Sources say China used iPhone hacks to target Uyghur Muslims

A number of malicious websites used to hack into iPhones over a two-year period were targeting Uyghur Muslims, TechCrunch has learned.

Sources familiar with the matter said the websites were part of a state-backed attack — likely China — designed to target the Uyghur community in the country’s Xinjiang state.

It’s part of the latest effort by the Chinese government to crack down on the minority Muslim community in recent history. In the past year, Beijing has detained more than a million Uyghurs in internment camps, according to a United Nations human rights committee.

Google security researchers found and recently disclosed the malicious websites this week, but until now it wasn’t known who they were targeting.

The websites were part of a campaign to target the religious group by infecting an iPhone with malicious code simply by visiting a booby-trapped web page. In gaining unfettered access to the iPhone’s software, an attacker could read a victim’s messages, passwords, and track their location in near-real time.

Apple fixed the vulnerabilities in February in iOS 12.1.4, days after Google privately disclosed the flaws. News of the hacking campaign was first disclosed by this week.

These websites had “thousands of visitors” per week for at least two years, Google said. It’s not immediately known if the same websites were used to target Android users.

Victims were tricked into opening a link, which when opened would load one of the malicious websites used to infect the victim. It’s a common tactic to target phone owners with spyware.

One of the sources told TechCrunch that the websites also infected non-Uygurs who inadvertently accessed these domains because they were indexed in Google search, prompting the FBI to alert Google to ask for the site to be removed from its index to prevent infections.

A Google spokesperson would not comment beyond the published research. A FBI spokesperson said they could neither confirm nor deny any investigation, and did not comment further.

Google faced some criticism following its bombshell report for not releasing the websites used in the attacks. The researchers said the attacks were “indiscriminate watering hole attacks” with “no target discrimination,” noting that anyone visiting the site would have their iPhone hacked.

But the company would not say who was behind the attacks.

Apple did not comment. An email requesting comment to the Chinese consulate in New York was unreturned.

Malicious websites were used to secretly hack into iPhones for years, says Google

Source: TechCrunch http://j.mp/2LpwDoq

Apple still has work to do on privacy

There’s no doubt that Apple’s self-polished reputation for privacy and security has taken a bit of a battering recently.

On the security front, Google researchers just disclosed a major flaw in the iPhone, finding a number of malicious websites that could hack into a victim’s device by exploiting a set of previously undisclosed software bugs. When visited, the sites infected iPhones with an implant designed to harvest personal data — such as location, contacts and messages.

As flaws go, it looks like a very bad one. And when security fails so spectacularly, all those shiny privacy promises naturally go straight out the window.

The implant was used to steal location data and files like databases of WhatsApp, Telegram, iMessage. So all the user messages, or emails. Copies of contacts, photos, https://t.co/AmWRpbcIHw pic.twitter.com/vUNQDo9noJ

— Lukasz Olejnik (@lukOlejnik) August 30, 2019

And while that particular cold-sweat-inducing iPhone security snafu has now been patched, it does raise questions about what else might be lurking out there. More broadly, it also tests the generally held assumption that iPhones are superior to Android devices when it comes to security.

Are we really so sure that thesis holds?

But imagine for a second you could unlink security considerations and purely focus on privacy. Wouldn’t Apple have a robust claim there?

On the surface, the notion of Apple having a stronger claim to privacy versus Google — an adtech giant that makes its money by pervasively profiling internet users, whereas Apple sells premium hardware and services (including essentially now ‘privacy as a service‘) — seems a safe (or, well, safer) assumption. Or at least, until iOS security fails spectacularly and leaks users’ privacy anyway. Then of course affected iOS users can just kiss their privacy goodbye. That’s why this is a thought experiment.

But even directly on privacy, Apple is running into problems, too.

 

To wit: Siri, its nearly decade-old voice assistant technology, now sits under a penetrating spotlight — having been revealed to contain a not-so-private ‘mechanical turk’ layer of actual humans paid to listen to the stuff people tell it. (Or indeed the personal stuff Siri accidentally records.)

Source: TechCrunch http://j.mp/2Ljcf8z

Minecraft Earth closed beta goes live on Android in five cities

When the beta for Minecraft Earth (think the building concepts of Minecraft mashed up with the real world wandering/augmented reality/collecting concepts of Pokémon GO) first went live back in July, it did so with a catch or two: it only worked on iOS, and only players in Seattle or London were actually able to play.

