AT&T admits to testing “unique tracker” on smartphones, offers opt-out option

Date: Thursday, October 30th, 2014, 11:55
Category: iPhone, News, security, wireless

This isn’t the best news.

According to Forbes, wireless carriers Verizon and AT&T have conceded that they’re tagging their customers with unique codes that are visible to third parties, making smartphone users far easier to track on the Web than they’ve ever been before and making targeted advertising that much easier to create. After researchers reported the findings, AT&T admitted it’s “testing” a new way of tracking its customers for ad display purposes.

“There’s nothing ready to announce,” said AT&T spokesperson Mark Siegel. “We’re still testing.”

But that means, yes, AT&T customers are being tagged by AT&T in a way that’s visible to the websites they visit. AT&T says it’s building in what it considers to be a privacy-protective measure: the unique code for each user will change every 24 hours. Siegel says this is happening now, but Kenneth White, one of the researchers who discovered the tracking, says that is “categorically untrue,” saying he found three identifying codes being sent by AT&T that were persistent.

“AT&T does not currently have a mobile Relevant Advertising program. We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy,” read a statement from AT&T. “For instance, we are testing a numeric code that changes every 24 hours on mobile devices to use in programs where we serve ads to the mobile device. This daily rotation on the numeric code would help protect the privacy of our customers. Customers also could opt out of any future AT&T program that might use this numeric code.”

Hours after citing capable security, CurrentC announces unauthorized access of users’ email accounts

Date: Wednesday, October 29th, 2014, 16:35
Category: Finance, iOS, News, security, Uncategorized

Hubris, anyone?

Just hours after publishing a blog post answering some questions about its upcoming CurrentC mobile payments system and touting the security of its cloud-based storage of sensitive information, the company behind the effort, Merchant Customer Exchange (MCX) has alerted users of unauthorized access to their email addresses.

Per MacRumors, the company released the following statement:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

Details on the unauthorized access have not been disclosed, but reporter Nick Arnott of iMore took some time earlier this week to look at some of the personal information being collected by MCX and CurrentC and noted that he could ping CurrentC’s systems to look for valid registered email addresses on the system. While he did not find valid addresses, the system appeared capable of returning a substantial amount of personal information about such accounts.

MCX responds to Apple Pay blocking controversy with questionable responses to issues at hand

Date: Wednesday, October 29th, 2014, 11:46
Category: Finance, iOS, iPhone, News, security, Software

The most recent shot in the NFC payment wars has been fired.

And it kind of made MCX look like a bunch of jerks.

Per 9to5Mac, MCX, the retailer consortium behind the CurrentC mobile payment system, has responded to the controversy over its members being required to block Apple Pay or face fines with some unconvincing ‘assurances.’

The first sign of trouble between MCX and Apple Pay was when CVS disabled NFC functionality from its payment terminals. When Rite Aid joined in, consumers responded by threatening to boycott MCX members.

In a blog post which MCX says is designed to “set the record straight,” as it were, MCX responded to some of the recent concerns levied against it.

Responding to the fines issue, the company offered the following comment:

Importantly, if a merchant decides to stop working with MCX, there are no fines.

Nobody has suggested there are. What has been suggested–and which MCX has not denied–is that members are fined if they accept other forms of mobile payment, like Apple Pay, alongside CurrentC.

The consortium gets off to a marginally better start on privacy, with a statement that consumers “can choose to limit the information they share through our privacy dashboard, which means they will have the ability to turn off location based services and opt out of marketing communications in our app.” However, that does nothing to limit the storage of other sensitive information, nor to address claims that merchants will share purchasing data amongst themselves.

Apple announces end to SSL 3.0 notifications on October 29th in wake of POODLE vulnerability

Date: Thursday, October 23rd, 2014, 08:05
Category: iOS, News, security, Software

Sometimes you’ve got to drop back and punt.

Per the Apple developer web site and AppleInsider, Apple announced on Wednesday that it will be removing support for the SSL 3.0 protocol on its Apple Push Notification server.

Apple will be switching off SSL 3.0 support in favor of the more secure Transport Layer Security (TLS) protocol on Wednesday, Oct. 29, noting developers will have to build in support by that time to ensure uninterrupted push notification service continues.

Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.

Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple’s Developer Portal.

iWorm trojan quietly added to Apple’s Xprotect definition list

Date: Wednesday, October 8th, 2014, 10:46
Category: News, security, Software, Uncategorized

The bad news is that there’s another chunk of malware on the OS X platform to worry about.

The good news is that Apple included a backdoor fix over the weekend to take care of it.

Per The Mac Observer, Apple pushed an update to its Xprotect malware list for the Mac that includes the Mac.BackDoor.iWorm malware over the weekend. Xprotect watches for telltale signatures from known malware threats and attempts to stop them from invading your computer.

The iWorm threat installs through a Trojan horse masquerading as an installer for other apps. Mac owners that have fallen victim to iWorm picked up the malware through installers for pirated apps such as Adobe Photoshop.

Once installed, iWorm looks to Reddit for posts that include server addresses it can link to for instructions on what nasty activities it should undertake. Reddit has shut down the forum iWorm checked, but that doesn’t mean hackers won’t be able to find an alternate method for delivering server locations.

Shellshock fix posted for Mac OS X 10.4 to Mac OS X 10.6.8 operating systems

Date: Monday, October 6th, 2014, 10:35
Category: News, security, Software

This suggestion came in over the weekend from one Larry Macy, Ph.D over at the University of Pennsylvania and it’s pretty interesting.

For those of you still running Mac OS X 10.4 to Mac OS X 10.6.8, a workaround has been found for the recently discovered Shellshock bash vulnerabilities. Per Macy, the process replaces bash and sh with a new version of bash.

Apple launches Find My iPhone page to help cut down on stolen iOS device purchases

Date: Friday, October 3rd, 2014, 11:18
Category: iOS, iPad, iPhone, iPod Touch, News, security, Software

This might prove useful.

This week, Apple launched a web-based tool to check the Activation Lock status of iOS devices such as iPhones, iPads and iPod Touches. Here, users can go to a web site, enter the device’s IMEI number or serial number and see if the Find My iPhone feature has been activated.

Apple patches Shellshock vulnerability, but it’s not in Software Update

Date: Wednesday, October 1st, 2014, 01:24
Category: OS X, security

OS X bash Update 1.0 for OS X Mavericks released to address Shellshock bug on Macs

Apple released OS X bash Update 1.0 for OS X Mavericks to fix a vulnerability in the bash UNIX shell. “Shellshock” is believed to be much worse than the Heartbleed vulnerability that was discovered earlier this year.

PC Magazine wrote about two scenarios that can make OS X vulnerable to the Shellshock bash bug:

For example, Bash would be exposed if a user turned on the remote login capability for all users, including guests. But that is an action that “is probably not the most secure thing to do anyway,” Erwin wrote, as it would open up the computer to other possible attacks.

Another scenario in which adjusted settings could make a difference is on a Lion OS X server running Apache or PHP scripting environments, Erwin wrote. If Apache is configured to run scripts, an attacker could insert variables into a script that a Bash shell would run.

Curiously, OS X bash Update 1.0 isn’t available through the usual channel (the Updates tab in the App Store). It needs to be downloaded and installed manually. Based on the potential impacts of the bug, it’s recommended that all OS X 10.9/Mavericks users install OS X bash Update 1.0 right away.

Apple releases OS X 10.9.5 Mavericks update

Date: Thursday, September 18th, 2014, 11:49
Category: Mavericks, News, security, Software

In the midst of the iPhone 6 hype and hoopla, a major operating system update just hit.

Late Wednesday, Apple released OS X 10.9.5, which includes the following fixes and changes:

- Safari version 7.0.6.

- Fix for VPN-related vulnerability.

- Fix for file access from SMB servers.

- Fix for the reliability of virtual private network connections that use USB Smart Cards as IDs.

Apple implements two-step authentication protocol for iCloud Web services

Date: Wednesday, September 17th, 2014, 11:23
Category: News, security, Software

It’s a step in the right direction.

Or at least a step to make the iCloud user base feel more secure.

Per AppleInsider, Apple on Tuesday activated two-factor authentication for iCloud.com access, allowing only basic access to Find My iPhone for those opted-in to the security layer.

The authentication system now requires users to enter a dynamically generated code sent to a trusted device prior to gaining access to the service.

Apple first tested the extra layer of iCloud.com security in June, more than one year following the protocol’s introduction for Apple ID accounts in 2013.
