My Weekly RoundUp #79
This week I've read a lot of articles about privacy.
Below is a selection, plus some sad news…
Home Assistant Adopter Beware: Google, Amazon Digital Assistant Patents Reveal Plans for Mass Snooping
Internet giants Amazon and Google are slashing prices and offering supposed deals on their “digital assistants” this holiday season, but a study of patent applications associated with the devices reveals plans for massive surveillance of users’ homes, Consumer Watchdog warned today.
https://www.consumerwatchdog.org/privacy-technology/home-assistant-adopter-beware-google-amazon-digital-assistant-patents-reveal
Consumer Watchdog said that a study of patent applications filed by Amazon and Google with the U.S. Patent and Trademark Office reveals a vision for an Orwellian future in which digital assistants eavesdrop on everything from confidential conversations to your toilet flushing habits to children’s movements and the books on bedside tables. They would know when you go to sleep and whom you wake up with.
The patents reveal the devices’ possible use as surveillance equipment for massive information collection and intrusive digital advertising. SNL’s Weekend Update made light of these revelations.
FamilyTreeDNA Hands the FBI Access to Its Database
There are plenty of reasons to be wary of at-home DNA testing, particularly if you’re concerned about genetic privacy. That’s especially true now that it’s come to light that FamilyTreeDNA, one of the largest private genetic testing companies, is cooperating with the FBI to give its agents access to its genealogy database.
https://gizmodo.com/familytreedna-hands-the-fbi-access-to-its-database-1832259369
The partnership, first reported by BuzzFeed News, marks the first known time a consumer DNA kit company has voluntarily given law enforcement access to a private database. Detectives have increasingly turned to DNA databases as a way to jumpstart cold cases, but previously kept searches limited to public and free databases, such as in the recent Golden State Killer case. While in that particular case law enforcement relied most heavily on GEDmatch, an open-source database, FamilyTreeDNA was also subpoenaed to provide the identity of a single user who was a genetic match to the killer.
Many popular iPhone apps secretly record your screen without asking
Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.
https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/ and http://theappanalyst.com/aircanada.html
You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.
Unlocking God Mode on x86 Processors
We missed this Blackhat talk back in August, but it’s so good we’re glad to find out about it now. [Christopher Domas] details his obsession with hidden processor instructions, and how he discovered an intentional backdoor in certain x86 processors. These processors have a secondary RISC core, and an undocumented procedure to run code on that core, bypassing the normal user/kernel separation mechanisms.
The result is that these specific processors have an intentional mechanism that allows any unprivileged user to jump directly to root level access.
The most fascinating part of the talk is the methodical approach [Domas] took to discover the details of this undocumented feature. Once he had an idea of what he was looking for, he automated the process of checking every possible x86 instruction, looking for the one instruction that allowed running code on that extra core.
https://hackaday.com/2019/02/03/unlocking-god-mode-on-x86-processors/
Reverse RDP Attack: Code Execution on RDP Clients
Check Point Research recently discovered multiple critical vulnerabilities in the commonly used Remote Desktop Protocol (RDP) that would allow a malicious actor to reverse the usual direction of communication and infect the IT professional or security researcher’s computer. Such an infection could then allow for an intrusion into the IT network as a whole.
https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients
macOS vulnerability lets attackers access passwords in the Keychain
The problem lies with the Keychain, which can be used to store the user’s passwords for a variety of services. In theory, these are kept safe from any possible intruders, but Henze discovered a vulnerability which can be exploited to reveal all the passwords stored in the Keychain. The exploit is demonstrated in the video below, where Henze uses a specially designed KeySteal app to get access to those passwords.
https://www.neowin.net/news/macos-vulnerability-lets-attackers-access-passwords-in-the-keychain
Android devices could be hacked by viewing a malicious PNG Image
The flaws affect millions of Android devices running versions of the Google OS, ranging from Android 7.0 Nougat to the latest Android 9.0 Pie.
https://securityaffairs.co/wordpress/80772/hacking/android-hack-png-image.html
Google addressed the three vulnerabilities in the Android Open Source Project (AOSP) as part of the February Android Security Updates.
Even if Google has addressed the flaws, each vendor will have to distribute the patch for its models and this process usually doesn’t occur on a regular basis.
Researchers at Google did not provide technical details for the flaws, the tech giant only reported that the security updates addressed a “heap buffer overflow flaw,” “errors in SkPngCodec,” and vulnerabilities in some components that render PNG images.
According to the security advisory published by Google, the most severe of the three vulnerabilities could allow a maliciously crafted .PNG image file to execute arbitrary code on the vulnerable Android devices.
Introducing Adiantum: Encryption for the Next Billion Users
Storage encryption protects your data if your phone falls into someone else’s hands. Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.
https://security.googleblog.com/2019/02/introducing-adiantum-encryption-for.html
This Marie Kondo-inspired Twitter tool will help you declutter your timeline so it again ‘sparks joy’
Designed by Julius Tarng, previously of Facebook and Branch, “tokimeki” roughly translates to “spark joy.” It’s a nod to Tarng’s source of inspiration for the new tool — Marie Kondo’s hugely popular Netflix show “Tidying Up.” The series, based on the decluttering expert’s own KonMari method of organization, has prompted many to start purging their homes of unwanted and unloved clothing, books, papers, toys and more in the weeks following the series’ debut.
https://techcrunch.com/2019/02/05/this-marie-kondo-inspired-twitter-tool-will-help-you-declutter-your-timeline-so-it-again-sparks-joy/
Beyond bionics: how the future of prosthetics is redefining humanity
Bionic technology is removing physical barriers faced by disabled people while raising profound questions of what it is to be human. From DIY prosthetics realised through 3D printing technology to customised AI-driven limbs, science is at the forefront of many life-enhancing innovations.
https://www.youtube.com/watch?v=GgTwa3CPrIE
Oreo the Raccoon, Inspiration for ‘Guardians of the Galaxy’ Character Rocket, Dies
Oreo the Raccoon, who served as the model for “Guardians of the Galaxy” character Rocket, has passed away after a short illness.
https://www.thewrap.com/oreo-the-raccoon-inspiration-guardians-galaxy-rocket-dies/
The Facebook fan page for all things “Guardians” announced the news on Thursday, after his family took to the social media platform to announce his death.
“Our hearts are broken as we have lost our best friend, our Guardian of our Galaxy Mr Oreo Raccoon,” Quinta Layla wrote. “Oreo passed away in the early hours of this morning after a very short illness. Many thanks to our wonderful vets for their compassion and care.”
Jake Shimabukuro Performing Galloping Seahorses
Jake released the album “Nashville Sessions” on Sep 23, 2016.
The album reached No. 1 on the iTunes World Album chart in the USA and Japan.