The beta pool is expanding dramatically this morning, with players on Android finally being invited to jump in. Meanwhile, the region locks have expanded over the past few weeks to include Tokyo, Stockholm, and Mexico City along with Seattle and London.

Curiously, those new Android users will immediately get access to a fledgling feature that iOS players haven’t: the in-game currency, rubies. Rubies can be earned or bought, and allow players to buy more build plates upon which they can piece together their blocky creations. In a blog post on the beta expansion, the company promises that any rubies acquired during the beta will follow the player into the eventual public release, and that iOS support for rubies is coming “very soon.”

Alas, you can’t just hop in the Google Play store, hit download, and get to building. It’s still a closed beta, so you’ll have to sign up and be invited in before you’ll be able to start.

We went hands-on with an early build of Minecraft Earth right after it was announced — check out our early impressions here.

Source: TechCrunch http://j.mp/2LalhWM

September’s Mate 30 launch could be a major test for Huawei

Apple isn’t the only smartphone manufacturer planning a big September launch. Huawei’s got a big event on the books as well, set for September 18 in Munich, just over a week after the new iPhones are unveiled. For Huawei, however, the Mate 30 announcement is about more than just smartphones.

The event is effectively the first big handset launch since the embattled Chinese manufacturer was added to the U.S. trade blacklist. The move had seemingly been a long time coming, after years of allegations ranging from spying to sanctions violations, but with the ban in place, the move will mark a key moment of truth for a company that has so far been dependent on offerings from U.S. companies like Google.

The Mate 30, which also marks a push into 5G, could potentially launch without Google apps. The recent U.S. government reprieve only applied to already announced products, according to a statement Google gave to Reuters. Trump has suggested that ban on Huawei products could be lifted with a new U.S.-China trade deal, further clouding the suggestion that the move made purely out of concerns for security.

The smartphone maker gave its own comment to Reuters, noting, “Huawei will continue to use the Android OS and ecosystem if the U.S. government allows us to do so. Otherwise, we will continue to develop our own operating system and ecosystem.”

That last bit is a clear allusion to HarmonyOS. The recently unveiled operating is largely limited to low end handsets and IoT device, but Huawei is also certainly readying itself for a longterm life after Google.

Meanwhile, CNBC is citing a source that suggests the phone will launch with or without Google apps, depending on how things shake out over the next few weeks. That would likely amount to a minor nuisance, requiring users to download them after purchase, while a full out Android brand would prove far more harmful to its bottom line.

It seems quite unlikely at the moment, however, that the company would attempt to launch such a high end device with its own partially baked operation system.

Source: TechCrunch http://j.mp/34cBCkW

How Do I Stream My Android Phone to an Older TV?

You should never feel limited to the small screen on the tiny phone in your pocket—or gargantuan phone, depending on your preference for “plus” devices. It’s pretty easy to push whatever you’re looking at on your phone at to a larger screen, like your living-room television. At least, it should be.

Read more...

Source: Gizmodo http://j.mp/2Uj6lIx

Google to pay security researchers who find Android apps and Chrome extensions misusing user data

Google said it will pay security researchers who find “verifiably and unambiguous evidence” of data abuse using its platforms.

It’s part of the company’s efforts to catch those who misuse user data collected through Android apps or Chrome extensions — and to avoid its own version of a scandal like Cambridge Analytica, which saw millions of Facebook profiles scraped and used to identify undecided voters during the U.S. presidential election in 2016.

Google said anyone who identifies “situations where user data is being used or sold unexpectedly, or repurposed in an illegitimate way without user consent” is eligible for its expanded data abuse bug bounty.

“If data abuse is identified related to an app or Chrome extension, that app or extension will accordingly be removed from Google Play or Google Chrome Web Store,” read a blog post. “In the case of an app developer abusing access to Gmail restricted scopes, their API access will be removed.” The company said abuse of its developer APIs would also fall under the scope of the bug bounty.

Google said it isn’t providing a reward table yet but a single report of data misuse could net $50,000 in bounties.

News of the expanded bounty comes in the wake of the DataSpii scandal, which saw browser extensions scrape and share data from millions of users. These Chrome extensions uploaded web addresses and webpage titles of every site a user visited, exposing sensitive data like tax returns, patient data, and travel itineraries.

Google was forced to step in and suspend the offending Chrome extensions.

