automobiles have increasingly been targeted by hackers.

Things get even more delicate when it comes to vehicles equipped with semi-autonomous driving technologies, with a series of devices managed by sensors and computers, such as acceleration, brakes and even steering wheel movement.

A quick internet search is enough to find examples. In 2016, Chinese researchers from Keen Security Lab managed to interfere with the brakes, the door opening, the multimedia center screen and other electronically controlled items of a Tesla Model S. The demonstration, proven on video, was carried out with the help of a laptop positioned kilometers away.

More recently, in March of this year, another group of cybersecurity researchers, calling itself Fluoroacetate, won a hacking competition held in Vancouver, Canada, doing something seemingly simpler: they took advantage of a flaw in the internet browser of a Tesla Model 3 and displayed a message on the sedan's multimedia screen.

As a prize, they took the car home, plus US$ 35,000 (about R$ 138,500 at the direct conversion rate).

It is worth noting that these vulnerabilities are not exclusive to the American electric car brand, but Teslas are the favorites for demonstrations of this kind because of their fame and the large amount of technology available, including the aforementioned semi-autonomous driving features.

More: https://www.uol.com.br/carros/noticias/redacao/2019/08/06/carro-conectado-hacker-pode-abrir-portas-frear-e-roubar-dados-a-distancia.htm

Facebook Plans on Backdooring WhatsApp

By: Bruce Schneier

This article points out that Facebook’s planned content moderation scheme will result in an encryption backdoor into WhatsApp:

In Facebook’s vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user’s device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as true wiretapping service.

Facebook’s model entirely bypasses the encryption debate by globalizing the current practice of compromising devices by building those encryption bypasses directly into the communications clients themselves and deploying what amounts to machine-based wiretaps to billions of users at once.

Once this is in place, it’s easy for the government to demand that Facebook add another filter — one that searches for communications that they care about — and alert them when it gets triggered.

Of course alternatives like Signal will exist for those who don’t want to be subject to Facebook’s content moderation, but what happens when this filtering technology is built into operating systems?

More: https://www.schneier.com/blog/archives/2019/08/facebook_plans_.html

28 Million Android Phones Exposed To ‘Eye-Opening’ Attack Risk

By: Davey Winder

New research has revealed the truly shocking state of Android phone security. The source of that security problem may well come as a surprise: antivirus apps designed to protect devices and users. Researchers at testing specialists Comparitech found that apps with more than 28 million installs between them were presenting attack paths and opportunities to threat actors looking to exploit vulnerabilities on the Android platform.

In total, Comparitech put 21 separate Android antivirus apps to the test over the course of many weeks. Some 47% of them failed in one way or other. Three apps contained serious security flaws, including a critical vulnerability exposing the address books of users which laid the details of an estimated million contacts bare. Another vulnerability made one app “very easy to disable remotely” by an attacker.

And that’s before I’ve even mentioned the apps that were unable to detect a virus used during the testing process, or how nearly all of them were found to be tracking their users according to the Comparitech researchers.

“Comparitech spent weeks testing popular free Android antivirus apps,” Aaron Phillips, a Comparitech researcher, reported. “We looked for flaws in the way each vendor handles privacy, security, and advertising. The results were eye-opening.”

Comparitech’s senior security researcher, Khaled Sakr, took responsibility for the testing itself, looking at each application, its effectiveness, web management dashboard and any back-end services. The apps were also scrutinized for dangerous permissions and trackers embedded within them.

More: https://www.forbes.com/sites/daveywinder/2019/08/03/28-million-android-phones-exposed-to-eye-opening-attack-risk/amp/