Security researcher demonstrates Thunderbolt firmware hack proof of concept at Chaos Computer Congress

Posted by:
Date: Monday, January 5th, 2015, 10:15
Category: Hack, Hardware, News, security, Thunderbolt


As great as Thunderbolt is, there are vulnerabilities to consider.

Per 9to5Mac, a security researcher speaking at the Chaos Computer Congress in Hamburg demonstrated a hack that rewrites an Intel Mac’s firmware using a Thunderbolt device carrying attack code in an option ROM. Known as Thunderstrike, the proof of concept presented by Trammell Hudson infects the Apple Extensible Firmware Interface (EFI) in a way he claims cannot be detected, nor removed by reinstalling OS X.

Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.


iDict brute-force security tool for hacking iCloud account passwords becomes available on GitHub

Posted by:
Date: Friday, January 2nd, 2015, 15:21
Category: iCloud, News, security, Software


This may be worth keeping an eye on if you’re concerned about iCloud security.

Per 9to5Mac, a new tool submitted to the developer website GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly evading Apple’s rate-limiting protection that is supposed to prevent such dictionary attacks. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.


Apple releases Network Time Protocol security patch

Posted by:
Date: Tuesday, December 23rd, 2014, 08:43
Category: News, security, Software


It’s not a huge patch, but it could make a difference.

Per Mac|Life, Apple released a small Network Time Protocol security patch on Friday. The patch, a 1.4 megabyte download, addresses what the company terms a new “critical security issue”.

Fascinatingly enough, the vulnerability itself was discovered by the Google Security Team back on December 19, and the U.S. Government alerted users to it only a couple of days later. The dangers of the vulnerability are a little complex, and the government’s ICS-CERT site is a little vague about what it is and what it does.


Apple releases Safari 8.0.2 update

Posted by:
Date: Monday, December 15th, 2014, 04:32
Category: News, security, Software


It’s not a huge update, but it helps.

On Friday, Apple released version 8.0.2 of its Safari web browser.

The new version, a 53.8 megabyte download, offers the following fixes and changes:

- Fixes an issue that could prevent history from syncing across devices if iCloud Drive is not on.

- Fixes an issue that could prevent a saved password from being autofilled after two devices are added to iCloud Keychain.


Apple releases iOS 8.1.2 update, includes ringtone purchase fix, security changes (updated)

Posted by:
Date: Tuesday, December 9th, 2014, 13:44
Category: iOS, iPad, iPhone, iPod, News, security, Software


This could come in handy.

Per 9to5Mac, Apple has released iOS 8.1.2 as an over-the-air software update for iPhone, iPad, and iPod touch users running iOS 8. The latest release contains bug fixes as well as a fix for a problem in which ringtones purchased from Apple were removed from devices. Other changes include a fix for keyboards that may not appear in Safari, Maps, or other third-party apps in the iOS Simulator, Siri support for Singapore English, a repair for a bug that caused Notifications to fail to open an app, and a fix for an issue that caused WatchKit apps to stop working in the iOS 8 Simulator.

For users subject to the reported issues involving ringtones purchased through iTunes, Apple points users to itunes.com/restore-tones for recovering those purchases.


WireLurker security paper released, discusses potential next generation of OS X, iOS malware

Posted by:
Date: Friday, November 7th, 2014, 02:30
Category: iOS, News, security


Not that you should be entirely paranoid about malware on your OS X and iOS devices, but a little caution couldn’t hurt.

Per Palo Alto Networks, a new paper has been published on WireLurker, a family of malware that has targeted both Mac OS and iOS systems for the past six months. It’s believed that WireLurker could herald a new generation of malware on Apple’s desktop and mobile platforms, given the following characteristics:

- It is only the second known malware family that attacks iOS devices through OS X via USB.

- It is the first malware to automate generation of malicious iOS applications, through binary file replacement.

- It is the first known malware that can infect installed iOS applications similar to a traditional virus.

- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.


Security researcher finds unsaved files are automatically saved into iCloud

Posted by:
Date: Wednesday, November 5th, 2014, 17:10
Category: iCloud, News, security


This may not be what Apple intended to have happen with iCloud.

And there may be a patch coming for it posthaste.

According to Slate, security researcher Jeffrey Paul recently noticed that Apple’s default autosave is storing in-progress files, the ones you haven’t explicitly saved yet, in the cloud rather than on your hard drive. Unless you hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in “Untitled 17” are living in iCloud.