Instagram recently expanded its own bug bounty to include misused user data following a spate of data incidents,

After data incidents, Instagram expands its bug bounty

Source: TechCrunch http://j.mp/2zzNG1v

Pinterest starts displaying information from health organizations for searches related to vaccines

As part of its efforts against health misinformation, Pinterest is now displaying information from public health organizations for keywords like “measles” or “vaccine safety.” The social media platform had previously blocked vaccination-related search terms, but a new announcement says the company wants to close the “data void” that results from false information being spread more widely than accurate information.

“What we and others have observed is an enthusiasm gap between those creating and disseminating harmful health misinformation and those creating resources rooted in settled science,” wrote Ifeoma Ozoma, Pinterest’s public policy and social impact manager. “Generally, there’s more accessible and visually compelling health misinformation than science-based journal articles on the virtues of vaccinations. In addition, we’ve found that some purveyors of health misinformation have a financial incentive.”

Pinterest search results for health-related keywords will now display information from the World Health Organization, the Vaccine Safety Net (created by WHO to provide vaccine information in different languages), the American Academy of Pediatrics and the Centers of Disease Control.

In addition, an information card on top of the results notifies users that “pins about this topic often violate our Community Guidelines, which prohibit harmful medical misinformation. Because of this, we’ve limited search results to Pins from internationally-recognized health organizations. If you’re looking for medical advice, please contact a healthcare provider.”

Users also won’t see recommendations or comments on Pins in these search results. “We’re taking this approach because we believe that showing vaccine misinformation alongside resources from public health experts isn’t responsible,” said Ozoma.

The new search feature is currently available in English on Pinterest’s website and iPhone and Android apps and will be expanded into other languages. Ozoma wrote that Pinterest will focus on vaccine-related searches first but “keep evolving our list of terms for which we block medical misinformation and provide expert advice as people try to get around our safeguards. We’ll also continue to remove this content and accounts that spread it from our service.”

Importantly for a visually-based platform, Pinterest, which has more than 300 million visitors a month, is also developing resources that health organizations can use to create eye-catching pins for text-based information.

Once filled with anti-vaccine pins (in 2016, researchers found that most vaccine-related posts on Pinterest contained anti-vaccine sentiment), Pinterest has become one of the most active social media platforms in terms of stemming the spread of misinformation about vaccines. In 2017, it began banning pins with “anti-vaccination advice,” which have always been prohibited by its advertising policies.

Facebook, Twitter and YouTube have also begun taking measures to stop the proliferation of anti-vaccine content, which has contributed to the return of diseases like measles around the world. In the U.S., the Centers of Disease Control said that between January 1 and August 22, 1,215 cases of measles were confirmed, the greatest number of cases reported in the country since 1992, and since measles was declared eliminated in 2000.

Source: TechCrunch http://j.mp/2NFIykS

Ahead of FTC ruling, YouTube Kids is getting a website

Ahead of the official announcement of an FTC settlement which could force YouTube to direct under-13 users to a separate experience for YouTube’s kid-friendly content, YouTube has quietly announced plans to launch its YouTube Kids service on the web. Previously, parents would have to download the YouTube Kids app to a mobile device in order to access the filtered version of YouTube.

By bringing YouTube Kids to the web, the company is prepared for the likely outcome of an FTC settlement which would require the company to implement an age-gate on its site, then redirect under-13-year-olds to a separate kid-friendly experience.

In addition, YouTube Kids is gaining a new filter which will allow parents to set the content to being preschooler-appropriate.

The announcement, published to the YouTube Help forums, was first spotted by Android Police.

It’s unclear if YouTube was intentionally trying to keep these changes from being picked up on by a larger audience (or the press) by publishing the news to a forum instead of its official YouTube blog. (The company tells us it publishes a lot of news the forum site. Sure, okay. But with an FTC settlement looming, it seems an odd destination for such an announcement.)

It’s also worth noting that, around the same time as the news was published, YouTube CEO Susan Wojcicki posted her quarterly update for YouTube creators. The update is intended to keep creators abreast of what’s in store for YouTube and its community. But this quarter, her missive spoke solely about the value in being an open platform, and didn’t touch on anything related to kids content or the U.S. regulator’s investigation.

