Beware: your devices listen to, record and archive what you say

By: ÉPOCA NEGÓCIOS ONLINE

Learn how smartphones, notebooks and virtual assistants invade your privacy every day, collecting and analysing your data in artificial intelligence systems

If you spend your days wondering whether your smartphone, notebook, tablet or your virtual assistants Alexa, Siri and Cortana are watching you, you can stop wondering. The answer is yes. All of these devices listen to, record, archive and monitor, in some way, what you say. The records may be audio, full transcripts or summaries. And the use made of this data is not always clear, according to The Guardian.

Targeted by criticism over the possible use of recordings made by the Alexa assistant, Amazon says its products are unfairly vilified. According to the company, it is true that the devices listen all the time, “but by no means do they transmit everything they hear”. Only when a device hears the wake word “Alexa” is the recording sent to the cloud and analysed, they say.

The argument is the same one used by every technology company accused of spying on consumers: they say they only listen when they receive an explicit command to do so. Saying the phrase “OK, Google” wakes up the company's devices. Even if that is true, the question remains: once listening begins, what happens next?

Sources at Apple, which prides itself on how it protects user privacy, say that Siri tries to satisfy as many requests as possible directly on the user's iPhone or computer. If a request is sent to the cloud for additional analysis, it is tagged with a coded identifier, not with the user's name.

The recordings are archived for six months so that the speech recognition system can learn to understand that person's voice better. Afterwards, another copy is saved, without the identifier, to help Siri over the next two years.

In the case of the other tech giants, the audio is sent directly to the cloud. There, computers try to guess the user's intent and satisfy it. Afterwards, the companies could delete the request and the system's response, but they generally do not. The reason is data. For speech AI, the more data, the better.

Any user can log into their Amazon or Google account and see a list of all their audio queries. These files will only be deleted if the person who asked the question takes the initiative. Otherwise, they remain on record forever.

It is true that all your typed searches on Google and other search engines are also recorded. But, for many people, having the sound of their voice archived by a company feels far more invasive.

No guarantees
Practically all builders of artificial intelligence systems, from hobbyists to the AI geniuses at the large companies, review at least some of the transcripts of users' interactions with their creations. The goal is to discover what works, what needs improvement and what users are willing to discuss. There are many ways to do this.

The records can be modified so that the employee in charge does not see the names of individual users. Or they may see only summarised data. For example, they may learn that a conversation ends after a particular phrase from the bot, which leads them to make an adjustment. Designers at Microsoft, Google and other companies also receive reports detailing the most popular questions, so that they know what content to add.

More: https://epocanegocios-globo-com.cdn.ampproject.org/c/s/epocanegocios.globo.com/amp/Tecnologia/noticia/2019/05/

Google Researchers Disclose PoCs for 4 Remotely Exploitable iOS Flaws

By: Wang Wei

Google’s cybersecurity researchers have finally disclosed details and proof-of-concept exploits for 4 out of 5 security vulnerabilities that could allow remote attackers to target Apple iOS devices just by sending a maliciously-crafted message over iMessage.

All the vulnerabilities, which required no user interaction, were responsibly reported to Apple by Samuel Groß and Natalie Silvanovich of Google Project Zero, which the company patched just last week with the release of the latest iOS 12.4 update.

Four of these vulnerabilities are “interactionless” use-after-free and memory corruption issues that could let remote attackers achieve arbitrary code execution on affected iOS devices.

However, the researchers have so far released details and exploits for only three of these four critical RCE vulnerabilities, and have kept one (CVE-2019-8641) private because the latest patch did not completely address the issue.

The fifth vulnerability (CVE-2019-8646), an out-of-bounds read, can also be executed remotely by just sending a malformed message via iMessage. But instead of code execution, this bug allows an attacker to read the content of files stored on the victim’s iOS device through leaked memory.

Below, you can find brief details, links to the security advisory, and PoC exploits for all four vulnerabilities:

More: https://thehackernews.com/2019/07/apple-ios-vulnerabilities.html?m=1

How to slow Google Sensorvault from tracking your location on iOS, Android

By: Rick Broida

Not only is Google Maps tracking you, but a program called Google Sensorvault is potentially turning over your location data to law enforcement, according to a report from The New York Times. We'll show you how to make this more difficult for Google, or at least how to avoid handing over the most granular data.

Keep in mind that a 2018 Associated Press investigation reported that even if you manually disable Google Location History, Google Maps and other apps may retain data about your whereabouts.

We also recently learned that Facebook is tracking you even after you deactivate your account, so it’s not just Google that you have to worry about. (Alternatively, you may want to at least turn off Facebook’s facial recognition feature.)

Screenshot (Rick Broida/CNET): The Web & App Activity toggle will fully disable Google location tracking, but good luck finding it unless you know exactly where to look.

Google maintains that such location-tracking features are intended to improve your experience. But that notion is at odds with the definition of “off,” said Princeton computer scientist Jonathan Mayer. “If you're going to allow users to turn off something called ‘Location History,’ then all the places where you maintain location history should be turned off,” he said.

Screenshot (Rick Broida/CNET): Feel free to disable Web & App Activity on Android, but keep in mind you'll lose out on a lot of location-based services.

Indeed, even when Location History is toggled off in your Google account settings, AP discovered, actions like searching for something in your browser, checking automatic weather updates and opening Google Maps will record your location. Princeton researchers were able to verify AP’s claims.

If you want to fully disable location tracking (which, keep in mind, will limit certain apps’ location-driven capabilities), you need to disable another setting called Web & App Activity.

More: https://www.cnet.com/google-amp/news

Mobile operating systems and security: an evolution

By: Alexandre Vasconcelos

Operating systems have been the foundation of computing since its beginnings, because there has always been a need for a base platform on top of which other programs run. It is a fascinating and extensive topic, and a mandatory course in computing degrees.

Operating systems for mobile devices, being more recent, are inevitably derivations (or even adaptations) of existing systems, but that does not diminish their ability to perform noble, and mandatory, tasks such as managing hardware resources.

And security? It has been neglected by many over recent decades. However, as cloud computing and the mass adoption of mobile devices grow, it inevitably becomes a subject of great relevance.

One of the main factors that determines how successful a product is lies in how it is planned and, consequently, designed. Without going too far back in time, the technology veterans who started their careers back in the 1980s will remember (often fondly) the mainframes and the character-only monitors, devoted to computational efficiency and to squeezing the most out of the scarce hardware resources of the time. There was no mobility, security played its part, connectivity was very restricted and threats were limited.

A little later, in the 1990s, Internet use intensified and graphical interfaces became ever more popular, but security remained a supporting actor in this story. Google, the iMac and portable MP3 players were born, and mobile telephony was also advancing. Operating systems continued to evolve, not only through the progress of the graphical interface but also with the emergence of options such as Linux, which would decisively influence the market. Here security still played a secondary role; fraud and identity theft were, to a certain extent, isolated events that caused little damage, despite the growing number of flaws in Flash and browser plugins, for example.

In the early 2000s we find a much more solid and exciting landscape, with many solutions available and a far more mature technology market. With the Internet ever more present, distributed and faster, social networks and YouTube would pave the way for mobile devices such as the iPhone, as well as the first versions of Android (between 2007 and 2009), to occupy a definitive space. Security then begins to take a prominent role, as data starts to migrate onto these devices.

In recent years some events have affected the use of technology. In the field of politics, doubts were raised about Russian influence in the American elections; in addition, there have been countless cases of data leaks.

More: http://tiinside.com.br/tiinside/seguranca/

Dozens of US spies killed after Iran and China uncovered CIA messaging service using Google

By: Margi Murphy

Dozens of American spies were killed in Iran and China after a flawed communications service allowed foreign foes to use Google to see what the agents were up to, official sources have claimed.

Between 2009 and 2013 the US Central Intelligence Agency suffered a “catastrophic” secret communications failure in a website used by officers and their field agents around the world to speak to each other, according to a report in Yahoo News, which heard from 11 former intelligence and government officials about the previously unreported disaster.

“We’re still dealing with the fallout,” said one former national security official. “Dozens of people around the world were killed because of this.”

The internet-based communications platform was first used in the Middle East to communicate with soldiers in war zones and had not been intended for widespread use, but due to its ease of use and efficacy it was adopted by agents despite its lack of sophistication, the sources claimed.

Cracks only began to show when Iran, angered that the government under Barack Obama had discovered a secret Iranian nuclear weapon factory, went out with a fine-tooth comb to find moles.

Using Google, it discovered the existence of one of the websites used by US agents. US officials believe that Iranian spies were able to use Google as a search tool to find secret CIA websites, unbeknown to those using them.

By 2011, Iran had infiltrated the CIA spy network and in May it announced that it had broken up a 30-strong ring of American spies.

Some informants were executed and others imprisoned as a result, the sources claimed.

This was corroborated by a report on ABC News at the time, which referred to a compromised communications system after a tip-off from the CIA.

Meanwhile in China, 30 agents working for the US were executed by the government after it compromised the spy network by similar means. Beijing had managed to break into a second, temporary communications system, splintered from the initial platform, and was able to see every single agent the CIA had placed in the country, the sources told Yahoo.

The sources said the general consensus was that Iran and China had traded technical information with each other to form a two-pronged attack.

A CIA agent in Russia who was warned about the attacks was able to change communication channels before anyone was uncovered.

More: https://www.telegraph.co.uk/technology/2018/11/03/dozens-us-spies-killed-iran-china-uncovered-cia-messaging-service/amp/

Google’s prototype Chinese search engine reportedly links searches to phone numbers

By: Adi Robertson

Google is reportedly building a prototype system that would tie Chinese users’ Google searches to their personal phone numbers, as part of a new search service that would comply with the Chinese government’s censorship requirements. The Intercept writes that the “Dragonfly” Android app, a secret project revealed by a whistleblower last month, could be linked to a user’s phone number — making it simple to track individual users’ searches.

This tracking would be in addition to Dragonfly’s blacklisting of terms like “human rights,” “student protest,” and “Nobel Prize,” which might normally pull up news about Chinese activist and Nobel laureate Liu Xiaobo. Sources have also told The Intercept that it’s “essentially hardcoded” to replace weather and air pollution results with potentially doctored data from a source in China.

Google hasn’t confirmed the existence of Dragonfly, and it’s mostly declined to comment on reports about the project. (It didn’t immediately respond to a request for comment on this latest news.) It’s previously said that it’s only doing “exploratory” work on a search service in China and that it’s “not close to launching a search product” in the country.

But these reports have drawn opposition inside and outside the company. Around 1,400 Google employees have allegedly signed a letter demanding more information about the project, which has been shrouded in secrecy and reportedly runs in partnership with a Chinese company. Earlier today, a bipartisan group of House representatives asked Google to answer questions about its plans for a Chinese search app, saying Congress has “a responsibility to ensure that American companies are not perpetuating human rights abuses abroad.” And The Intercept reported yesterday that Google senior research scientist Jack Poulson resigned to protest the decision, saying a total of five employees have left because of Dragonfly.

More: https://www.theverge.com/platform/amp

Google paid millions of dollars to track offline purchases using Mastercard data

By: Pierluigi Paganini

Google has paid Mastercard millions of dollars to access its users' offline transactions, according to a report by Bloomberg.

New problems for Google: experts have discovered a secret agreement between the tech giant and Mastercard to track user purchases offline.

Google has paid Mastercard millions of dollars to access offline transactions of its users.

The embarrassing agreement was revealed by Bloomberg that cited four unidentified people with knowledge of the deal.

Google used Mastercard data to track whether its ads led to a sale at a physical store in the U.S.

Google and Mastercard signed the agreement after four years of negotiation; it gives Google all Mastercard transaction data in the US.

Neither Mastercard nor Google has ever disclosed the deal; roughly two billion Mastercard holders are unaware that Big G was tracking them.

“Alphabet Inc.’s Google and Mastercard Inc. brokered a business partnership during about four years of negotiations, according to four people with knowledge of the deal, three of whom worked on it directly.” reads the report published by Bloomberg.

“The alliance gave Google an unprecedented asset for measuring retail spending, part of the search giant’s strategy to fortify its primary business against onslaughts from Amazon.com Inc. and others.”

Google used the data to fuel a new tool for advertisers, called Store Sales Measurement, that is currently in a test phase for a restricted group of advertisers. The tool aims at tracking the conversion rate of online advertisements into real-world retail sales.

Google has never revealed the source of the data used by its Store Sales Measurement service since the service was presented; the company only declared that its customers had access to approximately 70% of U.S. credit and debit cards through partners.

“People don’t expect what they buy physically in a store to be linked to what they are buying online,” said Christine Bannan, counsel with the advocacy group Electronic Privacy Information Center (EPIC).

“There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.”

This suggests that Google has deals not just with Mastercard but with other card companies as well, covering in total 70% of the people who use credit and debit cards in the United States.

However, users can reportedly opt out of offline ad tracking by simply turning off “Web and App Activity” in their Google account.

Mastercard denied that it has provided personal information to any third parties.

More: https://securityaffairs.co/wordpress/75871/security/mastercard-data-google-deal.html

WhatsApp confirms that backups stored in iCloud and Google Drive lose end-to-end encryption

By: Raúl Álvarez

A few days ago WhatsApp and Google announced with great fanfare a new agreement that would benefit all users of the platform on Android. From 12 November, all Android users will be able to back up their conversations to Google Drive without the backups counting against their storage quota.

However, there is a detail here that was overlooked at the time and is now made clear: WhatsApp's free backups in Google Drive lose their encryption, and the same applies to iCloud backups made from an iPhone.

Private information without any protection

When the announcement was made, WhatsApp updated its support page to reflect these changes, also explaining step by step how to set up this feature. This of course raised suspicions, as it seemed “too good to be true”.

And so it was: today WhatsApp has once again updated its support site to mention explicitly the loss of encryption for backups in Google Drive:

“Important: Media and messages you back up are not protected by WhatsApp end-to-end encryption while in Google Drive.”

But that is not all, since it is also confirmed that this applies equally to the backups we currently have in Google Drive and iCloud. In other words, all stored backups are saved without any protection, so anyone with access to these backups could gain access to messages, photos, videos, location and everything we share on WhatsApp.

But note that most of the commentary is focusing on what happens on Android with WhatsApp and Google Drive, when in reality iPhone backups saved to iCloud also lose their encryption once stored. In other words, neither on Android nor on iOS will we have WhatsApp backups protected by encryption.

More: https://m-xataka-com.cdn.ampproject.org

New Man-in-the-Disk attack leaves millions of Android phones vulnerable

By: Swati Khandelwal

Security researchers at Check Point Software Technologies have discovered a new attack vector against the Android operating system that could potentially allow attackers to silently infect your smartphones with malicious apps or launch denial of service attacks.

Dubbed Man-in-the-Disk, the attack takes advantage of the way Android apps use the ‘External Storage’ system to store app-related data, which, if tampered with, could result in code injection in the privileged context of the targeted application.

It should be noted that apps on the Android operating system can store their resources on the device in two locations—internal storage and external storage.

Google itself offers guidelines to Android application developers urging them to use internal storage, which is an isolated space allocated to each application protected using Android’s built-in sandbox, to store their sensitive files or data.

However, researchers found that many popular apps—including Google Translate itself, along with Yandex Translate, Google Voice Typing, Google Text-to-Speech, Xiaomi Browser—were using unprotected external storage that can be accessed by any application installed on the same device.

How the Android Man-in-the-Disk Attack Works

Similar to the “man-in-the-middle” attack, the concept of “man-in-the-disk” (MitD) attack involves interception and manipulation of data being exchanged between external storage and an application, which if replaced with a carefully crafted derivative “would lead to harmful results.”
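As an added illustration (not code from Check Point's research or from the article), the Java snippet below contrasts the risky pattern described above, an app that reads data back from shared external storage, with the pattern Google recommends: private internal storage, plus an integrity check for the cases where a file has to pass through external storage anyway. The class name, file names and hash-pinning scheme are hypothetical.

```java
import android.content.Context;
import android.os.Environment;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper contrasting external-storage and internal-storage handling. */
public final class AppDataStore {

    // RISKY: a file under shared external storage can be read and rewritten by any
    // other app holding the storage permission, so its contents may be swapped
    // between the time it is written and the time this app reads it back.
    public static byte[] loadConfigFromExternal(String fileName) throws IOException {
        File shared = new File(Environment.getExternalStorageDirectory(), fileName);
        return readAll(new FileInputStream(shared));
    }

    // SAFER: Context.openFileOutput with MODE_PRIVATE writes into the app's private
    // directory (Context.getFilesDir()), which the Android sandbox keeps other apps out of.
    public static void saveConfigInternal(Context ctx, String fileName, byte[] data) throws IOException {
        try (OutputStream out = ctx.openFileOutput(fileName, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    public static byte[] loadConfigInternal(Context ctx, String fileName) throws IOException {
        return readAll(ctx.openFileInput(fileName));
    }

    // If a payload must be staged through external storage (e.g. a large download),
    // verify it against a SHA-256 value obtained over the app's authenticated channel
    // before using it; a tampered file then fails closed instead of being loaded.
    public static byte[] loadVerifiedFromExternal(Context ctx, String fileName, byte[] expectedSha256)
            throws IOException, NoSuchAlgorithmException {
        File staged = new File(ctx.getExternalFilesDir(null), fileName);
        byte[] data = readAll(new FileInputStream(staged));
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(data);
        if (!MessageDigest.isEqual(actual, expectedSha256)) {  // constant-time comparison
            throw new IOException("integrity check failed for " + fileName);
        }
        return data;
    }

    private static byte[] readAll(InputStream in) throws IOException {
        try (InputStream s = in; ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[4096];
            int n;
            while ((n = s.read(chunk)) != -1) {
                buf.write(chunk, 0, n);
            }
            return buf.toByteArray();
        }
    }
}
```

The verified-load path only helps if the expected hash itself never travels through external storage; pin it in the app or fetch it over TLS.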


More: https://thehackernews.com/2018/08/man-in-the-disk-android-hack.html