Hacker group claims iPhone X Face ID feature can be fooled with mask technique

Posted by:
Date: Tuesday, November 14th, 2017, 03:16
Category: Face ID, Hack, Hardware, iPhone, News, security

It’s been noted that Apple’s iPhone X Face ID feature can be fooled by an identical twin. Now it looks like a mask might do the trick as well.

On Friday, Vietnamese security firm Bkav released a blog post and video showing that—by all appearances—they’d cracked Face ID with a composite mask of 3-D-printed plastic, silicone, makeup, and simple paper cutouts, which in combination tricked an iPhone X into unlocking. That demonstration, which has yet to be confirmed publicly by other security researchers, could poke a hole in the expensive security of the iPhone X, particularly given that the researchers say their mask cost just $150 to make.

The hack stands as a proof-of-concept for the time being, so the average iPhone owner isn’t at grave risk.

Bkav offered the following comments:

“Apple has done this not so well. Face ID can be fooled by mask, which means it is not an effective security measure.”


Security researchers hack iOS 11.1 at Pwn2Own event

Posted by:
Date: Friday, November 3rd, 2017, 03:17
Category: Google, Hack, iOS, iPhone, News, Samsung, security

Trend Micro’s annual Pwn2Own has kicked off over at the PacSec Security conference in Tokyo, complete with security researchers spending the day attempting to hack into the iPhone 7, the Samsung Galaxy S8, the Google Pixel, and the Huawei Mate 9 Pro in an effort to win prizes totaling more than $500,000.

And, for better or worse, Apple’s iPhone 7, running the newly-released iOS 11.1, was successfully breached twice by Tencent Keen Security Lab. The first hack targeted a Wi-Fi bug and won the team $110,000 and 11 Master of Pwn points, while the second hack targeted the Safari browser and earned Tencent Keen Security Lab $45,000 and 12 Master of Pwn points.

The group used a total of four bugs to both gain code execution and escalate their user privileges to allow their rogue application to install via a reboot. In addition, the group snagged $60,000 for the WiFi exploit and added $50,000 for the persistence bonus, thereby totaling $110,000 and 11 Master of Pwn points.


Apple releases security updates for KRACK, other exploits in macOS High Sierra 10.13.1 update, Security Update 2017-004

Posted by:
Date: Thursday, November 2nd, 2017, 03:10
Category: Hack, High Sierra, macOS, News, security, Sierra, Software

A few critical security updates also shipped out with Tuesday’s macOS High Sierra 10.13.1 update.

Apple also released Security Update 2017-004 and Security Update 2017-001 macOS Sierra, which address the KRACK security exploit.

KRACK is a vulnerability in the WPA2 encryption standard for Wi-Fi networks that lets attackers decrypt the data passing to and from a specific device. The vulnerability exists in almost any device capable of using WPA2 on Wi-Fi networks, and once it was publicly disclosed, product manufacturers started scrambling to release patches.


Verizon reveals that all 3 billion existing Yahoo accounts were breached in 2013 attack

Posted by:
Date: Wednesday, October 4th, 2017, 05:45
Category: Finance, Hack, News, security

If you had a Yahoo account in 2013, there’s a 100 percent chance that you were hacked.

Yahoo’s parent company has revealed that the massive data breach that occurred in August of 2013 affected all three billion Yahoo accounts that existed at the time.

Previously, Yahoo said the hack affected 1 billion accounts, or a third of all accounts. Verizon now says new intelligence suggests the attack was much larger, compromising all Yahoo accounts in 2013.


Apple’s WiFi routers left off CIA’s Cherry Blossom list of hackable equipment

Posted by:
Date: Monday, June 19th, 2017, 05:24
Category: Apple, Hack, Hardware, News, wireless

At least this will make you feel better about your AirPort router.

Per a series of recently-published documents from WikiLeaks, the CIA has apparently been hacking WiFi routers for years to secretly spy on Americans’ internet activity, but Apple’s AirPort Base Stations aren’t on the list. Plenty of other popular base stations are, however, which means the public, home, and business WiFi networks you use could’ve been surveillance targets.

Reports surrounding the CIA’s tool kit used to monitor Internet activity passing through WiFi routers, known as “Cherry Blossom,” mention a variety of hackable router models. Manufacturers of these devices include 3Com, Aironet/Cisco, Asustek, Belkin, Buffalo, D-Link, Linksys, Netgear, US Robotics, and more. Apple’s AirPort Base Station lineup is not mentioned on this list.