Although this issue seems to be a recent phenomenon, it appears to have been happening since at least December of 2013, according to Apple’s Knowledge Base, and it doesn’t just affect TextEdit, but also Preview, Pages, Numbers, and Keynote. Hopefully there wasn’t anything sensitive in those unsaved screenshots, spreadsheets, presentations, and documents, or you were using other programs. Luckily, Word for Mac files don’t seem to be affected in this way.

You can turn off this surreptitious feature under Apple menu > System Preferences > iCloud > Documents & Data, or you can save your empty file before you even start typing. But that’s not really the point. The problem is that users intuitively expect their in-progress documents to be saved locally, but these files are being stored in iCloud instead.


AT&T admits to testing “unique tracker” on smartphones, offers opt-out option

Posted by:
Date: Thursday, October 30th, 2014, 11:55
Category: iPhone, News, security, wireless


This isn’t the best news.

According to Forbes, wireless carriers Verizon and AT&T have conceded that they are tagging their customers with unique codes that are visible to third parties. This makes smartphone users far easier to track on the Web than they have ever been before, and makes targeted advertising that much easier to build. After the researchers’ findings, AT&T admitted it is “testing” a new way of tracking its customers for ad display purposes.

“There’s nothing ready to announce,” said AT&T spokesperson Mark Siegel. “We’re still testing.”

But that means, yes, AT&T customers are being tagged by AT&T in a way that’s visible to the websites they visit, but AT&T says it’s building in what it considers to be a privacy-protective measure: the unique code for each user will change every 24 hours. Siegel says this is happening now, but Kenneth White, one of the researchers who discovered the tracking, says that is “categorically untrue,” saying he found three identifying codes being sent by AT&T that were persistent.

“AT&T does not currently have a mobile Relevant Advertising program. We are considering such a program, and any program we would offer would maintain our fundamental commitment to customer privacy,” read a statement from AT&T. “For instance, we are testing a numeric code that changes every 24 hours on mobile devices to use in programs where we serve ads to the mobile device. This daily rotation on the numeric code would help protect the privacy of our customers. Customers also could opt out of any future AT&T program that might use this numeric code.”


Hours after citing capable security, CurrentC announces unauthorized access of users’ email accounts

Posted by:
Date: Wednesday, October 29th, 2014, 16:35
Category: Finance, iOS, News, security, Uncategorized


Hubris, anyone?

Just hours after publishing a blog post answering some questions about its upcoming CurrentC mobile payments system and touting the security of its cloud-based storage of sensitive information, the company behind the effort, Merchant Customer Exchange (MCX), has alerted users to unauthorized access to their email addresses.

Per MacRumors, the company released the following statement:

Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.

Details on the unauthorized access have not been disclosed, but reporter Nick Arnott of iMore earlier this week took a look at some of the personal information being collected by MCX and CurrentC and noted that he could ping CurrentC’s systems to look for valid registered email addresses. While he did not find valid addresses, the system appeared capable of returning a substantial amount of personal information about such accounts.


MCX responds to Apple Pay blocking controversy with questionable responses to issues at hand

Posted by:
Date: Wednesday, October 29th, 2014, 11:46
Category: Finance, iOS, iPhone, News, security, Software


The most recent shot in the NFC payment wars has been fired.

And it kind of made MCX look like a bunch of jerks.

Per 9to5Mac, MCX, the retailer consortium behind the CurrentC mobile payment system, has responded to the controversy over its members being required to block Apple Pay or face fines with some unconvincing ‘assurances.’

The first sign of trouble between MCX and Apple Pay was when CVS disabled NFC functionality on its payment terminals. When Rite Aid joined in, consumers responded by threatening to boycott MCX members.

In a blog post which MCX says is designed to “set the record straight,” as it were, MCX responded to some of the recent concerns levied against it.

Responding to the fines issue, the company offered the following comment:

Importantly, if a merchant decides to stop working with MCX, there are no fines.

Nobody has suggested there are. What has been suggested, and what MCX has not denied, is that members are fined if they accept other forms of mobile payment, like Apple Pay, alongside CurrentC.

The consortium gets off to a marginally better start on privacy, with a statement that consumers “can choose to limit the information they share through our privacy dashboard, which means they will have the ability turn off location based services and opt out of marketing communications in our app.” However, that does nothing to limit the storage of other sensitive information, nor to address claims that merchants will share purchasing data amongst themselves.