However, it’s precisely YouTube’s position on “openness” that concerns parents when it comes to their kids watching YouTube videos. The platform’s (almost) “anything goes” nature means kids can easily stumble upon content that’s too adult, controversial, hateful, fringe, or offensive.

The YouTube Kids app is meant to offer a safer destination, but YouTube isn’t manually reviewing each video that finds its way there. That has led to inappropriate and disturbing content slipping through the cracks on numerous occasions, and eroding parents’ trust.

Because many parents don’t believe YouTube Kids’ algorithms can filter content appropriately, the company last fall introduced the ability for parents to whitelist specific videos or channels in the Kids app. It also rolled out a feature that customized the app’s content for YouTube’s older users, ages 8 through 12. This added gaming content and music videos.

Now, YouTube is further breaking up the “Younger” content level filter, which was previously 8 and under, into two parts. Starting now, “Younger” applies to ages 5 through 7, while the new “Preschool” filter is for the age 4 and under group. The latter will focus on videos that promote “creativity, playfulness, learning, and exploration,” says YouTube.

YouTube confirmed to TechCrunch that its forum announcement is accurate, but the company would not say when the YouTube Kids web version would go live, beyond “this week.”

The YouTube Kids changes are notable because they signal that YouTube is getting things in place before an FTC settlement announcement that will impact how it handles kids content and the site’s continued use by young children.

It’s possible that YouTube will be fined by the FTC for its violations of COPPA, as Musical.ly (TikTok) was earlier this year. One report, citing unnamed sources, says the FTC’s YouTube settlement has been finalized and includes a multimillion-dollar fine.

YouTube will also likely be required to implement an age-gate on its site and in its apps that will direct under-13-year-olds to the YouTube Kids platform instead of YouTube proper. The settlement may additionally require YouTube to stop targeting ads on videos aimed at children, as has been reported by Bloomberg. 

We probably won’t see the FTC issuing a statement about its ruling ahead of this Labor Day weekend, but it may do so in advance of its October workshop focused on refining the COPPA regulation — an event that has the regulator looking for feedback on how to properly handle sites like YouTube. 

 

 

Source: TechCrunch http://j.mp/2KZrUuO

Hulu debuts an expanded Live TV Guide on web, Apple TV and Roku

Yesterday, Hulu began rolling out an updated version of its mobile app sporting the brand-new interface the company first unveiled at CES in January. However, it was missing one of the pre-announced and more-requested features: Hulu’s revamped and expanded live TV guide. Today, that updated Live Guide is launching — but only to select TV platforms for the time being.

The updated Live Guide is coming today to Hulu.com on the web, Roku devices, and Apple TV.

As promised at CES, Hulu’s expanded TV guide will now allow viewers to scroll to see what’s airing in the next two weeks, as well as schedule recordings on upcoming shows, movies, and sporting events.

It’s also easier to navigate, as filters like “Recent,” “My Channels,” “News,” “Movies,” and “Kids” have now been relocated from the top of the grid to the left-hand side.

A green vertical line with a lightning bolt icon overlaid on the guide will help you to visualize how much of the program or movie has aired so far.

Users can also add channels from the guide to their “My Channels” list, which is now available from the Live Guide itself, as well as from the Home page.

This update follows Hulu’s revamp of its mobile app on Tuesday, which dropped the confusing “Lineup” section from the Home screen, while adding a way to see more content in each section.

Getting the Hulu interface right is a big priority for the company, given that its last big makeover didn’t go down all that well. At one point, a complaint about Hulu’s redesign became the most-upvoted item on the company’s user feedback forums, as many agreed that Hulu’s user interface was too difficult to navigate and had a confusing layout.

In the many months since, Hulu has been working to make changes to address user complaints by rolling out the live grid guide initially, then tweaking its appearance and functionality over time.

Unlike Sling TV, PlayStation Vue, or YouTube TV, for example, Hulu has been challenged with merging its vast on-demand library and original content with a more traditional live TV service.

Today, Hulu with Live TV is available on a range of devices — including the web, mobile, Apple TV, Fire TV, Echo Show, Xbox One, Windows 10, Chromecast, Android TV, Nintendo Switch, VIZIO SmartCast TVs, and select Samsung and LG smart TVs. But the updated Live Guide is only coming to a subset of those — Hulu.com on the web, Roku and Apple TV — as of today.

Hulu says it will roll out to more platforms and devices “soon.”

 

 

 

Source: TechCrunch http://j.mp/2L1yuAW