Apple Will Stop Listening To Siri Recordings For Now

Not long ago, both Google and Apple found themselves in hot water when it came to light that both companies had been making use of third-party partners to review Siri recordings. As the companies explained at the time, their goal was to make their voice recognition software more efficient and more effective. After they found themselves at the center of a controversy over it, Apple has announced that they have formally suspended the program worldwide while they conduct a review. A company spokesman had this to say: “We are committed to delivering a great Siri experience while protecting user privacy. While we conduct a thorough review, we are suspending Siri grading globally. Additionally, as part of a future software update, users will have the ability to choose to participate in grading.” In a similar vein, Google announced that it was putting its evaluation program on hold in Europe only for three months. Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, had this to say with regard to Google’s current policy and a possible conflict with Europe’s GDPR data-protection laws: “The use of language-assistance systems in the EU must follow the data-protection requirements of the GDPR. In the case of the Google Assistant, there are currently significant doubts. The use of language-assistance systems must be done in a transparent way, so that an informed consent of the users is possible. In particular, this involves providing sufficient information and transparently informing those affected about the processing of voice commands, but also about the frequency and risks of mal-activation.” Kudos to the EU for making a big enough...
Apple Is Launching Their Own Credit Card Soon

Apple has partnered with Goldman Sachs and their long-awaited “Apple Card” begins rolling out in limited fashion. The card becomes available to all iPhone owners in the United States toward the end of August. According to CEO Tim Cook, a random selection of people who signed up to be notified about the Apple Card are getting an early-access sneak peek. However, the company has been tight-lipped about exactly how many people are being invited into the preview group. If you’re one of the lucky winners, know that the sign-up process will involve upgrading to iOS 12.4 and entering your address, your birthday, income level and the last four digits of your Social Security number.  That information is sent on to Goldman Sachs, which will approve or deny your credit application in real time and in under a minute. Note that part of the approval process also involves a TransUnion credit check, so if you have that information locked, you’ll need to unlock it (at least long enough to get approval). Once you’ve been approved, your card will show up in your Apple Wallet immediately and be available for use.  If you want one, you can request a physical card from Apple for free during the setup and it will arrive in the mail in a few days. The cool thing about the physical card is the fact that it has an NFC tag on it, so you can activate it simply by tapping the phone against it. Also note that you’ll have three different credit card numbers associated with your Apple Card: The number assigned to your phone The...
Update Your iPhone To Avoid Latest iMessage Security Vulnerability

If you own an iPhone, be aware that a new iMessage vulnerability has been recently found and patched by Apple. This was part of the iOS 12.4 update. The flaw allowed hackers to access and read the contents of files stored on iOS devices remotely. They could access files the same way as the device owner with no sandbox, and with no user interaction needed. The issue was discovered by Natalie Silvanovich, who is a security researcher with Google’s Project Zero. As a proof of concept, she created a demo that only works on devices running iOS 12 or later. She describes it as “a simple example to demonstrate the reachability of the class in Springboard. The actual consequences of the bug are likely more serious.” In describing the issue itself, Silvanovich had this to say: “First, it could potentially allow undesired access to local files if the code deserializing the buffer ever shares it (this is more likely to cause problems in components that use serialized objects to communicate locally than in iMessage). Second, it allows an NSData object to be created with a length that is different than the length of its byte array. This violates a very basic property that should always be true of NSData objects. This can allow out of bounds reads, and could also potentially lead to out-of-bounds writes, as it is now possible to create NSData objects with very large sizes that would not be possible if the buffer was backed.” As mentioned, this bug has already been patched, along with two other iMessage vulnerabilities that Silvanovich recently discovered. All of them...
Security Issue Found In Multiple Devices Is Called ‘Urgent 11’

Let’s take a little time to talk about the vast numbers of smart devices in use around the world. You probably have several in your home or office. Smart devices need operating systems, just like your phone and your PC. Of course, mobile device operating systems must be much smaller and more compact. After all, they don’t really need to do a lot of computing, and they don’t need a GUI, so the code tends to be on the lean side. The odds are excellent that you’ve never even heard of most of the IoT’s operating systems, nor the companies that make them. Take VxWorks by a company called Wind River, for example.  It’s the most popular Real Time Operating System (RTOS), used in a wide range of smart devices today.  They don’t get a lot of attention or oversight because almost nobody has heard of them. That’s beginning to change, however.  Recently, security researchers disclosed the details of the “Urgent 11”, which are 11 vulnerabilities found in VxWorks that can be used by hackers to take control of a variety of devices. These devices range from medical systems to printers, industrial equipment, routers, and more. The company has been in existence for 32 years. Yet, in that time, only 13 security flaws with a MITRE-assigned CVE have been found in the VxWorks RTOS, because again, nobody’s paying attention. The good news is that when someone finally started paying attention, Wind River responded quickly and resolved all eleven of the security flaws, issuing a patch to correct them.  There’s just one rather significant catch, however. The company is claiming that...
Ransomware Now Sends Malicious Texts Through Mobile Device

If you own an Android device, there’s a new threat to be at least moderately concerned about. It takes the form of a new ransomware family that spreads from one victim to the next by sending text messages that contain poisoned links to every contact on an infected device. The ESET research team that found the software had this to say about it: “Due to narrow targeting and flaws in both execution of the campaign and implementation of its encryption, the impact of this new ransomware is limited. If your system is infected, the first thing it will do is raid your contacts list and send SMS text messages to everyone on it. Anybody who clicks on the link in the SMS message will also be infected. After sending a flurry of messages, the malware will turn its attention to your device itself. It will then set about the task of encrypting most of the files on your device. Fortunately, the people behind this new threat prove themselves to be new to the game.” ESET continues: “After the ransomware sends out this batch of malicious SMSes, it encrypts most user files on the device and requests a ransom. Due to flawed encryption, it is possible to decrypt the affected files without any assistance from the attacker.” All in all, this issue is only of minor concern. It’s annoying, and certainly time-consuming to restore your files. However, it’s not an especially dangerous malware strain - yet, and that’s the problem. Whoever is behind this new threat certainly has the right idea, even if they lack the technical chops to pull...
Playing Videos Could Allow Hackers Into Your Phone

Do you have an Android device? Are you running Android Nougat, Oreo, or Pie (versions 7.x, 8.x, or 9.x)? Do you play games on your phone? If you answered yes to those questions, you may have a problem. It is a bigger problem given that there are more than a billion devices currently in service running one of those operating systems. A carefully crafted, innocent-looking video file could be embedded in a game app and could compromise your system, thanks to a critical vulnerability. The RCE (Remote Code Execution) vulnerability is being tracked as CVE-2019-2107. It works by finding a way to trick the user into playing a poisoned video via Android’s native video player application. Google moved quickly to address the issue and has already patched it, but there’s a catch. Millions of Android devices are still waiting for that last security update. The bottleneck isn’t Google in this case. It’s the device manufacturers themselves that are dropping the ball. As bad as the bug is, there is a potential silver lining. The vulnerability only works if the video is viewed directly on the device. If the video is received through an instant messaging app, or uploaded to a service like YouTube, the attack becomes utterly ineffective. That’s because messaging and video hosting services both compress and re-encode media files, which has a distorting effect on the embedded malicious code. In terms of avoiding the issue, there are three things you can do: Make sure your OS is up to date. Don’t download games or other apps from untrusted third-party sources. Get them from the Google Play store...