Apple releases iOS 10.3.1 update, offers bug fixes, security fixes

Posted by:
Date: Tuesday, April 4th, 2017, 05:36
Category: Hack, iOS, iPad, iPhone, iPod Touch, News, security, Software

After a major OS update come the fixes.

Apple on Monday released iOS 10.3.1, an update for its iOS devices available over the air or when connected to iTunes via a Mac or Windows PC.

The update, which weighs in at just under 30 megabytes as an OTA download, resolves issues such as a hardware-specific problem wherein iPhone 5 and iPhone 5c handsets had trouble updating over the air.


LastPass exploit discovered, company scrambles to repair the vulnerability

Posted by:
Date: Monday, April 3rd, 2017, 05:04
Category: Hack, News, security, Software

A serious vulnerability was recently discovered in the popular LastPass password manager, and developers are scrambling to fix the issue, which makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.

The flaw, which affects the most recent version of the browser extension, was briefly described on Saturday, March 25th, by Tavis Ormandy, a researcher with Google’s Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn’t present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.

Ormandy offered the following statement:

“It will take a long time to fix this properly, it’s a major architectural problem. They have 90 days, no need to scramble!”

The blog post describing the issue had LastPass company officials thanking Ormandy for the alert and stating that a fix was on the way. In the meantime, it was suggested that LastPass users protect themselves by using the LastPass vault as a launch pad for opening websites and entering stored passwords, and by enabling two-factor authentication on sites that offer it.

The attack was described as both unique and highly sophisticated. LastPass, in turn, stated that the company didn’t want to disclose details regarding the vulnerability or the fix to outside parties. Users, in turn, could expect a more detailed post mortem once the work was complete.

The string of vulnerabilities underscores the tradeoff that comes from use of any password manager. Storing dozens, hundreds, or even thousands of passwords in a single place poses catastrophic risks should that resource be breached. Exploits are made easier by convenience features that, for example, store encrypted password vaults in Internet-accessible locations or automatically paste passwords into websites. Ultimately, password managers likely make the average user safer because they make it possible to use long, complex, and unique passwords. And that protects people in the event that their password is exposed in website breaches, which are much more common than real-world password manager exploits.

If you use LastPass, please take care and stay tuned for additional details as they become available.

Via Ars Technica, Twitter and blog.lastpass.com

Apple clears through almost 350 security vulnerabilities with iOS, macOS, watchOS and tvOS updates

Posted by:
Date: Wednesday, March 29th, 2017, 05:54
Category: Hack, iOS, macOS, News, security, Software, TvOS, watchOS

Apple cleaned house via a slew of operating system updates on Monday, pinning down nearly 350 known vulnerabilities between its changes to iOS, macOS, watchOS and tvOS.

Starting with iOS 10.3, Apple’s latest version includes Find My AirPods, Apple’s new file system, CarPlay, and a few other small visual tweaks. With nearly every update Apple does, they also include a handful of security fixes that easily go unnoticed by the user. iOS 10.3 is no exception with over 85 different common vulnerabilities and exposures (CVEs) listed.

In one case, the iOS 10.3 update patched a security hole that allowed attackers to spam Safari with a ‘Cannot Open Page’ dialog. Lookout, a cybersecurity company, learned of the attack after one of their users complained of losing control over their browsing experience. The dialog was meant to trick users into eventually paying money to “unlock” their Safari browser.


Justice Department files charges against Russian hackers following Yahoo email breaches

Posted by:
Date: Thursday, March 16th, 2017, 05:56
Category: Hack, News, security

They found the people who hacked into more than half a billion Yahoo email accounts.

The Justice Department announced charges Wednesday against two Russian spies and two hackers behind the infamous 2014 hacks, which have been identified as among the most significant digital security breaches in American history.

The four men together face 47 criminal charges, including conspiracy, computer fraud, economic espionage, theft of trade secrets and aggravated identity theft, the Justice Department said in a news release.


WikiLeaks to share CIA hacking tools with Apple, other firms after security fixes are complete

Posted by:
Date: Friday, March 10th, 2017, 05:36
Category: Hack, iOS, News, privacy, security, Software

Following WikiLeaks’ release of more than 8,000 documents from inside the CIA’s Center for Cyber Intelligence, Apple followed up, saying it had already fixed most of the exploits the agency had found to hack into iPhones.

WikiLeaks founder Julian Assange said Thursday he will share the code, which was withheld from the published documents, with tech companies like Apple.

Per Assange:

“We have decided to work with [tech companies] to give them exclusive access to the additional technological details we have so that fixes can be developed and pushed out,” Assange said in a live-streamed press conference from the Ecuadorian Embassy in London, where he lives. “Once this material is effectively disarmed by us we will publish additional details.”
