Israeli firm can steal your private data from Apple, Google, Facebook and Amazon

Israel-based cybersecurity company, NSO Group has developed a surveillance tool that can obtain user data from Apple, Google, Facebook, Amazon and Microsoft servers, according to The Financial Times.

NSO Group, whose software product was used to hack Facebook-owned WhatsApp Messenger in May, denied the allegations.

“The Financial Times got it wrong. NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure suggested in this article,” the company told CNBC in a statement.

“Increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO’s lawful interception products are designed to confront this challenge.”

Apparently, the hack appears related to the NSO’s exclusive smartphone malware, Pegasus, which is normally sold to law enforcement and intelligence services.

After the malware is installed on a device, it copies the authentication keys for cloud services—including Google Drive, Facebook Messenger and iCloud—accessed by that device. This malware harvests both information on users’ devices as well as data stored in popular cloud services, including a user’s location data, archived messages, and photos.

Citing an NSO sales document seen by FT, it reported that the malware allows for open-ended access to the cloud data of those apps without “prompting 2-step verification or warning email on a target device.”

The NSO spokesperson said that “increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO’s lawful interception products are designed to confront this challenge.

“Our products are licensed in small scale to legitimate government intelligence and law enforcement agencies for the sole purpose of preventing or investigating serious crime including terrorism.”

According to the FT, Amazon has until now found no evidence that their systems or customer accounts were accessed by the software. However, the company will continue to investigate the report.

Adelaide teenager gets a good-behavior bond for hacking twice into Apple’s computer systems

An Australian teenager who was a big admirer of the technology giant, Apple hacked into the company’s secure computer system twice hoping to get a job. He is now pleading guilty to multiple computer hacking charges.

The 17-year-old Adelaide schoolboy, who can’t be named, along with another teenager from Melbourne first hacked into Apple’s mainframe in December 2015 when he was just 13 years old. He again hacked the system in early 2017 when he was 15 years old, and managed to download internal documents and data, according to ABC News.

His actions came to the notice of authorities after the second incident. Apple then contacted the FBI who in turn contacted the Australian Federal Police (AFP).

The teen, who is credited with a “high level of expertise” in information technology, created false credentials to break into Apple’s server making it think that he was a company employee

His lawyer, Mark Twiggs, told the Adelaide Youth Court that the teen thought the company might offer him a job and was not aware of the seriousness of his actions at the time.

“This offending started when my client was 13 years of age, a very young age,” he said.

“He had no idea about the seriousness of the offence and hoped that when it was discovered that he might gain employment at this company.

“He didn’t know this was going to lead to anything other than a job at the end of it, [this] happened in Europe, a similar person got caught and they ended up getting employed by the company.”

The prosecutors told the Adelaide Youth Court on Monday that Apple did not suffer any loss or damage as a result of the hacks.

The court also heard the boy had been motivated by his desire to secure a job with Apple.

The teenager faced the Adelaide Youth Court and pleaded guilty to several counts of unauthorized modification of data. The court encouraged him to use his “significant talent” for good instead of evil and placed him on a $500 bond to be on good behavior for nine months.

No conviction was recorded. Even the teenager’s accomplice was spared a conviction when dealt with through the Children’s Court of Victoria.

Chinese programmer gets jailed for withdrawing $1 million in cash using an ATM flaw

A senior Chinese bank programmer was arrested after he withdrew more than 7 million yuan (around $1,000,000) in “free” cash by exploiting an ATM flaw. He has been given a prison sentence of 10 and a half years, the South China Morning Post reported.

Qin Qisheng, 43, a former manager in Huaxia Bank’s technology development center in Beijing, discovered a flaw in the bank’s main operating system in 2016. According to the report, the loophole enabled Qisheng to make cash withdrawals from the ATM around 12 a.m. As the bank’s system was not working properly, the cash withdrawals made by Qisheng were not recorded and also no alert was raised.

Apparently, Qisheng who had discovered the flaw in 2016, had inserted a few scripts in the banking system in November that year, which suppressed cash withdrawal alerts. From November 2016 to January 2018, Qisheng withdrew between 5,000 yuan and 20,000 yuan ($740 to $2,965) from a dummy account the bank used for testing. By the start of last year, Qisheng had collected over $1,000,000, that he added it to his personal bank account. He also did not inform his superiors what he was doing.

In January last year, a subsidiary branch in Cangzhou, Hebei detected and verified the irregular activity in the dummy account during a manual check. The incident was reported by the bank to relevant authorities.

Once Qisheng was caught, the bank decided to not continue to press charges against him and accept his explanation that he had simply been trying to investigate the ATM flaw. Qisheng had kept the money in his personal account and invested some of it in the stock market. While Huaxia bank said that he should have reported these activities, they requested police to drop the case if he returned the money.

Although Qisheng returned the money, the authorities did not accept the explanation and was detained in March. The Chaoyang district court found him guilty of theft in December and awarded him a jail sentence of 10 and a half years with a fine of 11,000 yuan ($16,000).

Even though Qi had returned all the money to the bank before his arrest, it was not enough to let him go, the district court said. It also added that the request by Huaxia bank to pardon Qi was not legitimate.

“On the one hand, [the bank] said that the accused’s behaviour was in violation of the rules. On the other hand, he said that he could conduct relevant tests. This is self-contradictory,” said the judge.

After the trial, Qin filed an appeal arguing that he did not deserve such a severe punishment. The second and final ruling by the Beijing Intermediate People’s Court upheld the verdict.

“After reviewing the papers, speaking to the appellant and listening to the opinions of the defenders, we believed that the facts of the case were clear and decided not to have another trial,” the court said.

---

Follow My Blog

Get new content delivered directly to your inbox.