O'Grady's PowerPage » security

Apple posts guide to activating, deactivating Private Browsing in iOS 9

Date: Monday, September 28th, 2015, 08:45
Category: iOS, iPad, iPhone, iPod Touch, News, security, Software


This could come in handy.

Recently, Apple posted full instructions as to how to activate and deactivate Private Browsing in iOS 9. Private Browsing mode protects your private information and blocks some websites from tracking your behavior. Safari won’t remember the pages you visit, your search history, or your AutoFill information.


Apple to begin providing better Xcode development tool hosting for Chinese developers in wake of XcodeGhost incident

Date: Thursday, September 24th, 2015, 07:22
Category: Developer, News, security, Software


When developers have been downloading a malware-filled copy of your development tools and inadvertently uploading tons of malware-filled apps to the App Store, it helps to put some money into infrastructure and address the slow download speeds for the genuine version of the development tools, thus removing the need to download the fake version in the first place.

Apple’s Phil Schiller, the company’s senior vice president of worldwide marketing, said on Tuesday that steps are being taken to keep the conditions that caused the XcodeGhost issue from recurring.

The source of the tainted apps was a program called XcodeGhost, a counterfeit version of Xcode, the platform used by developers to create programs for iOS and Mac. Developers in China often download Xcode from local sites due to the slow download speeds associated with sourcing it officially from Apple’s US servers. The spurious version of Xcode was slipped in amongst the authentic ones on Chinese sites and downloaded by many programmers, unbeknownst to them.


XcodeGhost malware affecting hundreds of iOS apps, Apple pulling infected versions from App Store

Date: Monday, September 21st, 2015, 07:06
Category: iOS, iPad, iPhone, News, security, Software


This is where things get a bit messier.

Apple has admitted that its App Store integrity was compromised, as apps were secretly infected by fake Xcode tools before submission to the App Store. The company has officially acknowledged the problem and is now removing apps affected by the malware from the App Store.

Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software, to submit apps. The fake Xcode, dubbed XcodeGhost, would inject malicious code into otherwise-legitimate apps during the submission process.

The malware seems to have infected hundreds of apps on the App Store, Apple releasing the following statement:


Palo Alto Networks cites XcodeGhost malware’s presence in 39 iOS apps

Date: Monday, September 21st, 2015, 07:47
Category: iOS, News, security, Software


Well, this is kind of a mess.

Research firm Palo Alto Networks has posted an analysis of a novel malware, XcodeGhost, that modifies the Xcode IDE to infect Apple iOS apps. The report mentions that at least two popular iOS apps were infected. We now believe many more popular iOS apps have been infected, including WeChat, one of the most popular IM applications in the world.

The malware itself seems to stem from the fact that some iOS developers use crowd-sourcing techniques, which leaves their apps more vulnerable.

At last count, roughly 39 iOS apps were infected, some of which are extremely popular in China and in other countries around the world, with hundreds of millions of users between them.


Vulnerabilities noted for several models of Seagate external drives, patch offered

Date: Tuesday, September 8th, 2015, 07:51
Category: hard drive, Hardware, News, security


If you’re using a Seagate external hard drive, you may want to be aware of both the security risks present on the drive as well as the patch that was just released to fix the vulnerability.

A series of vulnerabilities primarily affect owners of Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie Fuel devices purchased since October 2014.

Tangible Security, the firm that discovered the flaws, has stated that other Seagate products may be affected as well.

The worst flaw is a hard-coded username and password that give an attacker access to an undocumented Telnet service. Telnet is a command-line method of logging into one computer from another over the Internet or a local network.


KeyRaider malware steals credential information for 225,000+ jailbroken iOS devices

Date: Tuesday, September 1st, 2015, 04:07
Category: iOS, News, security, Software


The bad news is that more than 225,000 Apple IDs and passwords were taken from assorted iPhones via a chunk of malware dubbed “KeyRaider”, which can also remotely lock iOS devices in order to hold them to ransom.

The good news is that this only occurred with jailbroken iOS devices and probably didn’t happen to you.

According to reports, the KeyRaider software will hijack app purchase requests, download stolen accounts or purchase receipts from the C2 server, then emulate the iTunes protocol to log in to Apple’s server and purchase apps or other items requested by users. The tweaks have been downloaded over 20,000 times, which suggests around 20,000 users are abusing the 225,000 stolen credentials.


1Password for iOS updated to 5.5, adds Apple Watch, Touch ID improvements

Date: Friday, August 21st, 2015, 08:58
Category: iOS, News, security, Software


This might be worth snagging.

1Password for iOS has been updated to version 5.5, which gives users a Touch ID button under the Master Password field so you can choose to sign in using your fingerprint even if you accidentally hit cancel on the first request. Tapping the fingerprint button prompts the system Touch ID unlock screen.

The new version also features an improvement to how the app can stay unlocked between uses in different apps. Previously 1Password’s extension in other apps required being unlocked by password, passcode, or Touch ID each time. Now, the 1Password extension and 1Password app share the same unlock time limits.


Researchers demonstrate proof of concept for firmware worm that can directly target Macs

Date: Monday, August 3rd, 2015, 16:00
Category: Hack, MacBook, MacBook Air, MacBook Pro, News, security, Software


It’s generally been accepted that Apple’s computers are much more secure than their Windows PC counterparts.

This isn’t entirely true, as a pair of researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. The researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.


Mozilla temporarily disables Flash Player interactivity within Firefox, cites recently discovered exploits

Date: Tuesday, July 14th, 2015, 10:52
Category: News, security, Software


If you haven’t updated your version of Adobe Flash Player lately, now might be the time to do it.

The developers at Mozilla, having noticed that the staff at Hacking Team had three working exploits for Adobe Flash, decided to block all versions of the Flash Player plugin up to version on Windows. Mozilla said Flash would remain on the Firefox blocklist until Adobe fixes all known vulnerabilities.

Since the announcement, Adobe appears to have updated its Flash player to version, which is not blocked.


Apple to do away with Recovery Key as part of Two-Factor Authentication in iOS 9, OS X 10.11 El Capitan operating systems

Date: Thursday, July 9th, 2015, 09:42
Category: iOS, News, security, Software


There shall be Recovery Key no more come iOS 9 and OS X 10.11 El Capitan.

Apple on Wednesday confirmed that the security feature will be removed from its future operating systems.

Currently, the Recovery Key system in Apple’s “two-step” protocol works as a failsafe for accessing an Apple ID when a registered trusted device or phone number is unavailable. Under the existing setup, losing both a trusted device and Recovery Key renders the account inaccessible, which has in the past forced some users to abandon their Apple IDs altogether.