Caution: your devices listen to, record and archive what you say

By: ÉPOCA NEGÓCIOS ONLINE

Find out how smartphones, notebooks and virtual assistants invade your privacy every day, collecting and analysing your data in artificial intelligence systems

If you spend your days wondering whether your smartphone, notebook, tablet or your virtual assistants Alexa, Siri and Cortana are watching you, you can stop wondering. The answer is yes. All of these devices listen to, record, archive and monitor, in some way, what you say. The records may be audio, full transcripts or summaries. And the use made of that data is not always clear, according to The Guardian.

Targeted by criticism over the possible use of recordings made by the Alexa assistant, Amazon says its products are unfairly vilified. According to the company, it is true that the devices listen all the time, “but in no way transmit everything they hear”. Only when a device hears the wake word “Alexa” is the recording sent to the cloud and analysed, they say.

The argument is the same one used by every technology company accused of spying on consumers: they say they only listen when given an explicit command to do so. Saying the phrase “OK, Google” wakes the company's devices. Even if that is true, the question remains: once listening begins, what happens next?

Sources at Apple, which prides itself on how it protects user privacy, say Siri tries to satisfy every request it can directly on the user's iPhone or computer. If a request is sent to the cloud for additional analysis, it is tagged with a coded identifier, not the user's name.

The recordings are kept for six months so that the voice-recognition system can learn to understand that person's voice better. A second copy is then saved, without the identifier, to help Siri over the following two years.

At the other technology giants, the audio is sent straight to the cloud. There, computers try to guess the user's intent and satisfy it. Afterwards, the companies could delete the request and the system's response, but they generally do not. The reason is data. For speech AI, the more data, the better.

Any user can log in to their Amazon or Google account and see a list of all their audio queries. Those files are only deleted if the person who asked takes the initiative. Otherwise, they stay on record forever.

It is true that all your typed searches on Google and other search engines are also logged. But for many people, having the sound of their voice archived by a company feels far more invasive.

No guarantees
Practically every maker of artificial intelligence systems, from hobbyists to the AI geniuses at the big companies, reviews at least some of the transcripts of users' interactions with their creations. The goal is to discover what works, what needs improvement and what users are willing to discuss. There are many ways to do this.

The logs can be modified so that the employee in charge does not see individual users' names. Or they may see only summarised data. For example, they may learn that a conversation ends after a certain sentence from the bot, which leads them to make an adjustment. Designers at Microsoft, Google and other companies also receive reports detailing the most popular questions, so they know what content to add.

More: https://epocanegocios-globo-com.cdn.ampproject.org/c/s/epocanegocios.globo.com/amp/Tecnologia/noticia/2019/05/

Apple accidentally unpatched a vulnerability it had already fixed, making current versions of iOS vulnerable to hackers.

By: Pierluigi Paganini

A public jailbreak for iPhones was released by a hacker; it is an exceptional event because it is the first in years. According to Motherboard, which first reported the news, Apple accidentally unpatched a flaw it had already fixed, allowing the hacker to exploit it.

The jailbreak works with the latest version of the iOS mobile operating system; Google Project Zero expert Ned Williamson confirmed that the jailbreak works on his iPhone.

Over the weekend, experts discovered that the latest iOS version (12.4), released in June, reintroduced a security flaw found by a Google Project Zero white hat hacker that was previously fixed in iOS 12.3.

The flaw potentially exposes iPhone devices running current and older iOS versions (any 11.x and 12.x below 12.3) to the risk of a hack until 12.4.1 is released.

The popular researcher Pwn20wnd, who already developed iPhone jailbreaks in the past, today has published a jailbreak for iOS 12.4. Some users claim the jailbreak works on their iPhones.

This is a very unusual situation because hackers who have developed a working exploit for the iPhone prefer to sell it to a zero-day broker such as Zerodium, which pays up to 2 million dollars.

More: https://securityaffairs.co/wordpress/90099/hacking/iphone-jailbreak-released.html

New hacker tool unlocks any iPhone on the market

By: Felipe Payão

Cellebrite's tool breaks into any iPhone and top-of-the-line Android on the market.

The Israeli company Cellebrite launched UFED Premium today (the 14th), a hacking tool capable of unlocking any Apple iPhone currently sold on the market. UFED Premium is aimed at government and police authorities around the world; Cellebrite, for example, works with Brazilian authorities.

Through UFED Premium, police agencies will be able to perform a full file-system extraction on iOS phones, as well as top-of-the-line Android smartphones, Cellebrite says. “Gain access to third-party app data, chat conversations, downloaded emails and email attachments, deleted content and more, increase your chances of finding incriminating evidence and bring your case to a resolution,” the company writes in its sales pitch for the solution.

It is worth noting that, although Cellebrite claims it can unlock every iPhone on the market, the official site indicates that UFED Premium cannot yet hack iPhones running iOS 13, the version of the operating system that will soon arrive on all Apple devices.

Cellebrite gained media attention in the Apple vs. FBI case, when the US agency was seeking to hack the device of a terrorism suspect. The FBI succeeded in extracting the data from an iPhone 5c thanks to the tool.

More: https://m.tecmundo.com.br/seguranca/142593-nova-ferramenta-hacker-desbloqueia-qualquer-iphone-mercado.htm

Many popular iPhone apps secretly record your screen without asking

By: Zack Whittaker

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play it back to see how users interacted with the app, to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.
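The Air Canada case above is a masking failure: sensitive fields were supposed to be redacted before the replay left the device, but some were not. The following Python is an added example, not code from Glassbox, TechCrunch, The App Analyst or any of the apps named; it models a simplified replay event stream and shows why masking by declared field name alone is fragile (a card number typed into an unrelated free-text field, or echoed in on-screen text, slips through) and how a content-based check on the outbound events catches it. Field names, event shapes and the sample capture are all constructed for the example; the card number is the well-known Luhn-valid test number 4111 1111 1111 1111.

```python
import re
from dataclasses import dataclass, field

# Hypothetical field names the developer declared sensitive, the kind of
# per-field configuration a session-replay SDK would expose.
SENSITIVE_FIELDS = {"passport_number", "card_number", "cvv"}

# 13-19 digits, optionally separated by spaces or dashes (payment card shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Simplified passport-like shape: 1-2 uppercase letters then 6-8 digits.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(text: str) -> bool:
    """True if the text contains a Luhn-valid card-number-shaped digit run."""
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return True
    return False


def looks_like_passport(text: str) -> bool:
    return PASSPORT_RE.search(text) is not None


@dataclass
class ReplayEvent:
    kind: str          # "tap", "input" or "screen_text"
    target: str        # UI element or field name inside the app
    value: str = ""    # typed text or rendered text captured by the replay


@dataclass
class MaskResult:
    events: list
    findings: list = field(default_factory=list)   # (target, reason) pairs


def mask_events(events, declared=SENSITIVE_FIELDS):
    """Redact by declared field name first, then by content, before events are sent."""
    out, findings = [], []
    for ev in events:
        reason = None
        if ev.target in declared and ev.value:
            reason = "declared-sensitive field"
        elif looks_like_pan(ev.value):
            reason = "card number detected by content"
        elif looks_like_passport(ev.value):
            reason = "passport-like identifier detected by content"
        value = "*" * len(ev.value) if reason else ev.value
        if reason:
            findings.append((ev.target, reason))
        out.append(ReplayEvent(ev.kind, ev.target, value))
    return MaskResult(out, findings)


# Constructed sample capture (not real data) from a hypothetical booking flow.
SAMPLE_CAPTURE = [
    ReplayEvent("tap", "book_button"),
    ReplayEvent("input", "passport_number", "AB1234567"),
    ReplayEvent("input", "card_number", "4111 1111 1111 1111"),
    ReplayEvent("input", "notes", "card 4111-1111-1111-1111 on file"),
    ReplayEvent("screen_text", "confirmation", "Passenger: J. Doe, passport AB1234567"),
    ReplayEvent("input", "seat_preference", "aisle"),
]


def masked_sample() -> MaskResult:
    return mask_events(SAMPLE_CAPTURE)


if __name__ == "__main__":
    result = masked_sample()
    for ev in result.events:
        print(f"{ev.kind:12} {ev.target:16} {ev.value}")
    for target, reason in result.findings:
        print(f"masked {target}: {reason}")
```

The `notes` and `confirmation` events are the ones a name-only policy would have shipped in the clear; the `findings` list doubles as an audit signal, since any content-based hit on a field that was not declared sensitive means the declared list is incomplete.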

More: https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/

New FaceTime Bug Lets Callers Hear and See You Without You Picking Up

By: Swati Khandelwal

If you own an Apple device, you should immediately turn OFF FaceTime app for a few days.

A jaw-dropping unpatched privacy bug has been uncovered in Apple’s popular video and audio call app FaceTime that could let someone hear or see you before you even pick up their call.

The bug is going viral on Twitter and other social media platforms with multiple users complaining of this privacy issue that can turn any iPhone into an eavesdropping device without the user’s knowledge.

The Hacker News has tested the bug on an iPhone X running the latest iOS 12.1.2 and can independently confirm that it works, as flagged by 9to5Mac on Monday. We were also able to replicate the bug by making a FaceTime call to a MacBook running macOS Mojave.

Here’s How Someone Can Spy On You Using FaceTime Bug

The issue is more of a design or logic flaw than a technical vulnerability, and it resides in the newly launched Group FaceTime feature.

Here’s how one can reproduce the bug:
  1. Start a FaceTime Video call with any iPhone contact.
  2. While your call is dialing, swipe up from the bottom of your iPhone screen and tap ‘Add Person.’
  3. You can add your own phone number in the ‘Add Person’ screen.
  4. This will start a group FaceTime call including yourself and the person you first called, whose audio you will be able to listen in on even if he/she hasn’t accepted the call yet.

iPhone a Growing Target of Crypto-Mining Attacks

By: Kacy Zurkus

Apple has increasingly been the target of crypto-mining attacks, and according to Check Point, iPhone attacks increased by nearly 400% over the last two weeks in September.

In its most recently published Global Threat Index, Check Point researchers said they are continuing to investigate the reasons behind this sharp increase but reported that crypto-miners continued to be the most common malware in September 2018. Coinhive continued to hold the number-one position, which it has occupied since December 2017.

While Coinhive currently impacts 19% of global organizations, researchers also reported that the information-stealing Trojan Dorkbot held onto second place with a 7% global impact. The report also noted a significant increase in Coinhive attacks against PCs. Attackers used the Coinhive mining malware to target iPhones, which aligned with a rise in attacks against users of the Safari browser, the primary browser used on Apple devices.

The mining malware that rivals Coinhive, known as Cryptoloot, ranked third place overall on the Threat Index, making it the second-most prevalent crypto-miner in the index. Differentiating itself from Coinhive, Cryptoloot requests a smaller revenue percentage from websites than its top competitor.

“Crypto-mining continues to be the dominant threat facing organizations globally,” Maya Horowitz, threat intelligence group manager at Check Point, said in a press release. “What is most interesting is the fourfold increase in attacks against iPhones and against devices using the Safari browser during the last two weeks of September. These attacks against Apple devices are not using new functionality, so we are continuing to investigate the possible reasons behind this development.”

More: https://www.infosecurity-magazine.com/news/iphone-a-growing-target-of/

Expert demonstrated how to access contacts and photos from a locked iPhone XS

By: Pierluigi Paganini

An expert discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited to access photos and contacts on a locked iPhone XS.

The Apple enthusiast and “office clerk” Jose Rodriguez has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could be exploited by an attacker (with physical access to the iPhone) to access photos and contacts on a locked iPhone XS and other devices.

The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).

The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.

An attacker can access the images on the devices by editing a contact and changing the image associated with a specific caller.

Apple has addressed the issue that allowed images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations implemented by Apple.

The attack exploits VoiceOver, the iPhone’s screen-reading accessibility feature; for this reason, the vulnerable device needs to have Siri enabled and Face ID either turned off or physically covered.

A step-by-step guide to Rodriguez’s attack was published by the website Gadget Hacks.

More: https://securityaffairs.co/wordpress/76700/hacking/iphone-xs-passcode-hack.html

Critical MacOS Mojave vulnerability bypasses system security

By: Michael Archambault

With the launch of a new version of macOS from Apple typically comes a combination of new features, better performance, and enhanced security. Unfortunately, that statement might not hold this time: security researcher Patrick Wardle, co-founder of Digita Security, has discovered that macOS Mojave includes a severe security flaw; the bug is currently present on all machines running the latest version of macOS and allows unauthorized access to a user’s private data.

Wardle announced his discovery on Twitter, showcasing that he could easily bypass macOS Mojave’s built-in privacy protections. Due to the flaw, an unauthorized application could circumvent the system’s security and gain access to potentially sensitive information. With the Twitter post, Wardle also included a one-minute Vimeo video showing the hack in progress.

The short video begins with Wardle attempting to access a user’s protected address book and receiving a message that states the operation is not permitted. After accessing and running his bypass program, breakMojave, Wardle is then able to locate the user’s address book, circumvent the machine’s privacy access controls, and copy the address book’s contents to his desktop — no permissions needed.

Wardle is an experienced security researcher who has worked at NASA and the National Security Agency; he notes that one of his current passions is finding macOS security flaws before others have the chance. While it is unlikely Wardle will release the app as a malicious tool, he does want to spread knowledge of its existence so that Apple addresses the issue in a timely fashion.

More: https://www.digitaltrends.com/computing/macos-mojave-vulnerability

Security Flaws Inadvertently Left T-Mobile And AT&T Customers’ Account PINs Exposed

By: L33TDAWG

T-Mobile and AT&T customers’ account PINs — passcodes meant to protect mobile accounts from being hacked — have been exposed by two different security flaws, which were discovered by security researchers Phobia and Nicholas “Convict” Ceraolo.

Apple’s online store contained the security flaw that inadvertently exposed over 72 million T-Mobile customers’ account PINs. The website for Asurion, a phone insurance company, had a separate vulnerability that exposed the passcodes of Asurion’s AT&T customers.

Apple and Asurion fixed the vulnerabilities after BuzzFeed News shared the security researchers’ findings. Apple declined to provide further comment on the record, stating only that the company is very grateful to the researchers who found the flaw. Asurion spokesperson Nicole Miller said, “Asurion takes customer security and privacy very seriously, and as such we have an ongoing, layered security program in place to prevent security issues. We are investigating the researcher’s concerns, but have immediately implemented measures to address these concerns to ensure customers’ accounts are safe.”

16-Year-Old Teen Hacked Apple Servers, Stole 90GB of Secure Files

By: Mohit Kumar

Well, there’s something quite embarrassing for Apple fans.

Though Apple servers are widely believed to be unhackable, a 16-year-old high school student proved that nothing is impossible.

The teenager from Melbourne, Australia, managed to break into Apple servers and downloaded some 90GB of secure files, including highly secure authorized keys used to grant login access to users, and also accessed multiple user accounts.

The teen told the authorities that he hacked Apple because he was a huge fan of the company and “dreamed of” working for the technology giant.

What’s more embarrassing? The teen, whose name is being withheld as he’s still a minor, hacked the company’s servers not once, but numerous times over the course of more than a year, and Apple’s system administrators failed to stop their users’ data from being stolen.

When Apple finally noticed the intrusion, the company contacted the FBI, which enlisted the help of the Australian Federal Police (AFP) after detecting his presence on their servers and blocking him.

Apple Hack: The “Hacky Hack Hack” Folder

The AFP caught the teenager last year after a raid on his residence and seized two Apple laptops, a mobile phone, and a hard drive.

“Two Apple laptops were seized, and the serial numbers matched the serial numbers of the devices which accessed the internal systems,” a prosecutor was quoted as saying by Australian media The Age. “A mobile phone and hard drive were also seized, and the IP address matched the intrusions into the organization.”

After analyzing the seized equipment, authorities found the stolen data in a folder called “hacky hack hack.”

Besides this, authorities also discovered a series of hacking tools and files that allowed the 16-year-old boy to break into Apple’s mainframe repeatedly.

More: https://thehackernews.com/2018/08/apple-hack-servers.html?m=1